nabla-c0d3 / sslyze Goto Github PK
View Code? Open in Web Editor NEWFast and powerful SSL/TLS scanning library.
License: GNU Affero General Public License v3.0
Fast and powerful SSL/TLS scanning library.
License: GNU Affero General Public License v3.0
Hello,
Would you accept a JSON output alongside the current XML?
Purpose:
XML is nice and so, but currently the "trend" is more for JSON, as it's really easy to parse it with some small javascript stuff. It would be a better format in order to display elements on some web page.
Also, having a JSON output allows to take profit of the different types like hash and ordered lists, meaning it might be better if we list Server preferred ciphers in Server order.
I'm pretty sure it won't be that hard, as JSON is just, let's say, a list of hashes (or a hash of lists, or both) and can be pretty easily converted to/from this "object" from/to JSON file.
Also, I'm using sslyze in some script, and its original output was JSON — I'm using right now some format conversion process, but that's not really the best way to do what I need ;).
Cheers,
C.
All, I tried to test my site(https://192.168.2.104) if there exist vulnerability of heartbleed but got the socket time out problem. Please help to review below out put.
CHECKING HOST(S) AVAILABILITY
192.168.2.104:443 => 192.168.2.104:443
SCAN RESULTS FOR 192.168.2.104:443 - 192.168.2.104:443
Unhandled exception when processing --heartbleed:
socket.timeout - timed out
I am sure my site (https://192.168.2.104) can be reached in the network.
Is there any reason cause this exception?
Thanks,
Joe
All, I found a typo in the help for the option --resum. the word "ressumption" should be "resumption".
please review it .
--resum Tests the server(s) for session ressumption support
using session IDs and TLS session tickets (RFC 5077).
Thanks.
I was playing around with sslyze today and scanned https://static.rust-lang.org/, which is proxied by CloudFront. The resulting XML is missing some of the usual analysis.
I guess, this:
TRUST_STORES_PATH = join(realpath(dirname(sys.argv[0])), 'plugins',
'data', 'trust_stores')
should rather be:
TRUST_STORES_PATH = join(realpath(dirname(__file__)), 'data',
'trust_stores')
?!
I was attempting to install sslyze in /usr/local
and run it as a normal user, but got this error:
$ python sslyze.py --regular www.isecpartners.com:443 www.google.com Traceback (most recent call last): File "sslyze.py", line 31, in from plugins import PluginsFinder ImportError: No module named plugins
After extracting sslyze into my home directory, it worked.
$ python sslyze.py REGISTERING AVAILABLE PLUGINS ----------------------------- PluginHSTS PluginCertInfo PluginSessionRenegotiation PluginHeartbleed PluginCompression PluginOpenSSLCipherSuites PluginChromeSha1Deprecation PluginSessionResumption Command line error: No targets to scan. Use -h for help.
It would be convenient to have sslyze be able to test for the TLS POODLE issue
Literally no matter what I do I get the following error when trying to run sslyze:
ERROR: Could not import nassl Python module. Did you clone SSLyze's repo ?
I have built nassl on the system and copied it in to folder, I have downloaded every version of the sslyze I can find 32 bit and 64 bit and I still come up with this error.
These are the OS particulars:
Raspbian
Debian Wheezy
Version: February 2015
Release date: 2015-02-16
Kernel version: 3.18
Any help or push in the right direction would be appreciated.
The usingTrustStore
XML element contains both the trust store and when it was last updated. These should be separate attributes.
I'm working on a ruby wrapper to automate sslyze and parse the resulting XML output (a la ruby-nmap). I was wondering if you had a complete DTD for the XML output?
I noticed some XML elements that denote size have a "bit" suffix.
The connectionStatus
attribute in the <cipherSuite/>
XML element contains both the protocol (TCP
, TLS
, HTTP
, etc) as well as the status. I think these should be split into two separate attributes.
When I scan facebook:
$ ./sslyze.py 173.252.120.6:443 --regular --xml_out fb.xml
----- CUT OUTPUT -----
$ head fb.xml
<?xml version="1.0" encoding="utf-8"?>
<document SSLyzeVersion="SSLyze v0.10" SSLyzeWeb="https://github.com/nabla-c0d3/sslyze" title="SSLyze Scan Results">
<invalidTargets/>
<results defaultTimeout="5" httpsTunnel="None" startTLS="None" totalScanTime="7.17561078072">
<target host="173.252.120.6" ip="173.252.120.6" port="443">
<certinfo exception="exceptions.KeyError - 'exponent'"/>
<compression title="Deflate Compression">
<compressionMethod isSupported="False" type="DEFLATE"/>
</compression>
<heartbleed title="OpenSSL Heartbleed">
You can see it didn't retrieve the certificate chain.
