Releases: drwetter/testssl.sh

Version 3.0.1

15 Apr 10:40

This is a bugfix release of the stable branch 3.0 with roughly the following changes:

  • Fix hang in BEAST check when there are ciphers starting with SSL_* which are not SSLv2 ciphers (David)
  • Fix bug in setting DISPLAY_CIPHERNAMES when $CIPHERS_BY_STRENGTH_FILE is not available (David)
  • Fix basic auth LF problem (Manuel)
  • Fix printing percent chars (David)
  • Fix minor HTML generation bug (David)
  • Fix security bug: sanitizing DNS input (Dirk)
  • Make --ids-friendly work again (Dirk)
  • Update sneaky user agent (Dirk)
  • Update links in code comments (Jaroslav)
  • Cosmetic code updates (David, Dirk)
  • Fix output bug when >1 PTR records returned (Dirk)
  • More output fixes (David, Dirk)

For details, see the git log.

Version 3.0-1

15 Apr 08:13
27948d8

This is a former bugfix release of the stable branch 3.0.

The numbering scheme has changed and no longer uses a dash, so please don't use this version. Use 3.0.1 instead.

Version 3.0 rc6

11 Dec 20:57

This is the sixth release candidate of testssl.sh 3.0 to reflect recent improvements. All distributors and others who also use it in production-like environments are encouraged to switch to this branch, as 2.9.5 is not supported anymore. Bug fixing will take place in 3.0* only. This is a stable release.

This release contains some new features and more bug fixes:

  • Socket timeouts (--connect-timeout)
  • IDN/IDN2 servername support
  • pwnedkeys.com support
  • Initial support for certificate compression
  • Initial client certificate support
  • Better indentation for HTTP header outputs
  • Better parsing of HTTP headers
  • Don't penalize absence of TLS 1.2 anymore if server supports TLS 1.3 only
  • Several improvements related to protocol determination and downgrade responses
  • Some logic related to using TLS 1.3-aware OpenSSL binaries more or less automagically
  • Internal improvements to server preference checks
  • Lots of internal and some speed improvements in "pre-flight checks" (comes before outputting any test)
  • Mark TLS 1.0 and TLS 1.1 as deprecated
  • Support newer OpenSSL/LibreSSL versions
  • Improved detection of wrong user input when a file was supplied for --csv, --json and --html
  • Update client handshakes with newer client data and deprecate other clients
  • Regression in CAA RR fixed
  • Session resumption fixes
  • Session ticket fixes
  • Fixes for STARTTLS MySQL and PostgreSQL
  • Unit tests for (almost) every STARTTLS protocol supported
  • A lot of minor fixes

This program is licensed under GPLv2. Please also note that if you're using the program for a paid or free public service, you need to mention where you got this program from.

If you like this program we would appreciate donations (see https://testssl.sh/#donations) for a coffee, beer, wine, whisky -- or if you just say "Thank you". This keeps us motivated to continue development.

Version 3.0 rc5

25 Apr 07:37

This is the fifth release candidate of testssl.sh 3.0 to reflect changes. All distributors and others who also use it in production-like environments are encouraged to switch to this branch, as 2.9.5 won't be supported anymore once 3.0 has been released: bug fixing will take place here only.

We take robustness seriously. This release contains bug fixes mostly.

For all changes, use git log. Excerpt:

  • Modernized client handshakes
  • Further code sanitizing
  • Fixes in CSV and JSON file creation and some ACE load balancer related improvements
  • Fix session tickets and resumption
  • OpenSSL 1.1.1 fixes
  • Darwin OpenSSL binary
  • Updated certificate store
  • Add SSLv2 to SWEET

This program is licensed under GPLv2. Please also note that if you're using the program for a paid or free public service, you need to mention where you got this program from.

If you like this program we would appreciate donations (see https://testssl.sh/#donations) for a coffee, beer, wine, whisky -- or if you just say "Thank you".

Version 2.9.5-8

23 Apr 20:45

This update contains bugfixes (Changelog: v2.9.5-7...2.9.5). It is the last release of the 2.9.5 branch.

