mirror of
https://github.com/drwetter/testssl.sh.git
synced 2024-12-29 12:59:44 +01:00
397 lines
12 KiB
Plaintext
397 lines
12 KiB
Plaintext
|
|
2.6 New:
|
|
* display matching host key (HPKP)
|
|
* LOGJAM 1: check DHE_EXPORT cipher
|
|
* LOGJAM 2: displays DH(/ECDH) bits in wide mode on negotiated ciphers
|
|
* "wide mode" option for checks like RC4, BEAST. PFS. Displays hexcode, kx, strength, DH bits, RFC name
|
|
* binary directory provides out of the box better binaries (Linux 32+64 Bit, Darwin 64 bit, FreeBSD 64 bit)
|
|
* OS X binaries (@jvehent, new builds: @jpluimers)
|
|
* ARM binary (@f-s)
|
|
* FreeBSD binary
|
|
* TLS_FALLBACK_SCSV check -- thx @JonnyHightower
|
|
* (HTTP) proxy support! Also with sockets -- thx @jnewbigin
|
|
* Extended validation certificate detection
|
|
* Run in default mode through all ciphers at the end of a default run
|
|
* will test multiple IP adresses of one supplied server name in one shot, --ip= restricts it accordingly
|
|
* new mass testing file option --file option where testssl.sh commands are being read from, see https://twitter.com/drwetter/status/627619848344989696
|
|
* TLS time and HTTP time stamps
|
|
* TLS time displayed also for STARTTLS protocols
|
|
* support of sockets for STARTTLS protocols
|
|
* TLS 1.0-1.1 as socket checks per default in production
|
|
* further detection of security relevant headers (reverse proxy, IPv4 addresses), proprietary banners (OWA, Liferay etc.)
|
|
* can scan STARTTLS+XMPP by also supplying the XMPP domain (to-option in XML streams).
|
|
* quite some LibreSSL fixes, still not recommended to use though (see https://testssl.sh/)
|
|
* lots of fixes, code improvements, even more robust
|
|
|
|
Full log @ https://github.com/drwetter/testssl.sh/commits/2.6/testssl.sh
|
|
|
|
2.4 New:
|
|
* "only one cmd line option at a time" is completely gone
|
|
* several tuning parameters on the cmd line (only available through environment variables b4): --assuming-http, --ssl-native, --sneaky, --warnings, --color, -- debug, --long
|
|
* certificate information
|
|
* more HTTP header infos (cookies+security headers)
|
|
* protocol check via bash sockets for SSLv2+v3
|
|
* debug handling significantly improved (verbosity/each function leaves files in $TEMPDIR)
|
|
* BEAST check
|
|
* FREAK check
|
|
* check for Secure Client-Initiated Renegotiation
|
|
* lots of cosmetic and maintainability code cleanups
|
|
* bugfixing
|
|
|
|
Full changelog: https://github.com/drwetter/testssl.sh/commits/2.4/testssl.sh
|
|
|
|
|
|
2.2. new features as:
|
|
* works fully under BSD (openssl >=1.0)
|
|
* single cipher check (-x) with pattern of hexcode/cipher
|
|
* check for POODLE SSL
|
|
* HPKP check
|
|
* OCSP stapling
|
|
* GOST and CHACHA20 POLY1305 cipher support
|
|
* service detection (HTTP, IMAP, POP, SMTP)
|
|
* runs now with all colors, b/w screen, no escape codes at all
|
|
* protocol check better
|
|
* job control removes stalling
|
|
* RFC <---> OpenSSL name space mapping of ciphers everywhere
|
|
* includes a lot of fixes
|
|
