# Recent releases for sslyze

Source feed: http://open-source-security-software.net/project/sslyze/releases.atom (retrieved 2024-05-18)

### sslyze 0.10.0 (2014-09-21)

- PluginOpenSSLCipherSuites now displays the size of the handshake's Diffie-Hellman parameters
- SSLyze on Windows is now packaged as a single .exe file
- PluginCertInfo now displays the server's full certificate chain instead of only its leaf certificate, in both the console and XML results
- PluginHSTS now properly detects HSTS headers when receiving HTTP redirections
- New plugin to check whether a server is affected by Chrome's deprecation of SHA1-signed certificates; see --chrome_sha1
- Clarified the console output of most plugins and checks
- Bug fixes for XML output and client certificate support
- Updated OpenSSL to 1.0.1i
- Updated Microsoft, Apple and Mozilla trust stores

### sslyze 0.9.0 (2014-09-23)

- Experimental support for Heartbleed detection; see --heartbleed. Heartbleed detection has also been added to --regular scans
- Capped the maximum number of concurrent connections to around 30 per server in order to avoid DoSing the scanned servers. Scans are slightly slower but a lot less aggressive, resulting in better scan results with fewer timeout and connection errors
- Support for Basic Authentication when tunneling scans through an HTTPS proxy with --https_tunnel
- Bug fixes for IPv6 and XMPP support
- Updated OpenSSL to 1.0.1g
- Updated the Apple, Microsoft, Mozilla and Java trust stores
- Cleaned up the text output of PluginOpenSSLCipherSuites

### sslyze 0.8.0 (2014-09-23)

- Additional certificate chain validation using the Apple, Microsoft and Java trust stores in addition to Mozilla's
- Added support for StartTLS RDP; see --starttls=rdp
- Greatly improved the reliability and accuracy of scan results by adding an exponential backoff algorithm to retry failed network connections. This especially impacts scans against servers that stop answering properly after several concurrent connections have already been opened. The number of retry attempts can be controlled using --nb_retries
- Bug fixes including:
  - Better results when the server requested a client certificate but none was supplied
  - Clarified text and XML output
  - Better HTTP Strict Transport Security plugin
  - Fixed PluginCompression false negatives

### sslyze 0.7.0 (2014-09-23)

- Complete rewrite of the OpenSSL wrapper as a C extension
- SSLyze is now statically linked with the latest version of OpenSSL instead of using the system's (potentially outdated/broken) OpenSSL library
- All of SSLyze's features are now available on all supported platforms (including SSL 2.0, TLS 1.1 and TLS 1.2)
- Scans are slightly faster
- Python 2.6 is no longer supported
- Support for StartTLS FTP, POP, IMAP, LDAP and "auto"; see --starttls
- Support for OCSP Stapling; see --certinfo
- Other various improvements that result in SSLyze being more stable/robust

### sslyze 0.6.0 (2014-09-23)

- Added support for Server Name Indication; see --sni
- Partial results are returned when the server requires client authentication but no client certificate was provided
- Preliminary IPv6 support
- Various bug fixes and better support of client authentication and HTTPS tunneling

### sslyze 0.5.0 (2014-09-23)

- XML output including full certificate parsing; see --xml_out
- The list of servers to scan can be provided using a text file; see --targets_in
- Improved certificate verification with hostname validation and EV certificate support
- Clarified output and lots of bug fixes
- OS X Mountain Lion is now officially supported
- Support for compression / CRIME testing

### sslyze 0.11.0 (2015-04-12)

- Added support for Postgres StartTLS
- Added the --ca_file option for specifying a local trust store to validate the server's certificate
- Added the --quiet option to hide any text output when using --xml_out
- Improved the formatting of the XML output to make it easier to parse and more useful; this will break any tool that was processing the XML output from previous versions, but an XML Schema Definition is now available in SSLyze's root folder
- Bug fixes for EC certificates, HSTS, XMPP and LDAP
- Updated OpenSSL to 1.0.2a
- Updated Microsoft, Apple and Mozilla trust stores

