rohithadassanayake / sslyze Goto Github PK

TLS now supports extensions, some of which have impact on security; for example 
OCSP Stapling makes it possible for a client to reliably get the revocation 
status of the servers certificate.

OpenSSL v0.9.8h added support for this extension, if you pass -status it checks 
it.

The COMMODO SSL Scanner includes a check for this: 
https://sslanalyzer.comodoca.com/?url=LOGIN.LIVE.COM

It would also be helpful to check for other extensions like SNI since its 
needed to manage v4 address depletion until v6 is fully viable.

What steps will reproduce the problem?
1. Just download the zip to any linux server
2. Execute "python sslyze.py"
3. See the error message

What is the expected output? What do you see instead?
Expected output was atleast usage message or syntax

Actually got:

Client-89.85 # python sslyze.py
  File "sslyze.py", line 71
    except Exception as e:
                      ^
SyntaxError: invalid syntax
Client-89.85 #


What version of the product are you using? On what operating system?
Client-89.85 # python -V
Python 2.3.4
Client-89.85 #uname -a
Linux localhost.localdomain 2.6.9-67.ELsmp #1 SMP Fri Nov 16 12:48:03 EST 2007 
i686 i686 i386 GNU/Linux
Client-89.85 #


Please provide any additional information below.

[deleted issue]

What would be the recommended method of using sslyze from other programs; 
writing a custom plugin? adding machine parseable output (xml, json, ...) ?

I'm looking at a TLS inventory application, and getting the data out in a 
structured format would be very useful.

Is it possible to get en option to have XML output ? (like sslscan)

Thanks by advance.

using --regular and --https_tunnel I received timeouts whereas everything 
returned fine

Unhandled exception when processing --reneg: 
socket.timeout - timed out

Unhandled exception when processing --certinfo: 
socket.timeout - timed out

I can connect to another host using this proxy and both of the above options 
return fine.

I had a fiddle within the code, its basically bombing out on 
ssl_connect.connect() within _get_cert().

I had a fiddle with the SSL_CTX settings, None causes it to timeout, tlsv1_2 
causes a timeout, tlsv1_1 causes:

Unhandled exception when processing --certinfo:
utils.CtSSLHelper.SSLHandshakeRejected - SSL Wrong version

and SSLv3 works fine...

None appears to be attempting TLSv1.2 from the captured packets.

The server does negotiate at some levels on TLS1.2 when I use --tlsv1_2.

The following fix attempts SSLv3 if the original attempt fails:

        try: # Perform the SSL handshake
            ssl_connect.connect()
            cert = ssl_connect.ssl.get_peer_certificate()
        except Exception:
            ssl_connect.close()
            ssl_ctx = SSL_CTX.SSL_CTX('sslv3')
            ssl_connect = self._create_ssl_connection(self.target, ssl_ctx=ssl_ctx)
            if verify_cert:
                ssl_connect.ssl_ctx.load_verify_locations(TRUSTED_CA_STORE)
                ssl_connect.ssl.set_verify(constants.SSL_VERIFY_PEER)
            ssl_connect.connect()
            cert = ssl_connect.ssl.get_peer_certificate()


I haven't tried this for renegotiate checks, but it may be worthwhile 
explicitly attempting a CTX value if the initial SSL negotiation times out due 
to some reason?

What steps will reproduce the problem?

1. I am using Ubuntu 10.04 LTS Server
2. I installed openssl 1.0.0g manually to be able to check renegotiation
3. ./config --prefix=/usr/local/ssl-1.0.0g shared enable-zlib enable-camellia 
enable-md2 enable-rc5 enable-threads enable-resolv
4. Create symbolic links to libssl and libcrypto within /usr/local/lib

What is the expected output? What do you see instead?

sslyze hangs (both the svn and the release 0.3) completely in the moment it 
tries to use the new openssl library - the buildin 0.9.8 is working (switchover 
possible by removing the symbolic links), but fails with renegotiation checks

Strg+c output is:

Traceback (most recent call last):
  File "sslyze.py", line 203, in <module>
    main()
  File "sslyze.py", line 178, in main
    result = result_queue.get()
  File "/usr/lib/python2.6/multiprocessing/queues.py", line 91, in get
    res = self._recv()
KeyboardInterrupt

$ python --version
Python 2.6.5

Trying "python sslyze.py --regular www.cacert.org:443" on my OSX machine with 
CAcert in the OS trust store, I get:

      Validation w/ Mozilla's CA Store:  Certificate is Trusted             

which is invalid, as CAcert is not in the Mozilla CA store.