Please note: It is highly recommended to switch to >=3.0rc4 now (see tag in the 2.9dev branch). There are a few known bugs in 2.9.5 which won't be backported, as that would require a larger effort. Besides another leap forward in features (bigger ones: TLS 1.3 and ROBOT check), 3.0rc4+ also works with OpenSSL 1.1.1.

Version 3.0 rc4

19 Feb 09:44

This is the fourth release candidate of testssl.sh 3.0 to reflect changes. All distributors and others who also use it in production-like environments are encouraged to switch to this branch, as 2.9.5 won't be supported anymore once 3.0 has been released: bug fixing will take place here only.

We take robustness seriously. This release contains bug fixes mostly.

For all changes, use git log.

Changes, TL;DR:

  • Documentation fixes and additions
  • Add new openssl helper binaries (except Darwin 64Bit, see https://github.com/drwetter/testssl.sh/issues/390#issuecomment-455661148)
  • Bug fix: Scan continues if one of multiple IP addresses per hostname has a problem
  • "eTLS" detection ("visibility information")
  • Minimize initial warning "doesn't seem to be a TLS/SSL enabled server" by using sockets
  • Several improvements for SSLv2 only servers
  • Handle different cipher preference < TLS 1.3 vs. TLS 1.3
  • Clarify & improve Standard Cipher check (potentially breaking change)
  • Improve SWEET32 test
  • Finding certificates is faster and independent of openssl

This program is licensed under GPLv2. Please also note that if you're using the program for a paid or free public service, you need to mention where you got this program from.

If you like this program we would appreciate donations (see https://testssl.sh/#donations) or just saying "Thank you".

Version 3.0 rc3

30 Nov 20:42
ab55c26

This is the third release candidate of testssl.sh 3.0 to reflect the recent changes. All distributors and others who also use it in production-like environments are encouraged to switch to this branch, as 2.9.5 won't be supported anymore once 3.0 has been released: bug fixing will take place only here.

Changes, TL;DR:

  • add SSLv2 ciphers (total ciphers now being tested for: 370)
  • updated client simulation data
  • TLS 1.3 improvements
  • STARTTLS NNTP support
  • STARTTLS XMPP faster and more reliable
  • include DH groups (primes) in pfs section
  • Fix TCP fragmentation under remaining OS: FreeBSD / Mac OS X
  • further bugfixes and clarifications

Please note that if you're using the program for a paid or free public service, you need to mention where you got this program from.

Version 3.0 rc2

09 Oct 10:45

This is a release of the second release candidate of testssl.sh 3.0 to reflect the recent changes. All distributors and others who also use it in production-like environments are encouraged to switch to this branch, as 2.9.5 won't be supported anymore once 3.0 has been released.

Changes, TL;DR:

  • Partly addressing TCP fragmentation
  • Name check for XMPP servers
  • Support for STARTTLS LMTP
  • TLS 1.3 fixes
  • OpenSSL 1.1.1 fixes

Changes, logs: 3.0rc1...2.9dev

Version 2.9.5-7

07 Sep 15:11

This update contains a few bugfixes only (Changelog: v2.9.5-5...2.9.5). It is likely the last release of the 2.9.5 branch. This replaces 2.9.5-6, which was accidentally pointing to the wrong branch.

In general it is highly recommended to switch to 3.0rcX now (see tag in the 2.9dev branch). Besides another leap forward in features (bigger ones: TLS 1.3 and ROBOT check), 3.0rcX also works with OpenSSL 1.1.1. There are a few known bugs in the 3.0 branch which need to be resolved; they also appear in 2.9.5. Not sure whether the fixes will be backported.

Version 3.0 rc1

16 Sep 15:36

This is a release of the first release candidate of testssl.sh 3.0.

It comes with numerous new features like the ROBOT check and proper TLS 1.3 detection in every check, and last but not least it provides good compatibility with the freshly released OpenSSL 1.1.1 version.

All distributors and others who also use it in production-like environments are encouraged to switch to this branch, as 2.9.5 won't be supported anymore once 3.0 has been released.