### sslyze 0.12.0 (2015-09-24)

- Added the Google trust store for certificate validation and updated the Apple, Microsoft and Mozilla stores.
- A full (client) certificate chain can now be supplied when using client certificates.
- Added the ability to print the XML output to the console using `--xml_out -`.
- Various bug fixes including TLS errors that were mistakenly reported as network timeouts.
- Updated list of OIDs for identifying EV certificates.
- Updated OpenSSL to 1.0.2d, which fixes issues with certificate path validation when using --certinfo.

### sslyze 0.13.3 (2016-02-02)

- Major rewrite and cleanup in order to:
  - Turn SSLyze into a Python module, allowing scans to be run and processed directly from Python
  - Add SSLyze to [PyPi](https://pypi.python.org/pypi/SSLyze)
  - These changes should make it easy to build tools and scripts on top of SSLyze
- Renamed the command line tool to _sslyze_cli.py_ to avoid conflicts with the `sslyze` module
- Added the `--fallback` command to check support for the `TLS_FALLBACK_SCSV` cipher suite, which prevents downgrade attacks
- Added the `--openssl_ccs` command to check for the OpenSSL CCS Injection vulnerability
- Renamed the `--certinfo=basic` and `--certinfo=full` commands to `--certinfo_basic` and `--certinfo_full`
- Removed the `--chrome_sha1` command and merged the SHA1 deprecation check into `--certinfo_basic`
- Fixed support for client authentication
- Extended support for scanning through a CONNECT proxy to StartTLS protocols
- Modified the cipher suite plugin to return RFC cipher names instead of OpenSSL cipher names

### sslyze 0.13.4 (2016-02-14)

- Added the `--json_out` command for writing results to a file as JSON.
- Bug fixes with client authentication and connectivity testing.
- The `--certinfo_basic` command now also checks that the server certificate chain's order is valid.

### sslyze 0.13.5 (2016-03-12)

- Various bug fixes.

### sslyze 0.13.6 (2016-06-04)

- Added the Android Open Source Project's trust store when using `--certinfo`.
- Bug fixes for IPv6 support, `--nb_retries`, `--nb_timeout` and UTF-8 and internationalized names in certificates.
- `--hsts` no longer raises an exception when the server sends back a redirection to HTTP.

### sslyze 0.14.0 (2016-09-01)

- `--certinfo_basic` will now return the server's "verified" certificate chain, if the server's certificate is trusted; the chain contains every certificate from the server's leaf certificate up to a root certificate included in the Mozilla store.
- Renamed `--hsts` to `--http_headers`; the command will now return HTTP Public Key Pinning information including the server's HPKP header value and the HPKP pins for each certificate in the server's verified certificate chain.
- Bug fixes for IPv6 support, exotic certificates, the SHA-1 deprecation check and scanning through an HTTP proxy.

### sslyze 0.14.1 (2016-10-16)

- Bug fixes for `--http_headers`, `--tlsv1_2` and `--json_out`.
- Updated version of OpenSSL.
- The command line tool was moved from `./sslyze_cli.py` to `./sslyze/__main__.py` and can be called using `python -m sslyze`.
- When sending HTTP requests, SSLyze's `User-Agent` header now contains `SSLyze` for easier identification.

### sslyze 0.14.2 (2016-12-19)

- The cipher suite tests (such as `--tlsv1_2`) will only return a preferred cipher suite if the server has a cipher suite preference (as opposed to following the client's preference).
- Bug fixes for `--https_tunnel` and `--starttls=postgres`.
- Refactored how the CLI tool generates its output to make it extendable.

