MCPcopy
hub / github.com/nabla-c0d3/sslyze

github.com/nabla-c0d3/sslyze @6.3.1 sqlite

repository ↗ · DeepWiki ↗ · release 6.3.1 ↗
1,210 symbols 5,564 edges 136 files 148 documented · 12%
README

SSLyze

Run Tests Downloads PyPI version Python version

SSLyze is a fast and powerful SSL/TLS scanning tool and Python library.

SSLyze can analyze the SSL/TLS configuration of a server by connecting to it, in order to ensure that it uses strong encryption settings (certificate, cipher suites, elliptic curves, etc.), and that it is not vulnerable to known TLS attacks (Heartbleed, ROBOT, OpenSSL CCS injection, etc.).

Key features

  • Focus on speed and reliability: SSLyze is a battle-tested tool that is used to reliably scan hundreds of thousands of servers every day.
  • Easy to operationalize: SSLyze can be directly run from CI/CD, in order to continuously check a server against Mozilla's recommended TLS configurations.
  • Fully documented Python API to run scans directly from any Python application, such as a function deployed to AWS Lambda.
  • Support for scanning non-HTTP servers including SMTP, XMPP, LDAP, POP, IMAP, RDP, Postgres and FTP servers.
  • Results of a scan can easily be saved to a JSON file for later processing.
  • And much more!

Quick start

On Windows, Linux (x86 or x64) and macOS, SSLyze can be installed directly via pip:

$ pip install --upgrade pip setuptools wheel
$ pip install --upgrade sslyze
$ python -m sslyze www.yahoo.com www.google.com "[2607:f8b0:400a:807::2004]:443"

It can also be used via Docker:

$ docker run --rm -it nablac0d3/sslyze:6.1.0 www.google.com

Lastly, a pre-compiled Windows executable can be downloaded from the Releases page.

Python API Documentation

A sample script describing how to use the SSLyze's Python API is available at ./api_sample.py.

Full documentation for SSLyze's Python API is available here.

Usage as a CI/CD step

By default, SSLyze will check the server's scan results against Mozilla's recommended "intermediate" TLS configuration, and will return a non-zero exit code if the server is not compliant.

$ python -m sslyze mozilla.com
Checking results against Mozilla's "intermediate" configuration. See https://ssl-config.mozilla.org/ for more details.

mozilla.com:443: OK - Compliant.

The Mozilla configuration to check against can be configured via --mozilla_config={old, intermediate, modern}:

$ python -m sslyze --mozilla_config=modern mozilla.com
Checking results against Mozilla's "modern" configuration. See https://ssl-config.mozilla.org/ for more details.

mozilla.com:443: FAILED - Not compliant.
    * certificate_types: Deployed certificate types are {'rsa'}, should have at least one of {'ecdsa'}.
    * certificate_signatures: Deployed certificate signatures are {'sha256WithRSAEncryption'}, should have at least one of {'ecdsa-with-SHA512', 'ecdsa-with-SHA256', 'ecdsa-with-SHA384'}.
    * tls_versions: TLS versions {'TLSv1.2'} are supported, but should be rejected.
    * ciphers: Cipher suites {'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'} are supported, but should be rejected.

Alternatively, you can check against your own custom TLS configuration by providing a JSON file that follows Mozilla's TLS configuration format:

$ python -m sslyze --custom_tls_config custom_tls_config_example.json mozilla.com
Checking results against custom TLS configuration.

mozilla.com:443: OK - Compliant.

See custom_tls_config_example.json for an example a custom TLS configuration that can be used by SSLyze.

This functionality can be used to easily run an SSLyze scan as a CI/CD step in order to ensure TLS compliance.

Development environment

To setup a development environment:

$ pip install --upgrade pip setuptools wheel
$ pip install -e . 
$ pip install -r requirements-dev.txt

The tests can then be run using:

$ invoke test

License

Copyright (c) 2026 Alban Diquet

SSLyze is made available under the terms of the GNU Affero General Public License (AGPL). See LICENSE.txt for details and exceptions.

Core symbols most depended-on inside this repo

get
called by 108
sslyze/mozilla_tls_profile/tls_config_checker.py
check_connectivity_to_server_and_return_info
called by 83
tests/connectivity_utils.py
scan_server
called by 83
sslyze/plugins/plugin_base.py
_format_field
called by 55
sslyze/plugins/plugin_base.py
create
called by 52
tests/factories.py
m
called by 41
docs/documentation/_static/jquery.js
S
called by 41
docs/documentation/_static/jquery.js
isFunction
called by 40
docs/documentation/_static/jquery-3.5.1.js

Shape

Function 483
Method 403
Class 323
Route 1

Languages

Python67%
TypeScript33%

Modules by API surface

docs/documentation/_static/underscore-1.13.1.js114 symbols
docs/documentation/_static/jquery-3.5.1.js112 symbols
docs/documentation/_static/jquery.js83 symbols
docs/documentation/_static/underscore.js72 symbols
tests/openssl_server/__init__.py24 symbols
tests/scanner_tests/test_mass_scanner.py23 symbols
sslyze/connection_helpers/opportunistic_tls_helpers.py23 symbols
tests/plugins_tests/openssl_cipher_suites/test_openssl_cipher_suites_plugin.py21 symbols
sslyze/scanner/models.py21 symbols
tests/factories.py20 symbols
sslyze/plugins/certificate_info/json_output.py20 symbols
tests/plugins_tests/certificate_info/test_certificate_info_plugin.py18 symbols

Dependencies from manifests, versioned

cx-freeze6.15.15 · 1×
invoke2 · 1×
mypy1.14 · 1×
pytest8 · 1×
ruff0.8.4 · 1×
twine4 · 1×

For agents

$ claude mcp add sslyze \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact