diff options
author | Silvio Rhatto <rhatto@riseup.net> | 2014-10-24 20:44:10 -0200 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2014-10-24 20:44:10 -0200 |
commit | 840a5fc308496b5d0fe309e58a2aa250a54ff0b0 (patch) | |
tree | 9014fd16762ed1ef7003e20ff982fdeed7189a5d /CHANGELOG.testssl.sh.txt | |
parent | e290b35bf445e317b28f57e0a3bc7ab6c743ce73 (diff) | |
download | ssl-wrapper-840a5fc308496b5d0fe309e58a2aa250a54ff0b0.tar.gz ssl-wrapper-840a5fc308496b5d0fe309e58a2aa250a54ff0b0.tar.bz2 |
Adding testssl
Diffstat (limited to 'CHANGELOG.testssl.sh.txt')
-rw-r--r-- | CHANGELOG.testssl.sh.txt | 339 |
1 files changed, 339 insertions, 0 deletions
diff --git a/CHANGELOG.testssl.sh.txt b/CHANGELOG.testssl.sh.txt new file mode 100644 index 0000000..c5cb89e --- /dev/null +++ b/CHANGELOG.testssl.sh.txt @@ -0,0 +1,339 @@ + +2.0 includes: + +* major release, new features: + * SNI + * STARTTLS fully supported + * RC4 check + * (P)FS check + * SPDY check + * color codes make more sense now + * cipher hexcodes are shown + * tests ciphers per protocol + * HSTS + * web and application server banner + * server prefereences + * TLS server extensions + * server key size + * cipher suite mapping from openssl to RFC + * heartbleed check + * CCS injection check + +--------------------- +Details: + +1.112 +- IPv6 display fix + +1.111 +- NEW: tested unter FreeBSD (works with exception of xxd in CCS) +- getent now works under Linux and FreeBSD +- sed -i in hsts sacrificed for compatibility +- reomved query for IP for finishing banner, is now called once in parse_hn_port +- GOST warning after banner +- empty build date is not displayed anymore +- long build date strings minimized +- FIXED: IPv6 address are displayed again + +1.110 +- NEW: adding Russian GOST cipher support by providing a config file on the fly +- adding the compile date of openssl in the banner + +1.109 +- minor IPv6 fixes + +1.108 +- NEW: Major rewrite of output functions. Now using printf instead of "echo -e" for BSD and MacOSX compatibility + +1.107 +- improved IP address stuff + +1.106 +- minor fixes + +1.105 +- NEW: working prototype for CCS injection + +1.104 +- NEW: everywhere *also* RFC style ciphers -- if the mapping file is found +- unitary calls to display cipher suites + +1.103 +- NEW: telnet support for STARTTLS (works only with a patched openssl version) + --> not tested (lack of server) + +1.102 +- NEW: test for BREACH (experimental) + +1.101 +- BUGFIX: muted too verbose output of which on CentOS/RHEL +- BUGFIX: muted too verbose output of netcat/nc on CentOS/RHEL+Debian + +1.100 +- further cleanup + - starttls now tests allciphers() instead of cipher_per_proto + (normal use case makes most sense here) + - ENV J_POSITIV --> SHOW_EACH_C +- finding mapping-rfc.txt is now a bit smarter +- preparations for ChaCha20-Poly1305 (would have provided binaries but + "openssl s_client -connect" with that ciphersuite fails currently with + a handshake error though client and server hello succeeded!) + +1.99 +- BUGFIX: now really really everywhere testing the IP with supplied name +- locking out openssl < 0.9.8f, new function called "old_fart" ;-) +- FEATURE: displaying PTR record of IP +- FEATURE: displaying further IPv4/IPv6 addresses +- bit of a cleanup + +1.98 +- http_header is in total only called once +- better parsing of default protocol (FIXME shouldn't appear anymore) + +1.97 +- reduced sleep time for server hello and payload reply (heartbleed) + +1.96 +- NEW: (experimental) heartbleed support with bash sockets (shell only SSL handshake!) + see also https://testssl.sh/bash-heartbleed.sh + +1.95 (2.0rc3) +- changed cmdline options for CRIME and renego vuln to uppercase +- NEW: displays server key size now +- NEW: displays TLS server extensions (might kill old openssl versions) +- brown warning if HSTS < 180 days +- brown warning if SSLv3 is offered as default protocol + +1.94 +- NEW: prototype of mapping to RFC cipher suite names, needed file mapping-rfc.txt in same dir + as of now only used for 'testssl.sh -V' +- internal renaming: it was supposed to be "cipherlists" instead of "ciphersuites" +- additional tests for cipherlists DES, 3DES, ADH + +1.93 +- BUGFIX: removed space in Server banner fixed (at the expense of showing just nothing if Server string is empty) + +1.92 +- BUGFIX: fixed error of faulty detected empty server string + +1.91 +- replaced most lcyan to brown (=not really bad but somehow) +- empty server string better displayed +- prefered CBC TLS 1.2 cipher is now brown (lucky13) + +1.90 +- fix for netweaver banner (server is lowercase) +- no server banner is no disadvantage (color code) +- 1 more blank proto check +- server preference is better displayed + +1.89 +- reordered! : protocols + cipher come first +- colorized prefered server preference (e.g. CBC+RC4 is light red now, TLSv1.2 green) +- SSLv3 is now light cyan +- NEW: -P|--preference now in help menu +- light cyan is more appropriate than red for HSTS + +1.88 +- NEW: prototype for protocol and cipher preference +- prototype for session ticket + +1.87 +- changed just the version string to rc1 + +1.86 + - NEW: App banner now production, except 2 liners + - DEBUG: 1 is now true as everywhere else + - CRIME+Renego prettier + - last optical polish for RC4, PFS + +1.85 + - NEW: appbanner (also 2 lines like asp.net) + - OSSL_VER_MAJOR/MINOR/APPENDIX + - less