Giter Club home page Giter Club logo

sslyze's People

Contributors

nabla-c0d3 avatar

Stargazers

 avatar  avatar

Watchers

 avatar  avatar

sslyze's Issues

undefined symbol: SSLv2_method

What steps will reproduce the problem?
1. Run sslyze with --regular
2. Get errors like:

Unhandled exception when processing --resum: 
<type 'exceptions.AttributeError'>: /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0: 
undefined symbol: SSLv2_method

What is the expected output? What do you see instead?

No errors. Results.

What version of the product are you using? On what operating system?

0.3. OpenSSL 1.0.0e-2.1 from Debian unstable. Most distributions are now 
shipping OpenSSL with SSLv2 disabled.

Original issue reported on code.google.com by [email protected] on 18 Nov 2011 at 6:28

Unhandled exception

What steps will reproduce the problem?
1. Executing on Ubuntu 12.04
2.
3.

What is the expected output? What do you see instead?

Unhandled exception when processing --reneg: 
<type 'exceptions.AttributeError'>: /lib/i386-linux-gnu/libssl.so.1.0.0: 
undefined symbol: SSLv2_method

Unhandled exception when processing --certinfo: 
<type 'exceptions.AttributeError'>: /lib/i386-linux-gnu/libssl.so.1.0.0: 
undefined symbol: SSLv2_method

Unhandled exception when processing --tlsv1: 
<type 'exceptions.AttributeError'>: /lib/i386-linux-gnu/libssl.so.1.0.0: 
undefined symbol: SSLv2_method

Unhandled exception when processing --sslv2: 
<type 'exceptions.AttributeError'>: /lib/i386-linux-gnu/libssl.so.1.0.0: 
undefined symbol: SSLv2_method

Unhandled exception when processing --sslv3: 
<type 'exceptions.AttributeError'>: /lib/i386-linux-gnu/libssl.so.1.0.0: 
undefined symbol: SSLv2_method

Unhandled exception when processing --resum: 
<type 'exceptions.AttributeError'>: /lib/i386-linux-gnu/libssl.so.1.0.0: 
undefined symbol: SSLv2_method


What version of the product are you using? On what operating system?
Linux 3.2.0-20-generic-pae #32-Ubuntu SMP Thu Mar 22 02:43:40 UTC 2012 i686 
i686 i386 GNU/Linux

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 28 Mar 2012 at 5:21

Add support for OpenSSL 1.0.1 with TLS v1.1 and v1.2

OpenSSL 1.0.1 is almost out and brings support for TLS 1.1 and 1.2.
Add support for that in the cipher suite scanning module.

Create Windows packages with OpenSSL 1.0.1 included. 
This will likely be released as SSLyze 0.4.

Original issue reported on code.google.com by [email protected] on 12 Dec 2011 at 8:07

Add hostname validation

Right now the server's certificate is verified using Mozilla's trust store. 
However, the hostname that's on the certificate is not validated against the 
server's hostname.

Use this:
http://pypi.python.org/pypi/backports.ssl_match_hostname/

Original issue reported on code.google.com by [email protected] on 7 May 2012 at 1:23

Wrong certificate store used?

Trying "python sslyze.py --regular www.cacert.org:443" on my OSX machine with 
CAcert in the OS trust store, I get:

      Validation w/ Mozilla's CA Store:  Certificate is Trusted             

which is invalid, as CAcert is not in the Mozilla CA store.

Original issue reported on code.google.com by [email protected] on 27 Mar 2012 at 8:55

Unhandled exception in _get_cert()

What steps will reproduce the problem?
run sslyze with --certinfo=basic on a site with an invalid cert.
Unhandled exception when processing --certinfo: 
exceptions.TypeError - _get_cert() takes at least 2 arguments (2 given)

plugins/PluginCertInfo.py:100 is missing the target parameter in the call to 
_get_cert()

Original issue reported on code.google.com by [email protected] on 29 Jun 2012 at 10:41

updated openssl and still get error message

$python sslyze.py --reneg www.serverxyz.de:443 

i get the following error message:

* Session Renegotiation : 
OpenSSL version is 0.9.8l or earlier. Can't test for insecure renegotiation. 
Update OpenSSL to 0.9.8m+.

When i check the Version of openSSL:

$OpenSSL> version
$OpenSSL 1.0.0e 6 Sep 2011
$OpenSSL> 

any clues ?

