-------------------------------------------------------------------
Sat Aug 13 21:43:23 UTC 2022 - Jeff Kowalczyk

- Update to version 3.0.7
  * Fix "ID resumption test failed" bug under Darwin
  * Fix "locale error message when en_US.UTF-8 isn't available" bug
  * Fix "Darwin / LibreSSL startup problem" which leads to a question upfront
  * Make upfront handshake tests more compatible by adding
- Update to version 3.0.6
  * Bugfix: Remove DST X3 Root CA which led to trust issues for servers
    using a Let's Encrypt certificate (Miguel Jacq)
  * Bugfix: Newer openssl.cnf breaks detection of openssl binary
  * Documentation update to reflect renaming standard ciphers to cipher
    categories
  * Ignore usage of ~/.digrc where possible
  * Fix host information in JSON output when using STARTTLS XMPP
  * TLS 1.3 improvements wrt server certificates
  * Bugfix: Order of -U --ids-friendly doesn't matter anymore
  * Disable ANSI codes when TERM=screen
  * Improved SSL/TLS port detection in nmap greppable files used as input
    to testssl.sh
  * Bugfix when nmap files had .txt extension
  * Display certificate time in UTC
  * Use `uname -n` instead of hostname --> POSIX
  * Few output fixes

-------------------------------------------------------------------
Mon May 10 20:33:48 UTC 2021 - Martin Hauke

- Update to version 3.0.5
  * Fix off by one error in HSTS (now: 180 instead of 179 days)
  * Fix minor output inconsistency in JSON output (Chad)
  * Improve compatibility for OpenSSL 3.0 (David Cooper)
  * Fix localization issue for ciphers where e.g. in Swedish W is being
    treated as a variant of V so that the W in TLS_ECDHE_RSA_WITH* didn't
    match the bash pattern
  * Fixes in file openssl-iana.mapping.html (Elfranne)
  * Fix quoting for CVE+JSON output in run_heartbleed()
  * Fix trailing dot issue in hostnames
  * Fix improper halving of the dates for Let's Encrypt certificates

-------------------------------------------------------------------
Thu Nov 26 14:45:01 UTC 2020 - Matthias Fehring

- Update to version 3.0.4
  * This version is a quick fix for a regression of detecting SSLv2
    ciphers in a basic function.

-------------------------------------------------------------------
Thu Nov 19 09:50:48 UTC 2020 - Matthias Fehring

- Update to version 3.0.3
  * Update certificate stores
  * manpage fix (Karl)
  * minor speedups for some vulnerability tests
  * bash 5.1 fix
  * Secure Client-Initiated Renegotiation false positive fix
  * BREACH is now medium
  * invalid JSON fix and other JSON improvements (David)
  * Adding native Android 7 handshake instead of Chrome which has TLS 1.3
    (Christoph)
  * Header flag X-XSS-Protection is now labeled as INFO
  * No cyan colors in HTTP header flags anymore, colons added

-------------------------------------------------------------------
Fri Jul 24 08:04:11 UTC 2020 - Matthias Fehring

- Update to version 3.0.2
  * Remove potential licensing conflicts
  * Fix situations when TLS 1.3 is used for Ticketbleed check
  * Improved compatibility with LibreSSL 3.0
  * Add brotli compression to BREACH
  * Faster and more robust XMPP STARTTLS handshakes
  * More robust STARTTLS handshakes
  * Fix outputs, sometimes misleading

-------------------------------------------------------------------
Wed Apr 15 09:23:34 UTC 2020 - Martin Hauke

- Update to version 3.0.1
  * Fix hang in BEAST check when there are ciphers starting with SSL_*
    but which are not SSLv2 ciphers
  * Fix bug in setting DISPLAY_CIPHERNAMES when $CIPHERS_BY_STRENGTH_FILE
    is not available
  * Fix basic auth LF problem
  * Fix printing percent chars
  * Fix minor HTML generation bug
  * Fix security bug: sanitizing DNS input
  * make --ids-friendly work again
  * Update sneaky user agent
  * Update links in code comments
  * Cosmetic code updates
  * Fix output bug when >1 PTR records returned
  * More output fixes

-------------------------------------------------------------------
Fri Apr 3 20:05:45 UTC 2020 - Christian Boltz

- fix bash path for Leap 15.x

-------------------------------------------------------------------
Thu Jan 23 20:42:34 UTC 2020 - Martin Hauke

