testssl.sh/CHANGELOG.txt
Dirk Wetter e8c40f8c1d
2014-07-16 19:06:26 +02:00

340 lines
9.4 KiB
Plaintext

2.0 includes:
* major release, new features:
* SNI
* STARTTLS fully supported
* RC4 check
* (P)FS check
* SPDY check
* color codes make more sense now
* cipher hexcodes are shown
* tests ciphers per protocol
* HSTS
* web and application server banner
* server prefereences
* TLS server extensions
* server key size
* cipher suite mapping from openssl to RFC
* heartbleed check
* CCS injection check
---------------------
Details:
1.112
- IPv6 display fix
1.111
- NEW: tested unter FreeBSD (works with exception of xxd in CCS)
- getent now works under Linux and FreeBSD
- sed -i in hsts sacrificed for compatibility
- reomved query for IP for finishing banner, is now called once in parse_hn_port
- GOST warning after banner
- empty build date is not displayed anymore
- long build date strings minimized
- FIXED: IPv6 address are displayed again
1.110
- NEW: adding Russian GOST cipher support by providing a config file on the fly
- adding the compile date of openssl in the banner
1.109
- minor IPv6 fixes
1.108
- NEW: Major rewrite of output functions. Now using printf instead of "echo -e" for BSD and MacOSX compatibility
1.107
- improved IP address stuff
1.106
- minor fixes
1.105
- NEW: working prototype for CCS injection
1.104
- NEW: everywhere *also* RFC style ciphers -- if the mapping file is found
- unitary calls to display cipher suites
1.103
- NEW: telnet support for STARTTLS (works only with a patched openssl version)
--> not tested (lack of server)
1.102
- NEW: test for BREACH (experimental)
1.101
- BUGFIX: muted too verbose output of which on CentOS/RHEL
- BUGFIX: muted too verbose output of netcat/nc on CentOS/RHEL+Debian
1.100
- further cleanup
- starttls now tests allciphers() instead of cipher_per_proto
(normal use case makes most sense here)
- ENV J_POSITIV --> SHOW_EACH_C
- finding mapping-rfc.txt is now a bit smarter
- preparations for ChaCha20-Poly1305 (would have provided binaries but
"openssl s_client -connect" with that ciphersuite fails currently with
a handshake error though client and server hello succeeded!)
1.99
- BUGFIX: now really really everywhere testing the IP with supplied name
- locking out openssl < 0.9.8f, new function called "old_fart" ;-)
- FEATURE: displaying PTR record of IP
- FEATURE: displaying further IPv4/IPv6 addresses
- bit of a cleanup
1.98
- http_header is in total only called once
- better parsing of default protocol (FIXME shouldn't appear anymore)
1.97
- reduced sleep time for server hello and payload reply (heartbleed)
1.96
- NEW: (experimental) heartbleed support with bash sockets (shell only SSL handshake!)
see also https://testssl.sh/bash-heartbleed.sh
1.95 (2.0rc3)
- changed cmdline options for CRIME and renego vuln to uppercase
- NEW: displays server key size now
- NEW: displays TLS server extensions (might kill old openssl versions)
- brown warning if HSTS < 180 days
- brown warning if SSLv3 is offered as default protocol
1.94
- NEW: prototype of mapping to RFC cipher suite names, needed file mapping-rfc.txt in same dir
as of now only used for 'testssl.sh -V'
- internal renaming: it was supposed to be "cipherlists" instead of "ciphersuites"
- additional tests for cipherlists DES, 3DES, ADH
1.93
- BUGFIX: removed space in Server banner fixed (at the expense of showing just nothing if Server string is empty)
1.92
- BUGFIX: fixed error of faulty detected empty server string
1.91
- replaced most lcyan to brown (=not really bad but somehow)
- empty server string better displayed
- prefered CBC TLS 1.2 cipher is now brown (lucky13)
1.90
- fix for netweaver banner (server is lowercase)
- no server banner is no disadvantage (color code)
- 1 more blank proto check
- server preference is better displayed
1.89
- reordered! : protocols + cipher come first
- colorized prefered server preference (e.g. CBC+RC4 is light red now, TLSv1.2 green)
- SSLv3 is now light cyan
- NEW: -P|--preference now in help menu
- light cyan is more appropriate than red for HSTS
1.88
- NEW: prototype for protocol and cipher preference
- prototype for session ticket
1.87
- changed just the version string to rc1
1.86
- NEW: App banner now production, except 2 liners
- DEBUG: 1 is now true as everywhere else
- CRIME+Renego prettier
- last optical polish for RC4, PFS
1.85
- NEW: appbanner (also 2 lines like asp.net)
- OSSL_VER_MAJOR/MINOR/APPENDIX
- less bold because bold headlines as bold should be reserved for emphasize findings
- tabbed output also for protocols and cipher classes
- unify neat printing
1.84
- NEW: deprecating openssl version <0.98
- displaying a warning >= 0.98 < 1.0
- NEW: neat print also for all ciphers (-E,-e)
1.83
- BUGFIX: results from unit test: logical error in PFS+RC4 fixed
- headline of -V / PFS+RC4 ciphers unified
1.82
- NEW: output for -V now better (bits seperate, spacing improved)
1.81
- output for RC4+PFS now better (with headline, bits seperate, spacing improved)
- both also sorted by encr. strength .. umm ..err bits!
