Analyze SSL Configurations with SSLyze

By | 2014/01/28

The command-line Python app SSLyze is an awesome tool for analyzing the SSL/TLS configuration of a variety of services. This is a great tool to have in your stash.


The GitHub page for SSLyze is:

https://github.com/iSECPartners/sslyze


For example, to test the SSL config on an HTTPS server, try something like this:

$ python sslyze.py --regular example.com:443

$ python sslyze.py --regular scottlinux.com:443



 REGISTERING AVAILABLE PLUGINS
 -----------------------------

  PluginSessionResumption
  PluginCompression
  PluginHSTS
  PluginSessionRenegotiation
  PluginCertInfo
  PluginOpenSSLCipherSuites



 CHECKING HOST(S) AVAILABILITY
 -----------------------------

   scottlinux.com:443                  => 2600:3c01::f03c:91ff:fe96:edba:443



 SCAN RESULTS FOR SCOTTLINUX.COM:443 - 2600:3C01::F03C:91FF:FE96:EDBA:443
 ------------------------------------------------------------------------

  * Compression :
      DEFLATE Compression:               Disabled

  * Session Renegotiation :
      Client-initiated Renegotiations:   Rejected
      Secure Renegotiation:              Supported

  * Certificate - Content :
      SHA1 Fingerprint:                  ab679fbaae46d195f0444b3ec3f5aeccb59fe736
      Common Name:                       scottlinux.com
      Issuer:                            {'countryName': 'US', 'commonName': 'RapidSSL CA', 'organizationName': 'GeoTrust, Inc.'}
      Serial Number:                     0A43C0
      Not Before:                        Jan 24 18:16:35 2013 GMT
      Not After:                         Jan 26 20:17:52 2017 GMT
      Signature Algorithm:               sha1WithRSAEncryption
      Key Size:                          2048 bit
      X509v3 Subject Alternative Name:   {'DNS': ['scottlinux.com']}

  * Certificate - Trust :
      Hostname Validation:               OK - Subject Alternative Name matches
      "Apple - OS X 10.9.0" CA Store:    OK - Certificate is trusted
      "Microsoft - 11/2013" CA Store:    OK - Certificate is trusted
      "Mozilla NSS - 09/2013" CA Store:  OK - Certificate is trusted
      "Java 7 - Update 25" CA Store:     OK - Certificate is trusted

  * Certificate - OCSP Stapling :
      Server did not send back an OCSP response.

  * TLSV1_1 Cipher Suites :

      Rejected Cipher Suite(s): Hidden 

      Preferred Cipher Suite:          
        DHE-RSA-AES256-SHA            256 bits      HTTP 200 OK                        

      Accepted Cipher Suite(s):        
        DHE-RSA-CAMELLIA256-SHA       256 bits      HTTP 200 OK                        
        DHE-RSA-AES256-SHA            256 bits      HTTP 200 OK                        
        CAMELLIA256-SHA               256 bits      HTTP 200 OK                        
        AES256-SHA                    256 bits      HTTP 200 OK                        
        EDH-RSA-DES-CBC3-SHA          168 bits      HTTP 200 OK                        
        DES-CBC3-SHA                  168 bits      HTTP 200 OK                        
        SEED-SHA                      128 bits      HTTP 200 OK                        
        RC4-SHA                       128 bits      HTTP 200 OK                        
        DHE-RSA-SEED-SHA              128 bits      HTTP 200 OK                        
        DHE-RSA-CAMELLIA128-SHA       128 bits      HTTP 200 OK                        
        DHE-RSA-AES128-SHA            128 bits      HTTP 200 OK                        
        CAMELLIA128-SHA               128 bits      HTTP 200 OK                        
        AES128-SHA                    128 bits      HTTP 200 OK                        

  * TLSV1_2 Cipher Suites :

      Rejected Cipher Suite(s): Hidden 

      Preferred Cipher Suite:          
        DHE-RSA-AES256-GCM-SHA384     256 bits      HTTP 200 OK                        

      Accepted Cipher Suite(s):        
        DHE-RSA-CAMELLIA256-SHA       256 bits      HTTP 200 OK                        
        DHE-RSA-AES256-SHA256         256 bits      HTTP 200 OK                        
        DHE-RSA-AES256-SHA            256 bits      HTTP 200 OK                        
        DHE-RSA-AES256-GCM-SHA384     256 bits      HTTP 200 OK                        
        CAMELLIA256-SHA               256 bits      HTTP 200 OK                        
        AES256-SHA256                 256 bits      HTTP 200 OK                        
        AES256-SHA                    256 bits      HTTP 200 OK                        
        AES256-GCM-SHA384             256 bits      HTTP 200 OK                        
        EDH-RSA-DES-CBC3-SHA          168 bits      HTTP 200 OK                        
        DES-CBC3-SHA                  168 bits      HTTP 200 OK                        
        SEED-SHA                      128 bits      HTTP 200 OK                        
        RC4-SHA                       128 bits      HTTP 200 OK                        
        DHE-RSA-SEED-SHA              128 bits      HTTP 200 OK                        
        DHE-RSA-CAMELLIA128-SHA       128 bits      HTTP 200 OK                        
        DHE-RSA-AES128-SHA256         128 bits      HTTP 200 OK                        
        DHE-RSA-AES128-SHA            128 bits      HTTP 200 OK                        
        DHE-RSA-AES128-GCM-SHA256     128 bits      HTTP 200 OK                        
        CAMELLIA128-SHA               128 bits      HTTP 200 OK                        
        AES128-SHA256                 128 bits      HTTP 200 OK                        
        AES128-SHA                    128 bits      HTTP 200 OK                        
        AES128-GCM-SHA256             128 bits      HTTP 200 OK                        

  * TLSV1 Cipher Suites :

      Rejected Cipher Suite(s): Hidden 

      Preferred Cipher Suite:          
        DHE-RSA-AES256-SHA            256 bits      HTTP 200 OK                        

      Accepted Cipher Suite(s):        
        DHE-RSA-CAMELLIA256-SHA       256 bits      HTTP 200 OK                        
        DHE-RSA-AES256-SHA            256 bits      HTTP 200 OK                        
        CAMELLIA256-SHA               256 bits      HTTP 200 OK                        
        AES256-SHA                    256 bits      HTTP 200 OK                        
        EDH-RSA-DES-CBC3-SHA          168 bits      HTTP 200 OK                        
        DES-CBC3-SHA                  168 bits      HTTP 200 OK                        
        SEED-SHA                      128 bits      HTTP 200 OK                        
        RC4-SHA                       128 bits      HTTP 200 OK                        
        DHE-RSA-SEED-SHA              128 bits      HTTP 200 OK                        
        DHE-RSA-CAMELLIA128-SHA       128 bits      HTTP 200 OK                        
        DHE-RSA-AES128-SHA            128 bits      HTTP 200 OK                        
        CAMELLIA128-SHA               128 bits      HTTP 200 OK                        
        AES128-SHA                    128 bits      HTTP 200 OK                        

  * SSLV2 Cipher Suites :

      Rejected Cipher Suite(s): Hidden 

  * Session Resumption :
      With Session IDs:                  Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
      With TLS Session Tickets:          Supported

  * SSLV3 Cipher Suites :

      Rejected Cipher Suite(s): Hidden 



 SCAN COMPLETED IN 7.38 S
 ------------------------
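
As an added example (not part of the original post or of SSLyze itself), the Python below parses a report in the text layout shown above and lists the settings a reviewer would flag: a SHA-1 certificate signature, accepted RC4 or 3DES suites, and any accepted SSLv2/SSLv3 suites. The names `parse_report` and `weak_settings` and the trimmed `SAMPLE_REPORT` are constructed for this illustration.

```python
import re

# Constructed sample in the report layout shown above (trimmed, not a real scan).
SAMPLE_REPORT = """\
  * Certificate - Content :
      Signature Algorithm:               sha1WithRSAEncryption
  * TLSV1_2 Cipher Suites :
      Preferred Cipher Suite:
        DHE-RSA-AES256-GCM-SHA384     256 bits      HTTP 200 OK
      Accepted Cipher Suite(s):
        DHE-RSA-AES256-GCM-SHA384     256 bits      HTTP 200 OK
        DES-CBC3-SHA                  168 bits      HTTP 200 OK
        RC4-SHA                       128 bits      HTTP 200 OK
  * SSLV3 Cipher Suites :
      Rejected Cipher Suite(s): Hidden
"""

SECTION = re.compile(r"^\s*\*\s+(.+?)\s*:\s*$")         # "  * TLSV1_2 Cipher Suites :"
SUITE = re.compile(r"^\s+([A-Z0-9-]+)\s+(\d+) bits\b")   # "  RC4-SHA   128 bits ..."
FIELD = re.compile(r"^\s+([^:]+):\s+(\S.*?)\s*$")        # "  Label:   value"

def parse_report(text):
    """Return ({protocol: [accepted suite names]}, {field label: value})."""
    suites, fields, proto, accepted = {}, {}, None, False
    for line in text.splitlines():
        if m := SECTION.match(line):
            title, accepted = m.group(1), False
            proto = title.split()[0] if title.endswith("Cipher Suites") else None
            if proto:
                suites[proto] = []
        elif line.rstrip().endswith(("Cipher Suite:", "Cipher Suite(s):")):
            # Only the "Accepted" list counts; "Preferred" repeats one of its entries.
            accepted = line.strip().startswith("Accepted")
        elif proto and accepted and (m := SUITE.match(line)):
            suites[proto].append(m.group(1))
        elif not proto and (m := FIELD.match(line)):
            fields[m.group(1)] = m.group(2)
    return suites, fields

def weak_settings(text):
    """List the settings in a report that a reviewer would flag as weak."""
    suites, fields = parse_report(text)
    flags = []
    if fields.get("Signature Algorithm", "").lower().startswith("sha1"):
        flags.append("certificate signed with SHA-1")
    for proto, names in suites.items():
        if proto in ("SSLV2", "SSLV3") and names:
            flags.append(f"{proto} accepted")
        flags += [f"{proto} accepts {n}" for n in names if "RC4" in n or "DES" in n]
    return flags
```

Saving the scan output to a file and passing its contents to `weak_settings` applies the same check to a real report.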