bold because bold headlines as bold should be reserved for emphasize findings + - tabbed output also for protocols and cipher classes + - unify neat printing + +1.84 + - NEW: deprecating openssl version <0.98 + - displaying a warning >= 0.98 < 1.0 + - NEW: neat print also for all ciphers (-E,-e) + +1.83 +- BUGFIX: results from unit test: logical error in PFS+RC4 fixed +- headline of -V / PFS+RC4 ciphers unified + +1.82 +- NEW: output for -V now better (bits seperate, spacing improved) + +1.81 +- output for RC4+PFS now better (with headline, bits seperate, spacing improved) +- both also sorted by encr. strength .. umm ..err bits! + +1.80 +- order of finding supplied binary extended (first one wins): + 1. use supplied variable $OPENSSL + 2. use "openssl" in same path as testssl.sh + 3. use "openssl.`uname -m`" in same path as testssl.sh + 4. use anything in system $PATH (return value of "which" + +1.79 +- STARTTLS options w/o trailing 's' now (easier) +- commented code for CRIME SPDY +- issue a warning for openssl < 0.9.7 ( that version won't work anyway probably) +- NPN protos as a global var +- pretty print with fixed columns: PFS, RC4, allciphers, cipher_per_proto + +1.78 +- -E, -e now sorted by encryption strength (note: it's only encr key length) +- -V now pretty prints all local ciphers +- -V <pattern> now pretty prints all local ciphers matching pattern (plain string, no regex) +- bugfix: SSLv2 cipher hex codes has 3 bytes! + +1.77 +- removed legacy code (PROD_REL var) + +1.76 +- bash was gone!! desaster for Ubuntu, fixed +- starttls+rc4 check: bottom line was wrong +- starttls had too much output (certificate) at first a/v check + +1.75 +- location is now https://testssl.sh +- be nice: banner, version, help also works for BSD folks (on dash) +- bug in server banner fixed +- sneaky referer and user agent possible + +1.74 +- Debian 7 fix +- ident obsoleted + +1.72 +- removed obsolete GREP +- SWURL/SWCONTACT +- output for positive RC4 better + +1.71 +- workaround for buggy bash (RC4) +- colors improved + - blue is now reserved for headline + - magenta for local probs + - in RC4 removal of SSL protocol provided by openssl + +1.70 +- DEBUG in http_headers now as expected +- <?xml marker as HTML body understood + +1.69 +- HTTP 1.1 header +- removed in each cipher the proto openssl is returning ++ NEW: cipher_per_proto + +1.68 +- header parser for openssl +- HSTS +- server banner string +- vulnerabilities closer+condensed + +1.68 +- header parser for openssl +- HSTS +- server banner string +- vulnerabilities closer+condensed + +1.67 +- signal green if no SSLv3 +- cipher hex code now in square brackets + + +[..] + + +1.36 +* fixed issue while connecting to non-webservers + +1.35 +* fixed portability issue on Ubuntu + +1.34 +* ip(v4) address in output, helps to tell different systems apart later on +* local hostname in output + +1.31 (Halloween Release) +* bugfix: SSLv2 was kind of borken +* now it works for sure but ssl protocol are kind of ugly + +1.30b (25.10.2012) +* bugfix: TLS 1.1/1.2 may lead to false negatives +* bugfix: CMDLINE -a/-e was misleading, now similar to help menu + +1.3 (10/13/2012) +* can test now for cipher suites only +* can test now for protocols suites only +* tests for tls v1.1/v1.2 of local openssl supports it +* commandline "all "is rename to "each-cipher" +* banner when it's done + +1.21a (10/4/2012) +* tests whether openssl has support for zlib compiled so that it avoids a false negative + +1.21 (10/4/2012) +* CRIME support + +1.20b +* bugfixed release + +1.20a +* code cleanup +* showciphers variable introduced: only show ciphers if this is set (it is by + default now and there's a comment +* openssl version + path to it in the banner + + +1.20 +* bugfix (ssl in ssl handshake failure is sometimes too much) +* date in output +* autodetection of CVS version removed + +1.19 +* bugfix + +1.18 +* Rearragement of arguments: URL comes now always last! +* small code cleanups for readability +* individual cipher test is now with bold headline, not blue +* NOPARANOID flag tells whether medium grade ciphers are ok. NOW they are (=<1.17 was paranoid) + +1.17 +* SSL tests now for renegotiation vulnerabilty! +* version detection of testssl.sh +* program has a banner +* fixed bug leading to a file named "1" +* comment for 128Bit ciphers + +1.16 +* major code cleanups +* cmd line options: port is now in first argument!! +* help is more verbose +* check whether on other server side is ssl server listening +* https:// can be now supplied also on the command line +* test all ciphers now +* new cleanup routine +* -a does not do standard test afterward, you need to run testssl a second + time w/o -a if you want this + +1.12 +* tests also medium grade ciphers (which you should NOT use) +* tests now also high grade ciphers which you SHOULD ONLY use +* switch for more verbose output of cipher for those cryptographically interested . + in rows: SSL version, Key eXchange, Authentication, Encryption and Message Authentication Code +* this is per default enabled (provide otherwise "" as VERB_CLIST) +* as a courtesy I am providing 64+32 Linux binaries for testing 56 Bit ciphers + +1.11 +* Hint for howto enable 56 Bit Ciphers +* possible to specify where openssl is (hardcoded, $ENV, last resort: auto) +* warns if netcat is not there + +1.10 +* somewhat first released version |