Appendix: Scan Commands ¶

Every type of TLS check that SSLyze can run against a server (supported cipher suites, session renegotiation, etc.) is represented by a ScanCommand, which, when run against a server, will return a specific result.

This page lists all the ScanCommand and their corresponding results available in the current release of SSLyze.

For an example on how to run a scan via the Python API, see Running a Scan in Python.

The following scan commands are available in the current version of SSLyze:

The next sections describe the result class that corresponds to each scan command.

Certificate Information ¶

ScanCommand.CERTIFICATE_INFO: Retrieve and analyze a server’s certificate(s) to verify its validity.

Optional arguments¶

Result class¶

Cipher Suites ¶

ScanCommand.SSL_2_0_CIPHER_SUITES: Test a server for SSL 2.0 support. ScanCommand.SSL_3_0_CIPHER_SUITES: Test a server for SSL 3.0 support. ScanCommand.TLS_1_0_CIPHER_SUITES: Test a server for TLS 1.0 support. ScanCommand.TLS_1_1_CIPHER_SUITES: Test a server for TLS 1.1 support. ScanCommand.TLS_1_2_CIPHER_SUITES: Test a server for TLS 1.2 support. ScanCommand.TLS_1_3_CIPHER_SUITES: Test a server for TLS 1.3 support.

Result class¶

Supported Elliptic Curves ¶

ScanCommand.ELLIPTIC_CURVES: Test a server for supported elliptic curves.

Result class¶

ROBOT ¶

ScanCommand.ROBOT: Test a server for the ROBOT vulnerability.

Result class¶

Session Resumption Support ¶

ScanCommand.SESSION_RESUMPTION: Test a server for TLS 1.2 session resumption support using session IDs and TLS tickets.

Result class¶

CRIME ¶

ScanCommand.TLS_COMPRESSION: Test a server for TLS compression support, which can be leveraged to perform a CRIME attack.

Result class¶

TLS 1.3 Early Data ¶

ScanCommand.TLS_1_3_EARLY_DATA: Test the server(s) for TLS 1.3 early data support.

Result class¶

Downgrade Prevention ¶

ScanCommand.TLS_FALLBACK_SCSV: Test a server for the TLS_FALLBACK_SCSV mechanism to prevent downgrade attacks.

Result class¶

Heartbleed ¶

ScanCommand.HEARTBLEED: Test a server for the OpenSSL Heartbleed vulnerability.

Result class¶

HTTP Security Headers ¶

ScanCommand.HTTP_HEADERS: Test a server for the presence of security-related HTTP headers.

Result class¶

OpenSSL CCS Injection ¶

ScanCommand.OPENSSL_CCS_INJECTION: Test a server for the OpenSSL CCS Injection vulnerability (CVE-2014-0224).

Result class¶

Insecure Renegotiation ¶

ScanCommand.SESSION_RENEGOTIATION: Test a server for for insecure TLS renegotiation and client-initiated renegotiation.

Result class¶

Extended Master Secret ¶

ScanCommand.TLS_EXTENDED_MASTER_SECRET: Test a server for TLS Extended Master Secret extension support.

Result class¶