SHA256
1
0
forked from pool/sslscan
sslscan/sslscan.changes
2024-02-26 18:49:40 +00:00

380 lines
14 KiB
Plaintext

-------------------------------------------------------------------
Sat Jan 27 13:27:05 UTC 2024 - Dirk Müller <dmueller@suse.com>
- update to 2.1.3:
* Enable quiet shutdown for scanning
* Fix Docked build on non-x64 architectures
-------------------------------------------------------------------
Sat Nov 25 16:47:33 UTC 2023 - Dirk Müller <dmueller@suse.com>
- update to 2.1.2:
* Fix certificate and cipher enumeration when unsafe
renegotiation is required
-------------------------------------------------------------------
Fri Nov 10 15:21:49 UTC 2023 - Dirk Müller <dmueller@suse.com>
- update to 2.1.1:
* Work around several dodgy TLS implementations
-------------------------------------------------------------------
Thu Sep 14 12:41:24 UTC 2023 - Andrea Manzini <andrea.manzini@suse.com>
- update to 2.1.0:
* Build against OpenSSL 3.0 instead of 1.1.0 (credit jtesta)
-------------------------------------------------------------------
Sun Apr 16 17:56:03 UTC 2023 - Dirk Müller <dmueller@suse.com>
- update to 2.0.16:
* Fix incorret detection of TLSv1.3 on Server 2019
* Fix incorrect XML certificate output
-------------------------------------------------------------------
Tue Aug 2 11:31:57 UTC 2022 - Dirk Müller <dmueller@suse.com>
- update to 2.0.15:
* Obtain certificate info even if we can't connect properly
* Strip out https:// from lines in a target file
* Fix TLSv1.3 detection against Server 2022 (credit jtesta)
-------------------------------------------------------------------
Sun Mar 27 19:36:15 UTC 2022 - Dirk Müller <dmueller@suse.com>
- update to 2.0.12:
* Add <not-yet-valid> XML element (credit lucacapacci)
-------------------------------------------------------------------
Tue Jan 4 18:30:00 UTC 2022 - Dirk Müller <dmueller@suse.com>
- update to 2.0.11:
* Add --iana-names option to use IANA/RFC cipher names
* Improve signature algorithm detection
-------------------------------------------------------------------
Tue May 11 21:50:32 UTC 2021 - Dirk Müller <dmueller@suse.com>
- update to 2.0.10:
* Add the --connect-timeout option (credit alkalim)
* Fix a typo in output
* Warn on TLSv1.1, as it's now deprecated by RFC 8996
* Fix a bug with LDAP STARTTLS
* Fix certificate detection on some broken servers
* Fix missing SCSV Fallback in XML output
* Don't show server signature algorithms by default
* Use --show-sigs to display them
-------------------------------------------------------------------
Fri Dec 18 10:01:53 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Upgrade to version 2.0.6
* Add <error> element to XML output
* Fix the extraneous padding of HTTP responses in XML
* Update the HTTP request to HTTP/1.1
* More robust checking the HTTP response is valid
* Display "No response" when no HTTP response is returned
* Remove the broken HTTP request scanning option (--http)
* Fix --targets not working properly
* Flag certificates in red if CN is the same as issuer
-------------------------------------------------------------------
Mon Sep 28 10:16:55 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Upgrade to version 2.0.1
* Correctly set SNI name when using --targets. Fixes gh#rbsec/sslscan#215
-------------------------------------------------------------------
Thu Jul 23 12:25:27 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Upgrade to version 2.0.0
Version 2 of sslscan includes a major rewrite of the backend scanning code,
which means that it is no longer reliant on the version of OpenSSL for many
checks. This means that it is possible to support legacy protocols (SSLv2 and
SSLv3), as well as supporting TLSv1.3 - regardless of the version of OpenSSL
that it has been compiled against. It is still recommended to build statically
where possible, but dynamically built version should be significantly more
useful.
Note that there are also some breaking changes to the XML output, which are
documented in the readme file.
This rewrite been made possible largely by the work of jtesta, who has been
responsible for most of the backend rewrite.
- Cleaned up spec file
-------------------------------------------------------------------
Wed Jul 22 14:11:33 UTC 2020 - Wolfgang Frisch <wolfgang.frisch@suse.com>
- Upgrade to version 2.0.0-beta6
* Various bugfixes
* Added -4 and -6 options to force IPv4 and IPv6.
* Added strength attribute to XML to reflect colouring in stdout
* Checks for server signature algorithms.
* Checks for server key exchange groups.
* Support for SSLv2 and SSLv3 protocol detection regardless of OpenSSL
* Support for TLSv1.3
* Support for additional cipher suites.
* Print curve name and key strength for ECC certs
* Fix a bug with servers that return incorrect cipher IDs.
* Add a new "<certificates>" element to the XML output.