### sslyze 1.0.0 (2017-02-13)

- Significant refactoring to simplify and enhance SSLyze's Python API. It is now fully documented and should be considered stable; see http://nabla-c0d3.github.io/sslyze/documentation/.
- Renamed the `--certinfo_basic` command to `--certinfo` for consistency with other plugins.
- The `--certinfo` command will now use any trust store that successfully validated the server's certificate chain to run further checks against the server's chain (such as the chain order, or the presence of a SHA1-signed certificate), instead of only trying with the Mozilla trust store.
- The `--certinfo` command will now properly validate OCSP Stapling even if it is not trusted by any trust store.
- Various bug fixes.
- Significant internal changes including:
  - A revamped plugin system that is a lot simpler to maintain and extend.
  - Simplified interface for building custom output generators within the CLI tool.
  - Progress toward Python 3 compatibility.
- With a clean, fully documented Python API, SSLyze is now ready for a 1.0.0 release!

### sslyze 1.1.0 (2017-04-16)

- **Added support for Python 3.3+** on Linux and MacOS. Windows will be supported later.
- Added support for scanning for cipher suites on servers that require client authentication.
- Certificate transparency SCTs via OCSP Stapling will now be displayed when running a `CertificateInfoScanCommand`.
- Removed custom code for parsing X509 certificates, which was the source of numerous bugs and crashes when running a `CertificateInfoScanCommand`:
  - Certificates returned by the SSLyze Python API are now parsed using the [cryptography](https://github.com/pyca/cryptography) library, making further processing a lot easier and cleaner.
  - Certificates returned in the XML and JSON output when using `--certinfo` are no longer parsed. XML/JSON consumers should instead parse the PEM-formatted certificate available in the output using their language/framework's X509 libraries.
  - The `--print_full_certificate` option when using `--certinfo` is no longer available.
- Bug fixes for the Heartbleed check.
- Added unit tests for the SSL 2.0, SSL 3.0, Heartbleed and OpenSSL CCS injection checks.

### sslyze 1.1.1 (2017-05-23)

- Bug fixes for EC certificates.
- Bug fixes for the Heartbleed check.

### sslyze 1.1.2 (2017-07-22)

- Full rewrite of the Heartbleed and CCS checks to fix timeouts and other errors, and to improve maintainability.
- Improvements to the XML output when running the `--certinfo` command.

### sslyze 1.1.3 (2017-09-06)

- Added support for Python 3.6 on Windows. This is also **the last release to support Python 2.7 on Windows**. Python 2 and 3 will still be supported on other platforms (Linux, macOS).
- Added a pre-compiled executable for running SSLyze on Windows without having to install Python.
- Fixed bugs with StartTLS scans.
- Further improved stability of the new implementation of the Heartbleed and OpenSSL CCS checks.
- Added basic certificate fields (Subject, Issuer, etc.) to the XML output.

### sslyze 1.1.4 (2017-09-06)

- Switched the pre-compiled Windows executable from 64 bits to 32 bits for better compatibility.
- Fixed the dependency version in the setup.py file.

### sslyze 1.1.5 (2017-11-08)

- Fixed JSON output when using Python 2.7 (#246).
- Fixed CLI output for showing whether a certificate is EV or not (#245).
- Fixed `ConcurrentScanner` when using Python 3.6 (#251).

### sslyze 1.2.0 (2017-11-25)

- Added support for TLS 1.3 (draft 18) scanning using OpenSSL 1.1.1 dev.
  - `python -m sslyze --tlsv1_3 tls13.crypto.mozilla.org`
- Added support for new-style ChaCha20 cipher suites.
- Added some of the certificate fields to the JSON output (#258).
- Bug fixes for Python 3 (#251, #256), OCSP Stapling (#254), IPv6 and the Heartbleed/CCS checks (#257).

