2.0 includes: * major release, new features: * SNI * STARTTLS fully supported * RC4 check * (P)FS check * SPDY check * color codes make more sense now * cipher hexcodes are shown * tests ciphers per protocol * HSTS * web and application server banner * server prefereences * TLS server extensions * server key size * cipher suite mapping from openssl to RFC * heartbleed check * CCS injection check --------------------- Details: 1.106 - minor fixes 1.105 - NEW: working prototype for CCS injection 1.104 - NEW: everywhere *also* RFC style ciphers -- if the mapping file is found - unitary calls to display cipher suites 1.103 - NEW: telnet support for STARTTLS (works only with a patched openssl version) --> not tested (lack of server) 1.102 - NEW: test for BREACH (experimental) 1.101 - BUGFIX: muted too verbose output of which on CentOS/RHEL - BUGFIX: muted too verbose output of netcat/nc on CentOS/RHEL+Debian 1.100 - further cleanup - starttls now tests allciphers() instead of cipher_per_proto (normal use case makes most sense here) - ENV J_POSITIV --> SHOW_EACH_C - finding mapping-rfc.txt is now a bit smarter - preparations for ChaCha20-Poly1305 (would have provided binaries but "openssl s_client -connect" with that ciphersuite fails currently with a handshake error though client and server hello succeeded!) 1.99 - BUGFIX: now really really everywhere testing the IP with supplied name - locking out openssl < 0.9.8f, new function called "old_fart" ;-) - FEATURE: displaying PTR record of IP - FEATURE: displaying further IPv4/IPv6 addresses - bit of a cleanup 1.98 - http_header is in total only called once - better parsing of default protocol (FIXME shouldn't appear anymore) 1.97 - reduced sleep time for server hello and payload reply (heartbleed) 1.96 - NEW: (experimental) heartbleed support with bash sockets (shell only SSL handshake!) see also https://testssl.sh/bash-heartbleed.sh 1.95 (2.0rc3) - changed cmdline options for CRIME and renego vuln to uppercase - NEW: displays server key size now - NEW: displays TLS server extensions (might kill old openssl versions) - brown warning if HSTS < 180 days - brown warning if SSLv3 is offered as default protocol 1.94 - NEW: prototype of mapping to RFC cipher suite names, needed file mapping-rfc.txt in same dir as of now only used for 'testssl.sh -V' - internal renaming: it was supposed to be "cipherlists" instead of "ciphersuites" - additional tests for cipherlists DES, 3DES, ADH 1.93 - BUGFIX: removed space in Server banner fixed (at the expense of showing just nothing if Server string is empty) 1.92 - BUGFIX: fixed error of faulty detected empty server string 1.91 - replaced most lcyan to brown (=not really bad but somehow) - empty server string better displayed - prefered CBC TLS 1.2 cipher is now brown (lucky13) 1.90 - fix for netweaver banner (server is lowercase) - no server banner is no disadvantage (color code) - 1 more blank proto check - server preference is better displayed 1.89 - reordered! : protocols + cipher come first - colorized prefered server preference (e.g. CBC+RC4 is light red now, TLSv1.2 green) - SSLv3 is now light cyan - NEW: -P|--preference now in help menu - light cyan is more appropriate than red for HSTS 1.88 - NEW: prototype for protocol and cipher preference - prototype for session ticket 1.87 - changed just the version string to rc1 1.86 - NEW: App banner now production, except 2 liners - DEBUG: 1 is now true as everywhere else - CRIME+Renego prettier - last optical polish for RC4, PFS 1.85 - NEW: appbanner (also 2 lines like asp.net) - OSSL_VER_MAJOR/MINOR/APPENDIX - less bold because bold headlines as bold should be reserved for emphasize findings - tabbed output also for protocols and cipher classes - unify neat printing 1.84 - NEW: deprecating openssl version <0.98 - displaying a warning >= 0.98 < 1.0 - NEW: neat print also for all ciphers (-E,-e) 1.83 - BUGFIX: results from unit test: logical error in PFS+RC4 fixed - headline of -V / PFS+RC4 ciphers unified 1.82 - NEW: output for -V now better (bits seperate, spacing improved) 1.81 - output for RC4+PFS now better (with headline, bits seperate, spacing improved) - both also sorted by encr. strength .. umm ..err bits! 1.80 - order of finding supplied binary extended (first one wins): 1. use supplied variable $OPENSSL 2. use "openssl" in same path as testssl.sh 3. use "openssl.`uname -m`" in same path as testssl.sh 4. use anything in system $PATH (return value of "which" 1.79 - STARTTLS options w/o trailing 's' now (easier) - commented code for CRIME SPDY - issue a warning for openssl < 0.9.7 ( that version won't work anyway probably) - NPN protos as a global var - pretty print with fixed columns: PFS, RC4, allciphers, cipher_per_proto 1.78 - -E, -e now sorted by encryption strength (note: it's only encr key length) - -V now pretty prints all local ciphers - -V now pretty prints all local ciphers matching pattern (plain string, no regex) - bugfix: SSLv2 cipher hex codes has 3 bytes! 1.77 - removed legacy code (PROD_REL var) 1.76 - bash was gone!! desaster for Ubuntu, fixed - starttls+rc4 check: bottom line was wrong - starttls had too much output (certificate) at first a/v check 1.75 - location is now https://testssl.sh - be nice: banner, version, help also works for BSD folks (on dash) - bug in server banner fixed - sneaky referer and user agent possible 1.74 - Debian 7 fix - ident obsoleted 1.72 - removed obsolete GREP - SWURL/SWCONTACT - output for positive RC4 better 1.71 - workaround for buggy bash (RC4) - colors improved - blue is now reserved for headline - magenta for local probs - in RC4 removal of SSL protocol provided by openssl 1.70 - DEBUG in http_headers now as expected -