$python sslyze.py --reneg www.serverxyz.de:443 

i get the following error message:

* Session Renegotiation : 
OpenSSL version is 0.9.8l or earlier. Can't test for insecure renegotiation. 
Update OpenSSL to 0.9.8m+.

When i check the Version of openSSL:

$OpenSSL> version
$OpenSSL 1.0.0e 6 Sep 2011
$OpenSSL> 

any clues ?

What steps will reproduce the problem?
1. cd to the directory containing sslyze
2. run: sslyze --help
3. notice the help for the plugins
4. cd to a different directory
5. run: sslyze --help
6. notice no mention of the plugins

What is the expected output? What do you see instead?
Unless specified otherwise, the default plugin directory should be the 
executable directory, not the current directory

What version of the product are you using? On what operating system?
sslyze-0.3_src on Linux

The shebang of "#!/usr/bin/env python" must be the first line of the sslyze 
script to work when not called directly with the python interpreter. Currently 
it is below the description/copyrite statement. svn diff follows:


Index: sslyze.py
===================================================================
--- sslyze.py   (revision 146)
+++ sslyze.py   (working copy)
@@ -1,3 +1,4 @@
+#!/usr/bin/env python
 #-------------------------------------------------------------------------------
 # Name:         sslyze.py
 # Purpose:      Main module of SSLyze.
@@ -19,7 +20,6 @@
 #   You should have received a copy of the GNU General Public License
 #   along with SSLyze.  If not, see <http://www.gnu.org/licenses/>.
 #-------------------------------------------------------------------------------
-#!/usr/bin/env python

Getting

PluginCertInfo - Import Error: Could not load OpenSSL 1.0.0 or 0.9.8.
PluginOpenSSLCipherSuites - Import Error: Could not load OpenSSL 1.0.0 or 0.9.8.
PluginSessionResumption - Import Error: Could not load OpenSSL 1.0.0 or 0.9.8.
PluginSessionRenegotiation - Import Error: Could not load OpenSSL 1.0.0 or 
0.9.8.

when run on Fedora 16 x64 (probably also other Fedora versions)

The naming of the libs do not match for Fedora since they have the f at the end.
/lib64/libcrypto.so.1.0.0f
/usr/lib64/libssl.so.1.0.0f

Seem to be working when doing this (but will break others)
so Fedora will have to be identified by more than sys.platform

--- load_openssl.py 2012-01-13 10:16:30.039579016 +0100
+++ load_openssl.py 2012-01-13 10:19:52.184123497 +0100
@@ -51,8 +51,8 @@
         libssl_0_9_8 = 'ssleay32'

     elif sys.platform == 'linux2': # Any Linux
-        libcrypto_1_0_0 = 'libcrypto.so.1.0.0'
-        libssl_1_0_0 = 'libssl.so.1.0.0'
+        libcrypto_1_0_0 = 'libcrypto.so.1.0.0f'
+        libssl_1_0_0 = 'libssl.so.1.0.0f'
         libcrypto_0_9_8 = 'libcrypto.so.0.9.8'
         libssl_0_9_8 = 'libssl.so.0.9.8'

OpenSSL 1.0.1 is almost out and brings support for TLS 1.1 and 1.2.
Add support for that in the cipher suite scanning module.

Create Windows packages with OpenSSL 1.0.1 included. 
This will likely be released as SSLyze 0.4.

What steps will reproduce the problem?
1. Executing on Ubuntu 12.04
2.
3.

What is the expected output? What do you see instead?

