SSLyze is a fast and powerful SSL/TLS scanning tool and Python library. SSLyze can analyze the SSL/TLS configuration of a server by connecting to it, in order to ensure that it uses strong
encryption settings (certificate, cipher suites, elliptic curves, etc.), and that it is not vulnerable to known TLS
attacks (Heartbleed, ROBOT, OpenSSL CCS injection, etc.). On Windows, Linux (x86 or x64) and macOS, SSLyze can be installed directly via pip: It can also be used via Docker: Lastly, a pre-compiled Windows executable can be downloaded from the Releases
page. A sample script describing how to use the SSLyze's Python API is available at ./api_sample.py. Full documentation for SSLyze's Python API is available here. By default, SSLyze will check the server's scan results against Mozilla's recommended "intermediate" TLS
configuration, and will return a non-zero exit code if the server
is not compliant. The Mozilla configuration to check against can be configured via This can be used to easily run an SSLyze scan as a CI/CD step. To setup a development environment: The tests can then be run using: Copyright (c) 2024 Alban Diquet SSLyze is made available under the terms of the GNU Affero General Public License (AGPL). See LICENSE.txt for details and exceptions.$ pip install --upgrade pip setuptools wheel
$ pip install --upgrade sslyze
$ python -m sslyze www.yahoo.com www.google.com "[2607:f8b0:400a:807::2004]:443"
$ docker run --rm -it nablac0d3/sslyze:6.0.0 www.google.com
$ python -m sslyze mozilla.com
Checking results against Mozilla's "intermediate" configuration. See https://ssl-config.mozilla.org/ for more details.
mozilla.com:443: OK - Compliant.
--mozilla_config={old, intermediate, modern}
:$ python -m sslyze --mozilla_config=modern mozilla.com
Checking results against Mozilla's "modern" configuration. See https://ssl-config.mozilla.org/ for more details.
mozilla.com:443: FAILED - Not compliant.
* certificate_types: Deployed certificate types are {'rsa'}, should have at least one of {'ecdsa'}.
* certificate_signatures: Deployed certificate signatures are {'sha256WithRSAEncryption'}, should have at least one of {'ecdsa-with-SHA512', 'ecdsa-with-SHA256', 'ecdsa-with-SHA384'}.
* tls_versions: TLS versions {'TLSv1.2'} are supported, but should be rejected.
* ciphers: Cipher suites {'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'} are supported, but should be rejected.
$ pip install --upgrade pip setuptools wheel
$ pip install -e .
$ pip install -r requirements-dev.txt
$ invoke test