### sslyze 1.3.0 (2017-12-18)

- Added a new plugin to scan for the ROBOT vulnerability (https://robotattack.org/). The check can be run using:
  - The CLI tool: `python -m sslyze --robot www.google.com`
  - SSLyze's Python API using the `RobotScanCommand`, as described at https://nabla-c0d3.github.io/blog/2017/12/17/sslyze-robot-scan/.
- The `--certinfo` and `CertificateInfoScanCommand` commands now return information about the OCSP Must-Staple and Certificate Transparency X509 extensions of the server's certificate.
- The `--certinfo` command now returns the content of the server certificate's SubjectAltName in the JSON and XML outputs (#265).
- Fixed several memory leaks in the nassl C extension. The memory usage of the SSLyze process will grow a lot slower over time (#196).
- Fixed a bug when running the `--reneg` command on Python 3 (#264).
- Switched the minimum version of Python to 3.4.

### sslyze 1.3.1 (2017-12-19)

- Bug fix for the ROBOT check (#270). The check can be run using:
  - The CLI tool: `python -m sslyze --robot www.google.com`
  - SSLyze's Python API using the `RobotScanCommand`, as described at https://nabla-c0d3.github.io/blog/2017/12/17/sslyze-robot-scan/.

### sslyze 1.3.2 (2017-12-24)

- Added missing IANA names for some cipher suites (#276).
- Improved speed when testing for TLS 1.3 cipher suites using `--tlsv1_3`.
- Updated the trust stores used when running `--certinfo`.
- Bug fix for OCSP responses containing non-UTF8 characters when running `--certinfo`.
- On Linux, [nassl](https://pypi.python.org/pypi/nassl) is now available as a binary wheel in order to avoid build and OpenSSL issues (#241).
- Project license modified to AGPL.

### sslyze 1.3.4 (2018-02-02)

- Bug fixes for the ROBOT check to address false positives (#282).
- The trust stores used by SSLyze can now be updated via the CLI (`--update_trust_stores`) or via the Python API (`TrustStoresRepository.update_default()`) (#225).
- Added support for the Expect-CT HTTP header (#285) when using `--http_headers`.

### sslyze 1.4.0 (2018-03-11)

- **Last major release to support Python 2.7 and 3.4**.
- The Python API has changed slightly when doing connectivity testing.
  - A guide on how to update your code is available [here](https://gist.github.com/nabla-c0d3/91d6544018e75efe4385b2f4409854ab). The migration should only require changing a few lines of code.
  - When using the Python API, more specialized errors (i.e. subclasses of `ServerConnectivityError`) are returned when connectivity testing failed, so that it is easier to know what went wrong. Your existing code should still work the same.
- Replaced the `--timeout` and `--nb_retries` CLI options with `--slow_connection`, for when the connection is slow or the server cannot support many concurrent connections.
- Updated TLS 1.3 support to draft 23.
- Bug fixes for client authentication.
- Bug fixes for Alpine Linux.

### sslyze 1.4.1 (2018-03-19)

- Added detection of Symantec-issued certificates when using `--certinfo` or `CertificateInfoScanCommand` (#288); such certificates will stop working in future versions of Chrome.
- Bug fixes for when scanning through a proxy.

### sslyze 1.4.2 (2018-05-20)

- Added the Java trust store as an additional store for validating the server's certificate (#287).
- Various bug fixes (#312, #313, #314, #315, #316).

### sslyze 1.4.3 (2018-08-03)

- Fixed a bug where the results for OCSP Stapling support would be inconsistent (#324).
- Fixed a crash on Python 2.7.

### sslyze 2.0.0 (2018-08-27)

- *Temporary: Only Linux and macOS are supported for this release, but Windows support will be enabled soon*.
- Dropped support for Python 2 and older versions of Python 3; **only Python 3.6 and 3.7 are supported**.
  - Future releases will only support the latest two versions of Python available at the time of the release.
- Added support for the final/official release of TLS 1.3 (RFC 8446).
  - The plugin can be tested against Cloudflare: `python -m sslyze --tls_1_3 www.cloudflare.com`
- Added beta support for [TLS 1.3 early data (0-RTT) testing](https://tools.ietf.org/html/draft-ietf-httpbis-replay); see `--early_data` and `EarlyDataScanCommand`.
  - The plugin can be tested against Cloudflare: `python -m sslyze --early_data www.cloudflare.com`
- Significantly improved [the documentation for the Python API](https://nabla-c0d3.github.io/sslyze/documentation/).
- Bug fixes (#328, #320, #319).
- Switched to a more modern Python tool chain (pipenv, pytest, pyinvoke).
- Removed legacy Python 2/3 code and ported the code base to Python 3 only.