Unhandled exception when processing --reneg: 
<type 'exceptions.AttributeError'>: /lib/i386-linux-gnu/libssl.so.1.0.0: 
undefined symbol: SSLv2_method

Unhandled exception when processing --certinfo: 
<type 'exceptions.AttributeError'>: /lib/i386-linux-gnu/libssl.so.1.0.0: 
undefined symbol: SSLv2_method

Unhandled exception when processing --tlsv1: 
<type 'exceptions.AttributeError'>: /lib/i386-linux-gnu/libssl.so.1.0.0: 
undefined symbol: SSLv2_method

Unhandled exception when processing --sslv2: 
<type 'exceptions.AttributeError'>: /lib/i386-linux-gnu/libssl.so.1.0.0: 
undefined symbol: SSLv2_method

Unhandled exception when processing --sslv3: 
<type 'exceptions.AttributeError'>: /lib/i386-linux-gnu/libssl.so.1.0.0: 
undefined symbol: SSLv2_method

Unhandled exception when processing --resum: 
<type 'exceptions.AttributeError'>: /lib/i386-linux-gnu/libssl.so.1.0.0: 
undefined symbol: SSLv2_method


What version of the product are you using? On what operating system?
Linux 3.2.0-20-generic-pae #32-Ubuntu SMP Thu Mar 22 02:43:40 UTC 2012 i686 
i686 i386 GNU/Linux

Please provide any additional information below.

What steps will reproduce the problem?
1. Run sslyze against paypal.com

Changes output from:
        AES256-SHA               256 bits      HTTP 301 Moved Permanently
to:
        AES256-SHA               256 bits      HTTP 301 Moved Permanently (https://www.paypal.com/)

What version of the product are you using? On what operating system?
0.4 Linux

Sending an HTTP GET (using --http_get) to an IIS server causes the server to 
send back an HTTP 400 Bad Request. It has to do with the way the SSL handshake 
is performed and how the encrypted data is sent, as the GET request itself is 
pretty standard. 

What steps will reproduce the problem?
run sslyze with --certinfo=basic on a site with an invalid cert.
Unhandled exception when processing --certinfo: 
exceptions.TypeError - _get_cert() takes at least 2 arguments (2 given)

plugins/PluginCertInfo.py:100 is missing the target parameter in the call to 
_get_cert()

See title.

Latest version from source:

PluginCertInfo.py line 127

trust_xml.extend(cert_xml)

Gives an exception when run with the following options

./sslyze.py --certinfo=basic google.com

Unhandled exception when processing --certinfo:
exceptions.AttributeError - _ElementInterface instance has no attribute 'extend'


(nb the line number would be really handy when debugging :)

What steps will reproduce the problem?
1. Run sslyze with --regular
2. Get errors like:

Unhandled exception when processing --resum: 
<type 'exceptions.AttributeError'>: /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0: 
undefined symbol: SSLv2_method

What is the expected output? What do you see instead?

No errors. Results.

What version of the product are you using? On what operating system?

0.3. OpenSSL 1.0.0e-2.1 from Debian unstable. Most distributions are now 
shipping OpenSSL with SSLv2 disabled.

sslyze-read-only$ uname -a
Linux VB-FR976R1-UBUNTU 2.6.32-41-generic #88-Ubuntu SMP Thu Mar 29 13:08:43 
UTC 2012 i686 GNU/Linux
sslyze-read-only$ python --version
Python 2.6.5
sslyze-read-only$ ./sslyze.py --tlsv1_1 --http_get wwwwwwww.wwwwwwww.com

 REGISTERING AVAILABLE PLUGINS
 -----------------------------

   PluginEmpty - OK
   PluginCertInfo - OK
   PluginSessionResumption - OK
   PluginSessionRenegotiation - OK
   PluginOpenSSLCipherSuites - OK

 CHECKING HOST(S) AVAILABILITY
 -----------------------------

   wwwwwwww.wwwwwwww.com:443        => XXX.XXX.XXX.XXX:443                

Traceback (most recent call last):
  File "/usr/lib/python2.6/multiprocessing/queues.py", line 242, in _feed
    send(obj)
PicklingError: Can't pickle plugins.PluginBase.PluginResult: it's not the same 
object as plugins.PluginBase.PluginResult

Add support for CONNECT proxies and add a --proxy option.

Scanning for cipher suites takes too much space in the output. 
There's probably too much info displayed anyway. Improve that.

It would be really nice if sslyze also supported scanning protocols doing 
STARTTLS, e.g. SMTP. Perhaps even Jabber as well.

Right now the server's certificate is verified using Mozilla's trust store. 
However, the hostname that's on the certificate is not validated against the 
server's hostname.

Use this:
http://pypi.python.org/pypi/backports.ssl_match_hostname/