Import Upstream version 3.0.7

# These files are text and should be normalized (convert crlf => lf)
*.py text diff=python
*.pem text
*.txt text
*.md text
---
name: Bug report
about: Create a report to help us improve
---
**Describe the bug**
A clear and concise description of what the bug is.
**To Reproduce**
Steps to reproduce the behavior:
1. Install SSLyze using '...' [e.g. pip, git]
2. Run the following command '....'
3. See error
**Expected behavior**
A clear and concise description of what you expected to happen.
**Python environment (please complete the following information):**
- OS: [e.g. Windows 10, Ubuntu 16.04, macOS Sierra]
- Python version: [e.g. 3.6, 3.7]
**Additional context**
Add any other context about the problem here.
---
name: Feature request
about: Suggest an idea for this project
---
**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
**Describe the solution you'd like**
A clear and concise description of what you want to happen.
**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.
**Additional context**
Add any other context or screenshots about the feature request here.
htmlcov/
.mypy_cache/
.pytest_cache/
.vscode
# Pipenv
requirements.txt
*.py[cod]
# C extensions
*.so
# Packages
*.egg
*.egg-info
dist
build
eggs
parts
bin
var
sdist
develop-eggs
.installed.cfg
lib
lib64
# Installer logs
pip-log.txt
# Unit test / coverage reports
.coverage
.tox
nosetests.xml
#Translations
*.mo
#Mr Developer
.mr.developer.cfg
# Pydev
.project
.pydevproject
#Pycharm
.idea
# OpenSSL DLLs
*.dll
# Tests
*.xml
# Dependencies
nassl/*
.DS_Store
# Certificates
ca/*
*.key
# Sphinx
docs/_build/*
docs/documentation/_sources/*
docs/documentation/.doctrees/*
language: python
python:
- "3.7"
- "3.8"
install:
- pip install pipenv
- pipenv install --dev
script:
- invoke test
# Install SSLyze as a module and run the sample script
- python setup.py install
- cd docs # Switch folder to avoid conflicts between ./sslyze and the installed sslyze module
- python ../api_sample.py
FROM python:3.7-slim
RUN pip install sslyze
ENTRYPOINT ["sslyze"]
CMD ["-h"]
# Include the license file
include LICENSE.txt
include README.md
[[source]]
url = "https://pypi.org/simple"
verify_ssl = true
name = "pypi"
[packages]
nassl = "<3.1.0,>=3.0.0"
cryptography = "<=2.9,>=2.6"
tls-parser = "==1.2.2"
[dev-packages]
mypy = "*"
"flake8" = "*"
invoke = "*"
pytest = "*"
sphinx = "*"
sphinx-rtd-theme = "*"
twine = "*"
sphinx-autodoc-typehints = "*"
black = "==19.10b0"
pytest-cov = "*"
faker = "*"
cx-freeze = "*"
[requires]
python_version = "3.7"
SSLyze
======
[![Build Status](https://travis-ci.org/nabla-c0d3/sslyze.svg?branch=master)](https://travis-ci.org/nabla-c0d3/sslyze)
[![Downloads](https://pepy.tech/badge/sslyze)](https://pepy.tech/badge/sslyze)
[![PyPI version](https://img.shields.io/pypi/v/sslyze.svg)](https://pypi.org/project/sslyze/)
[![Python version](https://img.shields.io/pypi/pyversions/sslyze.svg)](https://pypi.org/project/sslyze/)
SSLyze is a fast and powerful SSL/TLS scanning library.
It allows you to analyze the SSL/TLS configuration of a server by connecting to it, in order to detect various
issues (bad certificate, weak cipher suites, Heartbleed, ROBOT, TLS 1.3 support, etc.).
SSLyze can either be used as command line tool or as a Python library.
Key features
------------
* Fully [documented Python API](https://nabla-c0d3.github.io/sslyze/documentation/), in order to run scans and process
the results directly from Python.
* Support for TLS 1.3 and early data (0-RTT) testing.
* Scans are automatically dispatched among multiple workers, making them very fast.
* Performance testing: session resumption and TLS tickets support.
* Security testing: weak cipher suites, insecure renegotiation, ROBOT, Heartbleed and more.
* Server certificate validation and revocation checking through OCSP stapling.
* Support for StartTLS handshakes on SMTP, XMPP, LDAP, POP, IMAP, RDP, PostgreSQL and FTP.
* Scan results can be written to a JSON file for further processing.
* And much more!
Quick start
-----------
SSLyze can be installed directly via pip:
$ pip install --upgrade setuptools
$ pip install --upgrade sslyze
$ python -m sslyze --regular www.yahoo.com:443 www.google.com "[2607:f8b0:400a:807::2004]:443"
Documentation
-------------
Documentation is [available here][documentation].
License
-------
Copyright (c) 2020 Alban Diquet
SSLyze is made available under the terms of the GNU Affero General Public License (AGPL). See LICENSE.txt for details and exceptions.
[documentation]: https://nabla-c0d3.github.io/sslyze/documentation
from sslyze import (
    ServerNetworkLocationViaDirectConnection,
    ServerConnectivityTester,
    Scanner,
    ServerScanRequest,
    ScanCommand,
)
from sslyze.errors import ConnectionToServerFailed


def main() -> None:
    # First validate that we can connect to the servers we want to scan
    servers_to_scan = []
    for hostname in ["cloudflare.com", "google.com"]:
        server_location = ServerNetworkLocationViaDirectConnection.with_ip_address_lookup(hostname, 443)
        try:
            server_info = ServerConnectivityTester().perform(server_location)
            servers_to_scan.append(server_info)
        except ConnectionToServerFailed as e:
            print(f"Error connecting to {server_location.hostname}:{server_location.port}: {e.error_message}")
            return

    scanner = Scanner()

    # Then queue some scan commands for each server
    for server_info in servers_to_scan:
        server_scan_req = ServerScanRequest(
            server_info=server_info, scan_commands={ScanCommand.CERTIFICATE_INFO, ScanCommand.SSL_2_0_CIPHER_SUITES},
        )
        scanner.queue_scan(server_scan_req)

    # Then retrieve the result of the scan commands for each server
    for server_scan_result in scanner.get_results():
        print(f"\nResults for {server_scan_result.server_info.server_location.hostname}:")

        # Scan commands that were run with no errors
        try:
            ssl2_result = server_scan_result.scan_commands_results[ScanCommand.SSL_2_0_CIPHER_SUITES]
            print("\nAccepted cipher suites for SSL 2.0:")
            for accepted_cipher_suite in ssl2_result.accepted_cipher_suites:
                print(f"* {accepted_cipher_suite.cipher_suite.name}")
        except KeyError:
            pass

        try:
            certinfo_result = server_scan_result.scan_commands_results[ScanCommand.CERTIFICATE_INFO]
            print("\nCertificate info:")
            for cert_deployment in certinfo_result.certificate_deployments:
                print(f"Leaf certificate: \n{cert_deployment.received_certificate_chain_as_pem[0]}")
        except KeyError:
            pass

        # Scan commands that were run with errors
        for scan_command, error in server_scan_result.scan_commands_errors.items():
            print(f"\nError when running {scan_command}:\n{error.exception_trace}")


if __name__ == "__main__":
    main()
from sslyze import (
    ServerNetworkLocationViaDirectConnection,
    ServerConnectivityTester,
    Scanner,
    ServerScanRequest,
    ScanCommand,
)
from sslyze.errors import ConnectionToServerFailed


def basic_example_connectivity_testing() -> None:
    # Define the server that you want to scan
    server_location = ServerNetworkLocationViaDirectConnection.with_ip_address_lookup("www.google.com", 443)

    # Do connectivity testing to ensure SSLyze is able to connect
    try:
        server_info = ServerConnectivityTester().perform(server_location)
    except ConnectionToServerFailed as e:
        # Could not connect to the server; abort
        print(f"Error connecting to {server_location}: {e.error_message}")
        return
    print(f"Connectivity testing completed: {server_info}")


def basic_example() -> None:
    # Define the server that you want to scan
    server_location = ServerNetworkLocationViaDirectConnection.with_ip_address_lookup("www.google.com", 443)

    # Do connectivity testing to ensure SSLyze is able to connect
    try:
        server_info = ServerConnectivityTester().perform(server_location)
    except ConnectionToServerFailed as e:
        # Could not connect to the server; abort
        print(f"Error connecting to {server_location}: {e.error_message}")
        return

    # Then queue some scan commands for the server
    scanner = Scanner()
    server_scan_req = ServerScanRequest(
        server_info=server_info, scan_commands={ScanCommand.CERTIFICATE_INFO, ScanCommand.SSL_2_0_CIPHER_SUITES},
    )
    scanner.queue_scan(server_scan_req)

    # Then retrieve the results
    for server_scan_result in scanner.get_results():
        print(f"\nResults for {server_scan_result.server_info.server_location.hostname}:")

        # SSL 2.0 results
        ssl2_result = server_scan_result.scan_commands_results[ScanCommand.SSL_2_0_CIPHER_SUITES]
        print("\nAccepted cipher suites for SSL 2.0:")
        for accepted_cipher_suite in ssl2_result.accepted_cipher_suites:
            print(f"* {accepted_cipher_suite.cipher_suite.name}")

        # Certificate info results
        certinfo_result = server_scan_result.scan_commands_results[ScanCommand.CERTIFICATE_INFO]
        print("\nCertificate info:")
        for cert_deployment in certinfo_result.certificate_deployments:
            print(f"Leaf certificate: \n{cert_deployment.received_certificate_chain_as_pem[0]}")
Appendix: Scan Commands
#######################
Every type of scan that SSLyze can run against a server (supported cipher suites, session renegotiation, etc.) is
represented by a ``ScanCommand``, which, when run against a server, will return a specific result.
This page lists all the ``ScanCommand`` and their corresponding results available in the current release of SSLyze.
For an example on how to run a ``ScanCommand``, see :doc:`/running-scan-commands`.
.. contents::
:depth: 2
The following scan commands are available in the current version of SSLyze:
.. module:: sslyze
.. autoclass:: ScanCommand
:members:
:undoc-members:
The next sections describe the result class that corresponds to each scan command.
Certificate Information
***********************
**ScanCommand.CERTIFICATE_INFO**: Retrieve and analyze a server's certificate(s) to verify its validity.
Optional arguments
==================
.. autoclass:: CertificateInfoExtraArguments
Result class
============
.. autoclass:: CertificateInfoScanResult
.. autoclass:: CertificateDeploymentAnalysisResult
.. autoclass:: PathValidationResult
.. autoclass:: TrustStore
.. autoclass:: OcspResponse
.. autoclass:: OcspResponseStatusEnum
:members:
:undoc-members:
Cipher Suites
*************
**ScanCommand.SSL_2_0_CIPHER_SUITES**: Test a server for SSL 2.0 support.
**ScanCommand.SSL_3_0_CIPHER_SUITES**: Test a server for SSL 3.0 support.
**ScanCommand.TLS_1_0_CIPHER_SUITES**: Test a server for TLS 1.0 support.
**ScanCommand.TLS_1_1_CIPHER_SUITES**: Test a server for TLS 1.1 support.
**ScanCommand.TLS_1_2_CIPHER_SUITES**: Test a server for TLS 1.2 support.
**ScanCommand.TLS_1_3_CIPHER_SUITES**: Test a server for TLS 1.3 support.
Result class
============
.. autoclass:: CipherSuitesScanResult
.. autoclass:: CipherSuiteRejectedByServer
.. autoclass:: CipherSuiteAcceptedByServer
.. autoclass:: EphemeralKeyInfo
.. autoclass:: CipherSuite
.. autoclass:: TlsVersionEnum
:members:
:undoc-members:
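The accepted-suite list in ``CipherSuitesScanResult`` is raw data; deciding which of those suites are a problem is left to the caller. The block below is an added example, not SSLyze code, of a small policy check over the IANA-style suite names that ``CipherSuite.name`` carries, combined with the protocol version from ``tls_version_used``. The sample suite lists are constructed, and ``evaluate_sslyze_result`` assumes those two attribute names from the 3.0 result classes listed above; everything else runs offline.

```python
"""Policy check over the cipher suites a server accepted for one TLS version.

Added example (not part of SSLyze). Works on IANA-style suite names such as
"TLS_RSA_WITH_RC4_128_SHA", which is what SSLyze's CipherSuite.name carries.
"""
from typing import Dict, Iterable, List

# Protocol versions that should not be enabled at all; names match TlsVersionEnum.
LEGACY_VERSIONS = {"SSL_2_0", "SSL_3_0", "TLS_1_0", "TLS_1_1"}

# Token in the "_"-split suite name -> finding. Order determines output order.
_TOKEN_FINDINGS = {
    "NULL": "NULL cipher (no encryption)",
    "EXPORT": "export-grade key size",
    "anon": "anonymous key exchange (no server authentication)",
    "RC4": "RC4 stream cipher",
    "3DES": "3DES (64-bit block, Sweet32)",
    "DES": "single DES",
    "MD5": "MD5-based MAC",
}

# Key-exchange prefixes that give forward secrecy (anonymous DH is ephemeral
# too; it is already flagged above for lacking authentication).
_EPHEMERAL_KX = ("DHE", "ECDHE", "DH_anon", "ECDH_anon")


def classify_cipher_suite(name: str) -> List[str]:
    """Return the list of weaknesses found in one suite name (empty = acceptable)."""
    findings = []
    tokens = name.split("_")
    for token, finding in _TOKEN_FINDINGS.items():
        if token in tokens:
            findings.append(finding)
    # TLS 1.3 names ("TLS_AES_128_GCM_SHA256") carry no key exchange, since every
    # TLS 1.3 exchange is ephemeral; SSL 2.0 names ("SSL_CK_...") are legacy anyway.
    if name.startswith("TLS_") and "_WITH_" in name:
        key_exchange = name[len("TLS_"):].split("_WITH_", 1)[0]
        if not key_exchange.startswith(_EPHEMERAL_KX):
            findings.append("no forward secrecy (static key exchange)")
    return findings


def evaluate_scan(tls_version: str, accepted_suite_names: Iterable[str]) -> Dict[str, List[str]]:
    """Map each problematic item to its findings for one protocol version.

    tls_version is a TlsVersionEnum member name ("TLS_1_0", ...). A legacy
    version that accepted anything at all is reported under its own name;
    each weak suite is reported under the suite name.
    """
    report: Dict[str, List[str]] = {}
    names = list(accepted_suite_names)
    if names and tls_version in LEGACY_VERSIONS:
        report[tls_version] = [f"legacy protocol {tls_version} enabled ({len(names)} suites accepted)"]
    for name in names:
        findings = classify_cipher_suite(name)
        if findings:
            report[name] = findings
    return report


def evaluate_sslyze_result(result) -> Dict[str, List[str]]:
    """Adapter for a CipherSuitesScanResult; attribute names assumed from the 3.0 API."""
    return evaluate_scan(
        result.tls_version_used.name,
        (accepted.cipher_suite.name for accepted in result.accepted_cipher_suites),
    )


# Constructed samples, modelled on what a legacy host and a modern host might accept.
SAMPLE_TLS_1_0 = [
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]
SAMPLE_TLS_1_3 = ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"]

if __name__ == "__main__":
    for version, suites in (("TLS_1_0", SAMPLE_TLS_1_0), ("TLS_1_3", SAMPLE_TLS_1_3)):
        for item, findings in evaluate_scan(version, suites).items():
            print(f"{version} {item}: {'; '.join(findings)}")
```

Run it against a real scan by calling ``evaluate_sslyze_result`` on each ``CipherSuitesScanResult`` pulled out of ``server_scan_result.scan_commands_results``, one per ``TLS_1_x_CIPHER_SUITES`` command you queued; an empty dict for every version is the pass condition.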
ROBOT
*****
**ScanCommand.ROBOT**: Test a server for the ROBOT vulnerability.
Result class
============
.. autoclass:: RobotScanResult
.. autoclass:: RobotScanResultEnum
:members:
:undoc-members:
Session Resumption Support
**************************
**ScanCommand.SESSION_RESUMPTION**: Test a server for session resumption support using session IDs and TLS tickets.
Result class
============
.. autoclass:: SessionResumptionSupportScanResult
Session Resumption Rate
***********************
**ScanCommand.SESSION_RESUMPTION_RATE**: Measure a server's session resumption rate when attempting 100 resumptions using session IDs.
Result class
============
.. autoclass:: SessionResumptionRateScanResult
CRIME
*****
**ScanCommand.TLS_COMPRESSION**: Test a server for TLS compression support, which can be leveraged to perform a CRIME attack.
Result class
============
.. autoclass:: CompressionScanResult
TLS 1.3 Early Data
******************
**ScanCommand.TLS_1_3_EARLY_DATA**: Test the server(s) for TLS 1.3 early data support.
Result class
============
.. autoclass:: EarlyDataScanResult
Downgrade Prevention
********************
**ScanCommand.TLS_FALLBACK_SCSV**: Test a server for the TLS_FALLBACK_SCSV mechanism to prevent downgrade attacks.
Result class
============
.. autoclass:: FallbackScsvScanResult
Heartbleed
**********
**ScanCommand.HEARTBLEED**: Test a server for the OpenSSL Heartbleed vulnerability.
Result class
============
.. autoclass:: HeartbleedScanResult
HTTP Security Headers
*********************
**ScanCommand.HTTP_HEADERS**: Test a server for the presence of security-related HTTP headers.
Result class
============
.. autoclass:: HttpHeadersScanResult
.. autoclass:: StrictTransportSecurityHeader
.. autoclass:: PublicKeyPinsHeader
.. autoclass:: ExpectCtHeader
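``StrictTransportSecurityHeader`` exposes the parsed ``max-age``, ``includeSubDomains`` and ``preload`` directives, but not whether the policy they describe is adequate. The block below is an added example, not SSLyze code, that parses a raw header value following the RFC 6797 rules (directive names are case-insensitive, the ``max-age`` value may be quoted, ``max-age`` is mandatory, a repeated directive invalidates the whole header, unknown directives are ignored) and grades the result. The header values are constructed; the one-year threshold is the value browser preload lists require.

```python
"""Parse and grade a Strict-Transport-Security header value (RFC 6797).

Added example (not part of SSLyze); runs offline on constructed header values.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ONE_YEAR = 365 * 24 * 3600

# delta-seconds, optionally wrapped in double quotes as the RFC grammar allows.
_MAX_AGE_RE = re.compile(r'^"?(\d+)"?$')


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse one header value; raise ValueError where a browser would discard it."""
    seen = set()
    max_age: Optional[int] = None
    include_subdomains = preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip()
        if name in seen:
            # RFC 6797 6.1: a directive given twice makes the header invalid.
            raise ValueError(f"directive repeated: {name}")
        seen.add(name)
        if name == "max-age":
            match = _MAX_AGE_RE.match(value)
            if not match:
                raise ValueError(f"bad max-age value: {value!r}")
            max_age = int(match.group(1))
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # Anything else is an unknown directive and is ignored, as clients must.
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def assess_hsts(header_value: Optional[str]) -> List[str]:
    """Return findings for a header value; None means the header was absent."""
    if header_value is None:
        return ["no Strict-Transport-Security header: every first visit is downgradable"]
    try:
        policy = parse_hsts(header_value)
    except ValueError as exc:
        return [f"invalid HSTS header ({exc}); browsers will ignore it"]
    if policy.max_age == 0:
        # max-age=0 is the documented way to revoke a policy, not to set one.
        return ["max-age=0 disables HSTS and clears any cached policy"]
    findings = []
    if policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age}s is below the one-year value preload lists require")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains, and cookies scoped to them, stay downgradable")
    if policy.preload and (not policy.include_subdomains or policy.max_age < ONE_YEAR):
        findings.append("preload asserted but its preconditions (one-year max-age, includeSubDomains) are not met")
    return findings


# Constructed header values covering the good case and the common mistakes.
SAMPLE_HEADERS = {
    "good": "max-age=31536000; includeSubDomains; preload",
    "short": "max-age=300",
    "revoked": "max-age=0",
    "broken": "includeSubDomains",
    "duplicate": "max-age=10; max-age=20",
}

if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        print(f"{label}: {assess_hsts(value) or ['ok']}")
```

When wiring this to SSLyze, the raw header is not exposed by ``HttpHeadersScanResult``, so apply the grading step to the already-parsed ``StrictTransportSecurityHeader`` fields instead; the parser is here to make the acceptance rules explicit.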
OpenSSL CCS Injection
*********************
**ScanCommand.OPENSSL_CCS_INJECTION**: Test a server for the OpenSSL CCS Injection vulnerability (CVE-2014-0224).
Result class
============
.. autoclass:: OpenSslCcsInjectionScanResult
Insecure Renegotiation
**********************
**ScanCommand.SESSION_RENEGOTIATION**: Test a server for insecure TLS renegotiation and client-initiated renegotiation.
Result class
============
.. autoclass:: SessionRenegotiationScanResult
# -*- coding: utf-8 -*-
#
# sslyze documentation build configuration file, created by
# sphinx-quickstart on Sun Jan 15 12:41:02 2017.
#
# This file is execfile()d with the current directory set to its
# containing dir.
#
# Note that not all possible configuration values are present in this
# autogenerated file.
#
# All configuration values have a default; values that are commented out
# serve to show the default.
# If extensions (or modules to document with autodoc) are in another directory,
# add these directories to sys.path here. If the directory is relative to the
# documentation root, use os.path.abspath to make it absolute, like shown here.
#
import os
import sys
# Add sslyze to the path
sys.path.insert(0, os.path.abspath('..'))
from sslyze import __version__ # noqa: E402
# -- General configuration ------------------------------------------------
# If your documentation needs a minimal Sphinx version, state it here.
#
# needs_sphinx = '1.0'
# Add any Sphinx extension module names here, as strings. They can be
# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
# ones.
extensions = [
'sphinx.ext.autodoc',
'sphinx.ext.napoleon',
'sphinx_autodoc_typehints'
]
# Add any paths that contain templates here, relative to this directory.
templates_path = ['_templates']
# The suffix(es) of source filenames.
# You can specify multiple suffix as a list of string:
#
# source_suffix = ['.rst', '.md']
source_suffix = '.rst'
# The master toctree document.
master_doc = 'index'
# General information about the project.
project = __version__.__title__
copyright = __version__.__copyright__
author = __version__.__author__
# The version info for the project you're documenting, acts as replacement for
# |version| and |release|, also used in various other places throughout the
# built documents.
#
# The short X.Y version.
version = __version__.__version__
# The full version, including alpha/beta/rc tags.
release = version
# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
#
# This is also used if you do content translation via gettext catalogs.
# Usually you set "language" from the command line for these cases.
language = None
# List of patterns, relative to source directory, that match files and
# directories to ignore when looking for source files.
# This patterns also effect to html_static_path and html_extra_path
exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store']
# The name of the Pygments (syntax highlighting) style to use.
pygments_style = 'sphinx'
# If true, `todo` and `todoList` produce output, else they produce nothing.
todo_include_todos = False
# -- Options for HTML output ----------------------------------------------
# The theme to use for HTML and HTML Help pages. See the documentation for
# a list of builtin themes.
#
html_theme = "alabaster"
# Theme options are theme-specific and customize the look and feel of a theme
# further. For a list of options available for each theme, see the
# documentation.
#
# html_theme_options = {}