iSEC Research Labs

SSLyze v 0.9 released - Heartbleed edition

16 Apr 2014 - Alban Diquet

A new version of SSLyze is now available. SSLyze is a Python tool that can analyze the SSL configuration of a server by connecting to it. This version brings a few improvements and bug fixes as well as a new plugin to identify servers affected by the Heartbleed vulnerability.

Heartbleed Testing

To implement the Heartbleed check, I used the methodology described on Mozilla's blog, which has the advantage of not directly exploiting the vulnerability unlike most Hearbleed-testing scripts that have been released. Mozilla's technique does not retrieve memory from the server, thereby avoiding server crashes or sensitive data exposure.

Additionally, SSLyze's implementation uses the tool's existing networking code, allowing Heartbleed testing against multiple servers at the same time and on StartTLS services including XMPP, LDAP, SMTP, FTP and POP. Also, just like all of SSLyze's checks, Heartbleed tests can be tunneled through an HTTPS proxy.

Full Changelog

  • Experimental support for Heartbleed detection; see --heartbleed. Heartbleed detection has also been added to --regular scans
  • Capped the maximum number of concurrent connections to around 30 per server in order to avoid DOSing the scanned servers. Scans are slightly slower but a lot less aggressive, resulting in better scan results with less timeout and connection errors
  • Support for Basic Authentication when tunneling scans through an HTTPS proxy with --https_tunnel
  • Bug fixes for IPv6 and XMPP support
  • Updated OpenSSL to 1.0.1g
  • Updated the Apple, Microsoft, Mozilla and Java trust stores
  • Cleaned up the text output of PluginOpenSSLCipherSuites

Download

SSLyze requires Python 2.7; the supported platforms are Windows 7 32/64 bits, Linux 32/64 bits and OS X 64 bits. Pre-compiled packages available in the release section of the project's page on GitHub.