Validate the security of your TLS connections so that they deserve your trust.
Project description
tls-verify
Validate the security of your TLS connections so that they deserve your trust.
Documentation
Basic Usage
python3 -m pip install -U tls-verify
import tlsverify
host = 'google.com'
is_valid, results = tlsverify.verify(host)
print('
Valid ✓✓✓' if is_valid else '
Not Valid. There where validation errors')
python3 -m pip install pipx && pipx install tls-verify
On the command-line:
tlsverify --help
produces:
usage: tlsverify [-h] [-H HOST] [-p PORT] [-c CAFILES] [-C CLIENT_PEM] [-t TMP_PATH_PREFIX] [--pci-dss]
[--nist-strict-mode] [--fips-nist-transition-mode] [--disable-sni] [--show-private-key]
[--hide-validation-details] [-j JSON_FILE] [--hide-progress-bars] [-v] [-vv] [-vvv] [-vvvv]
[--version]
[targets ...]
positional arguments:
targets All unnamed arguments are hosts (and ports) targets to test. ~$ tlsverify google.com:443
github.io owasp.org:80
optional arguments:
-h, --help show this help message and exit
-H HOST, --host HOST single host to check
-p PORT, --port PORT TLS port of host
-c CAFILES, --cafiles CAFILES
path to PEM encoded CA bundle file, url or file path accepted
-C CLIENT_PEM, --client-pem CLIENT_PEM
path to PEM encoded client certificate, url or file path accepted
-t TMP_PATH_PREFIX, --tmp-path-prefix TMP_PATH_PREFIX
local file path to use as a prefix when saving temporary files such as those being fetched
for client authorization
--pci-dss Include PCI DSS requirements assertions
--nist-strict-mode Include NIST SP800-131A strict mode assertions
--fips-nist-transition-mode
Include FIPS 140-2 transition to NIST SP800-131A assertions
--disable-sni Do not negotiate SNI using INDA encoded host
--show-private-key If the private key is exposed, show it in the results
--hide-validation-details
Do not include detailed validation messages in output
-j JSON_FILE, --json-file JSON_FILE
Store to file as JSON
--hide-progress-bars Hide task progress bars
-v, --errors-only set logging level to ERROR (default CRITICAL)
-vv, --warning set logging level to WARNING (default CRITICAL)
-vvv, --info set logging level to INFO (default CRITICAL)
-vvvv, --debug set logging level to DEBUG (default CRITICAL)
--version
Features
- Compliance
- PCI DSS 3.2.1
- NIST SP800-131A (strict mode)
- FIPS 140-2 (NIST SP800-131A transition mode)
- Certificate Formats
- ✓ plaintext
- ✓ PEM
- ✓ ASN1/DER
- ✓ pyOpenSSL object
- ✓ python
cryptography
object
- TLS Information
- ✓ Negotiated protocol
- ✓ Negotiated cipher (if a strong cipher, and if Forward Anonymity)
- ✓ List all offered TLS versions
- ✓ Server preferred protocol
- ✓ RSA private key
- ✓ DSA private key
- ✓ Compression supported
- ✓ Client Renegotiation supported
- ✓ Session Resumption caching
- ✓ Session Resumption tickets
- ✓ Session Resumption ticket hint
- ✓ Downgrade attack detection and SCSV
- ✓ TLS version intolerance
- ✓ TLS version interference
- DNS Information
- ✓ Certification Authority Authorization (CAA) present
- ✓ CAA Valid
- ✓ DNSSEC present
- ✓ DNSSEC valid
- ✓ DNSSEC algorithm
- ✓ DNSSEC deprecated and weak algorithms
- HTTP Information
- ✓ HTTP/1 supported (response status and headers)
- ✓ HTTP/1.1 supported (response status and headers)
- ✓ HTTP/2 (TLS) supported (response frame)
