Home 零对冲(ZeroHedge)每日HackerNews

SSLyze——SSL配置扫描库和命令行工具
SSLyze – SSL configuration scanning library and CLI tool

原始链接: https://github.com/nabla-c0d3/sslyze

SSLyze是一个Python库和命令行工具,用于分析服务器的SSL/TLS配置,以确保强大的加密和漏洞防护。它快速、可靠,并用于大规模服务器扫描。 其主要功能包括:根据已知的攻击(如Heartbleed)和Mozilla的推荐配置(旧版、中间版、现代版)检查证书强度、密码套件和TLS版本支持。它可以轻松集成到CI/CD管道中进行持续监控,如果服务器未能通过合规性检查,则返回非零退出代码。 SSLyze支持HTTP之外的各种协议,例如SMTP、XMPP和FTP。结果可以保存为JSON格式,以便日后分析。安装非常简单,可以通过pip或Docker进行。Python API允许直接从自定义应用程序进行扫描。它采用AGPL许可证。

Hacker News 最新 | 过去 | 评论 | 提问 | 展示 | 招聘 | 提交 登录 SSLyze – SSL 配置扫描库和命令行工具 (github.com/nabla-c0d3) 5 分,来自 Brysonbw,2 小时前 | 隐藏 | 过去 | 收藏 | 讨论 加入我们,参加 6 月 16-17 日在旧金山举办的 AI 初创公司学校! 指导原则 | 常见问题 | 列表 | API | 安全 | 法律 | 申请 YC | 联系我们 搜索:
相关文章
原文

Run Tests Downloads PyPI version Python version

SSLyze is a fast and powerful SSL/TLS scanning tool and Python library.

SSLyze can analyze the SSL/TLS configuration of a server by connecting to it, in order to ensure that it uses strong encryption settings (certificate, cipher suites, elliptic curves, etc.), and that it is not vulnerable to known TLS attacks (Heartbleed, ROBOT, OpenSSL CCS injection, etc.).

  • Focus on speed and reliability: SSLyze is a battle-tested tool that is used to reliably scan hundreds of thousands of servers every day.
  • Easy to operationalize: SSLyze can be directly run from CI/CD, in order to continuously check a server against Mozilla's recommended TLS configuration.
  • Fully documented Python API to run scans directly from any Python application, such as a function deployed to AWS Lambda.
  • Support for scanning non-HTTP servers including SMTP, XMPP, LDAP, POP, IMAP, RDP, Postgres and FTP servers.
  • Results of a scan can easily be saved to a JSON file for later processing.
  • And much more!

On Windows, Linux (x86 or x64) and macOS, SSLyze can be installed directly via pip:

$ pip install --upgrade pip setuptools wheel
$ pip install --upgrade sslyze
$ python -m sslyze www.yahoo.com www.google.com "[2607:f8b0:400a:807::2004]:443"

It can also be used via Docker:

$ docker run --rm -it nablac0d3/sslyze:6.1.0 www.google.com

Lastly, a pre-compiled Windows executable can be downloaded from the Releases page.

A sample script describing how to use the SSLyze's Python API is available at ./api_sample.py.

Full documentation for SSLyze's Python API is available here.

By default, SSLyze will check the server's scan results against Mozilla's recommended "intermediate" TLS configuration, and will return a non-zero exit code if the server is not compliant.

$ python -m sslyze mozilla.com

Checking results against Mozilla's "intermediate" configuration. See https://ssl-config.mozilla.org/ for more details.

mozilla.com:443: OK - Compliant.

The Mozilla configuration to check against can be configured via --mozilla_config={old, intermediate, modern}:

$ python -m sslyze --mozilla_config=modern mozilla.com

Checking results against Mozilla's "modern" configuration. See https://ssl-config.mozilla.org/ for more details.

mozilla.com:443: FAILED - Not compliant.
    * certificate_types: Deployed certificate types are {'rsa'}, should have at least one of {'ecdsa'}.
    * certificate_signatures: Deployed certificate signatures are {'sha256WithRSAEncryption'}, should have at least one of {'ecdsa-with-SHA512', 'ecdsa-with-SHA256', 'ecdsa-with-SHA384'}.
    * tls_versions: TLS versions {'TLSv1.2'} are supported, but should be rejected.
    * ciphers: Cipher suites {'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'} are supported, but should be rejected.

This can be used to easily run an SSLyze scan as a CI/CD step.

To setup a development environment:

$ pip install --upgrade pip setuptools wheel
$ pip install -e . 
$ pip install -r requirements-dev.txt

The tests can then be run using:

Copyright (c) 2025 Alban Diquet

SSLyze is made available under the terms of the GNU Affero General Public License (AGPL). See LICENSE.txt for details and exceptions.

联系我们 contact @ memedata.com