- option long changed to wide
- PFS now is per default not wide
- PFS comes after standard cipher lists
- debug output improved (in terms of privacy and additional info)
- little bit more robust for strange keysize and dh bits
- added ecdsa-with-SHA256 to Signature Algorithm
- FIX: no TLS1+SSL3 resulted in no output for BEAST
- FIX#92
- FIX for TLS time (difftime was too small for local clock skew)
- warning for freebsd/macosx w/o ports need now a "yes"
- TLS 1.0 not offered is not bold anymore
- output weirdness fixed for cipher order in spdy
- FIX: 2 occurrances of OPENSSL calls had a hostname instead of an IP address
- FIX: starttls protocol correctly displayed
- NEW added duplicate detection for header flags
- NEW: added four GOST cipher to standard socket handshake
- recommends if openssl 1.0.2 is used and results were strange and IIS6 --> run wqith openssl 1.0.1
- declared some global vars as readonly
to =< 1.0.1) finding the right protocol before
- hints for IIS6+openssl 1.0.2 non-conformity #99
- version bumped up to 2.4rc2
- better formatting for BSD in cipher order
- FIX: 2x bug for cipher order + sslv2
- preambel revisited
- http date
- cipher list in preferences
- GET_REQ11 now closes the connection
- openssl_age comes afeter the banner so that help doesn't need to go thru this
- uname -s ==> SYSTEM
- X-Powered-By is easy to remove (PHP, ASP.NET), thus labelled as yellow
- same X-AspNet-Version (version # itself is brown)
- better addressed address resolution failures ;-)
- bumped up version to 2.4rc1
- feature: integrated TLS+HTTP time into server defaults
- NEW: option: -U/vulnerable
- moved explanation for BREACH into result
- FREAK and CCS are not labled experimental anymore
- unifying of get request headers
- readability of help
- introducng a variable name LONG which for certain funcs shows broad output with hexc, cipher, KX, etc.
- FIX: regression not showing security headers
- introducing VULN_THRESHLD
(timeout was faster then socket resply)
- FIX: CORS header not labeled as green
- NEW: Now also STARTTLS works with all cmd line options and is absolutely doing the same stuff!
(integrated starttls() into parse_hn_port() )
- option --mx needed to be changed because of starttls
- regression fix: exec for socket doesn't play nice with stderr redirect
(probably bash bug)
- added some env options to cmd line as long args (--assuming-http,--ssl_native,
--color, debug, --sneaky, --warnings)
- threw away getent as it doesn't work under Linux && not network && localhost
(replaced by grep)
- SSL-POODLE is not labeled anymore experimental
- HB+CCS are called while checking STARTTLS but given a hint that its not yet supported
- added more env vars to debug output
- cleanups
- FIX regression: capitalized/all lowercase headers weren't detected
- if socksend is blocked (IDS) output looks better and is reported as test didn't succeed
- no secure cookie or Httponly will be marked as brown
- tput color yellow is now brown
- logic of some ENV variables changed (attention!)
- included some ENV as long options (not in the help yet)
- decentralized http check for breach
- if openssl is not executable it bails out better now
- help function now exits
Note that due to the refactoring of some status messages, the output will be slightly different (more verbose) than previous versions
Moved specific status messages to http_header()
Moved specific status messages to breach()
Moved specific status messages to ccs_injection()
Moved specific status messages to heartbleed()
Moved specific status messages to renego()
Moved specific status messages to crime()
Moved specific status messages to tls_poodle()
Moved specific status messages to freak()
Moved specific status messages to beast()
Added some more documentation for functions
Fixed typos in help
Created new function main:
This is the main function of testssl.sh
Refactored major part of the original main function
Created new function startup:
Parses the startup options
Created new function intialize_globals:
Initializes all used global variables
Created new function scanning_defaults:
Sets default scanning options when only one parameter (URI) is given
TODO: Refactor more/duplicate parts of functions
Note: For the new functions, fixed spaces (4) are used instead of tabs
- FIX for SNI output as it doensn';t make sense for non HTTP servives
- lines for RC4 and PFS shortenedA
- display all MX records to test before testing
- removed LOCERR, added CCS_MAX_WAITSOCK, HEARTBLEED_MAX_WAITSOCK
