Thursday, June 18, 2015

Qualys SSL Labs API - A multithreaded Python script to scan a large number of servers and produce neat results

Hi Security enthusiast,

If you have been following recent developments in SSL/TLS security, you may have heard that Qualys SSL Labs released an API to automate the testing of internet-hosted applications with their awesome hosted testing solution.


If you have not heard about it, here is their server testing page - https://www.ssllabs.com/ssltest/

And their API documentation is here - https://github.com/ssllabs/ssllabs-scan/blob/master/ssllabs-api-docs.md

Now that the API is released, you can automate testing of any number of servers with any language that can talk to the Qualys server over HTTP. My company wanted to test all of our servers with SSL Labs, so I thought, why can't I automate it with Python or something? So here it is: I made a multithreaded Python script to test a large number of servers in one go and get results in the neat format that my management wanted :-)

The script is intended for Python 2.7.

You can find the script here - https://github.com/moheshmohan/pyssltest

The script takes a text file as input, with the URLs of the servers you need to test listed line by line. It initiates SSL Labs tests on each of them (25 threads in parallel, so 25 tests at a time) and, based on the results, generates a CSV file with extended information from the results.

Please note that the script currently supports only one endpoint per URL. I will enhance it in future to iterate through each endpoint, for URLs with multiple endpoints.

The results will contain the following items in each row:

Input_URL - The input URL 
Domain - The domain 
IP - The IP address it resolved to 
returncode - The value returned from Qualys server (READY, ERROR etc) 
Grade - The Grade as per Qualys rating 
Secondary grade - Secondary grade as per Qualys rating

It also contains the following items for each server. These hold Y (yes) or N (no) values, and the headings are self-explanatory:

Freak
Poodle_TLS 
Insecure renegotiation 
OpenSSL ccs 
Insecure DH
SSL v2 
Poodle_SSL
wrong domain 
cert expired 
self signed cert
No TLS1.2?
SSL v3
RC4
cert chain issue
CRIME
forward secrecy not supported?
weak private key?
weak signature
secure renegotiation
TLS 1.0
TLS 1.1
TLS 1.2 
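
The post notes that the script reads only one endpoint per URL. As an added example (not part of pyssltest), this Python 3 code turns one API response into one row per endpoint, for a subset of the Y/N columns above. The JSON keys and bit meanings are assumed from the SSL Labs API v2 documentation, and the sample response is constructed.

```python
import csv
import io

# Column names come from the post; the JSON keys and bit meanings are assumed
# from the SSL Labs API v2 documentation and should be checked against it.
COLUMNS = ["Input_URL", "IP", "returncode", "Grade", "Freak", "Poodle_SSL",
           "Poodle_TLS", "Insecure renegotiation", "cert expired", "SSL v3",
           "No TLS1.2?"]

def yn(flag):
    return "Y" if flag else "N"

def rows_from_report(input_url, report):
    """Return one row (dict) per endpoint of a single 'analyze' response."""
    status = report.get("status", "ERROR")
    rows = []
    for ep in report.get("endpoints") or [{}]:  # still emit a row on ERROR
        row = dict.fromkeys(COLUMNS, "")
        row.update({"Input_URL": input_url, "IP": ep.get("ipAddress", ""),
                    "returncode": status, "Grade": ep.get("grade", "")})
        d = ep.get("details")
        if status == "READY" and d:  # flags stay blank when nothing was tested
            protos = {(p["name"], p["version"]) for p in d.get("protocols", [])}
            cert = d.get("cert", {}).get("issues", 0)
            row.update({
                "Freak": yn(d.get("freak")),
                "Poodle_SSL": yn(d.get("poodle")),
                "Poodle_TLS": yn(d.get("poodleTls") == 2),  # 2 = vulnerable
                "Insecure renegotiation": yn(d.get("renegSupport", 0) & 1),
                "cert expired": yn(cert & 4),  # bit 2: past its not-after date
                "SSL v3": yn(("SSL", "3.0") in protos),
                "No TLS1.2?": yn(("TLS", "1.2") not in protos)})
        rows.append(row)
    return rows

def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

# Constructed sample (not real scan data); second endpoint was unreachable.
SAMPLE = {"status": "READY", "endpoints": [
    {"ipAddress": "192.0.2.10", "grade": "C", "details": {
        "protocols": [{"name": "SSL", "version": "3.0"},
                      {"name": "TLS", "version": "1.0"}],
        "poodle": True, "poodleTls": 1, "freak": False,
        "renegSupport": 2, "cert": {"issues": 4}}},
    {"ipAddress": "192.0.2.11", "statusMessage": "Unable to connect"}]}
```

Calling `to_csv(rows_from_report("https://example.test", SAMPLE))` gives a header plus two rows; the unreachable endpoint keeps its IP and return code but has blank grade and flag cells.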

Running the script

To run the script you can use the following command

python pyssltest.py -i inp.txt -o inp.csv -n

I will explain each switch:

-i <filename> :- A text file with target URLs listed line by line
-o <filename> :- A CSV file to which the output will be written
-n  :- Optional. Always initiate new tests. If this is omitted, cached results from Qualys are fetched

It's a pretty simple and fast way to run SSL Labs against a bunch of servers.

Please provide some feedback about the script in the comments below.

Thanks for reading

21 comments:

  2. Hello team,

    Thanks for your post. I have used the Python script to check SSL certificates for some websites, and I got these errors. I have checked several times without success :/

    ```
    Input_URL,Domain,IP,Common Name,Source,Date Added,Portfolio,sub portfolio,ELT,POC,IT Contact,Status,returncode,Grade,Secondary grade,Expected Remediation Date,Grade After Remediation,Actual Remediation Date,Actual Grade after Remediation,Drown (Experimental),Freak,Logjam,Poodle_TLS,Insecure renegotiation,OpenSSL ccs,Insecure DH,SSL v2,SSLv2 SuitesDisabled,Poodle_SSL,wrong domain,cert expired,Ey issued cert,self signed cert,No TLS1.2?,SSL v3,RC4,rc4Only,cert chain issue,Cert chain incomplete,CRIME,forward secrecy not supported?,weak private key?,weak signature,secure renegotiation,TLS 1.0,TLS 1.1,TLS 1.2,Recommendation to raise score to A,Date Last scanned(Auto),Date Manually validated,Comments,Audit teams Comments(New grade as on *),Thumbprint,common names,alternate names
    ldeb.fr,ldeb.fr,[Errno 2] No such file or directory: 'results/ldeb.fr.txt',READY,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error,Error
    ```

    Do you have any suggestions, please?

    Regards
