Validate the security of your TLS connections so that they deserve your trust.
tls-verify
Documentation
Basic Usage
python3 -m pip install -U tls-verify

import tlsverify

host = 'google.com'
is_valid, results = tlsverify.verify(host)
print('\nValid ✓✓✓' if is_valid else '\nNot Valid. There were validation errors')
python3 -m pip install pipx && pipx install tls-verify
On the command-line:
tlsverify --help
produces:
usage: tlsverify [-h] -H HOST [-p PORT] [-c CAFILES] [-C CLIENT_PEM] [-t TMP_PATH_PREFIX] [--disable-sni] [-b] [-v] [-vv] [-vvv] [-vvvv]
positional arguments:
targets All unnamed arguments are hosts (and ports) targets to test. ~$ tlsverify google.com:443 github.io owasp.org:80
optional arguments:
-h, --help show this help message and exit
-H HOST, --host HOST host to check
-p PORT, --port PORT TLS port of host
-c CAFILES, --cafiles CAFILES
path to PEM encoded CA bundle file, url or file path accepted
-C CLIENT_PEM, --client-pem CLIENT_PEM
path to PEM encoded client certificate, url or file path accepted
-t TMP_PATH_PREFIX, --tmp-path-prefix TMP_PATH_PREFIX
local file path to use as a prefix when saving temporary files such as those being fetched
for client authorization
--disable-sni Do not negotiate SNI using INDA encoded host
-b, --progress-bars Show task progress bars
-v, --errors-only set logging level to ERROR (default CRITICAL)
-vv, --warning set logging level to WARNING (default CRITICAL)
-vvv, --info set logging level to INFO (default CRITICAL)
-vvvv, --debug set logging level to DEBUG (default CRITICAL)
Features
- Certificate Formats
- ✓ plaintext
- ✓ PEM
- ✓ ASN1/DER
- ✓ pyOpenSSL object
- ✓ python cryptography object
- TLS Information
- ✓ Negotiated protocol
- ✓ Negotiated cipher (if a strong cipher, and if Forward Anonymity)
- ✓ List all offered TLS versions
- ✓ Server preferred protocol
- ✓ RSA private key
- ✓ DSA private key
- ✓ Compression supported
- ✓ Client Renegotiation supported
- ✓ Session Resumption caching
- ✓ Session Resumption tickets
- ✓ Session Resumption ticket hint
- ✓ Downgrade attack detection and SCSV
- ✓ TLS version intolerance
- DNS Information
- ✓ Certification Authority Authorization (CAA) present
- ✓ CAA Valid
- ✓ DNSSEC present
- ✓ DNSSEC valid
- ✓ DNSSEC algorithm
- ✓ DNSSEC deprecated and weak algorithms
- HTTP Information
- ✓ HTTP/1 supported (response status and headers)
- ✓ HTTP/1.1 supported (response status and headers)
- ✓ HTTP/2 (TLS) supported (response frame)
- ✓ Expect-CT header (report_uri)
- ✓ Strict-Transport-Security (HSTS) header
- ✓ X-Frame-Options (XFO) header
- ✓ X-Content-Type-Options header (nosniff)
- ✓ Content-Security-Policy (CSP) header is present
- ✓ Cross-Origin-Embedder-Policy (COEP) header (require-corp)
- ✓ Cross-Origin-Resource-Policy (CORP) header (same-origin)
- ✓ Cross-Origin-Opener-Policy (COOP) header (same-origin)
- ✓ Referrer-Policy header (report on unsafe-url usage)
- ✓ X-XSS-Protection header (enabled in blocking mode)
- X.509 Information
- ✓ Root CA
- ✓ Intermediate CAs
- ✓ Certificate is self signed
- ✓ Issuer
- ✓ Serial Number (Hex, Decimal)
- ✓ Certificate Pin (sha256)
- ✓ Signature Algorithm
- ✓ Fingerprint (md5, sha1, sha256)
- ✓ SNI Support
- ✓ OCSP response status
- ✓ OCSP last status and time
- ✓ OCSP stapling
- ✓ OCSP must staple flag
- ✓ Public Key type
- ✓ Public Key size
- ✓ Derive Private Key (PEM format)
- ✓ Authority Key Identifier
- ✓ Subject Key Identifier
- ✓ TLS Extensions
- ✓ Client Authentication expected
- ✓ Certificate Issuer validation Type (DV, EV, OV)
- ✓ Root CA Trust Stores
- Hostname match
- ✓ common name
- ✓ subjectAltName
- ✓ properly handle wildcard names
- ✓ properly handle SNI
- Validations (actual validity per the RFCs; failing any of these should prevent a TLS connection from being established)
- ✓ Expiry date is future dated
- ✓ OCSP revocation
- ✓ Mozilla CRLite Revocation
- ✓ Valid for TLS use (digital signature)
- ✓ Deprecated protocol
- ✓ Common Name exists, and uses valid syntax
- ✓ Root Certificate is a CA and in a trust store
- ✓ Validate clientAuth expected subjects sent by server
- ✓ Intermediate key usages are verified
- ✓ Valid SAN
- ✓ Impersonation detections
- ✓ C2 (command and control) detections
- ✓ Non-production grade detections
- ✓ issuerAlternativeName
- ✓ authorityKeyIdentifier matches issuer subjectKeyIdentifier
- ✓ keyUsage
- ✓ extendedKeyUsage
- ✓ inhibitAnyPolicy
- ✓ basicConstraints path length
- ✓ Root CA is added to the chain and validated like any other certificate (though browsers ignore this, it is a TLS requirement)
- Assertions (opinionated checks; TLS is expected to still work when these fail)
- ✓ Valid CAA
- ✓ Valid DNSSEC
- ✓ Every certificate in the chain performs all validations (a requirement for zero trust)
- ✓ Weak ciphers
- ✓ Weak keys
- ✓ Weak Signature Algorithm
- ✓ RFC 6066; if the OCSP must-staple flag is present, the CA must provide a valid response, i.e. resolve and validate that the certificate is not revoked
- ✓ Server certificates should not be a CA
- ✓ When client certificate presented, check cert usage permits clientAuth
- ✓ Certificate is not self signed
- Authentication
- ✓ clientAuth
- ✓ CLI output evaluation duration
- ✓ OpenSSL verify errors are actually evaluated and reported, instead of either terminating the connection or being silently ignored (most tools default to VERIFY_NONE; here OpenSSL performs the verification and the connection is kept open regardless, so every error can be reported)
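The hostname-match and SAN checks listed above are worth seeing in code. The following is an added example, not tls-verify's own implementation, showing RFC 6125 style matching with the wildcard rules modern clients enforce; the function names are illustrative and the inputs are constructed.

```python
# Added example (not tls-verify's own code): RFC 6125 style hostname matching
# with the wildcard rules modern TLS clients enforce. Function names are illustrative.
import ipaddress
from typing import Iterable, Optional


def _match_dns_pattern(pattern: str, host: str) -> bool:
    """Match one dNSName/CN pattern against `host`.

    Case-insensitive on A-labels, trailing dots ignored. A '*' is honoured
    only as the entire left-most label, matches exactly one label, and must
    leave at least two literal labels ('*.com' is rejected).
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern or not host:
        return False
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Partial wildcards ('f*.example.com') and wildcards in inner labels are rejected.
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False  # '*.com' would match every host under the TLD
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False  # the wildcard covers exactly one non-empty label
    return p_labels[1:] == h_labels[1:]


def hostname_matches(host: str, san_dns: Iterable[str],
                     san_ips: Iterable[str] = (),
                     common_name: Optional[str] = None) -> bool:
    """Decide whether a certificate's names cover `host`.

    An IP literal is matched only against iPAddress SAN entries. When any
    dNSName SAN is present the CN is ignored (RFC 6125 s6.4.4); the CN is a
    fallback for SAN-less certificates only.
    """
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip == ipaddress.ip_address(s) for s in san_ips)
    san_dns = list(san_dns)
    if san_dns:
        return any(_match_dns_pattern(p, host) for p in san_dns)
    return common_name is not None and _match_dns_pattern(common_name, host)
```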
Change Log
Download files
Source Distribution
tls-verify-0.4.6.tar.gz (59.2 kB)
Built Distribution
Hashes for tls_verify-0.4.6-py2.py3-none-any.whl

Algorithm | Hash digest
---|---
SHA256 | 27d4689a8b83fa3becd213e558133c2c915e2a69b5cf96aa429e485094116731
MD5 | da0c6630df3c9c59ff366ab6f2063387
BLAKE2b-256 | ba11fcae0b1a86d67997f761a8a2fcf1d686d12adc6c1fb897b6275b425f2d8d