Scan a public website to check whether its HTTPS encryption is correctly configured and free from known vulnerabilities
Add SSLyze to a CI/CD pipeline so that a deployment automatically fails if it introduces a weaker TLS setup
Scan non-web servers like mail, LDAP, or database servers to audit their encryption configurations
Embed SSLyze as a Python library into a security dashboard or automated compliance checker
SSLyze is a Python tool for scanning the SSL/TLS configuration of servers and checking whether those configurations meet security standards. SSL and TLS are the protocols that encrypt traffic between browsers and websites, or between servers. A misconfigured server can use outdated encryption methods or be vulnerable to known attacks, and SSLyze is designed to detect those issues.

When you run SSLyze against a server, it connects to that server and checks what encryption settings it supports: which versions of the protocol it accepts, which cipher suites it offers, how its certificate is configured, and whether it is vulnerable to documented attacks like Heartbleed or ROBOT. The results can be saved to a JSON file for further processing. The tool also supports non-web servers including mail servers using SMTP and IMAP, directory servers using LDAP, and database servers using Postgres, among others.

One practical use case highlighted in the README is running SSLyze as a step in a continuous integration pipeline. By default, SSLyze checks scan results against Mozilla's recommended TLS configuration and exits with an error code if the server does not comply. You can choose between Mozilla's old, intermediate, or modern configuration profiles, or supply your own custom configuration as a JSON file. This makes it straightforward to automatically flag a deployment that introduces a weaker TLS setup.

SSLyze is also available as a Python library with a documented API, so it can be embedded into other applications or run from serverless functions. It installs via pip and also comes as a Docker image and a precompiled Windows executable for users who do not have a Python environment set up. The project is licensed under the GNU Affero General Public License (AGPL).
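The CI use described above, sketched as a pipeline step that relies on SSLyze's non-zero exit status when a server misses the chosen Mozilla profile. This is an added example, not code from the SSLyze project; the function name `tls_gate`, the `SSLYZE` and `TLS_PROFILE` variables and the report file naming are assumptions of this example.

```shell
#!/bin/sh
# Added example: CI gate built on SSLyze's Mozilla-profile compliance check.
# SSLYZE, TLS_PROFILE and tls_gate are names chosen for this example.

# Command used to start the scanner (assumes SSLyze was installed via pip).
SSLYZE="${SSLYZE:-python -m sslyze}"
# Mozilla profile to enforce: old, intermediate or modern.
TLS_PROFILE="${TLS_PROFILE:-intermediate}"

# tls_gate HOST[:PORT]...
# Scans each target separately so one failing server does not hide the
# others, keeps a JSON report per target as a build artifact, and returns
# non-zero if any target failed the compliance check.
tls_gate() {
    failed=0
    for target in "$@"; do
        # Turn the target into a safe file name, e.g. host_443.
        safe_name=$(printf '%s' "$target" | tr -c 'A-Za-z0-9.-' '_')
        report="sslyze-${safe_name}.json"
        if $SSLYZE --mozilla_config="$TLS_PROFILE" \
                   --json_out="$report" "$target"; then
            echo "PASS $target ($TLS_PROFILE profile)"
        else
            echo "FAIL $target (see $report)" >&2
            failed=$((failed + 1))
        fi
    done
    # The step's exit status: success only when every target complied.
    [ "$failed" -eq 0 ]
}
```

Call `tls_gate` with the deployment's endpoints as the last command of the pipeline step, so its status becomes the status of the step.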
Verify against the repo before relying on details.