Original issue reported on code.google.com by [email protected] on 3 Jan 2012 at 12:35

Exception --certinfo=basic

Latest version from source:

PluginCertInfo.py line 127

trust_xml.extend(cert_xml)

Gives an exception when run with the following options

./sslyze.py --certinfo=basic google.com

Unhandled exception when processing --certinfo:
exceptions.AttributeError - _ElementInterface instance has no attribute 'extend'


(nb the line number would be really handy when debugging :)

Original issue reported on code.google.com by [email protected] on 4 Jul 2012 at 11:12

Shebang on sslyze.py must be first line

The shebang of "#!/usr/bin/env python" must be the first line of the sslyze 
script to work when not called directly with the python interpreter. Currently 
it is below the description/copyrite statement. svn diff follows:


Index: sslyze.py
===================================================================
--- sslyze.py   (revision 146)
+++ sslyze.py   (working copy)
@@ -1,3 +1,4 @@
+#!/usr/bin/env python
 #-------------------------------------------------------------------------------
 # Name:         sslyze.py
 # Purpose:      Main module of SSLyze.
@@ -19,7 +20,6 @@
 #   You should have received a copy of the GNU General Public License
 #   along with SSLyze.  If not, see <http://www.gnu.org/licenses/>.
 #-------------------------------------------------------------------------------
-#!/usr/bin/env python

Original issue reported on code.google.com by [email protected] on 10 Jan 2012 at 11:41

Add Location header to output for 3xx status

What steps will reproduce the problem?
1. Run sslyze against paypal.com

Changes output from:
        AES256-SHA               256 bits      HTTP 301 Moved Permanently
to:
        AES256-SHA               256 bits      HTTP 301 Moved Permanently (https://www.paypal.com/)

What version of the product are you using? On what operating system?
0.4 Linux

Original issue reported on code.google.com by [email protected] on 28 Jun 2012 at 7:42

Attachments:

Machine parseable output

What would be the recommended method of using sslyze from other programs; 
writing a custom plugin? adding machine parseable output (xml, json, ...) ?

I'm looking at a TLS inventory application, and getting the data out in a 
structured format would be very useful.

Original issue reported on code.google.com by [email protected] on 26 Mar 2012 at 7:48

XML output

Is it possible to get en option to have XML output ? (like sslscan)

Thanks by advance.


Original issue reported on code.google.com by [email protected] on 2 Feb 2012 at 4:22

  • Merged into: #14

Hangup with Openssl 1.0.0g

What steps will reproduce the problem?

1. I am using Ubuntu 10.04 LTS Server
2. I installed openssl 1.0.0g manually to be able to check renegotiation
3. ./config --prefix=/usr/local/ssl-1.0.0g shared enable-zlib enable-camellia 
enable-md2 enable-rc5 enable-threads enable-resolv
4. Create symbolic links to libssl and libcrypto within /usr/local/lib

What is the expected output? What do you see instead?

sslyze hangs (both the svn and the release 0.3) completely in the moment it 
tries to use the new openssl library - the buildin 0.9.8 is working (switchover 
possible by removing the symbolic links), but fails with renegotiation checks

Strg+c output is:

Traceback (most recent call last):
  File "sslyze.py", line 203, in <module>
    main()
  File "sslyze.py", line 178, in main
    result = result_queue.get()
  File "/usr/lib/python2.6/multiprocessing/queues.py", line 91, in get
    res = self._recv()
KeyboardInterrupt

$ python --version
Python 2.6.5




Original issue reported on code.google.com by [email protected] on 2 Feb 2012 at 1:20

Syntax error while executing the script on Linux server

What steps will reproduce the problem?
1. Just download the zip to any linux server
2. Execute "python sslyze.py"
3. See the error message

What is the expected output? What do you see instead?
Expected output was atleast usage message or syntax

Actually got:

Client-89.85 # python sslyze.py
  File "sslyze.py", line 71
    except Exception as e:
                      ^
SyntaxError: invalid syntax
Client-89.85 #


What version of the product are you using? On what operating system?
Client-89.85 # python -V
Python 2.3.4
Client-89.85 #uname -a
Linux localhost.localdomain 2.6.9-67.ELsmp #1 SMP Fri Nov 16 12:48:03 EST 2007 
i686 i686 i386 GNU/Linux
Client-89.85 #


Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 25 Nov 2011 at 11:30

Support for detecting extensions supported by a scanned server.

TLS now supports extensions, some of which have impact on security; for example 
OCSP Stapling makes it possible for a client to reliably get the revocation 
status of the servers certificate.

OpenSSL v0.9.8h added support for this extension, if you pass -status it checks 
it.

The COMMODO SSL Scanner includes a check for this: 
https://sslanalyzer.comodoca.com/?url=LOGIN.LIVE.COM

It would also be helpful to check for other extensions like SNI since its 
needed to manage v4 address depletion until v6 is fully viable.

Original issue reported on code.google.com by [email protected] on 29 Mar 2012 at 4:02

Socket.timeout for --reneg and --certinfo (using --https_tunnel)

using --regular and --https_tunnel I received timeouts whereas everything 
returned fine

Unhandled exception when processing --reneg: 
socket.timeout - timed out

Unhandled exception when processing --certinfo: 
socket.timeout - timed out

I can connect to another host using this proxy and both of the above options 
return fine.

I had a fiddle within the code, its basically bombing out on 
ssl_connect.connect() within _get_cert().

I had a fiddle with the SSL_CTX settings, None causes it to timeout, tlsv1_2 
causes a timeout, tlsv1_1 causes:

Unhandled exception when processing --certinfo:
utils.CtSSLHelper.SSLHandshakeRejected - SSL Wrong version

and SSLv3 works fine...

None appears to be attempting TLSv1.2 from the captured packets.

The server does negotiate at some levels on TLS1.2 when I use --tlsv1_2.