### sslyze 2.0.1 (2018-09-23)

- Brought back Windows support (Python 64 bits only).
- Updated OpenSSL to the final 1.1.1 release.
- SSLyze can now be installed via Docker (#332).

### sslyze 2.0.2 (2018-12-03)

- Bug fixes for scanning servers that support TLS 1.3 (#347, #348).
- Added more precise exceptions when the `ServerConnectivityTester` fails to connect to the server (#343).
- Added the OpenJDK trust store when validating the server's certificate.

### sslyze 2.0.3 (2018-12-06)

- Bug fix for parsing Expect-CT headers.

### sslyze 2.0.4 (2019-01-27)

- Various bug fixes (#356, #357, #358).

### sslyze 2.0.5 (2019-01-31)

- Various bug fixes (#362).

### sslyze 2.0.6 (2019-01-31)

- Updated the [cryptography](https://cryptography.io/) module to 2.5.

### sslyze 2.1.1 (2019-06-03)

- Major cleanup of `CertificateInfoPlugin` and `HttpHeadersPlugin`; the results returned by these plugins when using the Python API or the JSON or XML outputs have changed slightly, and should be easier to understand and use.
  - However, existing code that parses these results will break.
- Fixed a bug where SSLyze was unable to build the verified chain for a given server; OpenSSL is now used directly to build the verified chain (#355).
- Fixed a bug with IPv6 support (#371).
- Fixed a crash in the `RobotPlugin` (#361).
- Converted the test suite to `pytest`.

### sslyze 2.1.2 (2019-06-07)

- Fixed misc bugs introduced by the previous release (#374, #375, #376).

### sslyze 2.1.3 (2019-06-12)

- Tweaked the ROBOT check to reduce the chance of SSLyze returning a false positive.

### sslyze 2.1.4 (2019-09-01)

- Fixed a crash when scanning servers that only support old versions of SSL/TLS (#386).

### sslyze 3.0.0 (2020-03-30)

Big internal refactoring focused on modernizing the code base (dataclasses, type annotations, etc.) and improving the speed and reliability of the scan results.

- The Python API and the format of the outputs have been drastically improved and simplified, but are not backward-compatible with older versions of SSLyze.
- Python 3.8 is now supported, and Python 3.6 is no longer supported.
- Huge improvements to the reliability of the scans:
  - The number of concurrent connections per single server can now be controlled and is set to 5 by default (#385).
  - This limit is enforced regardless of the number of scan commands queued for the server, and drastically reduces the number of scans that fail due to a slow server or a slow connection.
- Various improvements to cipher suite scanning:
  - The cipher suite's key size is now always returned.
  - The (EC) Diffie-Hellman parameters negotiated during the TLS handshake are now returned (#394).
- Various improvements to server certificate checks:
  - Servers that expose multiple leaf certificates and chains are now supported (#326).
  - Bug fix for the Symantec CA deprecation (#406).
- SSLyze is now compatible with [PEP 561](https://mypy.readthedocs.io/en/latest/installed_packages.html#installed-packages) for type checking with mypy.
- Various improvements to the JSON output:
  - The format of the JSON output now exactly matches the format of the Python output (which is [fully documented](https://nabla-c0d3.github.io/sslyze/documentation/)).
  - Better parsing of Subject and Issuer fields in certificates (#404).
- Support for XML output was removed.