<certinfo exception="exceptions.KeyError - 'exponent'"/>
likely because when parsing some output the value exponent was't found.
$ grep -rn 'exponent' ./* | grep ".py:"
./nassl/X509Certificate.py:186: 'exponent': self._parse_pubkey_exponent() }
./nassl/X509Certificate.py:220: def _parse_pubkey_exponent(self):
./plugins/PluginCertInfo.py:337: self.FIELD_FORMAT("Exponent:", "{0} (0x{0:x})".format(int(certDict['subjectPublicKeyInfo']['publicKey']['exponent'])))]
I'm guessing the issue is in ./plugins/PluginCertInfo.py:337 yet have to find out why. For now I've other deadlines to catch :(
Please add sslyze to pypi so that we can simply pip install sslyze
to install sslyze.
<publicKeyAlgorithm/>
contains rsaEncryption
, where as <signatureAlgorithm/>
contains sha256WithRSAEncryption
. I feel these should be hyphen separated Strings.
Attempting to scan a host while being behind a corporate proxy leads to this error:
WARNING: Could not connect (timeout); discarding corresponding tasks.
All usual proxy environment variables are set, and other python scripts on my system work through the proxy, so I'm hoping this isn't too tricky to achieve. Will have a dig through the source later myself and see if I can work out what's required.
Ran into this freak error. Cannot seem to reproduce it.
SCAN RESULTS FOR 192.186.208.98:993 - 192.186.208.98:993 -------------------------------------------------------- * Deflate Compression: OK - Compression disabled Unhandled exception when processing --reneg: _nassl.OpenSSLError - error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
We are running sslyze 0.6 and are overall very happy with it, however we are getting errors checking SSL certs on certain web servers.
The problem is response of:
certinfo exception="utils.SSLyzeSSLConnection.SSLHandshakeRejected - TLS Alert - Wrong version number"
This only occurs when checking a small number of HTTPS servers.
I realise this is an old version, and the problems we are having may have been resolved in more current releases, however at the moment we are not able to upgrade due to the version of python (2.6) on our monitoring servers.
Are you able to provide any advice on how we could resolve this while continuing to run version 0.6?
I noticed various inconsistencies in the XML schema. Some attributes have the format of Foo_Bar
while others are fooBar
(ex: <keyExchange>
). Also, it seems like <cipherSuite>
maybe should be named <cipher>
? Certain text values appear to be compound values (ex: sha256WithRSAEncryption
and TLS / No ciphers available
). I'm not sure how open you are to changing the XML schema, now that users are consuming it.
When I export everything to an XML file, could you add
the validity in ISO format also?
e.g. instead of
<validity>
<notAfter>May 9 21:58:25 2024 GMT</notAfter>
<notBefore>May 12 21:58:25 2014 GMT</notBefore>
</validity>
it would be great to have the date and time in iso format e.g. with UTC time.
<validity_iso>
<notAfter>2024-05-09 21:58:25</notAfter>
<notBefore>2014-05-12 21:58:25</notBefore>
</validity>
and
<publicKeySize>4096 bit</publicKeySize>
would be easier to have as
<publicKeySize>4096</publicKeySize>
as it's always in bit.
at the moment sslyze exports or prints only the shortened cipher suite names, which is a bit difficult to parse...
Perhaps it would be helpful to integrate an export option for long cipher suite names, or is something like that already possible?
I found this discription on the openssl site:
https://www.openssl.org/docs/apps/ciphers.html#CIPHER_SUITE_NAMES
The version attribute should just be X.Y
.
I didn't test it until now - but will it work on FreeBSD?
In the description is it not mentioned...
Add a --quiet
option to suppress stdout.
I think there should be "leaf", "intermediate" and "root" positions for <certificate>
tags.