* Remove the "Signature Algorithm:" text and spacing from the XML.
* Report servers that accept any signature algorithm in the XML
- Rebased fedora-sslscan-patents.patch
- OpenSSL dependency bumped to >= 1.1
-------------------------------------------------------------------
Fri Feb 2 12:34:34 UTC 2018 - jweberhofer@weberhofer.at
- Simplified requirements
-------------------------------------------------------------------
Thu Feb 1 16:46:03 UTC 2018 - jweberhofer@weberhofer.at
- Use openssl<1.1 for suse_version >= 1500
-------------------------------------------------------------------
Mon Dec 25 06:30:34 UTC 2017 - jweberhofer@weberhofer.at
- Fix building on factory (use openssl 1.0.0)
- Upgrade to version 1.11.10
* Support for ChaCha ciphers
* Add support for STARTTLS on mysql (--starttls-mysql)
* Display SNI information in XML output
* Mark SHA-1 certificates as weak
-------------------------------------------------------------------
Mon Dec 18 06:03:17 UTC 2017 - jweberhofer@weberhofer.at
- Fixed building on SLES systems
-------------------------------------------------------------------
Mon Nov 28 23:49:30 UTC 2016 - jweberhofer@weberhofer.at
- Upgrade to version 1.11.8
* Support alternate SNI hostnames (--sni=)
* Allow building with no support for TLS SCSV Fallback
- Removed SSL_MODE_SEND_FALLBACK_SCSV (integrated upstream)
-------------------------------------------------------------------
Mon Oct 31 13:51:36 UTC 2016 - manfred.h@gmx.net
- SSL_MODE_SEND_FALLBACK_SCSV.patch: Add patch to treat SSL_MODE_SEND_FALLBACK_SCSV conditionally.
-------------------------------------------------------------------
Thu Oct 27 09:12:12 UTC 2016 - jweberhofer@weberhofer.at
- Highlighted features:
* Support for
- STARTTLS: POP3, IMAP, FTP, XMPP
- PostgreSQL
- IPv6 addresses
- TLSv1.1 and TLSv1.2
- XMPP server-to-server connections
* Added check for
- OpenSSL Heartbleed
- POODLE
* Highlight the following issues
- weak RSA and DHE keys in output
- SSLv2, SSLv3, RC4 ciphers
- anonymous ADH and AECDH ciphers
- weak (n <= 40 bit) and medium (40 < n <= 56 bit)
* Certificates
- Display certificate signing algorithm highlighting weak algorithms.
- Display certificate key strength highlighting weak keys.
- Flag expired certificates
* Most secure protocols are scanned first
* Display cipher details by default
- rebased fedora-sslscan-patents.patch
- removed obsolete patches
- Upgraded to version 1.11.7
* Check for TLS Fallback SCSV
* Allow xml to be output on stdout (--xml=-)
- Version 1.11.6
* Re-eanble support for weak (<1024) DH keys in OpenSSL
- Version 1.11.5
* Fix bug in heartbleed check (credit nuxi)
* Makefile improvements and fixes for OSX and FreeBSD
* Optimize OpenSSL clone
* Implement --show-times to display handshake times in milliseconds
- Version 1.11.4
* Fix compression detection (credit nuxi)
* Added support for PostgreSQL (credit nuxi)
- Version 1.11.3
* Properly fix missing SSLv2 EXPORT ciphers by patching OpenSSL
- Version 1.11.2
* Makefile improvements
* Update OpenSSL from Git when statically building
* Use enable-ssl2 and enable-weak-ciphers when building statically
- Version 1.11.1
* Show cipher IDs with --show-cipher-ids (credit maurice2k)
* Warn when building agsinst system OpenSSL rather than statically
* Allow building statically on OSX (experimental)
- Version 1.11.0
* Rewrote ciphersuite scanning engine to be much faster
* Ciphers are now output in order of server preference
* Most secure protocols are scanned first (TLSv1.2 -> SSLv2)
* All protocols are tried when trying to obtain the certificate
* Obselete --failed and --no-preferred-ciphers options removed
* Flag TLSv1.0 ciphers in output
* Flag 56 bit ciphers as red, not yellow
* Fix building on OpenBSD (credit Stuart Henderson)
* Fix incorrect output when server prefers NULL ciphers
- Version 1.10.6
* Fix --sleep only working for whole seconds (credit dmke)
* Fix compiling against OpenSSL 0.9.8 (credit aclemons)
* Flag expired certificates (credit jacktrice)
- Version 1.10.5
* Added IRC STARTTLS support (--starttls-irc, credit jkent)
* Highlight weak RSA keys in output
* Added option to show OCSP status (--ocsp, credit kelbyludwig)
* Fix a segfault with certificate parsing
- Version 1.10.4
* Display cipher details by default (hide with --no-cipher-details)
* Fix scanning multiple targets if one fails (credit shellster)
* Fix bug with --no-color and --failed (credit yasulib)
* Minor bugfixes to output
- Version 1.10.3
* Flag weak DHE keys in --cipher-details
* Report DHE key bits in XML
* Change ECDHE key bits to "ecdhebits" rather than "dhebits" in XML
- Version 1.10.2
* Wrap TLS extensions in CDATA blocks in XML output.