### sslyze 3.0.1 (2020-04-03)

- Fixed installation errors with Python 3.8 (#421).
- Added a pre-built Windows executable: [sslyze-3.0.1-exe.zip](https://github.com/nabla-c0d3/sslyze/releases/download/3.0.1/sslyze-3.0.1-exe.zip).

### sslyze 3.0.2 (2020-04-19)

- Improved the check for HTTP security headers by adding support for HTTP redirections (#393).
- Fixed a bug causing some results to not be returned when scanning multiple servers (#429).
- Added support for more versions of the cryptography package for better compatibility (#428).
- Fixed a crash when scanning a server with a certificate that has duplicate X509 extensions (#420).

### sslyze 3.0.3 (2020-04-27)

- Fixed a bug with the Heartbleed and CCS Injection checks (#202).
- Fixed crashes with servers that have connectivity issues (#433, #430).

### sslyze 3.0.4 (2020-05-10)

- Fixed crashes when running SSLyze on localized (i.e. non-English) versions of Windows (#434).

### sslyze 3.0.6 (2020-05-31)

- Fixed a crash when scanning Amazon Cloudfront for Heartbleed and CCS Injection (#437).
- The Python API now exposes a `JsonEncoder` to make it easy to serialize a `ServerScanResult` to JSON (#439).

### sslyze 3.0.7 (2020-06-13)

- Fixed crashes when scanning Amazon Cloudfront due to TLS 1.3 (#445).
- Fixed a crash when scanning a server with an Ed25519 certificate (#444).
- The CLI will now run `--regular` if no scan options were supplied: `python -m sslyze google.com` (#440).

### sslyze 3.0.8 (2020-06-28)

- Significantly reduced memory usage when using SSLyze in a Python application.

### sslyze 3.1.0 (2020-11-11)

- Added support for scanning for supported elliptic curves (#447):

  ```
  $ python -m sslyze --elliptic_curves www.cloudflare.com
  * Elliptic Curve Key Exchange:
      Supported curves: prime256v1, secp384r1, secp521r1, X25519
      Rejected curves: sect163r2, secp160r1, sect233k1, X448, secp160r2, sect233r1, secp192k1, sect239k1, secp224k1, sect193r1, sect283k1, secp224r1, sect163k1, sect283r1, secp256k1, secp160k1, sect409k1, prime192v1, sect409r1, sect163r1, sect193r2, sect571k1, sect571r1
  ```

- Added support for cryptography 3.x (#455).
- Fixed various crashes (#458, #459).

### sslyze 4.0.0 (2021-01-19)

- Added support for Python 3.9 (#468).
- Fixed a crash when parsing OCSP responses (#471).
  - **API-breaking change:** the `ocsp_response` field in `CertificateInfoScanResult` is now an `OCSPResponse` instance from the `cryptography.x509.ocsp` module.
  - **JSON-breaking change:** significantly improved the JSON output for certificates and OCSP responses when using `--certinfo`.
- Fixed a false positive when testing for client-initiated renegotiation DoS attacks on some servers (#473).
  - **API-breaking change:** the `accepts_client_renegotiation` field in `SessionRenegotiationScanResult` was removed, and the more accurate `is_vulnerable_to_client_renegotiation_dos` field was added.
- The ability to detect the server's "preferred" cipher suite was removed for being too unreliable, and will be replaced by full cipher suite order detection in a future release (#456).
  - **API-breaking change:** the `cipher_suite_preferred_by_server` field in `CipherSuitesScanResult` was removed.
- Fixed a crash when scanning a server with an exotic/invalid TLS configuration (#466).
- Fixed support for older versions of macOS.
- Added support for the latest version of cryptography (#467).

### sslyze 4.0.1 (2021-01-20)

- Updated the version of cryptography in the setup.py (#467).
- Fixed a crash when displaying non-successful OCSP responses (#477).

### sslyze 4.0.2 (2021-01-31)

- Fixed an issue with servers requiring client authentication and SSLyze reporting some TLS versions as unsupported (#472).
- Fixed a crash when parsing an OCSP response with no "Next Update" field (#481).
- Updated the trust stores.