|
|
Full changelog @ https://github.com/drwetter/testssl.sh/commits/2.2/testssl.sh
|
|
|
|
|
|
2.0 major release, new features:
|
|
* SNI
|
|
* STARTTLS fully supported
|
|
* RC4 check
|
|
* (P)FS check
|
|
* SPDY check
|
|
* color codes make more sense now
|
|
* cipher hexcodes are shown
|
|
* tests ciphers per protocol
|
|
* HSTS
|
|
* web and application server banner
|
|
* server prefereences
|
|
* TLS server extensions
|
|
* server key size
|
|
* cipher suite mapping from openssl to RFC
|
|
* heartbleed check
|
|
* CCS injection check
|
|
|
|
---------------------
|
|
Details:
|
|
|
|
1.112
|
|
- IPv6 display fix
|
|
|
|
1.111
|
|
- NEW: tested unter FreeBSD (works with exception of xxd in CCS)
|
|
- getent now works under Linux and FreeBSD
|
|
- sed -i in hsts sacrificed for compatibility
|
|
- reomved query for IP for finishing banner, is now called once in parse_hn_port
|
|
- GOST warning after banner
|
|
- empty build date is not displayed anymore
|
|
- long build date strings minimized
|
|
- FIXED: IPv6 address are displayed again
|
|
|
|
1.110
|
|
- NEW: adding Russian GOST cipher support by providing a config file on the fly
|
|
- adding the compile date of openssl in the banner
|
|
|
|
1.109
|
|
- minor IPv6 fixes
|
|
|
|
1.108
|
|
- NEW: Major rewrite of output functions. Now using printf instead of "echo -e" for BSD and MacOSX compatibility
|
|
|
|
1.107
|
|
- improved IP address stuff
|
|
|
|
1.106
|
|
- minor fixes
|
|
|
|
1.105
|
|
- NEW: working prototype for CCS injection
|
|
|
|
1.104
|
|
- NEW: everywhere *also* RFC style ciphers -- if the mapping file is found
|
|
- unitary calls to display cipher suites
|
|
|
|
1.103
|
|
- NEW: telnet support for STARTTLS (works only with a patched openssl version)
|
|
--> not tested (lack of server)
|
|
|
|
1.102
|
|
- NEW: test for BREACH (experimental)
|
|
|
|
1.101
|
|
- BUGFIX: muted too verbose output of which on CentOS/RHEL
|
|
- BUGFIX: muted too verbose output of netcat/nc on CentOS/RHEL+Debian
|
|
|
|
1.100
|
|
- further cleanup
|
|
- starttls now tests allciphers() instead of cipher_per_proto
|
|
(normal use case makes most sense here)
|
|
- ENV J_POSITIV --> SHOW_EACH_C
|
|
- finding mapping-rfc.txt is now a bit smarter
|
|
- preparations for ChaCha20-Poly1305 (would have provided binaries but
|
|
"openssl s_client -connect" with that ciphersuite fails currently with
|
|
a handshake error though client and server hello succeeded!)
|
|
|
|
1.99
|
|
- BUGFIX: now really really everywhere testing the IP with supplied name
|
|
- locking out openssl < 0.9.8f, new function called "old_fart" ;-)
|
|
- FEATURE: displaying PTR record of IP
|
|
- FEATURE: displaying further IPv4/IPv6 addresses
|
|
- bit of a cleanup
|
|
|
|
1.98
|
|
- http_header is in total only called once
|
|
- better parsing of default protocol (FIXME shouldn't appear anymore)
|
|
|
|
1.97
|
|
- reduced sleep time for server hello and payload reply (heartbleed)
|
|
|
|
1.96
|
|
- NEW: (experimental) heartbleed support with bash sockets (shell only SSL handshake!)
