Saturday, July 20, 2019

SSLyze: A Python Tool For Analyzing SSL Configurations

Key features include:
  • Multi-processed and multi-threaded scanning (it’s fast)
  • SSL 2.0/3.0 and TLS 1.0/1.1/1.2 compatibility
  • Performance testing: session resumption and TLS tickets support
  • Security testing: weak cipher suites, insecure renegotiation, CRIME, Heartbleed and more
  • Server certificate validation and revocation checking through OCSP stapling
  • Support for StartTLS handshakes on SMTP, XMPP, LDAP, POP, IMAP, RDP and FTP
  • Support for client certificates when scanning servers that perform mutual authentication
  • XML output to further process the scan results
Source: https://github.com/iSECPartners/sslyze
  • Author: iSECPartners
  • License: GPLv2
Let’s get started.
First, we need to install SSLyze. Before installing SSLyze, we need to install python setuptools using the following command:
pip install --upgrade setuptools

Then we install SSLyze using the following command:
pip install --upgrade sslyze

Then when the installation is completed, you shall see a screen similar to this:


At this level, you managed to successfully install sslyze.
Now, let’s use the tool and find out what it can really do.
To start SSLyze and go to the help menu, simple type the following command:
sslyze -h

To extract the configuration of a particular website, type the following command:
sslyze –-regular www.yahoo.com


(Here, we took www.yahoo.com as an example, you can replace it with any website of your choice)
Your screen should look like that (if you used www.yahoo.com):
You can scroll down your terminal to see what information the tool has extracted.
You can also go back to the help menu and utilize the commands available until you get what you want.