SSLyze
SSLyze is a fast and powerful SSL/TLS scanning tool and Python library.
SSLyze can analyze the SSL/TLS configuration of a server by connecting to it, in order to ensure that it uses strong encryption settings (certificate, cipher suites, elliptic curves, etc.), and that it is not vulnerable to known TLS attacks (Heartbleed, ROBOT, OpenSSL CCS injection, etc.).
Github: https://github.com/nabla-c0d3/sslyze
# 安装
$ python -m pip install sslyze
# 使用
$ python -m sslyze www.baidu.com
> sslyze.exe www.baidu.com
CHECKING CONNECTIVITY TO SERVER(S)
----------------------------------
www.baidu.com:443 => 220.181.38.149
SCAN RESULTS FOR WWW.BAIDU.COM:443 - 220.181.38.149
---------------------------------------------------
* Certificates Information:
Hostname sent for SNI: www.baidu.com
Number of certificates detected: 1
Certificate #0 ( RSAPublicKey )
SHA1 Fingerprint: 9742d59827d62288cf59c3ff75868dd5d312a0af
Common Name: baidu.com
Issuer: GlobalSign RSA OV SSL CA 2018
Serial Number: 26585094245224241434632730821
Not Before: 2023-07-06
Not After: 2024-08-06
Public Key Algorithm: RSAPublicKey
Signature Algorithm: sha256
Key Size: 2048
Exponent: 65537
SubjAltName - DNS Names: ['baidu.com', 'baifubao.com', 'www.baidu.cn', 'www.baidu.com.cn', 'mct.y.nuomi.com', 'apollo.auto', 'dwz.cn', '*.baidu.com', '*.baifubao.com', '*.baidustatic.com', '*.bdstatic.com', '*.bdimg.com', '*.hao123.com', '*.nuomi.com', '*.chuanke.com', '*.trustgo.com', '*.bce.baidu.com', '*.eyun.baidu.com', '*.map.baidu.com', '*.mbd.baidu.com', '*.fanyi.baidu.com', '*.baidubce.com', '*.mipcdn.com', '*.news.baidu.com', '*.baidupcs.com', '*.aipage.com', '*.aipage.cn', '*.bcehost.com', '*.safe.baidu.com', '*.im.baidu.com', '*.baiducontent.com', '*.dlnel.com', '*.dlnel.org', '*.dueros.baidu.com', '*.su.baidu.com', '*.91.com', '*.hao123.baidu.com', '*.apollo.auto', '*.xueshu.baidu.com', '*.bj.baidubce.com', '*.gz.baidubce.com', '*.smartapps.cn', '*.bdtjrcv.com', '*.hao222.com', '*.haokan.com', '*.pae.baidu.com', '*.vd.bdstatic.com', '*.cloud.baidu.com', 'click.hm.baidu.com', 'log.hm.baidu.com', 'cm.pos.baidu.com', 'wn.pos.baidu.com', 'update.pan.baidu.com']
Certificate #0 - Trust
Android CA Store (14.0.0_r9): OK - Certificate is trusted
Apple CA Store (iOS 17, iPadOS 17, macOS 14, tvOS 17, and watchOS 10):OK - Certificate is trusted
Java CA Store (jdk-13.0.2): OK - Certificate is trusted
Mozilla CA Store (2024-02-04): OK - Certificate is trusted
Windows CA Store (2023-12-11): OK - Certificate is trusted
Symantec 2018 Deprecation: OK - Not a Symantec-issued certificate
Received Chain: baidu.com --> GlobalSign RSA OV SSL CA 2018 --> GlobalSign
Verified Chain: baidu.com --> GlobalSign RSA OV SSL CA 2018 --> GlobalSign
Received Chain Contains Anchor: OK - Anchor certificate not sent
Received Chain Order: OK - Order is valid
Verified Chain contains SHA1: OK - No SHA1-signed certificate in the verified certificate chain
Certificate #0 - Extensions
OCSP Must-Staple: NOT SUPPORTED - Extension not found
Certificate Transparency: OK - 3 SCTs included
Certificate #0 - OCSP Stapling
NOT SUPPORTED - Server did not send back an OCSP response
* SSL 2.0 Cipher Suites:
Attempted to connect using 7 cipher suites; the server rejected all cipher suites.