|
|
see also https://testssl.sh/bash-heartbleed.sh
|
|
|
|
1.95 (2.0rc3)
|
|
- changed cmdline options for CRIME and renego vuln to uppercase
|
|
- NEW: displays server key size now
|
|
- NEW: displays TLS server extensions (might kill old openssl versions)
|
|
- brown warning if HSTS < 180 days
|
|
- brown warning if SSLv3 is offered as default protocol
|
|
|
|
1.94
|
|
- NEW: prototype of mapping to RFC cipher suite names, needed file mapping-rfc.txt in same dir
|
|
as of now only used for 'testssl.sh -V'
|
|
- internal renaming: it was supposed to be "cipherlists" instead of "ciphersuites"
|
|
- additional tests for cipherlists DES, 3DES, ADH
|
|
|
|
1.93
|
|
- BUGFIX: removed space in Server banner fixed (at the expense of showing just nothing if Server string is empty)
|
|
|
|
1.92
|
|
- BUGFIX: fixed error of faulty detected empty server string
|
|
|
|
1.91
|
|
- replaced most lcyan to brown (=not really bad but somehow)
|
|
- empty server string better displayed
|
|
- prefered CBC TLS 1.2 cipher is now brown (lucky13)
|
|
|
|
1.90
|
|
- fix for netweaver banner (server is lowercase)
|
|
- no server banner is no disadvantage (color code)
|
|
- 1 more blank proto check
|
|
- server preference is better displayed
|
|
|
|
1.89
|
|
- reordered! : protocols + cipher come first
|
|
- colorized prefered server preference (e.g. CBC+RC4 is light red now, TLSv1.2 green)
|
|
- SSLv3 is now light cyan
|
|
- NEW: -P|--preference now in help menu
|
|
- light cyan is more appropriate than red for HSTS
|
|
|
|
1.88
|
|
- NEW: prototype for protocol and cipher preference
|
|
- prototype for session ticket
|
|
|
|
1.87
|
|
- changed just the version string to rc1
|
|
|
|
1.86
|
|
- NEW: App banner now production, except 2 liners
|
|
- DEBUG: 1 is now true as everywhere else
|
|
- CRIME+Renego prettier
|
|
- last optical polish for RC4, PFS
|
|
|
|
1.85
|
|
- NEW: appbanner (also 2 lines like asp.net)
|
|
- OSSL_VER_MAJOR/MINOR/APPENDIX
|
|
- less bold because bold headlines as bold should be reserved for emphasize findings
|
|
- tabbed output also for protocols and cipher classes
|
|
- unify neat printing
|
|
|
|
1.84
|
|
- NEW: deprecating openssl version <0.98
|
|
- displaying a warning >= 0.98 < 1.0
|
|
- NEW: neat print also for all ciphers (-E,-e)
|
|
|
|
1.83
|
|
- BUGFIX: results from unit test: logical error in PFS+RC4 fixed
|
|
- headline of -V / PFS+RC4 ciphers unified
|
|
|
|
1.82
|
|
- NEW: output for -V now better (bits seperate, spacing improved)
|
|
|
|
1.81
|
|
- output for RC4+PFS now better (with headline, bits seperate, spacing improved)
|
|
- both also sorted by encr. strength .. umm ..err bits!
|
|
|
|
1.80
|
|
- order of finding supplied binary extended (first one wins):
|
|
1. use supplied variable $OPENSSL
|
|
2. use "openssl" in same path as testssl.sh
|
|
3. use "openssl.`uname -m`" in same path as testssl.sh
|
|
4. use anything in system $PATH (return value of "which"
|
|
|
|
1.79
|
|
- STARTTLS options w/o trailing 's' now (easier)
|
|
- commented code for CRIME SPDY
|
|
- issue a warning for openssl < 0.9.7 ( that version won't work anyway probably)
|
|
- NPN protos as a global var
|
|
- pretty print with fixed columns: PFS, RC4, allciphers, cipher_per_proto
|
|
|
|
1.78
|
|
- -E, -e now sorted by encryption strength (note: it's only encr key length)
|
|
- -V now pretty prints all local ciphers
|
|
- -V <pattern> now pretty prints all local ciphers matching pattern (plain string, no regex)
|
|
- bugfix: SSLv2 cipher hex codes has 3 bytes!
|
|
|
|
1.77
|
|
- removed legacy code (PROD_REL var)
|
|
|
|
1.76
|
|
- bash was gone!! desaster for Ubuntu, fixed
|
|
- starttls+rc4 check: bottom line was wrong
|
|
- starttls had too much output (certificate) at first a/v check
|
|
|
|
1.75
|
|
- location is now https://testssl.sh
|
|
- be nice: banner, version, help also works for BSD folks (on dash)
|
|
- bug in server banner fixed
|
|
- sneaky referer and user agent possible
|
|
|
|
1.74
|
|
- Debian 7 fix
|
|
- ident obsoleted
|
|
|
|
1.72
|
|
- removed obsolete GREP
|
|
- SWURL/SWCONTACT
|
|
- output for positive RC4 better
|
|
|
|
1.71
|
|
- workaround for buggy bash (RC4)
|
|
- colors improved
|
|
- blue is now reserved for headline
|
|
- magenta for local probs
|
|
- in RC4 removal of SSL protocol provided by openssl
|
|
|
|
1.70
|
|
- DEBUG in http_headers now as expected
|
|
- <?xml marker as HTML body understood
|
|
|
|
1.69
|
|
- HTTP 1.1 header
|
|
- removed in each cipher the proto openssl is returning
|
|
+ NEW: cipher_per_proto
|
|
|
|
1.68
|
|
- header parser for openssl
|
|
- HSTS
|
|
- server banner string
|
|
- vulnerabilities closer+condensed
|
|
|
|
1.68
|
|
- header parser for openssl
|
|
- HSTS
|
|
- server banner string
|
|
- vulnerabilities closer+condensed
|
|
|
|
1.67
|
|
- signal green if no SSLv3
|
|
- cipher hex code now in square brackets
|
|
|
|
|
|
[..]
