SSLyze
What is SSLyze?
SSLyze is a Python library and a CLI tool that can analyze the SSL configuration of a server by connecting to it. It is designed to be fast and comprehensive, and should help organizations and testers identify mis-configurations affecting their SSL/TLS servers. To learn more about the SSLyze scanner itself visit or SSLyze GitHub.
Deployment
The sslyze chart can be deployed via helm:
# Install HelmChart (use -n to configure another namespace)
helm upgrade --install sslyze oci://ghcr.io/securecodebox/helm/sslyze
Scanner Configuration
The following security scan configuration example are based on the SSLyze Documentation, please take a look at the original documentation for more configuration examples.
The command line interface can be used to easily run server scans: sslyze --mozilla_config=intermediate www.example.com
Usage: python -m sslyze [options] target1.com target2.com:443 target3.com:443{ip} etc...
Options:
  -h, --help            show this help message and exit
  --mozilla_config {modern,intermediate,old}
                        Shortcut to queue various scan commands needed to check the server's TLS configurations against one of Mozilla's recommended TLS configuration. Set to
                        "intermediate" by default.
Trust stores options:
  --update_trust_stores
                        Update the default trust stores used by SSLyze. The
                        latest stores will be downloaded from https://github.c
                        om/nabla-c0d3/trust_stores_observatory. This option is
                        meant to be used separately, and will silence any
                        other command line option supplied to SSLyze.
Client certificate options:
  --cert CERTIFICATE_FILE
                        Client certificate chain filename. The certificates
                        must be in PEM format and must be sorted starting with
                        the subject's client certificate, followed by
                        intermediate CA certificates if applicable.
  --key KEY_FILE        Client private key filename.
  --keyform KEY_FORMAT  Client private key format. DER or PEM (default).
  --pass PASSPHRASE     Client private key passphrase.
Input and output options:
  --json_out JSON_FILE  Write the scan results as a JSON document to the file
                        JSON_FILE. If JSON_FILE is set to '-', the JSON output
                         will instead be printed to stdout. The resulting JSON
                        file is a serialized version of the ScanResult objects
                         described in SSLyze's Python API: the nodes and
                        attributes will be the same. See https://nabla-c0d3.gi
                        thub.io/sslyze/documentation/available-scan-
                        commands.html for more details.
  --targets_in TARGET_FILE
                        Read the list of targets to scan from the file
                        TARGET_FILE. It should contain one host:port per line.
  --quiet               Do not output anything to stdout; useful when using
                      --json_out.
Connectivity options:
  --slow_connection     Greatly reduce the number of concurrent connections
                        initiated by SSLyze. This will make the scans slower
                        but more reliable if the connection between your host
                        and the server is slow, or if the server cannot handle
                        many concurrent connections. Enable this option if you
                        are getting a lot of timeouts or errors.
  --https_tunnel PROXY_SETTINGS
                        Tunnel all traffic to the target server(s) through an
                        HTTP CONNECT proxy. HTTP_TUNNEL should be the proxy's
                        URL: 'http://USER:PW@HOST:PORT/'. For proxies
                        requiring authentication, only Basic Authentication is
                        supported.
  --starttls PROTOCOL Perform a StartTLS handshake when connecting to the
                        target server(s). StartTLS should be one of: auto,
                        smtp, xmpp, xmpp_server, pop3, imap, ftp, ldap, rdp,
                        postgres. The 'auto' option will cause SSLyze to
                        deduce the protocol (ftp, imap, etc.) from the
                        supplied port number, for each target servers.
  --xmpp_to HOSTNAME   Optional setting for STARTTLS XMPP. XMPP_TO should be
                        the hostname to be put in the 'to' attribute of the
                        XMPP stream. Default is the server's hostname.
  --sni SERVER_NAME_INDICATION
                        Use Server Name Indication to specify the hostname to
                        connect to. Will only affect TLS 1.0+ connections.
Scan commands:
    --tlsv1_1           Test a server for TLS 1.1 support.
    --tlsv1_2           Test a server for TLS 1.2 support.
    --robot             Test a server for the ROBOT vulnerability.
    --reneg             Test a server for for insecure TLS renegotiation and
                        client-initiated renegotiation.
    --early_data        Test a server for TLS 1.3 early data support.
    --fallback          Test a server for the TLS_FALLBACK_SCSV mechanism to
                        prevent downgrade attacks.
    --tlsv1_3           Test a server for TLS 1.3 support.