The following fix attempts SSLv3 if the original attempt fails:

        try: # Perform the SSL handshake
            ssl_connect.connect()
            cert = ssl_connect.ssl.get_peer_certificate()
        except Exception:
            ssl_connect.close()
            ssl_ctx = SSL_CTX.SSL_CTX('sslv3')
            ssl_connect = self._create_ssl_connection(self.target, ssl_ctx=ssl_ctx)
            if verify_cert:
                ssl_connect.ssl_ctx.load_verify_locations(TRUSTED_CA_STORE)
                ssl_connect.ssl.set_verify(constants.SSL_VERIFY_PEER)
            ssl_connect.connect()
            cert = ssl_connect.ssl.get_peer_certificate()


I haven't tried this for renegotiate checks, but it may be worthwhile 
explicitly attempting a CTX value if the initial SSL negotiation times out due 
to some reason?





Original issue reported on code.google.com by [email protected] on 27 Jun 2012 at 12:40

PicklingError: Can't pickle plugins.PluginBase.PluginResult: it's not the same object as plugins.PluginBase.PluginResult

sslyze-read-only$ uname -a
Linux VB-FR976R1-UBUNTU 2.6.32-41-generic #88-Ubuntu SMP Thu Mar 29 13:08:43 
UTC 2012 i686 GNU/Linux
sslyze-read-only$ python --version
Python 2.6.5
sslyze-read-only$ ./sslyze.py --tlsv1_1 --http_get wwwwwwww.wwwwwwww.com

 REGISTERING AVAILABLE PLUGINS
 -----------------------------

   PluginEmpty - OK
   PluginCertInfo - OK
   PluginSessionResumption - OK
   PluginSessionRenegotiation - OK
   PluginOpenSSLCipherSuites - OK

 CHECKING HOST(S) AVAILABILITY
 -----------------------------

   wwwwwwww.wwwwwwww.com:443        => XXX.XXX.XXX.XXX:443                

Traceback (most recent call last):
  File "/usr/lib/python2.6/multiprocessing/queues.py", line 242, in _feed
    send(obj)
PicklingError: Can't pickle plugins.PluginBase.PluginResult: it's not the same 
object as plugins.PluginBase.PluginResult

Original issue reported on code.google.com by [email protected] on 16 May 2012 at 8:35

Fedora 16 x64 support

Getting

PluginCertInfo - Import Error: Could not load OpenSSL 1.0.0 or 0.9.8.
PluginOpenSSLCipherSuites - Import Error: Could not load OpenSSL 1.0.0 or 0.9.8.
PluginSessionResumption - Import Error: Could not load OpenSSL 1.0.0 or 0.9.8.
PluginSessionRenegotiation - Import Error: Could not load OpenSSL 1.0.0 or 
0.9.8.

when run on Fedora 16 x64 (probably also other Fedora versions)

The naming of the libs do not match for Fedora since they have the f at the end.
/lib64/libcrypto.so.1.0.0f
/usr/lib64/libssl.so.1.0.0f

Seem to be working when doing this (but will break others)
so Fedora will have to be identified by more than sys.platform

--- load_openssl.py 2012-01-13 10:16:30.039579016 +0100
+++ load_openssl.py 2012-01-13 10:19:52.184123497 +0100
@@ -51,8 +51,8 @@
         libssl_0_9_8 = 'ssleay32'

     elif sys.platform == 'linux2': # Any Linux
-        libcrypto_1_0_0 = 'libcrypto.so.1.0.0'
-        libssl_1_0_0 = 'libssl.so.1.0.0'
+        libcrypto_1_0_0 = 'libcrypto.so.1.0.0f'
+        libssl_1_0_0 = 'libssl.so.1.0.0f'
         libcrypto_0_9_8 = 'libcrypto.so.0.9.8'
         libssl_0_9_8 = 'libssl.so.0.9.8'

Original issue reported on code.google.com by [email protected] on 13 Jan 2012 at 9:26

IIS always replies with HTTP 400 Bad Request

Sending an HTTP GET (using --http_get) to an IIS server causes the server to 
send back an HTTP 400 Bad Request. It has to do with the way the SSL handshake 
is performed and how the encrypted data is sent, as the GET request itself is 
pretty standard. 

Original issue reported on code.google.com by [email protected] on 7 May 2012 at 1:17

Plugin discovery depends on current directory

What steps will reproduce the problem?
1. cd to the directory containing sslyze
2. run: sslyze --help
3. notice the help for the plugins
4. cd to a different directory
5. run: sslyze --help
6. notice no mention of the plugins

What is the expected output? What do you see instead?
Unless specified otherwise, the default plugin directory should be the 
executable directory, not the current directory

What version of the product are you using? On what operating system?
sslyze-0.3_src on Linux


Original issue reported on code.google.com by [email protected] on 17 Nov 2011 at 8:29

STARTTLS support?

It would be really nice if sslyze also supported scanning protocols doing 
STARTTLS, e.g. SMTP. Perhaps even Jabber as well.

Original issue reported on code.google.com by [email protected] on 2 Jan 2012 at 1:43

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.