SSLChecker is a serverless API written in Python and running on Azure Functions. The API is based on Alban Diquet's SSLyze library. SSLChecker is used to identify obsolete versions of SSL/TLS (e.g., SSL 3.0, and TLS 1.0/1.1) on an endpoint, or perform a full scan to identify all supported versions of SSL/TLS on an endpoint.
Python - Python 3.7 and 3.8 (64-bit). Python 3.9 is not supported yet.
Development - To set up a local development environment, follow the guidance from Microsoft here.
Deployment - As part of the above setup, you will be able to deploy to Azure using the azure-cli. Additionally, Azure DevOps or another CI/CD tool is capable of deploying to Azure.
Invoke the function on the command line using curl:
curl https://<functionname>.azurewebsite.net/api/{scan:alpha}/{view:alpha}/{target}/{port}
There are four parts to pass to the URI: scan, view, target, and port.
"scan" is the type of scan: policy or full. Currently, the default policy prohibits using SSL 2.0/3.0, TLS 1.0/1.1 and some TLS 1.2 ciphers, so the policy scan will identify which unsupported ciphers are in use, if any. A full scan will report back all supported ciphers.
Since corporations often use split-view DNS, "view" in this context is the network viewpoint you want to scan, either internal or external. This is accomplished by specifying a valid DNS server to use for name resolution. The default value for external will use OpenDNS (e.g. 208.67.222.222). The default for internal will be 0.0.0.0 and will result in an error if a scan is attempted and no internal DNS server is specified. Please modify the config.ini file to use an internal DNS server.
"target" should be the DNS domain name or IP that you would like to scan (i.e., github.com or 140.82.113.4).
"port" is optional and if omitted will default to TCP 443.
Microsoft has extensive documentation on how to secure an HTTP endpoint in Azure Functions here. There are two main ways to secure a function: Turn on App Service Authentication/Authorization for the function app, or use Azure API Management (APIM) to authenticate requests. Additionally, Azure functions support API key authorization that you can supply either as a query string variable or in a HTTP header. Microsoft states that API key authorization is not intended as a way to secure an HTTP trigger in production
By default, I have set the authLevel in the function.json file to anonymous. Please note, when running functions locally, authorization is disabled regardless of the specified authorization level.
If you plan on running SSLChecker on the internet, please consider one of the above options for authentication.
Send me mail at joe@metlife.com