Appendix: Scan Commands

Every type of TLS check that SSLyze can run against a server (supported cipher suites, session renegotiation, etc.) is represented by a ScanCommand, which, when run against a server, will return a specific result.

This page lists all the ScanCommand and their corresponding results available in the current release of SSLyze.

For an example on how to run a scan via the Python API, see Running a Scan in Python.

Contents

• Appendix: Scan Commands

  • Certificate Information

  • Cipher Suites

  • Supported Elliptic Curves

  • ROBOT

  • Session Resumption Support

  • CRIME

  • TLS 1.3 Early Data

  • Downgrade Prevention

  • Heartbleed

  • HTTP Security Headers

  • OpenSSL CCS Injection

  • Insecure Renegotiation

The following scan commands are available in the current version of SSLyze:

The next sections describe the result class that corresponds to each scan command.

Certificate Information

ScanCommand.CERTIFICATE_INFO: Retrieve and analyze a server’s certificate(s) to verify its validity.

Optional arguments

Result class

Cipher Suites

ScanCommand.SSL_2_0_CIPHER_SUITES: Test a server for SSL 2.0 support. ScanCommand.SSL_3_0_CIPHER_SUITES: Test a server for SSL 3.0 support. ScanCommand.TLS_1_0_CIPHER_SUITES: Test a server for TLS 1.0 support. ScanCommand.TLS_1_1_CIPHER_SUITES: Test a server for TLS 1.1 support. ScanCommand.TLS_1_2_CIPHER_SUITES: Test a server for TLS 1.2 support. ScanCommand.TLS_1_3_CIPHER_SUITES: Test a server for TLS 1.3 support.

Result class

Supported Elliptic Curves

ScanCommand.ELLIPTIC_CURVES: Test a server for supported elliptic curves.

Result class

ROBOT

ScanCommand.ROBOT: Test a server for the ROBOT vulnerability.

Result class

Session Resumption Support

ScanCommand.SESSION_RESUMPTION: Test a server for TLS 1.2 session resumption support using session IDs and TLS tickets.

Result class

CRIME

ScanCommand.TLS_COMPRESSION: Test a server for TLS compression support, which can be leveraged to perform a CRIME attack.

Result class

TLS 1.3 Early Data

ScanCommand.TLS_1_3_EARLY_DATA: Test the server(s) for TLS 1.3 early data support.

Result class

Downgrade Prevention

ScanCommand.TLS_FALLBACK_SCSV: Test a server for the TLS_FALLBACK_SCSV mechanism to prevent downgrade attacks.

Result class

Heartbleed

ScanCommand.HEARTBLEED: Test a server for the OpenSSL Heartbleed vulnerability.

Result class

HTTP Security Headers

ScanCommand.HTTP_HEADERS: Test a server for the presence of security-related HTTP headers.

Result class

OpenSSL CCS Injection

ScanCommand.OPENSSL_CCS_INJECTION: Test a server for the OpenSSL CCS Injection vulnerability (CVE-2014-0224).

Result class

Insecure Renegotiation

ScanCommand.SESSION_RENEGOTIATION: Test a server for for insecure TLS renegotiation and client-initiated renegotiation.

Result class