* SSL 3.0 Cipher Suites:
Attempted to connect using 80 cipher suites.
The server accepted the following 1 cipher suites:
TLS_RSA_WITH_RC4_128_SHA 128
The group of cipher suites supported by the server has the following properties:
Forward Secrecy INSECURE - Not Supported
Legacy RC4 Algorithm INSECURE - Supported
* TLS 1.0 Cipher Suites:
Attempted to connect using 80 cipher suites.
The server accepted the following 6 cipher suites:
TLS_RSA_WITH_RC4_128_SHA 128
TLS_RSA_WITH_AES_256_CBC_SHA 256
TLS_RSA_WITH_AES_128_CBC_SHA 128
TLS_ECDHE_RSA_WITH_RC4_128_SHA 128 ECDH: prime256v1 (256 bits)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 ECDH: prime256v1 (256 bits)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 ECDH: prime256v1 (256 bits)
The group of cipher suites supported by the server has the following properties:
Forward Secrecy OK - Supported
Legacy RC4 Algorithm INSECURE - Supported
* TLS 1.1 Cipher Suites:
Attempted to connect using 80 cipher suites.
The server accepted the following 6 cipher suites:
TLS_RSA_WITH_RC4_128_SHA 128
TLS_RSA_WITH_AES_256_CBC_SHA 256
TLS_RSA_WITH_AES_128_CBC_SHA 128
TLS_ECDHE_RSA_WITH_RC4_128_SHA 128 ECDH: prime256v1 (256 bits)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 ECDH: prime256v1 (256 bits)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 ECDH: prime256v1 (256 bits)
The group of cipher suites supported by the server has the following properties:
Forward Secrecy OK - Supported
Legacy RC4 Algorithm INSECURE - Supported
* TLS 1.2 Cipher Suites:
Attempted to connect using 156 cipher suites.
The server accepted the following 7 cipher suites:
TLS_RSA_WITH_RC4_128_SHA 128
TLS_RSA_WITH_AES_256_CBC_SHA 256
TLS_RSA_WITH_AES_128_CBC_SHA 128
TLS_ECDHE_RSA_WITH_RC4_128_SHA 128 ECDH: prime256v1 (256 bits)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 ECDH: prime256v1 (256 bits)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 128 ECDH: prime256v1 (256 bits)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 ECDH: prime256v1 (256 bits)
The group of cipher suites supported by the server has the following properties:
Forward Secrecy OK - Supported
Legacy RC4 Algorithm INSECURE - Supported
* TLS 1.3 Cipher Suites:
Attempted to connect using 5 cipher suites; the server rejected all cipher suites.
* Deflate Compression:
OK - Compression disabled
* OpenSSL CCS Injection:
OK - Not vulnerable to OpenSSL CCS injection
* OpenSSL Heartbleed:
OK - Not vulnerable to Heartbleed
* ROBOT Attack:
OK - Not vulnerable.
* Session Renegotiation:
Client Renegotiation DoS Attack: OK - Not vulnerable
Secure Renegotiation: OK - Supported
* Elliptic Curve Key Exchange:
Supported curves: prime256v1
Rejected curves: X25519, X448, prime192v1, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1, secp224r1, secp256k1, secp384r1, secp521r1, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1
SCANS COMPLETED IN 33.189360 S
------------------------------
COMPLIANCE AGAINST MOZILLA TLS CONFIGURATION
--------------------------------------------
Checking results against Mozilla's "MozillaTlsConfigurationEnum.INTERMEDIATE" configuration. See https://ssl-config.mozilla.org/ for more details.
www.baidu.com:443: FAILED - Not compliant.
* maximum_certificate_lifespan: Certificate life span is 396 days, should be less than 366.
* tls_versions: TLS versions {'TLSv1.1', 'TLSv1', 'SSLv3'} are supported, but should be rejected.
* ciphers: Cipher suites {'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_RSA_WITH_RC4_128_SHA', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_RC4_128_SHA'} are supported, but should be rejected.
$ python -m sslyze 1.1.1.1:443