forked from rbsec/sslscan
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Changelog
573 lines (501 loc) · 19 KB
/
Changelog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
Changelog
=========
Version: 2.0.16
Date : 08/04/2023
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Fix incorret detection of TLSv1.3 on Server 2019 (credit jtesta)
> Fix incorrect XML certificate output
Version: 2.0.15
Date : 03/07/2022
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Obtain certificate info even if we can't connect properly
Version: 2.0.14
Date : 23/06/2022
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Strip out https:// from lines in a target file
Version: 2.0.13
Date : 03/04/2022
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Fix TLSv1.3 detection against Server 2022 (credit jtesta)
Version: 2.0.12
Date : 23/02/2022
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Add <not-yet-valid> XML element (credit lucacapacci)
Version: 2.0.11
Date : 16/12/2021
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Add --iana-names option to use IANA/RFC cipher names
> Improve signature algorithm detection
Version: 2.0.10
Date : 27/04/2021
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Add the --connect-timeout option (credit alkalim)
> Fix a typo in output
Version: 2.0.9
Date : 24/03/2021
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Warn on TLSv1.1, as it's now deprecated by RFC 8996
Version: 2.0.8
Date : 12/02/2021
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Fix a bug with LDAP STARTTLS
> Fix certificate detection on some broken servers
> Fix missing SCSV Fallback in XML output
Version: 2.0.7
Date : 10/02/2021
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Don't show server signature algorithms by default
> Use --show-sigs to display them
Version: 2.0.6
Date : 31/10/2020
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Flag certificates in red if CN is the same as issuer
Version: 2.0.5
Date : 24/10/2020
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Fix --targets not working properly
Version: 2.0.4
Date : 13/10/2020
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Remove the broken HTTP request scanning option (--http)
Version: 2.0.3
Date : 11/10/2020
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Fix the extraneous padding of HTTP responses in XML
> Update the HTTP request to HTTP/1.1
> More robust checking the HTTP response is valid
> Display "No response" when no HTTP response is returned
Version: 2.0.2
Date : 04/10/2020
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Add <error> element to XML output
Version: 2.0.1
Date : 20/09/2020
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Fix SNI name when using --targets
Version: 2.0.0
Date : 22/07/2020
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Documentation updates
Version: 2.0.0-beta6
Date : 02/07/2020
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Report servers that accept any signature algorithm in the XML
Version: 2.0.0-beta5
Date : 30/06/2020
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Remove the "Signature Algorithm:" text and spacing from the XML.
Version: 2.0.0-beta4
Date : 10/06/2020
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Add a new "<certificates>" element to the XML output.
Version: 2.0.0-beta3
Date : 10/06/2020
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Fix a few compiler warnings.
> Fix a regression where the "strength" attribute was missing.
Version: 2.0.0-beta2
Date : 10/05/2020
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Fix a bug with servers that return incorrect cipher IDs.
> Portability improvements.
> Fix x86 windows build.
Version: 2.0.0-beta1
Date : 29/02/2020
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Print curve name and key strength for ECC certs
> Various documentation updates
Version: 2.0.0-alpha2
Date : 29/02/2020
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Fix compilation on old versions of GCC.
> Minor changes to protocol support output.
> Strip a trailing slash from the specified target.
> Various other minor bugfixes.
Version: 2.0.0-alpha1
Date : 22/02/2020
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Major rewrite of backend scanning code.
> Support for additional cipher suites.
> Support for TLSv1.3
> Support for SSLv2 and SSLv3 protocol detection regardless of
OpenSSL.
> Checks for server key exchange groups.
> Checks for server signature algorithms.
Version: 1.11.13
Date : 24/03/2019
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Added strength attribute to XML to reflect colouring in stdout
Version: 1.11.12
Date : 18/10/2018
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Enable colours in Windows console output if supported
> Include SCSV fallback in XML output
> Various bugfixes
Version: 1.11.11
Date : 31/12/2017
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Added -4 and -6 options to force IPv4 and IPv6.
> Fix build on Solaris and Windows.
> Fix cross-compiling.
Version: 1.11.10
Date : 04/05/2017
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Build against Peter Mosmans' branch of OpenSSL
> Support for ChaCha ciphers
> NOTE: you will need to run `make clean && make static`.
