ssllabs.endpointdetails

class ssllabs.endpointdetails.CompressionMethods(data)

Bases: object

supported compression methods, from EndpointDetails.compressionMethods()

deflate

set for DEFLATE

class ssllabs.endpointdetails.EndpointDetails(data)

Bases: ssllabs.object.Object

Detailed information about an endpoint, accessed from ssllabs.endpoint.Endpoint.details()

cert

certificate information as a ssllabs.cert.Cert

chaCha20Preference

true if the server takes client preferences into account when deciding whether to use ChaCha20 suites.

chain

chain information, as a ssllabs.chain.Chain

compressionMethods

integer value that describes supported compression methods, as a CompressionMethods

dhPrimes

list of DH primes used by the server (as raw binary bytes objects). Not present if the server doesn’t support the DH key exchange.

dhUsesKnownPrimes

whether the server uses known DH primes. Not present if the server doesn’t support the DH key exchange. Possible values:

0 - no
1 - yes, but they’re not weak
2 - yes and they’re weak

dhYsReuse

true if the DH ephemeral server value is reused. Not present if the server doesn’t support the DH key exchange.

drownErrors

true if an error occurred in the DROWN test.

drownHosts

list of DROWN hosts as ssllabs.drownhost.DrownHost. Experimental.

drownVulnerable

true if the server is vulnerable to the DROWN attack.

fallbackScsv

true if the server supports TLS_FALLBACK_SCSV, false if it doesn’t. This field will not be available if the server’s support for TLS_FALLBACK_SCSV can’t be tested because it supports only one protocol version (e.g., only TLS 1.2).

forwardSecrecy

indicates support for Forward Secrecy, as a ForwardSecrecy object

freak

true if the server is vulnerable to the FREAK attack, meaning it supports 512-bit key exchange.

hasSct

information about the availability of certificate transparency information (embedded SCTs) as HasSct

heartbeat

true if the server supports the Heartbeat extension.

heartbleed

true if the server is vulnerable to the Heartbleed attack.

hostStartTime

endpoint assessment starting time, in milliseconds since 1970. This field is useful when test results are retrieved in several HTTP invocations: check that the hostStartTime value matches the startTime value of the host.

hpkpPolicy

server’s HPKP policy as a ssllabs.hpkppolicy.HpkpPolicy. Experimental.

hpkpRoPolicy

server’s HPKP RO (Report Only) policy as a ssllabs.hpkppolicy.HpkpPolicy. Experimental.

hstsPolicy

server’s HSTS policy as a ssllabs.hstspolicy.HstsPolicy. Experimental.

hstsPreloads

information about preloaded HSTS policies as a list of ssllabs.hstspreload.HstsPreload

httpForwarding

available on a server that responded with a redirection to some other hostname.

httpStatusCode

status code of the final HTTP response seen. When submitting HTTP requests, redirections are followed, but only if they lead to the same hostname. If this field is not available, that means the HTTP request failed.

key

key information, as a ssllabs.key.Key

logjam

true if the server uses DH parameters weaker than 1024 bits.

miscIntolerance

indicates various other types of intolerance as MiscIntolerance

nonPrefixDelegation

true if this endpoint is reachable via a hostname without the www prefix

npnProtocols

list of supported protocols

ocspStapling

true if OCSP stapling is deployed on the server

openSSLLuckyMinus20

results of the CVE-2016-2107 test:

-1 - test failed
0 - unknown
1 - not vulnerable
2 - vulnerable and insecure

openSslCcs

results of the CVE-2014-0224 test:

-1 - test failed
0 - unknown
1 - not vulnerable
2 - possibly vulnerable, but not exploitable
3 - vulnerable and exploitable

poodle

true if the endpoint is vulnerable to POODLE; false otherwise

poodleTls

results of the POODLE TLS test:

-3 - timeout
-2 - TLS not supported
-1 - test failed
0 - unknown
1 - not vulnerable
2 - vulnerable

prefixDelegation

true if this endpoint is reachable via a hostname with the www prefix

protocolIntolerance

indicates protocol version intolerance issues as ProtocolIntolerance

protocols

supported protocols, as a list of ssllabs.protocol.Protocol

rc4Only

true if only RC4 suites are supported.

rc4WithModern

true if RC4 is used with modern clients.

renegSupport

a RenegSupport object that describes the endpoint’s support for renegotiation

serverSignature

Contents of the HTTP Server response header when known. This field could be absent for one of two reasons: 1) the HTTP request failed (check httpStatusCode) or 2) there was no Server response header returned.

sessionResumption

an integer value that describes endpoint support for session resumption. The possible values are:

0 - session resumption is not enabled and we’re seeing empty session IDs
1 - endpoint returns session IDs, but sessions are not resumed
2 - session resumption is enabled

sessionTickets

indicates support for Session Tickets, as a SessionTickets object

sims

instance of SimDetails.

sniRequired

true if SNI support is required to access the web site.

staplingRevocationErrorMessage

description of the problem with the stapled OCSP response, if any.

staplingRevocationStatus

same as ssllabs.cert.Cert.revocationStatus(), but for the stapled OCSP response.

suites

supported cipher suites, as a ssllabs.suites.Suites

supportsNpn

true if the server supports NPN

supportsRc4

true if the server supports at least one RC4 suite.

vulnBeast

true if the endpoint is vulnerable to the BEAST attack
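
The EndpointDetails fields above mix booleans, integer result codes and fields that may be absent, so a consumer should never read a missing or failed test as a pass. The following is an added example, not code from the ssllabs library or from this page: it triages a plain dict shaped like the raw details JSON rather than the wrapper objects. The names `triage`, `verdict` and `SAMPLE`, the verdict labels, the sample values and the use of bit 0 for renegSupport and compressionMethods are assumptions.

```python
# Added example: triage of a plain dict shaped like the raw "details" JSON.
# It does not use the ssllabs wrapper classes documented on this page.
BOOL_FIELDS = ["heartbleed", "freak", "logjam", "poodle", "vulnBeast",
               "drownVulnerable", "rc4Only", "dhYsReuse"]

# Integer-coded results listed on this page. Any code that is not mapped
# (test failed, unknown, timeout, not supported) is reported as inconclusive.
CODED = {
    "openSslCcs": {1: "ok", 2: "warn", 3: "fail"},
    "openSSLLuckyMinus20": {1: "ok", 2: "fail"},
    "poodleTls": {1: "ok", 2: "fail"},
    "dhUsesKnownPrimes": {0: "ok", 1: "ok", 2: "fail"},
}

# Assumption: bit 0 marks insecure client-initiated renegotiation and DEFLATE.
BIT0_FIELDS = ["renegSupport", "compressionMethods"]


def verdict(value):
    """Map a tri-state flag (True / False / absent) to a verdict string."""
    return "inconclusive" if value is None else ("fail" if value else "ok")


def triage(details):
    """Return {field: verdict}; a missing field is never reported as 'ok'."""
    out = {name: verdict(details.get(name)) for name in BOOL_FIELDS}
    # A DROWN result only counts if the test itself ran without errors.
    if details.get("drownErrors"):
        out["drownVulnerable"] = "inconclusive"
    for name, mapping in CODED.items():
        out[name] = mapping.get(details.get(name), "inconclusive")
    for name in BIT0_FIELDS:
        value = details.get(name)
        out[name] = verdict(None if value is None else value & 0x1)
    # fallbackScsv is absent when only one protocol version is supported.
    scsv = details.get("fallbackScsv")
    out["fallbackScsv"] = "n/a" if scsv is None else ("ok" if scsv else "warn")
    return out


# Constructed sample: no DH key exchange, CCS test failed, DROWN test errored.
SAMPLE = {
    "heartbleed": False, "freak": False, "logjam": False, "poodle": True,
    "vulnBeast": False, "drownVulnerable": False, "drownErrors": True,
    "rc4Only": False, "openSslCcs": -1, "openSSLLuckyMinus20": 1,
    "poodleTls": 1, "renegSupport": 2, "compressionMethods": 0,
}

if __name__ == "__main__":
    for field, result in sorted(triage(SAMPLE).items()):
        print(f"{field:22} {result}")
```
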

class ssllabs.endpointdetails.ForwardSecrecy(data)

Bases: object

indicates support for Forward Secrecy, from EndpointDetails.forwardSecrecy()

allacheived

set if all simulated clients achieve FS. In other words, this requires an ECDHE + DHE combination to be supported

modernacheived

set based on Simulator results if FS is achieved with modern clients. For example, the server supports ECDHE suites, but not DHE

negotiated

set if at least one browser from our simulations negotiated a Forward Secrecy suite

class ssllabs.endpointdetails.HasSct(data)

Bases: object

information about the availability of certificate transparency information (embedded SCTs), from EndpointDetails.hasSct()

sctincertificate

SCT in certificate

sctinstapledocsp

SCT in the stapled OCSP response

sctintlsextension

SCT in the TLS extension (ServerHello)

class ssllabs.endpointdetails.MiscIntolerance(data)

Bases: object

indicates various other types of intolerance, from EndpointDetails.miscIntolerance()

extensionintolerance

extension intolerance

longhandshakeintolerance

long handshake intolerance

longhandshakeworkaround

long handshake intolerance workaround success

class ssllabs.endpointdetails.ProtocolIntolerance(data)

Bases: object

indicates protocol version intolerance issues, from EndpointDetails.protocolIntolerance()

TLS_1_0

TLS 1.0

TLS_1_1

TLS 1.1

TLS_1_152

TLS 1.152

TLS_1_2

TLS 1.2

TLS_1_3

TLS 1.3

TLS_2_152

TLS 2.152

class ssllabs.endpointdetails.RenegSupport(data)

Bases: object

support for renegotiation, from EndpointDetails.renegSupport()

clientinitiated

set if insecure client-initiated renegotiation is supported

secure

set if secure renegotiation is supported

secureclientinitiated

set if secure client-initiated renegotiation is supported

serverrequiressecure

set if the server requires secure renegotiation support

class ssllabs.endpointdetails.SessionTickets(data)

Bases: object

support for session tickets, from EndpointDetails.sessionTickets()

faulty

set if the implementation is faulty [not implemented]

intolerant

set if the server is intolerant to the extension

supported

set if session tickets are supported