README
¶
SSLLabs-Scan
The SSLLabs-Scan performs the scan provided by Qualys (ssllabs.com)
SSLLabs-Table Columns
| Column | Description |
|---|---|
| IP | IP of the domain |
| StartTime | Start time of the scan (UTC-Time since epoch) |
| TestTime | Run time of the scan |
| Grade | Grade of the scan |
| GradeTrustIgnored | Grade, if trust issues were ignored |
| FutureGrade | Grade, if upcomming changes are added (unused) |
| HasWarnings | Flag, if there are warnings |
| IsExceptional | Flag, if site results ar exceptionally good |
| NumberWeakProtocols | Number of weak used protocols |
| WeakProtocols | List of weak protocols |
| NumberProtocols | Number of protocols |
| Protocols | List of weak protocols |
| NumberWeakSuites | Number of weak cypher suites |
| WeakSuites | List of weak cypher suites |
| NumberSuites | Number of used cypher suites |
| Suites | List of used cypher suites |
| ForwardSecrecy | See below |
| RenegSupport | See below |
| SupportsRC4 | Flag, if RC4-Ciphers are supported |
| VulnBeast | Flag, if the domain has the Beast vulnerability |
| VulnHeartbleed | Flag, if the domain has the heartbleed vulnerability |
| VulnOpenSslCcs | See below |
| VulnOpenSSLLuckyMinus20 | See below |
| VulnTicketbleed | See below |
| VulnBleichenbacher | See below |
| VulnPoodle | See below |
| VulnFreak | Flag, if the domain has the Freak vulnerability |
| VulnLogjam | Flag, if the domain has the logjam vulnerability |
| VulnDrown | Flag, if the domain has the Drown vulnerability |
| DhUsesKnownPrimes | See below |
| DhYsReuse | true if the DH ephemeral server value is reused. Not present if the server doesn't support the DH key exchange |
| EcdhParameterReuse | true if the server reuses its ECDHE values |
| CertificateChainIssues | See below |
| CertificateChainLength | Length of the Certificate Chain |
| EndEntityCertificateThumbprint | Thumbprint of the EndEntity Certificate |
| ScanStatus | Pending: 0, Done: 1, Ignored: 2, Error: 255 |
Certificates-Table Columns
| Column | Description |
|---|---|
| Thumbprint | Certificate Thumbprint |
| ID | Certificate ID |
| SerialNumber | Certificate Serialnumber |
| Subject | Subject |
| Issuer | Issuer |
| SigAlg | Signature Algorithm |
| RevocationStatus | See below |
| Issues | See below |
| KeyStrength | Keystrength |
| DebianInsecure | true if debian flaw is found |
| NotBefore | Not valid before |
| NotAfter | Not valid after |
| NextThumbprint | Thumbprint of the signing certificate |
| NextAssessmentCooloff | Minimum timespan between the start of two assessments |
Details
ForwardSecrecy
* bit 0 (1) - set if at least one browser from our simulations negotiated a Forward Secrecy suite.
* bit 1 (2) - set based on Simulator results if FS is achieved with modern clients. For example, the server supports ECDHE suites, but not DHE.
* bit 2 (4) - set if all simulated clients achieve FS. In other words, this requires an ECDHE + DHE combination to be supported.
RenegSupport
* bit 0 (1) - set if insecure client-initiated renegotiation is supported
* bit 1 (2) - set if secure renegotiation is supported
* bit 2 (4) - set if secure client-initiated renegotiation is supported
* bit 3 (8) - set if the server requires secure renegotiation support
OpenSSLCCS
- -1 - test failed
- 0 - unknown
- 1 - not vulnerable
- 2 - possibly vulnerable, but not exploitable
- 3 - vulnerable and exploitable
OpenSSLLuckyMinus20
* -1 - test failed
* 0 - unknown
* 1 - not vulnerable
* 2 - vulnerable and insecure
Ticketbleed
- -1 - test failed
- 0 - unknown
- 1 - not vulnerable
- 2 - vulnerable and insecure
Bleichenbacher
- -1 - test failed
- 0 - unknown
- 1 - not vulnerable
- 2 - vulnerable (weak oracle)
- 3 - vulnerable (strong oracle)
- 4 - inconsistent results
Poodle
- -3 - timeout
- -2 - TLS not supported
- -1 - test failed
- 0 - unknown
- 1 - not vulnerable
- 2 - vulnerable
Known Debian Insecure
- 0 - no
- 1 - yes, but they're not weak
- 2 - yes and they're weak
Certificate Chain Issues
- bit 0 (1) - unused
- bit 1 (2) - incomplete chain (set only when we were able to build a chain by adding missing intermediate certificates from external sources)
- bit 2 (4) - chain contains unrelated or duplicate certificates (i.e., certificates that are not part of the same chain)
- bit 3 (8) - the certificates form a chain (trusted or not), but the order is incorrect
- bit 4 (16) - contains a self-signed root certificate (not set for self-signed leafs)
- bit 5 (32) - the certificates form a chain (if we added external certificates, bit 1 will be set), but we could not validate it. If the leaf was trusted, that means that we built a different chain we trusted.