|
|
|
|
|
|
1.36
|
|
* fixed issue while connecting to non-webservers
|
|
|
|
1.35
|
|
* fixed portability issue on Ubuntu
|
|
|
|
1.34
|
|
* ip(v4) address in output, helps to tell different systems apart later on
|
|
* local hostname in output
|
|
|
|
1.31 (Halloween Release)
|
|
* bugfix: SSLv2 was kind of borken
|
|
* now it works for sure but ssl protocol are kind of ugly
|
|
|
|
1.30b (25.10.2012)
|
|
* bugfix: TLS 1.1/1.2 may lead to false negatives
|
|
* bugfix: CMDLINE -a/-e was misleading, now similar to help menu
|
|
|
|
1.3 (10/13/2012)
|
|
* can test now for cipher suites only
|
|
* can test now for protocols suites only
|
|
* tests for tls v1.1/v1.2 of local openssl supports it
|
|
* commandline "all "is rename to "each-cipher"
|
|
* banner when it's done
|
|
|
|
1.21a (10/4/2012)
|
|
* tests whether openssl has support for zlib compiled so that it avoids a false negative
|
|
|
|
1.21 (10/4/2012)
|
|
* CRIME support
|
|
|
|
1.20b
|
|
* bugfixed release
|
|
|
|
1.20a
|
|
* code cleanup
|
|
* showciphers variable introduced: only show ciphers if this is set (it is by
|
|
default now and there's a comment
|
|
* openssl version + path to it in the banner
|
|
|
|
|
|
1.20
|
|
* bugfix (ssl in ssl handshake failure is sometimes too much)
|
|
* date in output
|
|
* autodetection of CVS version removed
|
|
|
|
1.19
|
|
* bugfix
|
|
|
|
1.18
|
|
* Rearragement of arguments: URL comes now always last!
|
|
* small code cleanups for readability
|
|
* individual cipher test is now with bold headline, not blue
|
|
* NOPARANOID flag tells whether medium grade ciphers are ok. NOW they are (=<1.17 was paranoid)
|
|
|
|
1.17
|
|
* SSL tests now for renegotiation vulnerabilty!
|
|
* version detection of testssl.sh
|
|
* program has a banner
|
|
* fixed bug leading to a file named "1"
|
|
* comment for 128Bit ciphers
|
|
|
|
1.16
|
|
* major code cleanups
|
|
* cmd line options: port is now in first argument!!
|
|
* help is more verbose
|
|
* check whether on other server side is ssl server listening
|
|
* https:// can be now supplied also on the command line
|
|
* test all ciphers now
|
|
* new cleanup routine
|
|
* -a does not do standard test afterward, you need to run testssl a second
|
|
time w/o -a if you want this
|
|
|
|
1.12
|
|
* tests also medium grade ciphers (which you should NOT use)
|
|
* tests now also high grade ciphers which you SHOULD ONLY use
|
|
* switch for more verbose output of cipher for those cryptographically interested .
|
|
in rows: SSL version, Key eXchange, Authentication, Encryption and Message Authentication Code
|
|
* this is per default enabled (provide otherwise "" as VERB_CLIST)
|
|
* as a courtesy I am providing 64+32 Linux binaries for testing 56 Bit ciphers
|
|
|
|
1.11
|
|
* Hint for howto enable 56 Bit Ciphers
|
|
* possible to specify where openssl is (hardcoded, $ENV, last resort: auto)
|
|
* warns if netcat is not there
|
|
|
|
1.10
|
|
* somewhat first released version
|