Python Makefile
Clone or download
tomato42 Merge pull request #444 from tomato42/timeout-in-tls13-finished
make the more robust, report better errors when it fails
Latest commit 01f44ce Aug 6, 2018
Failed to load latest commit information.
.github also ask for tlsfuzzer version in Bug issue template Jun 8, 2018
docs add slides from Fosdem 2017 conference Feb 5, 2017
scripts Merge pull request #444 from tomato42/timeout-in-tls13-finished Aug 6, 2018
tests differentiate timeout from close in error message Aug 3, 2018
tlsfuzzer fix line wrapping/formatting in Aug 3, 2018
.checkignore add ignore file for quantifiedcode Nov 24, 2015
.codeclimate.yml be more lenient with similar code Oct 10, 2016
.gitignore ignore files which are used when running with local tlslite/ecdsa lib Apr 11, 2018
.gitmodules switch dependency to tlslite-ng Jun 13, 2015
.landscape.yaml pep257 configuration Nov 24, 2015
.pep257 pep257 configuration Nov 24, 2015
.travis.yml remove external 3DES implementations from CI Jul 19, 2018 add project's code of conduct May 2, 2018 contributing guidelines May 14, 2018
LICENSE Initial commit Jan 8, 2015
Makefile verify presence of scripts in retention config in simple test run too Jul 27, 2018 add build times to readme Jul 25, 2018 - specify unit Jan 3, 2018 add VISION document May 14, 2018
build-requirements-2.6.txt move build dependencies to dedicated files Jul 16, 2018
build-requirements-3.2.txt PyYAML 3.13 dropped support for Python 3.2 Jul 16, 2018
build-requirements.txt move build dependencies to dedicated files Jul 16, 2018
requirements.txt require version that has correctly behaving pure python implementation Jul 20, 2018 basic infrastructure Feb 9, 2015

Build Status Coverage Status Code Health Code Climate

Build history


Fuzzer and test suite for TLS (SSLv2, SSLv3, v1.0, v1.1, v1.2, v1.3) implementations. Early alpha version - thus no API stability guarantees.

Ready-to-use scripts testing for many vulnerabilities ( ROBOT, DROWN, etc.) and general standards conformity (RFC 5246, RFC 7627, RFC 7905, etc.)


You'll need:

  • Python 2.6 or later or Python 3.2 or later
  • tlslite-ng 0.8.0-alpha16 or later (note that tlslite will not work and they conflict with each other)
  • ecdsa python module (dependency of tlslite-ng, should get installed automatically with it)

Optionally, to make some calculations faster, you may want to install the following libraries (see tlslite-ng README for details):

  • m2crypto
  • pycrypto
  • gmp

To get pip (if your python installation doesn't already have it) download and run:


Then install tlslite-ng:

pip install --pre tlslite-ng

(Use --upgrade --pre if you did install it before)

Download the tlsfuzzer:

git clone


After all dependencies are installed, make sure:

  • you're in the directory of the project (after git clone just cd tlsfuzzer)
  • the server you want to test is running on the same computer (localhost)
  • the server is listening on port 4433
  • and the server will answer with data to HTTP queries (answer with valid HTTP responses is optional)

Then you can run one of the tests in scripts directory, like so:

PYTHONPATH=. python scripts/

If test has additional requirements, it will output them to console. No errors printed means that all expecations were met (so for tests with bad data the server rejected our messages).

All scripts also accept --help to print the help message (specification of all the options given script supports), -h to specify the hostname or IP address of the server-to-be-tested and -p to specify the port of the service to be tested.

See for more info and how to interpret errors and failures reported by scripts.

Server under test configuration

In general, the server under test requires just a RSA certificate, you can create it using the following OpenSSL command:

openssl req -x509 -newkey rsa -keyout localhost.key -out localhost.crt -subj \
/CN=localhost -nodes -batch

Note: tlsfuzzer verifies only TLS level behaviour, it does not perform any checks on the certificate (like hostname validation, CA signatures or key usage). It does however verify if the signatures made on TLS message by the server (like in Server Key Exchange or Certificiate Verify message) match the certificate sent by the server.

More detailed instructions, including how to build the different frameworks from source, are available in the Server setup wiki page.

Example server configurations:


To test OpenSSL, it's sufficient to pass an extra -www option to a typical s_server command line:

openssl s_server -key localhost.key -cert localhost.crt -www


To test GnuTLS server, you need to tell it to behave as an HTTP server and additionally, to not ask for client certificates:

gnutls-serv --http -p 4433 --x509keyfile localhost.key --x509certfile \
localhost.crt --disable-client-cert


To test the Mozilla NSS library server, you first need to create a database with server certificate:

mkdir nssdb
certutil -N -d sql:nssdb --empty-password
openssl pkcs12 -export -passout pass: -out localhost.p12 -inkey localhost.key \
-in localhost.crt -name localhost
pk12util -i localhost.p12 -d sql:nssdb -W ''

Finally, start the server with support for TLSv1.0 and later protocols, DHE ciphers and with the above certificate:

selfserv -d sql:./nssdb -p 4433 -V tls1.0: -H 1 -n localhost


See the document for description how to set up your development environment, sanity check the changes and requirements the changes need to follow.

You may also want to read the to learn more about the planned scope of the project.

Contributors are expected to follow the project's CODE OF CONDUCT when interacting with other members of the community.