cfssl: Index | Files | Directories

package scan

import ""


Package Files

broad.go connectivity.go pki.go scan_common.go tls_handshake.go tls_session.go


var (
    // Network is the default network to use.
    Network = "tcp"
    // Dialer is the default dialer to use, with a 1s timeout.
    Dialer = &net.Dialer{Timeout: time.Second}
    // Client is the default HTTP Client.
    Client = &http.Client{Transport: &http.Transport{Dial: Dialer.Dial}}
    // RootCAs defines the default root certificate authorities to be used for scan.
    RootCAs *x509.CertPool
var Broad = &Family{
    Description: "Large scale scans of TLS hosts",
    Scanners: map[string]*Scanner{
        "IntermediateCAs": {
            "Scans a CIDR IP range for unknown Intermediate CAs",

Broad contains scanners for large swaths of TLS hosts on the internet.

var Connectivity = &Family{
    Description: "Scans for basic connectivity with the host through DNS and TCP/TLS dials",
    Scanners: map[string]*Scanner{
        "DNSLookup": {
            "Host can be resolved through DNS",
        "CloudFlareStatus": {
            "Host is on CloudFlare",
        "TCPDial": {
            "Host accepts TCP connection",
        "TLSDial": {
            "Host can perform TLS handshake",

Connectivity contains scanners testing basic connectivity to the host

var Default = FamilySet{
    "Connectivity": Connectivity,
    "TLSHandshake": TLSHandshake,
    "TLSSession":   TLSSession,
    "PKI":          PKI,
    "Broad":        Broad,

Default contains each scan Family that is defined

var PKI = &Family{
    Description: "Scans for the Public Key Infrastructure",
    Scanners: map[string]*Scanner{
        "ChainExpiration": {
            "Host's chain hasn't expired and won't expire in the next 30 days",
        "ChainValidation": {
            "All certificates in host's chain are valid",
        "MultipleCerts": {
            "Host serves same certificate chain across all IPs",

PKI contains scanners for the Public Key Infrastructure.

var TLSHandshake = &Family{
    Description: "Scans for host's SSL/TLS version and cipher suite negotiation",
    Scanners: map[string]*Scanner{
        "CipherSuite": {
            "Determines host's cipher suites accepted and preferred order",
        "SigAlgs": {
            "Determines host's accepted signature and hash algorithms",
        "CertsBySigAlgs": {
            "Determines host's certificate signature algorithm matching client's accepted signature and hash algorithms",
        "CertsByCiphers": {
            "Determines host's certificate signature algorithm matching client's accepted ciphers",
        "ECCurves": {
            "Determines the host's ec curve support for TLS 1.2",

TLSHandshake contains scanners testing host cipher suite negotiation

var TLSSession = &Family{
    Description: "Scans host's implementation of TLS session resumption using session tickets/session IDs",
    Scanners: map[string]*Scanner{
        "SessionResume": {
            "Host is able to resume sessions across all addresses",

TLSSession contains tests of host TLS Session Resumption via Session Tickets and Session IDs

func LoadRootCAs Uses

func LoadRootCAs(caBundleFile string) (err error)

LoadRootCAs loads the default root certificate authorities from file.

type Family Uses

type Family struct {
    // Description gives a short description of the scans performed scan/scan_common.goon the host.
    Description string `json:"description"`
    // Scanners is a list of scanners that are to be run in sequence.
    Scanners map[string]*Scanner `json:"scanners"`

Family defines a set of related scans meant to be run together in sequence.

type FamilyResult Uses

type FamilyResult map[string]ScannerResult

FamilyResult contains a scan response for a single Family

type FamilySet Uses

type FamilySet map[string]*Family

FamilySet contains a set of Families to run Scans from.

func (FamilySet) RunScans Uses

func (fs FamilySet) RunScans(host, ip, family, scanner string, timeout time.Duration) (map[string]FamilyResult, error)

RunScans iterates over AllScans, running each scan that matches the family and scanner regular expressions concurrently.

type Grade Uses

type Grade int

Grade gives a subjective rating of the host's success in a scan.

const (
    // Bad describes a host with serious misconfiguration or vulnerability.
    Bad Grade = iota
    // Warning describes a host with non-ideal configuration that maintains support for Warning clients.
    // Good describes host performing the expected state-of-the-art.
    // Skipped descibes the "grade" of a scan that has been skipped.

func (Grade) String Uses

func (g Grade) String() string

String gives the name of the Grade as a string.

type Output Uses

type Output interface{}

Output is the result of a scan, to be stored for potential use by later Scanners.

type Result Uses

type Result struct {
    Family, Scanner string

A Result contains a ScannerResult along with it's scanner and family names.

type Scanner Uses

type Scanner struct {
    // Description describes the nature of the scan to be performed.
    Description string `json:"description"`
    // contains filtered or unexported fields

Scanner describes a type of scan to perform on a host.

func (*Scanner) Scan Uses

func (s *Scanner) Scan(addr, hostname string) (Grade, Output, error)

Scan performs the scan to be performed on the given host and stores its result.

type ScannerResult Uses

type ScannerResult struct {
    Grade  string `json:"grade"`
    Output Output `json:"output,omitempty"`
    Error  string `json:"error,omitempty"`

ScannerResult contains the result for a single scan.


cryptoPackage crypto collects common cryptographic constants.
crypto/md5Package md5 implements the MD5 hash algorithm as defined in RFC 1321.
crypto/rsaPackage rsa implements RSA encryption as specified in PKCS#1.
crypto/sha1Package sha1 implements the SHA1 hash algorithm as defined in RFC 3174.
crypto/sha256Package sha256 implements the SHA224 and SHA256 hash algorithms as defined in FIPS 180-4.
crypto/sha512Package sha512 implements the SHA-384, SHA-512, SHA-512/224, and SHA-512/256 hash algorithms as defined in FIPS 180-4.
crypto/tlsPackage tls partially implements TLS 1.2, as specified in RFC 5246.

Package scan imports 18 packages (graph) and is imported by 129 packages. Updated 2018-07-28. Refresh now. Tools for package owners.