Version: 1.11.9
Date : 09/04/2017
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Add support for STARTTLS on mysql (--starttls-mysql)
> Display SNI information in XML output
> Fix some compiler warnings
> Mark SHA-1 certificates as weak
> Fix build on some platforms
Version: 1.11.8
Date : 06/11/2016
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Support alternate SNI hostnames (--sni=)
> Allow building with no support for TLS SCSV Fallback
Version: 1.11.7
Date : 13/06/2016
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Check for TLS Fallback SCSV
> Allow xml to be output on stdout (--xml=-)
Version: 1.11.6
Date : 09/04/2016
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Re-eanble support for weak (<1024) DH keys in OpenSSL
Version: 1.11.5
Date : 24/03/2016
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Fix bug in heartbleed check (credit nuxi)
> Makefile improvements and fixes for OSX and FreeBSD
> Optimize OpenSSL clone
> Implement --show-times to display handshake times in milliseconds
Version: 1.11.4
Date : 06/03/2016
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Fix compression detection (credit nuxi)
> Added support for PostgreSQL (credit nuxi)
Version: 1.11.3
Date : 03/03/2016
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Properly fix missing SSLv2 EXPORT ciphers by patching OpenSSL
Version: 1.11.2
Date : 02/03/2016
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Makefile improvements
> Update OpenSSL from Git when statically building
> Use enable-ssl2 and enable-weak-ciphers when building statically
Version: 1.11.1
Date : 11/12/2015
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Show cipher IDs with --show-cipher-ids (credit maurice2k)
> Warn when building agsinst system OpenSSL rather than statically
> Allow building statically on OSX (experimental)
Version: 1.11.0
Date : 24/09/2015
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Rewrote ciphersuite scanning engine to be much faster
> Ciphers are now output in order of server preference
> Most secure protocols are scanned first (TLSv1.2 -> SSLv2)
> All protocols are tried when trying to obtain the certificate
> Obselete --failed and --no-preferred-ciphers options removed
> Flag TLSv1.0 ciphers in output
> Flag 56 bit ciphers as red, not yellow
> Fix building on OpenBSD (credit Stuart Henderson)
> Fix incorrect output when server prefers NULL ciphers
Version: 1.10.6
Date : 06/08/2015
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Fix --sleep only working for whole seconds (credit dmke)
> Fix compiling against OpenSSL 0.9.8 (credit aclemons)
> Flag expired certificates (credit jacktrice)
Version: 1.10.5
Date : 07/07/2015
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Added IRC STARTTLS support (--starttls-irc, credit jkent)
> Highlight weak RSA keys in output
> Added option to show OCSP status (--ocsp, credit kelbyludwig)
> Fix a segfault with certificate parsing
Version: 1.10.4
Date : 21/06/2015
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Display cipher details by default (hide with --no-cipher-details)
> Fix scanning multiple targets if one fails (credit shellster)
> Fix bug with --no-color and --failed (credit yasulib)
> Minor bugfixes to output
Version: 1.10.3
Date : 22/05/2015
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Flag weak DHE keys in --cipher-details
> Report DHE key bits in XML
> Change ECDHE key bits to "ecdhebits" rather than "dhebits" in XML
Version: 1.10.2
Date : 12/05/2015
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Wrap TLS extensions in CDATA blocks in XML output.
> Fix incorrect TLS versions in heartbleed checks
Version: 1.10.1
Date : 06/04/2015
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Fix XML output to use "TLSv1.0" in preferred ciphers, not "TLSv1"
> Added --cipher-details option to display EC curves and EDH keys
Note that this feature requires OpenSSL >= 1.0.2
> Update static build options to compile against OpenSSL 1.0.2
Version: 1.10.0
Date : 28/02/2015
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Experimental build support (credit jtesta).
> Support XMPP server-to-server connections (--xmpp-server).
Version: 1.9.11
Date : 03/02/2015
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Makefile updates to assist packaging in Kali.
> Fix missing static build number when compiling from tarball.
Version: 1.9.10
Date : 24/01/2015
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Display certificate CN, Altnames and Issuer in default output.
> Flag certificates where CN == issuer, or CN = *
> Highlight GCM ciphersuites as good
Version: 1.9.9
Date : 22/01/2015
Author : kyprizel <[email protected]>
Changes: The following are a list of changes
> Added --show-client-cas option to determine trusted CAs
for client authentication
> Added --no-preferred option to disable any output except specified
Version: 1.9.8
Date : 08/12/2014
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Added --sleep option to pause between request
> Only check for heartbleed against specified TLS version
> Added --sleep option to pause between request
> Fix issues compiling against OpenSSL 0.9.8
> Highlight CBC ciphersuites on SSLv3 (POODLE)
> Experimental build support on OSX (credit MikeSchroll)
Version: 1.9.7
Date : 26/10/2014
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Added option for static compilation with OpenSSL (credit dmke)
> Added "sslmethod" attribute to Heartbleed XML output (credit dmke)
> Split headers into sslscan.h (credit dmke)
Version: 1.9.6
Date : 10/10/2014
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Highlight NULL ciphers in output.
> Highlight SSLv3 ciphers.
> Added --rdp option to support RDP servers (credit skettler).
> Added --timeout option to set socket timeout (default 3s).
Version: 1.9.5
Date : 13/09/2014
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Renamed --get-certificate option to --show-certficate.
> Display certificate signing algorithm highlighting weak algorithms.
> Display certificate key strength highlighting weak keys.
> Bumped XML version to 1.9.5 due to minor changes.