### sslyze 4.0.3 (2021-02-15)

- Updated the JSON output to be more stable, to allow diffing the JSON output of successive scans against the same server (#491).
- Fixed errors when scanning a server that only supports TLS 1.3 (#488).
- Fixed an error when running `--robot` on an nginx server configured to require client authentication (#484).
- Fixed a crash due to malformed HTTP headers (#498).
- Better reporting when scanning unresponsive servers (#501).
- Fixed an error when an invalid certificate is deployed on the server (#495).
- Fixed an error when running `--reneg` on an Indy TCP server (#483).

### sslyze 4.0.4 (2021-02-22)

- Fixed errors when running `--elliptic_curves` on specific server software (#490).
- Better error reporting when running `--http_headers` on a server that doesn't speak HTTP (#499, #500).
  - See also the new `HttpHeadersScanResult.http_error_trace` field in the Python API.

### sslyze 4.1.0 (2021-03-29)

- SSLyze's memory usage has been **significantly reduced** when scanning a lot of servers concurrently (#511).
  - This will make it easier to deploy SSLyze to environments where memory is limited, such as AWS Lambda.
  - For example, when queuing 100 server scans, memory usage will now reach a maximum of **150 MB**, instead of **1400 MB** in previous versions of SSLyze.
- Fixed errors when running `--http_headers` on specific server software (#517, #516).
- Removed usage of pipenv and switched back to a `requirements.txt`.

### sslyze 5.0.0 (2021-11-26)

This major release focuses on improving the reliability of the scans, simplifying the Python API and JSON output, and adding support for checking a server's TLS configuration against Mozilla's recommended configuration.

- SSLyze will now check the server's scan results against the Mozilla "intermediate" configuration (#453).
  - Which Mozilla configuration to use can be configured via `--mozilla-config={old, intermediate, modern}`.
  - The `--mozilla-config` option replaces `--regular`, which has been removed.
  - SSLyze can now be run as a CI/CD step; see the README for more information.
- The Python API has been significantly simplified (#512). The changes focus on:
  - Reducing how much code is needed in order to run a scan.
  - Improving the typing of the result objects, in order to simplify code that processes scan results.
  - **API-breaking changes**: starting a scan and processing the results is now done differently; see the [documentation](https://nabla-c0d3.github.io/sslyze/documentation/running-a-scan-in-python.html).
- The JSON output has been significantly simplified.
  - The JSON output's format now fully matches the format of the results within the Python API.
  - An auto-generated JSON schema is also now available at *./json_output_schema.json* (#487).
  - The [Python documentation](https://nabla-c0d3.github.io/sslyze/documentation/) can now be used to understand the format for both Python results and JSON results.
- SSLyze now provides a fully-typed Python API for [parsing the JSON output](https://nabla-c0d3.github.io/sslyze/documentation/json-output.html) of previously-run scans (#487).
  - `parsed_json_result = SslyzeOutputAsJson.parse_file("result.json")`
  - This can be used for example to process the results of SSLyze scans in a separate Python program.
- HTTP headers testing: the Public-Key-Pins headers are no longer checked by SSLyze, as the pinning feature has been removed from most browsers (#506).
  - **API-breaking changes**: the `public_key_pins_header` and `public_key_pins_report_only_header` fields have been removed from `HttpHeadersScanResult`.
- Session resumption testing: the `--resum` scan command has been updated to provide better insights into how the server supports session resumption (#53).
  - The command will now attempt multiple resumptions using TLS tickets, similarly to what it already does for resumptions with Session IDs. Previously, it would only perform a single resumption attempt when testing TLS Tickets.
  - The new command `--resum_attempts` can be used in order to configure how many session resumptions `--resum` will attempt; it is set to 5 by default.
    - `python -m sslyze --resum --resum_attempts=20 www.google.com`
  - **API-breaking changes**:
    - The fields within `SessionResumptionSupportScanResult` have been renamed and updated.
    - The `--resum_rate` command, `ScanCommand.SESSION_RESUMPTION_RATE` and the `SessionResumptionRateScanResult` class have been removed. The `--resum_attempts` command and `SessionResumptionSupportExtraArguments` class should be used instead.
- Misc bug fixes for when scanning servers with exotic TLS or network configurations (#531, #532, #533).

