diff --git a/CHANGELOG.stable-releases.txt b/CHANGELOG.stable-releases.txt deleted file mode 100644 index c7b1fa5..0000000 --- a/CHANGELOG.stable-releases.txt +++ /dev/null 
@@ -1,396 +0,0 @@ - -2.6 New: - * display matching host key (HPKP) - * LOGJAM 1: check DHE_EXPORT cipher - * LOGJAM 2: displays DH(/ECDH) bits in wide mode on negotiated ciphers - * "wide mode" option for checks like RC4, BEAST. PFS. Displays hexcode, kx, strength, DH bits, RFC name - * binary directory provides out of the box better binaries (Linux 32+64 Bit, Darwin 64 bit, FreeBSD 64 bit) - * OS X binaries (@jvehent, new builds: @jpluimers) - * ARM binary (@f-s) - * FreeBSD binary - * TLS_FALLBACK_SCSV check -- thx @JonnyHightower - * (HTTP) proxy support! Also with sockets -- thx @jnewbigin - * Extended validation certificate detection - * Run in default mode through all ciphers at the end of a default run - * will test multiple IP adresses of one supplied server name in one shot, --ip= restricts it accordingly - * new mass testing file option --file option where testssl.sh commands are being read from, see https://twitter.com/drwetter/status/627619848344989696 - * TLS time and HTTP time stamps - * TLS time displayed also for STARTTLS protocols - * support of sockets for STARTTLS protocols - * TLS 1.0-1.1 as socket checks per default in production - * further detection of security relevant headers (reverse proxy, IPv4 addresses), proprietary banners (OWA, Liferay etc.) - * can scan STARTTLS+XMPP by also supplying the XMPP domain (to-option in XML streams). 
- * quite some LibreSSL fixes, still not recommended to use though (see https://testssl.sh/) - * lots of fixes, code improvements, even more robust - -Full log @ https://github.com/drwetter/testssl.sh/commits/2.6/testssl.sh - -2.4 New: - * "only one cmd line option at a time" is completely gone - * several tuning parameters on the cmd line (only available through environment variables b4): --assuming-http, --ssl-native, --sneaky, --warnings, --color, -- debug, --long - * certificate information - * more HTTP header infos (cookies+security headers) - * protocol check via bash sockets for SSLv2+v3 - * debug handling significantly improved (verbosity/each function leaves files in $TEMPDIR) - * BEAST check - * FREAK check - * check for Secure Client-Initiated Renegotiation - * lots of cosmetic and maintainability code cleanups - * bugfixing - -Full changelog: https://github.com/drwetter/testssl.sh/commits/2.4/testssl.sh - - -2.2. new features as: - * works fully under BSD (openssl >=1.0) - * single cipher check (-x) with pattern of hexcode/cipher - * check for POODLE SSL - * HPKP check - * OCSP stapling - * GOST and CHACHA20 POLY1305 cipher support - * service detection (HTTP, IMAP, POP, SMTP) - * runs now with all colors, b/w screen, no escape codes at all - * protocol check better - * job control removes stalling - * RFC <---> OpenSSL name space mapping of ciphers everywhere - * includes a lot of fixes - -Full changelog @ https://github.com/drwetter/testssl.sh/commits/2.2/testssl.sh - - -2.0 major release, new features: - * SNI - * STARTTLS fully supported - * RC4 check - * (P)FS check - * SPDY check - * color codes make more sense now - * cipher hexcodes are shown - * tests ciphers per protocol - * HSTS - * web and application server banner - * server prefereences - * TLS server extensions - * server key size - * cipher suite mapping from openssl to RFC - * heartbleed check - * CCS injection check - ---------------------- -Details: - -1.112 -- IPv6 display fix - 
-1.111 -- NEW: tested unter FreeBSD (works with exception of xxd in CCS) -- getent now works under Linux and FreeBSD -- sed -i in hsts sacrificed for compatibility -- reomved query for IP for finishing banner, is now called once in parse_hn_port -- GOST warning after banner -- empty build date is not displayed anymore -- long build date strings minimized -- FIXED: IPv6 address are displayed again - -1.110 -- NEW: adding Russian GOST cipher support by providing a config file on the fly -- adding the compile date of openssl in the banner - -1.109 -- minor IPv6 fixes - -1.108 -- NEW: Major rewrite of output functions. Now using printf instead of "echo -e" for BSD and MacOSX compatibility - -1.107 -- improved IP address stuff - -1.106 -- minor fixes - -1.105 -- NEW: working prototype for CCS injection - -1.104 -- NEW: everywhere *also* RFC style ciphers -- if the mapping file is found -- unitary calls to display cipher suites - -1.103 -- NEW: telnet support for STARTTLS (works only with a patched openssl version) - --> not tested (lack of server) - -1.102 -- NEW: test for BREACH (experimental) - -1.101 -- BUGFIX: muted too verbose output of which on CentOS/RHEL -- BUGFIX: muted too verbose output of netcat/nc on CentOS/RHEL+Debian - -1.100 -- further cleanup - - starttls now tests allciphers() instead of cipher_per_proto - (normal use case makes most sense here) - - ENV J_POSITIV --> SHOW_EACH_C -- finding mapping-rfc.txt is now a bit smarter -- preparations for ChaCha20-Poly1305 (would have provided binaries but - "openssl s_client -connect" with that ciphersuite fails currently with - a handshake error though client and server hello succeeded!) 
- -1.99 -- BUGFIX: now really really everywhere testing the IP with supplied name -- locking out openssl < 0.9.8f, new function called "old_fart" ;-) -- FEATURE: displaying PTR record of IP -- FEATURE: displaying further IPv4/IPv6 addresses -- bit of a cleanup - -1.98 -- http_header is in total only called once -- better parsing of default protocol (FIXME shouldn't appear anymore) - -1.97 -- reduced sleep time for server hello and payload reply (heartbleed) - -1.96 -- NEW: (experimental) heartbleed support with bash sockets (shell only SSL handshake!) - see also https://testssl.sh/bash-heartbleed.sh - -1.95 (2.0rc3) -- changed cmdline options for CRIME and renego vuln to uppercase -- NEW: displays server key size now -- NEW: displays TLS server extensions (might kill old openssl versions) -- brown warning if HSTS < 180 days -- brown warning if SSLv3 is offered as default protocol - -1.94 -- NEW: prototype of mapping to RFC cipher suite names, needed file mapping-rfc.txt in same dir - as of now only used for 'testssl.sh -V' -- internal renaming: it was supposed to be "cipherlists" instead of "ciphersuites" -- additional tests for cipherlists DES, 3DES, ADH - -1.93 -- BUGFIX: removed space in Server banner fixed (at the expense of showing just nothing if Server string is empty) - -1.92 -- BUGFIX: fixed error of faulty detected empty server string - -1.91 -- replaced most lcyan to brown (=not really bad but somehow) -- empty server string better displayed -- prefered CBC TLS 1.2 cipher is now brown (lucky13) - -1.90 -- fix for netweaver banner (server is lowercase) -- no server banner is no disadvantage (color code) -- 1 more blank proto check -- server preference is better displayed - -1.89 -- reordered! : protocols + cipher come first -- colorized prefered server preference (e.g. 
CBC+RC4 is light red now, TLSv1.2 green) -- SSLv3 is now light cyan -- NEW: -P|--preference now in help menu -- light cyan is more appropriate than red for HSTS - -1.88 -- NEW: prototype for protocol and cipher preference -- prototype for session ticket - -1.87 -- changed just the version string to rc1 - -1.86 - - NEW: App banner now production, except 2 liners - - DEBUG: 1 is now true as everywhere else - - CRIME+Renego prettier - - last optical polish for RC4, PFS - -1.85 - - NEW: appbanner (also 2 lines like asp.net) - - OSSL_VER_MAJOR/MINOR/APPENDIX - - less bold because bold headlines as bold should be reserved for emphasize findings - - tabbed output also for protocols and cipher classes - - unify neat printing - -1.84 - - NEW: deprecating openssl version <0.98 - - displaying a warning >= 0.98 < 1.0 - - NEW: neat print also for all ciphers (-E,-e) - -1.83 -- BUGFIX: results from unit test: logical error in PFS+RC4 fixed -- headline of -V / PFS+RC4 ciphers unified - -1.82 -- NEW: output for -V now better (bits seperate, spacing improved) - -1.81 -- output for RC4+PFS now better (with headline, bits seperate, spacing improved) -- both also sorted by encr. strength .. umm ..err bits! - -1.80 -- order of finding supplied binary extended (first one wins): - 1. use supplied variable $OPENSSL - 2. use "openssl" in same path as testssl.sh - 3. use "openssl.`uname -m`" in same path as testssl.sh - 4. 
use anything in system $PATH (return value of "which" - -1.79 -- STARTTLS options w/o trailing 's' now (easier) -- commented code for CRIME SPDY -- issue a warning for openssl < 0.9.7 ( that version won't work anyway probably) -- NPN protos as a global var -- pretty print with fixed columns: PFS, RC4, allciphers, cipher_per_proto - -1.78 -- -E, -e now sorted by encryption strength (note: it's only encr key length) -- -V now pretty prints all local ciphers -- -V now pretty prints all local ciphers matching pattern (plain string, no regex) -- bugfix: SSLv2 cipher hex codes has 3 bytes! - -1.77 -- removed legacy code (PROD_REL var) - -1.76 -- bash was gone!! desaster for Ubuntu, fixed -- starttls+rc4 check: bottom line was wrong -- starttls had too much output (certificate) at first a/v check - -1.75 -- location is now https://testssl.sh -- be nice: banner, version, help also works for BSD folks (on dash) -- bug in server banner fixed -- sneaky referer and user agent possible - -1.74 -- Debian 7 fix -- ident obsoleted - -1.72 -- removed obsolete GREP -- SWURL/SWCONTACT -- output for positive RC4 better - -1.71 -- workaround for buggy bash (RC4) -- colors improved - - blue is now reserved for headline - - magenta for local probs - - in RC4 removal of SSL protocol provided by openssl - -1.70 -- DEBUG in http_headers now as expected --
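Review bot: Removing CHANGELOG.stable-releases.txt outright (deleted file mode, hunk -1,396 +0,0) drops the only in-tree record of which release introduced each check, and nothing in this diff adds a replacement or a pointer to one. The removed text ties LOGJAM and TLS_FALLBACK_SCSV to 2.6, FREAK and BEAST to 2.4, POODLE to 2.2, and heartbleed and CCS injection to 2.0. Users comparing results across testssl.sh versions rely on that mapping. The "Full log @ .../commits/2.6/testssl.sh" style links in the removed lines exist only for 2.2, 2.4 and 2.6, so the 2.0 feature list and the per-revision details (1.70 through 1.112) would remain only in this file's git history. If the changelog is being moved or superseded, state where in the commit message and leave a short stub or documentation link in the tree. Otherwise consider keeping the file.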