Version: 1.9.4
Date : 22/05/2014
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Check for SSLv2 and SSLv3 ciphers over STARTTLS.
Version: 1.9.3
Date : 20/05/2014
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Fixed broken STARTTLS SMTP check.
Version: 1.9.2
Date : 09/04/2014
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Added check for OpenSSL Heartbleed (CVE-2014-0160).
Version: 1.9.1
Date : 06/03/2014
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Added --tlsall option to only scan TLS ciphersuites.
> Scan all TLS versions by default for STARTTLS services.
> Added support for IPv6 addresses using square bracket notation [:1].
> Highlight anonymous (ADH and AECDH) ciphers in output.
> Added option to disable colour in output (--no-colour).
> Removed undocumented -p output option.
> Removed old references to titania.co.uk domain.
Version: 1.9
Date : 30/12/2013
Author : rbsec <[email protected]>
Changes: The following are a list of changes
> Highlight SSLv2 ciphers
> Highlight weak (n <= 40 bit) and medium (40 < n <= 56 bit) ciphers
> Highlight RC4 ciphers
> Highlight anonymous (ADH) ciphers
> Hide certificate information by default
> Hide rejected ciphers by default (display with --failed).
> Added TLSv1.1 and TLSv1.2 support (merged from twwbond/sslscan).
> Compiles if OpenSSL does not support SSLv2 ciphers (merged from digineo/sslscan).
> Supports IPv6 hostnames (can be forced with --ipv6).
> Check for TLS compression (CRIME, disable with --no-compression)
Version: 1.8.4
Date : xx/xx/2010
Author : Jacob Appelbaum <[email protected]>
Changes: The following are a list of changes
> Add demo targets in Makefile
> Refactoring of code by Adam Langley
> Add SNI patch from Tim Brown
> Bug fixes from craSH and Cygwin build improvements
Version: 1.8.3
Date : 11/08/2010
Author : Jacob Appelbaum <[email protected]>
Changes: The following are a list of changes
> Improve new protocol setup support for STARTTLS:
POP3, IMAP, FTP, and XMPP
This modeled after the support found in OpenSSL's s_client
> Add verbose option to print more info
> Add default ports when a STARTTLS setup flag is called without
any port at all
Version: 1.8.2
Date : 19/06/2009
Author : Ian Ventura-Whiting (Fizz)
Changes: The following are a list of changes
since the previous version:
> Fixed output with HTML disabled
> Fixed XML critical
Version: 1.8.1
Date : 25/05/2009
Author : Ian Ventura-Whiting (Fizz)
Changes: The following are a list of changes
since the previous version:
> Fixed some compiler warnings.
Version: 1.8.0
Date : 19/05/2009
Author : Ian Ventura-Whiting (Fizz)
Thanks : John Nichols
Changes: The following are a list of changes
since the previous version:
> Added SSL implementation workaround
option.
> Added HTTP connection testing.
> Fixed Certification validation XML
output.
Version: 1.7.1
Date : 20/04/2008
Author : Ian Ventura-Whiting (Fizz)
Thanks : Mark Lowe
Changes: The following are a list of changes
since the previous version:
> Added HELO for SMTP checks
> Increased read buffer size
Version: 1.7
Date : 18/04/2008
Author : Ian Ventura-Whiting (Fizz)
Changes: The following are a list of changes
since the previous version:
> Added STARTTLS SMTP capability
> Fixed XML output format bug
Version: 1.6
Date : 30/12/2007
Author : Ian Ventura-Whiting (Fizz)
Changes: The following are a list of changes
since the previous version:
> Added man page.
> Improved certificate checking
> Added Makefile
Version: 1.5
Date : 25/09/2007
Author : Ian Ventura-Whiting (Fizz)
Changes: The following are a list of changes
since the previous version:
> Update to the license to make it
BINARY compatible with OpenSSL. Its
then easier for the packagers.
Version: 1.4
Date : 03/09/2007
Author : Ian Ventura-Whiting (Fizz)
Changes: The following are a list of changes
since the previous version:
> Added Server Certificate ouput.
> Added support for client certs.
> Added support for private keys
and password.
> Added support for PKCS#12.
> Fixed xml output.
Version: 1.3
Date : 06/08/2007
Author : Ian Ventura-Whiting (Fizz)
Changes: The following are a list of changes
since the previous version:
> Added XML file output option.
> Improved help text.
> Added program URL.
Version: 1.2
Date : 16/07/2007
Author : Ian Ventura-Whiting (Fizz)
Changes: The following are a list of changes
since the previous version:
> Removed unused variable
> Other minor changes.
Version: 1.1
Date : 13/07/2007
Author : Ian Ventura-Whiting (Fizz)
Changes: The following are a list of changes
since the previous version:
> Correction in banner text
> Host:Port now directly from the
command-line.
Version: 1.0
Date : 13/07/2007
Author : Ian Ventura-Whiting (Fizz)
Notes : Initial version of sslscan