    --certinfo          Retrieve and analyze a server's certificate(s) to
                        verify its validity.
    --certinfo_ca_file CERTINFO_CA_FILE
                        To be used with --certinfo. Path to a file containing
                        root certificates in PEM format that will be used to verify
                         the validity of the server's certificate.
    --heartbleed        Test a server for the OpenSSL Heartbleed
                        vulnerability.
    --resum             Test a server for TLS 1.2 session resumption support using
    --resum_attempts RESUM_ATTEMPTS
                        To be used with --resum. Number of session resumptions
                        (both with Session IDs and TLS Tickets) that SSLyze should attempt. The default value is 5, but a higher
                        value such as 100 can be used to get a more accurate measure of how often session resumption succeeds or fails with the server.
                        session IDs and TLS tickets.
    --http_headers      Test a server for the presence of security-related
                        HTTP headers.
    --sslv2             Test a server for SSL 2.0 support.
    --tlsv1             Test a server for TLS 1.0 support.
    --sslv3             Test a server for SSL 3.0 support.
    --compression       Test a server for TLS compression support, which can
                        be leveraged to perform a CRIME attack.
    --openssl_ccs       Test a server for the OpenSSL CCS Injection
                        vulnerability (CVE-2014-0224).                   
    --elliptic_curves   Test a server for supported elliptic curves.
Requirements
Kubernetes: >=v1.11.0-0
Values
| Key | Type | Default | Description | 
|---|---|---|---|
| cascadingRules.enabled | bool | false | Enables or disables the installation of the default cascading rules for this scanner | 
| imagePullSecrets | list | [] | Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) | 
| parser.affinity | object | {} | Optional affinity settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | 
| parser.env | list | [] | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | 
| parser.image.pullPolicy | string | "IfNotPresent" | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | 
| parser.image.repository | string | "docker.io/securecodebox/parser-sslyze" | Parser image repository | 
| parser.image.tag | string | defaults to the charts version | Parser image tag | 
| parser.nodeSelector | object | {} | Optional nodeSelector settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/) | 
| parser.resources | object | { requests: { cpu: "200m", memory: "100Mi" }, limits: { cpu: "400m", memory: "200Mi" } } | Optional resources lets you control resource limits and requests for the parser container. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | 
| parser.scopeLimiterAliases | object | {} | Optional finding aliases to be used in the scopeLimiter. | 
| parser.tolerations | list | [] | Optional tolerations settings that control how the parser job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | 
| parser.ttlSecondsAfterFinished | string | nil | seconds after which the Kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | 
| scanner.activeDeadlineSeconds | string | nil | There are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup) | 
| scanner.affinity | object | {} | Optional affinity settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/) | 
| scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | 
| scanner.env | list | [] | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | 
| scanner.extraContainers | list | [] | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | 
| scanner.extraVolumeMounts | list | [] | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | 
| scanner.extraVolumes | list | [] | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | 
| scanner.image.pullPolicy | string | "IfNotPresent" | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | 
| scanner.image.repository | string | "docker.io/securecodebox/scanner-sslyze" | Container Image to run the scan | 
| scanner.image.tag | string | nil | defaults to the charts appVersion | 
| scanner.nameAppend | string | nil | append a string to the default scantype name. | 
| scanner.nodeSelector | object | {} | Optional nodeSelector settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/) | 
| scanner.podSecurityContext | object | {} | Optional securityContext set on scanner pod (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | 
| scanner.resources | object | {} | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | 
| scanner.securityContext | object | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":false} | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | 
| scanner.securityContext.allowPrivilegeEscalation | bool | false | Ensure that users privileges cannot be escalated | 
| scanner.securityContext.capabilities.drop[0] | string | "all" | This drops all linux privileges from the container. | 
| scanner.securityContext.privileged | bool | false | Ensures that the scanner container is not run in privileged mode | 
| scanner.securityContext.readOnlyRootFilesystem | bool | true | Prevents write access to the containers file system | 
| scanner.securityContext.runAsNonRoot | bool | false | Enforces that the scanner image is run as a non root user | 
| scanner.suspend | bool | false | if set to true the scan job will be suspended after creation. You can then resume the job using kubectl resume <jobname>or using a job scheduler like kueue | 
| scanner.tolerations | list | [] | Optional tolerations settings that control how the scanner job is scheduled (see: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) | 
| scanner.ttlSecondsAfterFinished | string | nil | seconds after which the Kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | 
License
Code of secureCodeBox is licensed under the Apache License 2.0.