Looks like the issue from the iSec repo is still present. Issue referenced nassl fix but I'm still seeing this with the latest release:
CHECKING HOST(S) AVAILABILITY
-----------------------------
xxx.xxx.xxx.xxx:7001 => xxx.xxx.xxx.xxx:7001
SCAN RESULTS FOR xxx.xxx.xxx.xxx:7001 - xxx.xxx.xxx.xxx:7001
------------------------------------------------------------
* SSLV2 Cipher Suites:
Undefined - An unexpected error happened:
RC4-MD5 timeout - timed out
RC2-CBC-MD5 timeout - timed out
IDEA-CBC-MD5 timeout - timed out
EXP-RC4-MD5 timeout - timed out
EXP-RC2-CBC-MD5 timeout - timed out
DES-CBC3-MD5 timeout - timed out
DES-CBC-MD5 timeout - timed out
SCAN COMPLETED IN 44.06 S
I just ran into an odd case while testing (--starttls=smtp) a Mimecast SMTP server that is triggering SSL errors for us; sslyze doesn't back off when it encounters 'StartTLSError - SMTP STARTTLS not supported'.
I would expect that it stops on first occurence, whenever that occurs, instead of running the full set of tests on a target that will not yield meaningful results anyway? �Should it not stop the moment there is no 'STARTTLS' seen in the server response?
PluginHSTS fails with login.microsoftonline.com
Chrome reports that www.dinaburg.org
Hey :)
I wondering, why there is a different between
python sslyze.py --reneg www.mint.com
and
python sslyze.py --reneg mint.com
If i skip the www, everything is okay. But if I try it with www. it tells me that secure reneg is vuln.
Same with www.airbnb.com
Why is it acting different?
I have installed sslyze as a system tool and created a link as below:
/usr/bin/sslyze -> /usr/lib64/sslyze/sslyze.py
It was working fine in the previous version. sslyze 0.10 gives the following error:
PluginCertInfo - Import Error: [Errno 2] No such file or directory
PluginChromeSha1Deprecation - Import Error: [Errno 2] No such file or directory
PluginHeartbleed
PluginCompression
PluginSessionResumption
PluginOpenSSLCipherSuites
PluginSessionRenegotiation
PluginHSTS
As you can see, it is unable to find first 2 plugins
Please add support for TLSA.
It would be nice to extend --resum_rate to include session ticket resumption tests.
And there is a possibility that session ticket resumption return "false" even though the session is correctly resumed, because it only compares the sent session ticket and returned one, but according RFC 5077, the server may return a renewed session ticket if the ticket encryption key is rotated. I would recommend using the more reliable 'hit' bit in OpenSSL's SSL struct.
Hello!
I find sslyze to be an excellent tool, however I get strange results regarding the Microsoft CA store support. When I test www.verisign.com sslyze says that the SSL certificate on the site is not supported by the Microsoft root store (it says that the certificate has expired). Can the microsoft.pem file somehow be updated in order to rectify this?
Here is the output I get for www.verisign.com :
Best wishes,
Thomas Höjemo
Every major site I run sslyze against, <ocspStapling/>
just contains an error
attribute with some text. I feel this needs a status attribute to indicate the result of the test.
I noticed that sslyze uses hyphenated names (ex: ECDHE-ECDSA-NULL-SHA
) but most people identify TLS cipher suites using underscores (ex: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
). Should both names be included in the output? Is there a canonical naming convention for cipher suites?
I think there should be a simple supported
attribute. Currently I am checking whether a protocol is supported by querying sslv2/acceptedCipherSuites
.
I just tested 0.10 and found that when I run it against a site that redirects / (i.e https://google.com/ to https://google.com/search) to something else the cipher test will fail, here's an example:
* Session Resumption:
With Session IDs: OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
With TLS Session Tickets: OK - Supported
* TLSV1_2 Cipher Suites:
Preferred:
RC4-SHA - 128 bits HTTP 301 Moved Permanently - /share/
Accepted:
AES256-SHA - 256 bits HTTP 301 Moved Permanently - /share/
RC4-SHA - 128 bits HTTP 301 Moved Permanently - /share/
AES128-SHA - 128 bits HTTP 301 Moved Permanently - /share/
* TLSV1_1 Cipher Suites:
Preferred:
RC4-SHA - 128 bits HTTP 301 Moved Permanently - /share/
Accepted:
AES256-SHA - 256 bits HTTP 301 Moved Permanently - /share/
RC4-SHA - 128 bits HTTP 301 Moved Permanently - /share/
AES128-SHA - 128 bits HTTP 301 Moved Permanently - /share/
* TLSV1 Cipher Suites:
Preferred:
RC4-SHA - 128 bits HTTP 301 Moved Permanently - /share/
Accepted:
AES256-SHA - 256 bits HTTP 301 Moved Permanently - /share/
RC4-SHA - 128 bits HTTP 301 Moved Permanently - /share/
AES128-SHA - 128 bits HTTP 301 Moved Permanently - /share/
* SSLV3 Cipher Suites:
Server rejected all cipher suites.