- Update to version 3.0
  * Full support of TLS 1.3, shows also drafts supported
  * Extended protocol downgrade checks
  * ROBOT check
  * Better TLS extension support
  * Better OpenSSL 1.1.1 and higher versions support as well as
    LibreSSL >3
  * DNS over Proxy and other proxy improvements
  * Decoding of unencrypted BIG IP cookies
  * Initial client certificate support
  * Warning of 825 day limit for certificates issued after 2018/3/1
  * Socket timeouts (--connect-timeout)
  * IDN/IDN2 servername/URI + emoji support (supposing libidn/idn2 is
    installed and DNS resolver is recent)
  * Initial support for certificate compression
  * Better JSON output: renamed IDs and findings shorter/better parsable,
    also includes certificate
  * JSON output now valid also for non-responding servers
  * Testing now per default 370 ciphers
  * Further improving the robustness of TLS sockets (sending and parsing)
  * Support of supplying timeout value for openssl connect -- useful for
    batch/mass scanning
  * File input for serial or parallel mass testing can also be in nmap
    grep(p)able (-oG) format
  * LOGJAM: now checking also for DH and FFDHE groups (TLS 1.2)
  * PFS: Display of elliptic curves supported, DH and FFDHE groups
    (TLS 1.2 + TLS 1.3)
  * Check for session resumption (Ticket, ID)
  * TLS Robustness check GREASE and more
  * Server preference distinguishes between TLS 1.3 and lower protocols
  * Mark TLS 1.0 and TLS 1.1 as deprecated
  * Does a few startup checks which make later tests easier and faster
    (determine_optimal_*())
  * Expect-CT header detection
  * --phone-out does certificate revocation checks via OCSP (LDAP+HTTP)
    and with CRL
  * --phone-out checks whether the private key has been compromised via
    https://pwnedkeys.com/
  * Missing SAN warning
  * Added support for private CAs
  * Way better handling of connectivity problems (counting those, if
    threshold exceeded -> bye)
  * Fixed TCP fragmentation
  * Added --ids-friendly switch
  * Exit codes better: 0 for running without error, 1+n for small errors,
    >240 for major errors.
  * Better error msg suppression (not fully installed OpenSSL)
  * Better parsing of HTTP headers & better output of longer HTTP headers
  * Display more HTTP security headers
  * HTTP Basic Auth support for HTTP header
  * experimental "eTLS" detection
  * Dockerfile and repo @ docker hub with that file (see above)
  * Java Root CA store added
  * Better support for XMPP via STARTTLS & faster
  * Certificate check for to-name in stream of XMPP
  * Support for NNTP and LMTP via STARTTLS, fixes for MySQL and PostgreSQL
  * Support for SNI and STARTTLS
  * More robustness for any STARTTLS protocol (fall back to plaintext
    while in TLS caused problems)
  * Renegotiation checks improved, also no false positive for Node.js
    anymore
  * Major update of client simulations with self-collected up-to-date data
  * Update of CA certificate stores
  * Lots of bug fixes
  * More travis/CI checks -- still place for improvements
  * Bigger man page review
- specfile cleanup
- Add testssl.sh.rpmlintrc

-------------------------------------------------------------------
Wed Dec 11 21:11:28 UTC 2019 - Matthias Fehring

- Update to testssl.sh 2.9.96 (aka 3.0rc6)
  * Socket timeouts (--connect-timeout)
  * IDN/IDN2 servername support
  * pwnedkeys.com support
  * Initial support for certificate compression
  * Initial client certificate support
  * Better indentation for HTTP header outputs
  * Better parsing of HTTP headers
  * Don't penalize absence of TLS 1.2 anymore if server supports TLS 1.3
    only
  * Several improvements related to protocol determination and downgrade
    responses
  * Some logic related to using TLS 1.3 aware OpenSSL binaries more or
    less automagically
  * Internal improvements to server preference checks
  * Lots of internal and some speed improvements in "pre-flight checks"
    (comes before outputting any test)
  * Mark TLS 1.0 and TLS 1.1 as deprecated
  * Support newer OpenSSL/LibreSSL versions
  * Improved detection of wrong user input when file was supplied for
    --csv, --json and --html
  * Update client handshakes with newer client data and deprecate other
    clients
  * Regression in CAA RR fixed
  * Session resumption fixes
  * Session ticket fixes
  * Fixes for STARTTLS MySQL and PostgreSQL
  * Unit tests for (almost) every STARTTLS protocol supported
  * A lot of minor fixes

-------------------------------------------------------------------
Sat Apr 27 09:55:54 UTC 2019 - Matthias Fehring

- Update to testssl.sh 2.9.95 (aka 3.0rc5)
  * Modernized client handshakes
  * Further code sanitizing
  * Fixes in CSV files and JSON files creation and some ACE loadbalancer
    related improvements
  * Fix session tickets and resumption
  * OpenSSL 1.1.1 fixes
  * Darwin OpenSSL binary
  * Updated certificate store
  * Add SSLv2 to SWEET32
- update testssl.sh-2.9.92-set-install-dir.patch to
  testssl.sh-2.9.95-set-install-dir.patch

-------------------------------------------------------------------
Tue Feb 19 10:43:36 UTC 2019 - Matthias Fehring

- Update to testssl.sh 2.9.94 (aka 3.0rc4)
  * Documentation fixes and additions
  * Add new openssl helper binaries
  * Bug fix: Scan continues if one of multiple IP addresses per hostname
    has a problem
  * "eTLS" detection ("visibility information")
  * Minimize initial warning "doesn't seem to be a TLS/SSL enabled server"
    by using sockets
  * Several improvements for SSLv2 only servers
  * Handle different cipher preference < TLS 1.3 vs. TLS 1.3
  * Clarify & improve Standard Cipher check (potentially breaking change)
  * Improve SWEET32 test
  * Finding certificates is faster and independent of openssl

-------------------------------------------------------------------
Sat Dec 1 15:58:11 UTC 2018 - Matthias Fehring

- Update to testssl.sh 2.9.93 (aka 3.0rc3)
  * add SSLv2 ciphers (total ciphers now being tested for: 370)
  * updated client simulation data
  * TLS 1.3 improvements
  * STARTTLS NNTP support
  * STARTTLS XMPP faster and more reliable
  * include DH groups (primes) in pfs section
  * Fix TCP fragmentation under remaining OS: FreeBSD / Mac OS X
  * further bugfixes and clarifications

-------------------------------------------------------------------
Wed Nov 28 09:52:06 UTC 2018 - Matthias Fehring

- initial package version 2.9.92 (aka 3.0rc2)