rohithadassanayake / sslyze
Automatically exported from code.google.com/p/sslyze
using --regular and --https_tunnel I received timeouts whereas everything
returned fine
Unhandled exception when processing --reneg:
socket.timeout - timed out
Unhandled exception when processing --certinfo:
socket.timeout - timed out
I can connect to another host using this proxy and both of the above options
return fine.
I had a fiddle within the code, it's basically bombing out on
ssl_connect.connect() within _get_cert().
I had a fiddle with the SSL_CTX settings, None causes it to timeout, tlsv1_2
causes a timeout, tlsv1_1 causes:
Unhandled exception when processing --certinfo:
utils.CtSSLHelper.SSLHandshakeRejected - SSL Wrong version
and SSLv3 works fine...
None appears to be attempting TLSv1.2 from the captured packets.
The server does negotiate at some levels on TLS1.2 when I use --tlsv1_2.
The following fix attempts SSLv3 if the original attempt fails:
    try:  # Perform the SSL handshake
        ssl_connect.connect()
        cert = ssl_connect.ssl.get_peer_certificate()
    except Exception:
        ssl_connect.close()
        ssl_ctx = SSL_CTX.SSL_CTX('sslv3')
        ssl_connect = self._create_ssl_connection(self.target, ssl_ctx=ssl_ctx)
        if verify_cert:
            ssl_connect.ssl_ctx.load_verify_locations(TRUSTED_CA_STORE)
            ssl_connect.ssl.set_verify(constants.SSL_VERIFY_PEER)
        ssl_connect.connect()
        cert = ssl_connect.ssl.get_peer_certificate()
I haven't tried this for renegotiate checks, but it may be worthwhile
explicitly attempting a CTX value if the initial SSL negotiation times out due
to some reason?
Original issue reported on code.google.com by [email protected]
on 27 Jun 2012 at 12:40
OpenSSL 1.0.1 is almost out and brings support for TLS 1.1 and 1.2.
Add support for that in the cipher suite scanning module.
Create Windows packages with OpenSSL 1.0.1 included.
This will likely be released as SSLyze 0.4.
Original issue reported on code.google.com by [email protected]
on 12 Dec 2011 at 8:07
Sending an HTTP GET (using --http_get) to an IIS server causes the server to
send back an HTTP 400 Bad Request. It has to do with the way the SSL handshake
is performed and how the encrypted data is sent, as the GET request itself is
pretty standard.
Original issue reported on code.google.com by [email protected]
on 7 May 2012 at 1:17
Latest version from source:
PluginCertInfo.py line 127
trust_xml.extend(cert_xml)
Gives an exception when run with the following options
./sslyze.py --certinfo=basic google.com
Unhandled exception when processing --certinfo:
exceptions.AttributeError - _ElementInterface instance has no attribute 'extend'
(nb the line number would be really handy when debugging :)
Original issue reported on code.google.com by [email protected]
on 4 Jul 2012 at 11:12
See title.
Original issue reported on code.google.com by [email protected]
on 7 May 2012 at 1:26
Add support for CONNECT proxies and add a --proxy option.
Original issue reported on code.google.com by [email protected]
on 7 Nov 2011 at 3:27
What steps will reproduce the problem?
1. cd to the directory containing sslyze
2. run: sslyze --help
3. notice the help for the plugins
4. cd to a different directory
5. run: sslyze --help
6. notice no mention of the plugins
What is the expected output? What do you see instead?
Unless specified otherwise, the default plugin directory should be the
executable directory, not the current directory
What version of the product are you using? On what operating system?
sslyze-0.3_src on Linux
Original issue reported on code.google.com by [email protected]
on 17 Nov 2011 at 8:29
$python sslyze.py --reneg www.serverxyz.de:443
I get the following error message:
* Session Renegotiation :
OpenSSL version is 0.9.8l or earlier. Can't test for insecure renegotiation.
Update OpenSSL to 0.9.8m+.
When I check the version of OpenSSL:
$OpenSSL> version
$OpenSSL 1.0.0e 6 Sep 2011
$OpenSSL>
Any clues?
Original issue reported on code.google.com by [email protected]
on 3 Jan 2012 at 12:35
The shebang of "#!/usr/bin/env python" must be the first line of the sslyze
script to work when not called directly with the python interpreter. Currently
it is below the description/copyright statement. svn diff follows:
Index: sslyze.py
===================================================================
--- sslyze.py (revision 146)
+++ sslyze.py (working copy)
@@ -1,3 +1,4 @@
+#!/usr/bin/env python
#-------------------------------------------------------------------------------
# Name: sslyze.py
# Purpose: Main module of SSLyze.
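Review bot: on the added first line, "#!/usr/bin/env python" runs whichever python is first on PATH, and it only takes effect when sslyze.py has the execute bit set. Consider setting the svn:executable property in the same commit, since a property change would not show up in this diff, and stating the minimum supported Python version in the header comment just below the new line.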
@@ -19,7 +20,6 @@
# You should have received a copy of the GNU General Public License
# along with SSLyze. If not, see <http://www.gnu.org/licenses/>.
#-------------------------------------------------------------------------------
-#!/usr/bin/env python
Original issue reported on code.google.com by [email protected]
on 10 Jan 2012 at 11:41
What steps will reproduce the problem?
1. Just download the zip to any linux server
2. Execute "python sslyze.py"
3. See the error message
What is the expected output? What do you see instead?
Expected output was at least usage message or syntax
Actually got:
Client-89.85 # python sslyze.py
File "sslyze.py", line 71
except Exception as e:
^
SyntaxError: invalid syntax
Client-89.85 #
What version of the product are you using? On what operating system?
Client-89.85 # python -V
Python 2.3.4
Client-89.85 #uname -a
Linux localhost.localdomain 2.6.9-67.ELsmp #1 SMP Fri Nov 16 12:48:03 EST 2007
i686 i686 i386 GNU/Linux
Client-89.85 #
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 25 Nov 2011 at 11:30
Is it possible to get an option to have XML output? (like sslscan)
Thanks in advance.
Original issue reported on code.google.com by [email protected]
on 2 Feb 2012 at 4:22
What steps will reproduce the problem?
1. Run sslyze with --regular
2. Get errors like:
Unhandled exception when processing --resum:
<type 'exceptions.AttributeError'>: /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0:
undefined symbol: SSLv2_method
What is the expected output? What do you see instead?
No errors. Results.
What version of the product are you using? On what operating system?
0.3. OpenSSL 1.0.0e-2.1 from Debian unstable. Most distributions are now
shipping OpenSSL with SSLv2 disabled.
Original issue reported on code.google.com by [email protected]
on 18 Nov 2011 at 6:28
What steps will reproduce the problem?
1. Run sslyze against paypal.com
Changes output from:
AES256-SHA 256 bits HTTP 301 Moved Permanently
to:
AES256-SHA 256 bits HTTP 301 Moved Permanently (https://www.paypal.com/)
What version of the product are you using? On what operating system?
0.4 Linux
Original issue reported on code.google.com by [email protected]
on 28 Jun 2012 at 7:42
Getting
PluginCertInfo - Import Error: Could not load OpenSSL 1.0.0 or 0.9.8.
PluginOpenSSLCipherSuites - Import Error: Could not load OpenSSL 1.0.0 or 0.9.8.
PluginSessionResumption - Import Error: Could not load OpenSSL 1.0.0 or 0.9.8.
PluginSessionRenegotiation - Import Error: Could not load OpenSSL 1.0.0 or
0.9.8.
when run on Fedora 16 x64 (probably also other Fedora versions)
The naming of the libs does not match for Fedora since they have the f at the end.
/lib64/libcrypto.so.1.0.0f
/usr/lib64/libssl.so.1.0.0f
Seems to be working when doing this (but will break others),
so Fedora will have to be identified by more than sys.platform
--- load_openssl.py 2012-01-13 10:16:30.039579016 +0100
+++ load_openssl.py 2012-01-13 10:19:52.184123497 +0100
@@ -51,8 +51,8 @@
libssl_0_9_8 = 'ssleay32'
elif sys.platform == 'linux2': # Any Linux
- libcrypto_1_0_0 = 'libcrypto.so.1.0.0'
- libssl_1_0_0 = 'libssl.so.1.0.0'
+ libcrypto_1_0_0 = 'libcrypto.so.1.0.0f'
+ libssl_1_0_0 = 'libssl.so.1.0.0f'
libcrypto_0_9_8 = 'libcrypto.so.0.9.8'
libssl_0_9_8 = 'libssl.so.0.9.8'
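Review bot: the two changed assignments under the 'linux2' branch replace the generic 'libcrypto.so.1.0.0' and 'libssl.so.1.0.0' names with the Fedora-only '...1.0.0f' ones, so every other Linux distribution loses its 1.0.0 match. Rather than swapping the strings, keep the original names and try a list of candidates in order (the '1.0.0' name first, then '1.0.0f'), falling through to 0.9.8 only when none loads; that also avoids having to detect Fedora separately from sys.platform.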
Original issue reported on code.google.com by [email protected]
on 13 Jan 2012 at 9:26
Scanning for cipher suites takes too much space in the output.
There's probably too much info displayed anyway. Improve that.
Original issue reported on code.google.com by [email protected]
on 7 Nov 2011 at 3:28
What steps will reproduce the problem?
1. I am using Ubuntu 10.04 LTS Server
2. I installed openssl 1.0.0g manually to be able to check renegotiation
3. ./config --prefix=/usr/local/ssl-1.0.0g shared enable-zlib enable-camellia
enable-md2 enable-rc5 enable-threads enable-resolv
4. Create symbolic links to libssl and libcrypto within /usr/local/lib
What is the expected output? What do you see instead?
sslyze hangs (both the svn and the release 0.3) completely at the moment it
tries to use the new openssl library - the built-in 0.9.8 is working (switchover
possible by removing the symbolic links), but fails with renegotiation checks
Ctrl+C output is:
Traceback (most recent call last):
File "sslyze.py", line 203, in <module>
main()
File "sslyze.py", line 178, in main
result = result_queue.get()
File "/usr/lib/python2.6/multiprocessing/queues.py", line 91, in get
res = self._recv()
KeyboardInterrupt
$ python --version
Python 2.6.5
Original issue reported on code.google.com by [email protected]
on 2 Feb 2012 at 1:20
What steps will reproduce the problem?
run sslyze with --certinfo=basic on a site with an invalid cert.
Unhandled exception when processing --certinfo:
exceptions.TypeError - _get_cert() takes at least 2 arguments (2 given)
plugins/PluginCertInfo.py:100 is missing the target parameter in the call to
_get_cert()
Original issue reported on code.google.com by [email protected]
on 29 Jun 2012 at 10:41
Trying "python sslyze.py --regular www.cacert.org:443" on my OSX machine with
CAcert in the OS trust store, I get:
Validation w/ Mozilla's CA Store: Certificate is Trusted
which is invalid, as CAcert is not in the Mozilla CA store.
Original issue reported on code.google.com by [email protected]
on 27 Mar 2012 at 8:55
Right now the server's certificate is verified using Mozilla's trust store.
However, the hostname that's on the certificate is not validated against the
server's hostname.
Use this:
http://pypi.python.org/pypi/backports.ssl_match_hostname/
Original issue reported on code.google.com by [email protected]
on 7 May 2012 at 1:23
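The missing check described in the issue above, as an added example (not SSLyze code and not the backports.ssl_match_hostname implementation): a DNS-name match in the style of RFC 6125 over a certificate dict shaped like the output of Python's ssl getpeercert(). The function names and sample certificates are constructed for illustration, and IP-address SANs are out of scope.

```python
# Added illustration: RFC 6125-style DNS name check on a certificate dict
# shaped like the output of Python's ssl.SSLSocket.getpeercert().

def _label_match(pattern, hostname):
    """Compare one presented name against the hostname, label by label."""
    p_labels = pattern.lower().rstrip('.').split('.')
    h_labels = hostname.lower().rstrip('.').split('.')
    if len(p_labels) != len(h_labels):
        return False          # '*' never spans more than one label
    first, rest = p_labels[0], p_labels[1:]
    if rest != h_labels[1:]:
        return False
    if first == '*':
        # Require at least two fixed labels so '*.com' is rejected.
        return len(rest) >= 2 and h_labels[0] != ''
    if '*' in first:
        return False          # partial wildcards (f*o) are refused here
    return first == h_labels[0]


def hostname_matches(cert, hostname):
    """True if hostname is covered by the certificate's DNS names."""
    san = [v for (k, v) in cert.get('subjectAltName', ()) if k == 'DNS']
    if san:
        names = san           # CN is ignored once any dNSName SAN exists
    else:
        names = [v for rdn in cert.get('subject', ())
                 for (k, v) in rdn if k == 'commonName']
    return any(_label_match(n, hostname) for n in names)


# Constructed sample certificates (not taken from any real server).
TRUSTED_BUT_WRONG_HOST = {
    'subject': ((('commonName', 'www.example.org'),),),
    'subjectAltName': (('DNS', 'www.example.org'), ('DNS', '*.cdn.example.org')),
}
CN_ONLY = {'subject': ((('commonName', 'mail.example.net'),),)}

if __name__ == '__main__':
    for host in ('www.example.org', 'a.cdn.example.org', 'evil.example.com'):
        print(host, hostname_matches(TRUSTED_BUT_WRONG_HOST, host))
```

A certificate can chain to a trusted root and still fail this check, which is why a scanner should report chain trust and hostname match as separate results.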
TLS now supports extensions, some of which have impact on security; for example
OCSP Stapling makes it possible for a client to reliably get the revocation
status of the server's certificate.
OpenSSL v0.9.8h added support for this extension, if you pass -status it checks
it.
The Comodo SSL Scanner includes a check for this:
https://sslanalyzer.comodoca.com/?url=LOGIN.LIVE.COM
It would also be helpful to check for other extensions like SNI since it's
needed to manage v4 address depletion until v6 is fully viable.
Original issue reported on code.google.com by [email protected]
on 29 Mar 2012 at 4:02
sslyze-read-only$ uname -a
Linux VB-FR976R1-UBUNTU 2.6.32-41-generic #88-Ubuntu SMP Thu Mar 29 13:08:43
UTC 2012 i686 GNU/Linux
sslyze-read-only$ python --version
Python 2.6.5
sslyze-read-only$ ./sslyze.py --tlsv1_1 --http_get wwwwwwww.wwwwwwww.com
REGISTERING AVAILABLE PLUGINS
-----------------------------
PluginEmpty - OK
PluginCertInfo - OK
PluginSessionResumption - OK
PluginSessionRenegotiation - OK
PluginOpenSSLCipherSuites - OK
CHECKING HOST(S) AVAILABILITY
-----------------------------
wwwwwwww.wwwwwwww.com:443 => XXX.XXX.XXX.XXX:443
Traceback (most recent call last):
File "/usr/lib/python2.6/multiprocessing/queues.py", line 242, in _feed
send(obj)
PicklingError: Can't pickle plugins.PluginBase.PluginResult: it's not the same
object as plugins.PluginBase.PluginResult
Original issue reported on code.google.com by [email protected]
on 16 May 2012 at 8:35
It would be really nice if sslyze also supported scanning protocols doing
STARTTLS, e.g. SMTP. Perhaps even Jabber as well.
Original issue reported on code.google.com by [email protected]
on 2 Jan 2012 at 1:43
What would be the recommended method of using sslyze from other programs;
writing a custom plugin? adding machine parseable output (xml, json, ...) ?
I'm looking at a TLS inventory application, and getting the data out in a
structured format would be very useful.
Original issue reported on code.google.com by [email protected]
on 26 Mar 2012 at 7:48
What steps will reproduce the problem?
1. Executing on Ubuntu 12.04
2.
3.
What is the expected output? What do you see instead?
Unhandled exception when processing --reneg:
<type 'exceptions.AttributeError'>: /lib/i386-linux-gnu/libssl.so.1.0.0:
undefined symbol: SSLv2_method
Unhandled exception when processing --certinfo:
<type 'exceptions.AttributeError'>: /lib/i386-linux-gnu/libssl.so.1.0.0:
undefined symbol: SSLv2_method
Unhandled exception when processing --tlsv1:
<type 'exceptions.AttributeError'>: /lib/i386-linux-gnu/libssl.so.1.0.0:
undefined symbol: SSLv2_method
Unhandled exception when processing --sslv2:
<type 'exceptions.AttributeError'>: /lib/i386-linux-gnu/libssl.so.1.0.0:
undefined symbol: SSLv2_method
Unhandled exception when processing --sslv3:
<type 'exceptions.AttributeError'>: /lib/i386-linux-gnu/libssl.so.1.0.0:
undefined symbol: SSLv2_method
Unhandled exception when processing --resum:
<type 'exceptions.AttributeError'>: /lib/i386-linux-gnu/libssl.so.1.0.0:
undefined symbol: SSLv2_method
What version of the product are you using? On what operating system?
Linux 3.2.0-20-generic-pae #32-Ubuntu SMP Thu Mar 22 02:43:40 UTC 2012 i686
i686 i386 GNU/Linux
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 28 Mar 2012 at 5:21