tls-verify
Validate the security of your TLS connections so that they deserve your trust.
Documentation
Basic Usage
python3 -m pip install -U tls-verify
import tlsverify

host = 'google.com'
# verify() returns a boolean verdict plus the detailed validation results
is_valid, results = tlsverify.verify(host)
print('\nValid ✓✓✓' if is_valid else '\nNot Valid. There were validation errors')
python3 -m pip install pipx && pipx install tls-verify
On the command-line:
tlsverify --help
produces:
usage: command-line.py [-h] -H HOST [-p PORT] [-c CAFILES] [-C CLIENT_PEM] [-T CLIENT_CA] [-t TMP_PATH_PREFIX]
[--sni] [-v] [-vv] [-vvv] [-vvvv]
optional arguments:
-h, --help show this help message and exit
-H HOST, --host HOST host to check
-p PORT, --port PORT TLS port of host
-c CAFILES, --cafiles CAFILES
path to PEM encoded CA bundle file, url or file path accepted
-C CLIENT_PEM, --client-pem CLIENT_PEM
path to PEM encoded client certificate, url or file path accepted
-T CLIENT_CA, --client-ca-pem CLIENT_CA
path to PEM encoded client CA certificate, url or file path accepted
-t TMP_PATH_PREFIX, --tmp-path-prefix TMP_PATH_PREFIX
local file path to use as a prefix when saving temporary files such as those being fetched
for client authorization
--sni Negotiate SNI via PyOpenSSL Connection set_tlsext_host_name and INDA encoded host
-v, --errors-only set logging level to ERROR (default CRITICAL)
-vv, --warning set logging level to WARNING (default CRITICAL)
-vvv, --info set logging level to INFO (default CRITICAL)
-vvvv, --debug set logging level to DEBUG (default CRITICAL)
Features
- Certificate Formats
- ✓ plaintext
- ✓ PEM
- ✓ ASN1/DER
- ✓ pyOpenSSL object
- ✓ python cryptography object
- TLS Information
- ✓ negotiated_protocol
- ✓ negotiated_cipher
- ✓ RSA private key
- ✓ DSA private key
- X.509 Information
- ✓ certificate_subject
- ✓ certificate_issuer
- ✓ certificate_issuer_country
- ✓ certificate_signature_algorithm
- ✓ SNI
- Signatures
- ✓ certificate_md5_fingerprint
- ✓ certificate_sha1_fingerprint
- ✓ certificate_sha256_fingerprint
- ✓ certificate_pin_sha256
- ✓ certificate_serial_number
- ✓ certificate_serial_number_decimal
- ✓ certificate_serial_number_hex
- ✓ certificate_public_key_type
- ✓ certificate_key_size
- ✓ Expiry date is future dated
- Hostname match
- ✓ common name
- ✓ subjectAltName
- ✓ properly handle wildcard names
- ✓ certificate_is_self_signed
- Enumerate the TLS extensions to ensure all validations are performed (excluding non-standard or any custom extensions that may exist)
- ✓ subjectAltName
- ✓ issuerAlternativeName
- ✓ authorityKeyIdentifier matches issuer subjectKeyIdentifier
- ✓ keyUsage
- ✓ extendedKeyUsage
- ✓ inhibitAnyPolicy
- ✓ basicConstraints ca
- ✓ basicConstraints path_length
- ✓ validate clientAuth subjects
- Authentication
- ✓ clientAuth
- Revocation
- ✓ OCSP
- ✓ Root Certificate is a CA and in a trust store
- Validate the complete chain (a requirement for zero-trust)
- ✓ correctly build the chain
- ✓ All certs in the chain are not revoked
- ✓ Intermediate key usages are verified
- ✓ optionally; allow the user to include additional cacert bundle
- optionally; client condition; path length is exactly 3 (Root CA, signer/issuer, server cert) regardless of tls extension basicConstraints path_length
- Not using known weak "x"
- ✓ protocol
- ✓ keys
- ✓ signature algorithm
- ✓ CLI output evaluation duration
- ✓ OpenSSL verify errors are actually evaluated and reported, instead of either terminating the connection or being silently ignored (the default approach most tools take is VERIFY_NONE; here OpenSSL performs the verification and the connection is kept open anyway so the errors can be collected)
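The "Hostname match" items above (common name, subjectAltName, wildcard handling) hide the part that most home-grown validators get wrong. The stdlib-only snippet below is an added illustration of those rules, not tls-verify's own code: a wildcard may only be the entire leftmost label, it matches exactly one label, patterns like `*.com` are rejected as a simplification of the public-suffix rule, IP addresses are never matched by dNSName patterns, and the CN is consulted only when no SAN dNSName is present (RFC 6125 section 6.4.4).

```python
import ipaddress


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one presented name (CN or dNSName SAN) against a hostname."""
    pattern = pattern.rstrip('.').lower()
    hostname = hostname.rstrip('.').lower()
    if not pattern or not hostname:
        return False
    # An IP literal only matches an exact iPAddress entry, never a dNSName wildcard.
    try:
        ipaddress.ip_address(hostname)
        return pattern == hostname
    except ValueError:
        pass
    if '*' not in pattern:
        return pattern == hostname
    p_labels = pattern.split('.')
    h_labels = hostname.split('.')
    # A wildcard stands for exactly one label: *.example.com must not match
    # example.com or a.b.example.com.
    if len(p_labels) != len(h_labels):
        return False
    # Only a whole leftmost label may be a wildcard (partial wildcards such as
    # w*.example.com are rejected, as Python's ssl module does since 3.7), and
    # at least two fixed labels must follow it so *.com cannot match everything.
    if p_labels[0] != '*' or len(p_labels) < 3 or any('*' in l for l in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_matches_host(hostname: str, common_name: str, san_dns_names: list) -> bool:
    """Prefer SAN dNSName entries; fall back to the CN only when none are present."""
    if san_dns_names:
        return any(hostname_matches(name, hostname) for name in san_dns_names)
    return bool(common_name) and hostname_matches(common_name, hostname)


if __name__ == '__main__':
    # Constructed sample names, not taken from any real certificate.
    print(certificate_matches_host('www.example.com', 'ignored', ['*.example.com']))
    print(certificate_matches_host('a.b.example.com', 'ignored', ['*.example.com']))
```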
Source Distribution: tls-verify-0.2.3.tar.gz (33.7 kB)