Version 3.0
This is the final release of 3.0.
After making several RCs it's now time to do a release. Here are the major changes with respect to 2.9.5:
- Full support of TLS 1.3, shows also drafts supported
- Extended protocol downgrade checks
- ROBOT check
- Better TLS extension support
- Better OpenSSL 1.1.1 and higher versions support as well as LibreSSL >3
- More robustness for OpenBSD
- DNS over Proxy and other proxy improvements
- Decoding of unencrypted BIG IP cookies
- Initial client certificate support
- Warning of 825 day limit for certificates issued after 2018/3/1
- Socket timeouts (
--connect-timeout
) - IDN/IDN2 servername/URI + emoji support, supposed libidn/idn2 is installed and DNS resolver is recent) support
- Initial support for certificate compression
- Better JSON output: renamed IDs and findings shorter/better parsable, also includes certficate
- JSON output now valid also for non-responding servers
- Testing now per default 370 ciphers
- Further improving the robustness of TLS sockets (sending and parsing)
- Support of supplying timeout value for
openssl connect
-- useful for batch/mass scanning - File input for serial or parallel mass testing can be also in nmap grep(p)able (-oG) format
- LOGJAM: now checking also for DH and FFDHE groups (TLS 1.2)
- PFS: Display of elliptical curves supported, DH and FFDHE groups (TLS 1.2 + TLS 1.3)
- Check for session resumption (Ticket, ID)
- TLS Robustness check GREASE and more
- Server preference distinguishes between TLS 1.3 and lower protocols
- Mark TLS 1.0 and TLS 1.1 as deprecated
- Does a few startup checks which make later tests easier and faster (
determine_optimal_\*()
) - Expect-CT header detection
--phone-out
does certificate revocation checks via OCSP (LDAP+HTTP) and with CRL--phone-out
checks whether the private key has been compromised via https://pwnedkeys.com/- Missing SAN warning
- Added support for private CAs
- Way better handling of connectivity problems (counting those, if threshold exceeded -> bye)
- Fixed TCP fragmentation
- Added
--ids-friendly
switch - Exit codes better: 0 for running without error, 1+n for small errors, >240 for major errors.
- Better error msg suppression (not fully installed OpenSSL)
- Better parsing of HTTP headers & better output of longer HTTP headers
- Display more HTTP security headers
- HTTP Basic Auth support for HTTP header
- experimental "eTLS" detection
- Dockerfile and repo @ docker hub with that file (see above)
- Java Root CA store added
- Better support for XMPP via STARTTLS & faster
- Certificate check for to-name in stream of XMPP
- Support for NNTP and LMTP via STARTTLS, fixes for MySQL and PostgresQL
- Support for SNI and STARTTLS
- More robustness for any STARTTLS protocol (fall back to plaintext while in TLS caused problems)
- Renegotiation checks improved, also no false potive for Node.js anymore
- Major update of client simulations with self-collected up-to-date data
- Update of CA certificate stores
- Lots of bug fixes
- More travis/CI checks -- still place for improvements
- Bigger man page review
Each release candidate actually brought a load of improvements.
If you like this program we would appreciate donations (see https://testssl.sh/#donations) for a coffee, beer, wine, single malt -- or if you just say "Thank you". This keeps us motivated further continuing the development.
"Us" is mainly David Cooper, without him the program haven not been boldy going where it is now and myself. Also we received a lot of contributions for which are very thankful for. Please keep on contributing!
Legal disclaimer: This program is licensed under GPLv2. Please note also that if you're using the program for a paid or free public service you need mention where you got this program from.