Certificate Revocation Status
- 0 - not checked
- 1 - certificate revoked
- 2 - certificate not revoked
- 3 - revocation check error
- 4 - no revocation information
- 5 - internal error
Certificate Issues
- bit 0 (1) - no chain of trust
- bit 1 (2) - not before
- bit 2 (4) - not after
- bit 3 (8) - hostname mismatch
- bit 4 (16) - revoked
- bit 5 (32) - bad common name
- bit 6 (64) - self-signed
- bit 7 (128) - blacklisted
- bit 8 (256) - insecure signature
- bit 9 (512) - insecure key
Configuration
| Field | Possible Values | Description |
|---|---|---|
| Retries | any positive Integer | Numbers of Errors per Domain until the scan of this domain ultimately fails |
| ScanType | 1-5 | Defines for which Protocol the domain is scanned: 1 only HTTPS; 2 only HTTP; 3 Both; 4 Any but HTTPS is preferred; 5 Any but HTTP is preferred |
| ParallelScans | any positive Integer | Number of scans run simultaneous for this API |
| APILocation | URL | Base URL of the API |
| IgnoreMismatch | boolean | If true, Scans are performed for sites with mismatching certificates |
| StartNew | boolean | If true, no cached Results are used. |
| FromCache | boolean | If true, cached Results younger than MaxAge are used. |
| MaxAge | any positive Integer | Maximum allowed age for cached results in hours |
Documentation
¶
Index ¶
- Variables
- type Config
- type LabsCaaPolicy
- type LabsCaaRecord
- type LabsCert
- type LabsCertChain
- type LabsChain
- type LabsChainCert
- type LabsDrownHost
- type LabsEndpoint
- type LabsEndpointDetails
- type LabsError
- type LabsErrorResponse
- type LabsHpkpDirective
- type LabsHpkpPin
- type LabsHpkpPolicy
- type LabsHstsPolicy
- type LabsHstsPreload
- type LabsHttpHeader
- type LabsHttpTransaction
- type LabsInfo
- type LabsKey
- type LabsNamedGroup
- type LabsNamedGroups
- type LabsProtocol
- type LabsReport
- type LabsResults
- type LabsSimClient
- type LabsSimDetails
- type LabsSimulation
- type LabsSuite
- type LabsSuites
- type LabsTrust
- type LabsTrustPath
- type TableRow
Constants ¶
This section is empty.
Variables ¶
View Source
var APILocation = "https://api.ssllabs.com/api/v3"
View Source
var USER_AGENT = "ssllabs-scan v1.5.0 (dev $Id$)"
Functions ¶
This section is empty.
Types ¶
type Config ¶
type Config struct {
Retries int
ScanType int
ParallelScans int
APILocation string
IgnoreMismatch bool
StartNew bool
FromCache bool
MaxAge int
NewAssessmentCoolOff int64
}
CrawlerConfig
type LabsCaaPolicy ¶
type LabsCaaPolicy struct {
PolicyHostname string
CaaRecords []LabsCaaRecord
}
type LabsCaaRecord ¶
type LabsCert ¶
type LabsCert struct {
Id string
SerialNumber string
Subject string
CommonNames []string
AltNames []string
NotBefore int64
NotAfter int64
IssuerSubject string
SigAlg string
RevocationInfo int
CrlURIs []string
OcspURIs []string
RevocationStatus int
CrlRevocationStatus int
OcspRevocationStatus int
DnsCaa bool
Caapolicy LabsCaaPolicy
MustStaple bool
Sgc int
ValidationType string
Issues int
Sct bool
Sha1Hash string
Sha256Hash string
PinSha256 string
KeyAlg string
KeySize int
KeyStrength int
KeyKnownDebianInsecure bool
Raw string
}
type LabsCertChain ¶
type LabsCertChain struct {
Id string
CertIds []string
Trustpaths []LabsTrustPath
Issues int
NoSni bool
}
type LabsChain ¶
type LabsChain struct {
Certs []LabsChainCert
Issues int
}
type LabsChainCert ¶
type LabsDrownHost ¶
type LabsEndpoint ¶
type LabsEndpointDetails ¶
type LabsEndpointDetails struct {
HostStartTime int64
CertChains []LabsCertChain
Protocols []LabsProtocol
Suites []LabsSuites