1.80
- order of finding supplied binary extended (first one wins):
1. use supplied variable $OPENSSL
2. use "openssl" in same path as testssl.sh
3. use "openssl.`uname -m`" in same path as testssl.sh
4. use anything in system $PATH (return value of "which"
1.79
- STARTTLS options w/o trailing 's' now (easier)
- commented code for CRIME SPDY
- issue a warning for openssl < 0.9.7 ( that version won't work anyway probably)
- NPN protos as a global var
- pretty print with fixed columns: PFS, RC4, allciphers, cipher_per_proto
1.78
- -E, -e now sorted by encryption strength (note: it's only encr key length)
- -V now pretty prints all local ciphers
- -V <pattern> now pretty prints all local ciphers matching pattern (plain string, no regex)
- bugfix: SSLv2 cipher hex codes has 3 bytes!
1.77
- removed legacy code (PROD_REL var)
1.76
- bash was gone!! desaster for Ubuntu, fixed
- starttls+rc4 check: bottom line was wrong
- starttls had too much output (certificate) at first a/v check
1.75
- location is now https://testssl.sh
- be nice: banner, version, help also works for BSD folks (on dash)
- bug in server banner fixed
- sneaky referer and user agent possible
1.74
- Debian 7 fix
- ident obsoleted
1.72
- removed obsolete GREP
- SWURL/SWCONTACT
- output for positive RC4 better
1.71
- workaround for buggy bash (RC4)
- colors improved
- blue is now reserved for headline
- magenta for local probs
- in RC4 removal of SSL protocol provided by openssl
1.70
- DEBUG in http_headers now as expected
- <?xml marker as HTML body understood
1.69
- HTTP 1.1 header
- removed in each cipher the proto openssl is returning
+ NEW: cipher_per_proto
1.68
- header parser for openssl
- HSTS
- server banner string
- vulnerabilities closer+condensed
1.68
- header parser for openssl
- HSTS
- server banner string
- vulnerabilities closer+condensed
1.67
- signal green if no SSLv3
- cipher hex code now in square brackets
[..]
1.36
* fixed issue while connecting to non-webservers
1.35
* fixed portability issue on Ubuntu
1.34
* ip(v4) address in output, helps to tell different systems apart later on
* local hostname in output
1.31 (Halloween Release)
* bugfix: SSLv2 was kind of borken
* now it works for sure but ssl protocol are kind of ugly
1.30b (25.10.2012)
* bugfix: TLS 1.1/1.2 may lead to false negatives
* bugfix: CMDLINE -a/-e was misleading, now similar to help menu
1.3 (10/13/2012)
* can test now for cipher suites only
* can test now for protocols suites only
* tests for tls v1.1/v1.2 of local openssl supports it
* commandline "all "is rename to "each-cipher"
* banner when it's done
1.21a (10/4/2012)
* tests whether openssl has support for zlib compiled so that it avoids a false negative
1.21 (10/4/2012)
* CRIME support
1.20b
* bugfixed release
1.20a
* code cleanup
* showciphers variable introduced: only show ciphers if this is set (it is by
default now and there's a comment
* openssl version + path to it in the banner
1.20
* bugfix (ssl in ssl handshake failure is sometimes too much)
* date in output
* autodetection of CVS version removed
1.19
* bugfix
1.18
* Rearragement of arguments: URL comes now always last!
* small code cleanups for readability
* individual cipher test is now with bold headline, not blue
* NOPARANOID flag tells whether medium grade ciphers are ok. NOW they are (=<1.17 was paranoid)
1.17
* SSL tests now for renegotiation vulnerabilty!
* version detection of testssl.sh
* program has a banner
* fixed bug leading to a file named "1"
* comment for 128Bit ciphers
1.16
* major code cleanups
* cmd line options: port is now in first argument!!
* help is more verbose
* check whether on other server side is ssl server listening
* https:// can be now supplied also on the command line
* test all ciphers now
* new cleanup routine
* -a does not do standard test afterward, you need to run testssl a second
time w/o -a if you want this
1.12
* tests also medium grade ciphers (which you should NOT use)
* tests now also high grade ciphers which you SHOULD ONLY use
* switch for more verbose output of cipher for those cryptographically interested .
in rows: SSL version, Key eXchange, Authentication, Encryption and Message Authentication Code
* this is per default enabled (provide otherwise "" as VERB_CLIST)
* as a courtesy I am providing 64+32 Linux binaries for testing 56 Bit ciphers
1.11
* Hint for howto enable 56 Bit Ciphers
* possible to specify where openssl is (hardcoded, $ENV, last resort: auto)
* warns if netcat is not there
1.10
* somewhat first released version