### sslyze 5.0.1 (2021-12-19)

- Renamed `--mozilla-config` to `--mozilla_config` for consistency.
- Fixed a bug when using `--reneg` against servers using specific versions of GnuTLS.
- Added support for cryptography 36.0.0 (#542).
- Fixed JSON output when using `--json_out=-` to print JSON to the console (#543).

### sslyze 5.0.2 (2022-01-01)

- Added support for Python 3.10 (#464).

### sslyze 5.0.3 (2022-03-13)

- Fixed a crash when no valid server strings had been supplied via the command line (#557).
- Fixed a crash when serializing the result of running `--http_headers` to JSON (#554).
- Checking the server's scan results against the Mozilla configurations can be disabled using `--mozilla_config=disable` (#551).

### sslyze 5.0.4 (2022-04-30)

- Reduced memory usage, and fixed a memory leak when running multiple scans in a row via the Python API (https://github.com/nabla-c0d3/sslyze/issues/560).

### sslyze 5.0.5 (2022-05-14)

- Fixed an error when scanning a server with a specific behavior regarding client authentication (#555).
- Fixed an error when using `--openssl_ccs` on specific servers (#548).
- Added support for cryptography 37.0.0 (#565).
- Updated the embedded trust stores.

### sslyze 5.0.6 (2022-10-15)

- Fixed a bug where no scans were run when using specific combinations of CLI options (#575).
- Added support for more TLS stacks when connecting and scanning for elliptic curves (#579, #562).
- Better CLI output when connectivity to the server is flaky (#534).
- Added support for pydantic 1.10 (#576).
- Documented how to export results to JSON via the Python API (#571).

### sslyze 5.1.0 (2023-01-17)

- Added support for Python 3.11 (#582).
- Added support for Brainpool curves when running `--elliptic_curves` (#545).
- Added support for validating certificates with IP addresses in their Subject Alternative Name (#544).
- Fixed memory leaks when performing certificate validation by switching to pyOpenSSL (#566).
- Fixed a crash with pydantic v1.10.3 (#586).
- Removed the check for the Expect-CT HTTP header when running `--http_headers`, as the header has been deprecated (#584).
- Fixed a crash when exporting results to JSON when an HTTP proxy was used (#581).

### sslyze 5.1.1 (2023-01-18)

- Fixed compatibility with specific versions of pydantic (#590).

### sslyze 5.1.2 (2023-03-09)

- Updated cryptography to v39 (#596).
- Updated the trust stores.

### sslyze 5.1.3 (2023-04-01)

- Added native support for Apple Silicon (https://github.com/nabla-c0d3/nassl/pull/107).
- Fixed a crash when using older versions of PyOpenSSL (#600).

### sslyze 5.2.0 (2023-09-24)

- Fixed crashes affecting specific Linux distributions such as Red Hat Linux and CentOS (#556, #621).
- Fixed a bug when probing TLS 1.3 servers that require client authentication (#612).
- Fixed a crash when using the JSON output with the `MozillaTlsConfigurationChecker` (#614).
- Added support for pydantic 2.x (#611).
- Added support for cryptography 40 and 41 (#610).
- Updated the Windows executable to use Python 3.11 (#588).
- Updated Mozilla configuration recommendations to v5.7 (#608).
- Better handling of servers that only support SSL v2.0 (#601).
- *WARNING: This is the last release to support Python 3.7.*
- *WARNING: This is the last release to support pydantic 1.x.*