* Fix incorrect TLS versions in heartbleed checks
- Version 1.10.1
* Fix XML output to use "TLSv1.0" in preferred ciphers, not "TLSv1"
* Added --cipher-details option to display EC curves and EDH keys
Note that this feature requires OpenSSL >= 1.0.2
* Update static build options to compile against OpenSSL 1.0.2
- Version 1.10.0
* Experimental build support (credit jtesta).
* Support XMPP server-to-server connections (--xmpp-server).
- Version 1.9.11
* Makefile updates to assist packaging in Kali.
* Fix missing static build number when compiling from tarball.
- Version 1.9.10
* Display certificate CN, Altnames and Issuer in default output.
* Flag certificates where CN == issuer, or CN = *
* Highlight GCM ciphersuites as good
- Version 1.9.9
* Added --show-client-cas option to determine trusted CAs
for client authentication
* Added --no-preferred option to disable any output except specified
- Version 1.9.8
* Added --sleep option to pause between request
* Only check for heartbleed against specified TLS version
* Added --sleep option to pause between request
* Fix issues compiling against OpenSSL 0.9.8
* Highlight CBC ciphersuites on SSLv3 (POODLE)
* Experimental build support on OSX (credit MikeSchroll)
- Version 1.9.7
* Added option for static compilation with OpenSSL (credit dmke)
* Added "sslmethod" attribute to Heartbleed XML output (credit dmke)
* Split headers into sslscan.h (credit dmke)
- Version 1.9.6
* Highlight NULL ciphers in output.
* Highlight SSLv3 ciphers.
* Added --rdp option to support RDP servers (credit skettler).
* Added --timeout option to set socket timeout (default 3s).
- Version 1.9.5
* Renamed --get-certificate option to --show-certficate.
* Display certificate signing algorithm highlighting weak algorithms.
* Display certificate key strength highlighting weak keys.
* Bumped XML version to 1.9.5 due to minor changes.
- Version 1.9.4
* Check for SSLv2 and SSLv3 ciphers over STARTTLS.
- Version 1.9.3
* Fixed broken STARTTLS SMTP check.
- Version 1.9.2
* Added check for OpenSSL Heartbleed (CVE-2014-0160).
- Version 1.9.1
* Added --tlsall option to only scan TLS ciphersuites.
* Scan all TLS versions by default for STARTTLS services.
* Added support for IPv6 addresses using square bracket notation [:1].
* Highlight anonymous (ADH and AECDH) ciphers in output.
* Added option to disable colour in output (--no-colour).
* Removed undocumented -p output option.
* Removed old references to titania.co.uk domain.
- Version 1.9
* Highlight SSLv2 ciphers
* Highlight weak (n <= 40 bit) and medium (40 < n <= 56 bit) ciphers
* Highlight RC4 ciphers
* Highlight anonymous (ADH) ciphers
* Hide certificate information by default
* Hide rejected ciphers by default (display with --failed).
* Added TLSv1.1 and TLSv1.2 support (merged from twwbond/sslscan).
* Compiles if OpenSSL does not support SSLv2 ciphers (merged from digineo/sslscan).
* Supports IPv6 hostnames (can be forced with --ipv6).
* Check for TLS compression (CRIME, disable with --no-compression)
- Version 1.8.4
* Add demo targets in Makefile
* Refactoring of code by Adam Langley
* Add SNI patch from Tim Brown
* Bug fixes from craSH and Cygwin build improvements
- Version 1.8.3
* Improve new protocol setup support for STARTTLS: POP3, IMAP, FTP, and
XMPP This modeled after the support found in OpenSSL's s_client
* Add verbose option to print more info
* Add default ports when a STARTTLS setup flag is called without any port at all
-------------------------------------------------------------------
Sun Apr 27 17:35:29 UTC 2014 - lars@linux-schulserver.de
- enable parallel build
-------------------------------------------------------------------
Tue Sep 11 14:16:02 UTC 2012 - frank.lichtenheld@sophos.com
- add TLSv1.1 and TLSv1.2 support for OpenSSL >= 1.0.1
-------------------------------------------------------------------
Fri Aug 10 21:09:50 UTC 2012 - frank.lichtenheld@sophos.com
- import patch from fedora to allow building on fedora
-------------------------------------------------------------------
Thu Aug 9 20:01:09 UTC 2012 - frank.lichtenheld@sophos.com
- initial packaging
* patches taken from Debian packaging