- ✓ Expect-CT header (report_uri)
- ✓ Strict-Transport-Security (HSTS) header
- ✓ X-Frame-Options (XFO) header
- ✓ X-Content-Type-Options header (nosniff)
- ✓ Content-Security-Policy (CSP) header is present
- ✓ Cross-Origin-Embedder-Policy (COEP) header (require-corp)
- ✓ Cross-Origin-Resource-Policy (CORP) header (same-origin)
- ✓ Cross-Origin-Opener-Policy (COOP) header (same-origin)
- ✓ Referrer-Policy header (report on unsafe-url usage)
- ✓ X-XSS-Protection header (enabled in blocking mode)
- X.509 Information
- ✓ Root CA
- ✓ Intermediate CAs
- ✓ Certificate is self signed
- ✓ Expired
- ✓ Version
- ✓ Issuer
- ✓ Serial Number (Hex, Decimal)
- ✓ Certificate Pin (sha256)
- ✓ Signature Algorithm
- ✓ Fingerprint (md5, sha1, sha256)
- ✓ SNI Support
- ✓ OCSP response status
- ✓ OCSP last status and time
- ✓ OCSP stapling
- ✓ OCSP must staple flag
- ✓ Public Key type
- ✓ Public Key size
- ✓ Derive Private Key (PEM format)
- ✓ Authority Key Identifier
- ✓ Subject Key Identifier
- ✓ TLS Extensions
- ✓ Client Authentication expected
- ✓ Certificate Issuer validation Type (DV, EV, OV)
- ✓ Root CA Trust Stores
- Hostname match
- ✓ common name
- ✓ subjectAltName
- ✓ properly handle wildcard names
- ✓ properly handle SNI
- Validations (Actual validity per the RFCs, fail any should fail to establish TLS)
- ✓ Expiry date is future dated
- ✓ OCSP revocation
- ✓ Mozilla CRLite Revocation
- ✓ Valid for TLS use (digital signature)
- ✓ Deprecated protocol
- ✓ Common Name exists, and uses valid syntax
- ✓ Root Certificate is a CA and in a trust store
- ✓ Validate clientAuth expected subjects sent by server
- ✓ Intermediate key usages are verified
- ✓ Valid SAN
- ✓ Impersonation detections
- ✓ C2 (command and control) detections
- ✓ Non-production grade detections
- ✓ issuerAlternativeName
- ✓ authorityKeyIdentifier matches issuer subjectKeyIdentifier
- ✓ keyUsage
- ✓ extendedKeyUsage
- ✓ inhibitAnyPolicy
- ✓ basicConstraints path length
- ✓ Root CA is added to the chain and validated like any other certificate (though browsers ignore this, it is a TLS requirement)
- Assertions (Opinionated checking, TLS is expected to still work)
- ✓ Valid CAA
- ✓ Valid DNSSEC
- ✓ Every certificate in the chain perform all validations (a requirement for zero-trust)
- ✓ Weak ciphers
- ✓ Weak keys
- ✓ Weak Signature Algorithm
- ✓ rfc6066; if OCSP must-staple flag is present the CA provides a valid response, i.e. resolve and validate not revoked
- ✓ Server certificates should not be a CA
- ✓ When client certificate presented, check cert usage permits clientAuth
- ✓ Certificate is not self signed
- Authentication
- ✓ clientAuth
- ✓ CLI output evaluation duration
- ✓ OpenSSL verify errors are actually evaluated and reported instead of either terminate connection or simply ignored (default approach most use VERIFY_NONE we actually let openssl do verification and keep the connection open anyway)
Change Log
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
tls-verify-0.4.14.tar.gz
(60.2 kB
view hashes)
Built Distribution
Close
Hashes for tls_verify-0.4.14-py2.py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | fec2703ee90bd85a3516768069b9e5dfce8d75555ccafc9bfddddd26083a4c23 |
|
MD5 | bff58c5a6980aa302077dd0818a1cdab |
|
BLAKE2b-256 | 0f7bbec2bd75c229a834274f5c999af52c6e1ddfd7a713b665dbe96ecc35904e |