Had a discrepancy between SSLyze and SSLscan over preferred cipher suite for SSLv3. SSLyze thought it was RC4-SHA, SSLscan thought it was DES-CBC3-SHA. Running OpenSSL with -ssl3
returned DES-CBC3-SHA. Also running openssl s_client -ssl3 -cipher DES-CBC3-SHA:RC4-SHA
and then openssl s_client -ssl3 -cipher RC4-SHA:DES-CBC3-SHA
both returned DES-CBC3-SHA. So it looks like SSLscan was right. Looking into this with Wireshark I can see that individually DES-CBC3-SHA was tested but, when it came to determining preference, DES-CBC3-SHA was missing from the full list sent up in the Client Hello so the server couldn't choose it. I'm afraid I can't provide the target server as it was part of a pentest.
Hello,
This is apparently unrelated with #48 as it doesn't affect only SSLv2.
Here's a sample output:
SCAN RESULTS FOR aaa.bbb:443 - yyy.yyy.yyy.yyy:443
---------------------------------------------------------------
* Deflate Compression:
OK - Compression disabled
* Session Renegotiation:
Client-initiated Renegotiations: OK - Rejected
Secure Renegotiation: OK - Supported
Unhandled exception when processing --certinfo:
socket.timeout - timed out
DES-CBC-SHA timeout - timed out
AECDH-NULL-SHA timeout - timed out
ADH-DES-CBC-SHA timeout - timed out
EDH-RSA-DES-CBC3-SHA TypeError - cannot concatenate 'str' and 'NoneType' objects
ECDHE-RSA-DES-CBC3-SHA TypeError - cannot concatenate 'str' and 'NoneType' objects
ECDHE-RSA-AES256-SHA384 TypeError - cannot concatenate 'str' and 'NoneType' objects
ECDHE-RSA-AES256-SHA TypeError - cannot concatenate 'str' and 'NoneType' objects
[…]
It goes on for the other protocols.
Problem: the host is up n'running, working perfectly in a standard browser.
Lemme know of some way to provide the host so that you can test it on your own (host is public, but as I'm not the manager/owner…)
Cheers,
C.
If I try --hsts its not giving me the right results. It says no hsts supported by facebook for example. But they support hsts, if I check the headers.
Whats the problem? thx
This is the first line in your code:
#!/usr/bin/env python
Please note that this is not working if you have "python2" and "python3" installed. On my system "python" is a symbolic link for "python3". Change it to:
#!/usr/bin/env python2
Thanks
In https://github.com/nabla-c0d3/sslyze/blob/master/plugins/PluginSessionRenegotiation.py, there is a potential false positive when testing Jetty Applications. When Jetty is set to reject renegotiation, it actually completes one handshake, and then closes the socket. So an error is not thrown.
You would however, get 'An established connection was aborted by the software in your host machine' when you try to renegotiate once again since the connection is closed after performing 1 handshake.
Hello!
I'm currently wanting to use sslyze in a script, running as a cron job. I added the xml_output option, but I still get a lot of output from sslyze — is it possible to get some quiet run? I didn't see anything in the options, and the code doesn't seem to propose this kind of feature (a lot of "print" without any condition).
Would be great if this could be done :).
Cheers,
C.
XML output:
<reneg exception="_nassl.OpenSSLError - error:14094458:SSL routines:SSL3_READ_BYTES:tlsv1 unrecognized name"/>
I noticed the <x509v3BasicConstraints>
is a plain string. The BasicConstraints extensions can be defined in short form CA:FALSE pathLen:0
or so called long form. I think it would be useful to fully parse the basic constraints into key:value pairs.
When Ctrl^C
ing sslyze, I noticed it left behind a ton of python sub-processes.
Never mind - found the source.
With 0.10, the XML output has some elements within parent elements of the same name. Examples:
<heartbleed title="OpenSSL Heartbleed">
<heartbleed isVulnerable="False"/>
</heartbleed>
<hsts title="HTTP Strict Transport Security">
<hsts sentHstsHeader="None"/>
</hsts>
This makes it trickier to search for an element in order to read its attributes.
I am assuming that for Heartbleed, you could just roll the boolean into the enclosing element or do what you're doing with chrome_sha1 where the child element is chromeSha1Deprecation. For listing hsts headers, you could rename the element into something like hsts-header.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.