NoSniSuites LabsSuites
NamedGroups LabsNamedGroups
ServerSignature string
PrefixDelegation bool
NonPrefixDelegation bool
VulnBeast bool
RenegSupport int
SessionResumption int
CompressionMethods int
SupportsNpn bool
NpnProtocols string
SupportsAlpn bool
AlpnProtocols string
SessionTickets int
OcspStapling bool
StaplingRevocationStatus int
StaplingRevocationErrorMessage string
SniRequired bool
HttpStatusCode int
HttpForwarding string
SupportsRc4 bool
Rc4WithModern bool
Rc4Only bool
ForwardSecrecy int
ProtocolIntolerance int
MiscIntolerance int
Sims LabsSimDetails
Heartbleed bool
Heartbeat bool
OpenSslCcs int
OpenSSLLuckyMinus20 int
Ticketbleed int
Bleichenbacher int
Poodle bool
PoodleTLS int
FallbackScsv bool
Freak bool
HasSct int
DhPrimes []string
DhUsesKnownPrimes int
DhYsReuse bool
EcdhParameterReuse bool
Logjam bool
ChaCha20Preference bool
HstsPolicy LabsHstsPolicy
HstsPreloads []LabsHstsPreload
HpkpPolicy LabsHpkpPolicy
HpkpRoPolicy LabsHpkpPolicy
HttpTransactions []LabsHttpTransaction
DrownHosts []LabsDrownHost
DrownErrors bool
DrownVulnerable bool
}
type LabsErrorResponse ¶
type LabsErrorResponse struct {
ResponseErrors []LabsError `json:"errors"`
}
func (LabsErrorResponse) Error ¶
func (e LabsErrorResponse) Error() string
type LabsHpkpDirective ¶
type LabsHpkpPin ¶
type LabsHpkpPolicy ¶
type LabsHpkpPolicy struct {
Header string
Status string
Error string
MaxAge int64
IncludeSubDomains bool
ReportUri string
Pins []LabsHpkpPin
MatchedPins []LabsHpkpPin
Directives []LabsHpkpDirective
}
type LabsHstsPolicy ¶
type LabsHstsPreload ¶
type LabsHttpHeader ¶
type LabsHttpTransaction ¶
type LabsNamedGroup ¶
type LabsNamedGroups ¶
type LabsNamedGroups struct {
List []LabsNamedGroup
Preference bool
}
type LabsProtocol ¶
type LabsReport ¶
type LabsReport struct {
Host string
Port int
Protocol string
IsPublic bool
Status string
StatusMessage string
StartTime int64
TestTime int64
EngineVersion string
CriteriaVersion string
CacheExpiryTime int64
CertHostnames []string
Endpoints []LabsEndpoint
Certs []LabsCert
// contains filtered or unexported fields
}
type LabsResults ¶
type LabsResults struct {
// contains filtered or unexported fields
}
type LabsSimClient ¶
type LabsSimDetails ¶
type LabsSimDetails struct {
Results []LabsSimulation
}
type LabsSimulation ¶
type LabsSimulation struct {
Client LabsSimClient
ErrorCode int
ErrorMessage string
Attempts int
CertChainId string
ProtocolId int
SuiteId int
SuiteName string
KxType string
KxStrength int
DhBits int
DhP int
DhG int
DhYs int
NamedGroupBits int
NamedGroupId int
NamedGroupName string
AlertType int
AlertCode int
KeyAlg string
KeySize int
SigAlg string
}
type LabsSuites ¶
type LabsTrustPath ¶
type TableRow ¶
type TableRow struct {
IP string
StartTime string
TestTime string
Grade string
GradeTrustIgnored string
FutureGrade string
HasWarnings bool
IsExceptional bool
NumberWeakProtocols int
WeakProtocols string
NumberProtocols int
Protocols string
NumberWeakSuites int
WeakSuites string
NumberSuites int
Suites string
ForwardSecrecy uint8
RenegSupport uint8
SupportsRC4 bool
VulnBeast bool
VulnHeartbleed bool
VulnOpenSslCcs int16
VulnOpenSSLLuckyMinus20 int16
VulnTicketbleed uint8
VulnBleichenbacher int16
VulnPoodle uint8
VulnFreak bool
VulnLogjam bool
VulnDrown bool
DhUsesKnownPrimes uint8
DhYsReuse bool
EcdhParameterReuse bool
CertificateChainIssues int16
CertificateChainLength uint8
EndEntityCertificateThumbprint sql.NullString
ScanStatus int
}
Source Files
Click to show internal directories.
Click to hide internal directories.