CPU architectures
The scanner is currently supported for these CPU architectures:
- linux/amd64
- linux/arm64
Examples
example.com
- Scan
- Findings
# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "sslyze-example"
spec:
  scanType: "sslyze"
  parameters:
    - "--mozilla_config=intermediate"
    - "example.com"
# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0
[{
  "osi_layer": "PRESENTATION",
  "reference": null,
  "location": "example.com:443",
  "name": "TLS Service",
  "description": "",
  "identified_at": "2023-08-23T08:00:47.239Z",
  "category": "TLS Service Info",
  "severity": "INFORMATIONAL",
  "mitigation": null,
  "attributes": {
    "hostname": "example.com",
    "ip_addresses": ["93.184.216.34"],
    "port": 443,
    "tls_versions": ["TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3"],
    "cipher_suites": ["SEED-SHA", "CAMELLIA256-SHA", "CAMELLIA128-SHA", "AES256-SHA", "AES128-SHA", "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-SHA", "DHE-RSA-SEED-SHA", "DHE-RSA-CAMELLIA256-SHA", "DHE-RSA-CAMELLIA128-SHA", "DHE-RSA-AES256-SHA", "DHE-RSA-AES128-SHA", "AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA256", "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-SHA256", "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA256", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"]
  },
  "id": "6cd691f3-1174-4472-ad66-0ddb490c1d91",
  "parsed_at": "2023-08-23T08:00:57.820Z"
}, {
  "osi_layer": "PRESENTATION",
  "reference": null,
  "location": "example.com:443",
  "name": "TLS Version TLS 1.0 is considered insecure",
  "category": "Outdated TLS Version",
  "description": "The server uses outdated or insecure tls versions.",
  "identified_at": "2023-08-23T08:00:47.239Z",
  "severity": "MEDIUM",
  "mitigation": "Upgrade to a higher tls version.",
  "attributes": {
    "hostname": "example.com",
    "ip_addresses": ["93.184.216.34"],
    "port": 443,
    "outdated_version": "TLS 1.0"
  },
  "id": "d7c7ea04-72be-4ca1-b159-8336bddbedc4",
  "parsed_at": "2023-08-23T08:00:57.820Z"
}, {
  "osi_layer": "PRESENTATION",
  "reference": null,
  "location": "example.com:443",
  "name": "TLS Version TLS 1.1 is considered insecure",
  "category": "Outdated TLS Version",
  "description": "The server uses outdated or insecure tls versions.",
  "identified_at": "2023-08-23T08:00:47.239Z",
  "severity": "MEDIUM",
  "mitigation": "Upgrade to a higher tls version.",
  "attributes": {
    "hostname": "example.com",
    "ip_addresses": ["93.184.216.34"],
    "port": 443,
    "outdated_version": "TLS 1.1"
  },
  "id": "17bcb87a-830c-4598-a48a-0c8c824a6ff2",
  "parsed_at": "2023-08-23T08:00:57.820Z"
}]
secureCodeBox.io
- Scan
- Findings
# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "sslyze-securecodebox.io"
  labels:
    organization: "secureCodeBox"
spec:
  scanType: "sslyze"
  parameters:
    - "--mozilla_config=intermediate"
    - "securecodebox.io"
# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0
[{
  "osi_layer": "PRESENTATION",
  "reference": null,
  "location": "securecodebox.io:443",
  "name": "TLS Service",
  "description": "",
  "identified_at": "2023-08-23T08:02:56.691Z",
  "category": "TLS Service Info",
  "severity": "INFORMATIONAL",
  "mitigation": null,
  "attributes": {
    "hostname": "securecodebox.io",
    "ip_addresses": ["185.199.110.153"],
    "port": 443,
    "tls_versions": ["TLS 1.2", "TLS 1.3"],
    "cipher_suites": ["AES256-SHA", "AES128-GCM-SHA256", "AES128-SHA", "ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"]
  },
  "id": "81834c41-0845-48ca-901b-10f636b7f1e1",
  "parsed_at": "2023-08-23T08:03:02.935Z"
}]
unsafe-https
- Scan
# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "sslyze-unsafe-https"
  labels:
    organization: "secureCodeBox"
spec:
  scanType: "sslyze"
  parameters:
    - "--mozilla_config=intermediate"
    - "unsafe-https"