forked from drwetter/testssl.sh
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
9 changed files
with
3,068 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,313 @@ | ||
|
|
||
| 2.0 includes: | ||
|
|
||
| * major release, new features: | ||
| * SNI | ||
| * STARTTLS fully supported | ||
| * RC4 check | ||
| * (P)FS check | ||
| * SPDY check | ||
| * color codes make more sense now | ||
| * cipher hexcodes are shown | ||
| * tests ciphers per protocol | ||
| * HSTS | ||
| * web and application server banner | ||
| * server prefereences | ||
| * TLS server extensions | ||
| * server key size | ||
| * cipher suite mapping from openssl to RFC | ||
| * heartbleed check | ||
| * CCS injection check | ||
|
|
||
| --------------------- | ||
| Details: | ||
|
|
||
| 1.106 | ||
| - minor fixes | ||
|
|
||
| 1.105 | ||
| - NEW: working prototype for CCS injection | ||
|
|
||
| 1.104 | ||
| - NEW: everywhere *also* RFC style ciphers -- if the mapping file is found | ||
| - unitary calls to display cipher suites | ||
|
|
||
| 1.103 | ||
| - NEW: telnet support for STARTTLS (works only with a patched openssl version) | ||
| --> not tested (lack of server) | ||
|
|
||
| 1.102 | ||
| - NEW: test for BREACH (experimental) | ||
|
|
||
| 1.101 | ||
| - BUGFIX: muted too verbose output of which on CentOS/RHEL | ||
| - BUGFIX: muted too verbose output of netcat/nc on CentOS/RHEL+Debian | ||
|
|
||
| 1.100 | ||
| - further cleanup | ||
| - starttls now tests allciphers() instead of cipher_per_proto | ||
| (normal use case makes most sense here) | ||
| - ENV J_POSITIV --> SHOW_EACH_C | ||
| - finding mapping-rfc.txt is now a bit smarter | ||
| - preparations for ChaCha20-Poly1305 (would have provided binaries but | ||
| "openssl s_client -connect" with that ciphersuite fails currently with | ||
| a handshake error though client and server hello succeeded!) | ||
|
|
||
| 1.99 | ||
| - BUGFIX: now really really everywhere testing the IP with supplied name | ||
| - locking out openssl < 0.9.8f, new function called "old_fart" ;-) | ||
| - FEATURE: displaying PTR record of IP | ||
| - FEATURE: displaying further IPv4/IPv6 addresses | ||
| - bit of a cleanup | ||
|
|
||
| 1.98 | ||
| - http_header is in total only called once | ||
| - better parsing of default protocol (FIXME shouldn't appear anymore) | ||
|
|
||
| 1.97 | ||
| - reduced sleep time for server hello and payload reply (heartbleed) | ||
|
|
||
| 1.96 | ||
| - NEW: (experimental) heartbleed support with bash sockets (shell only SSL handshake!) | ||
| see also https://testssl.sh/bash-heartbleed.sh | ||
|
|
||
| 1.95 (2.0rc3) | ||
| - changed cmdline options for CRIME and renego vuln to uppercase | ||
| - NEW: displays server key size now | ||
| - NEW: displays TLS server extensions (might kill old openssl versions) | ||
| - brown warning if HSTS < 180 days | ||
| - brown warning if SSLv3 is offered as default protocol | ||
|
|
||
| 1.94 | ||
| - NEW: prototype of mapping to RFC cipher suite names, needed file mapping-rfc.txt in same dir | ||
| as of now only used for 'testssl.sh -V' | ||
| - internal renaming: it was supposed to be "cipherlists" instead of "ciphersuites" | ||
| - additional tests for cipherlists DES, 3DES, ADH | ||
|
|
||
| 1.93 | ||
| - BUGFIX: removed space in Server banner fixed (at the expense of showing just nothing if Server string is empty) | ||
|
|
||
| 1.92 | ||
| - BUGFIX: fixed error of faulty detected empty server string | ||
|
|
||
| 1.91 | ||
| - replaced most lcyan to brown (=not really bad but somehow) | ||
| - empty server string better displayed | ||
| - prefered CBC TLS 1.2 cipher is now brown (lucky13) | ||
|
|
||
| 1.90 | ||
| - fix for netweaver banner (server is lowercase) | ||
| - no server banner is no disadvantage (color code) | ||
| - 1 more blank proto check | ||
| - server preference is better displayed | ||
|
|
||
| 1.89 | ||
| - reordered! : protocols + cipher come first | ||
| - colorized prefered server preference (e.g. CBC+RC4 is light red now, TLSv1.2 green) | ||
| - SSLv3 is now light cyan | ||
| - NEW: -P|--preference now in help menu | ||
| - light cyan is more appropriate than red for HSTS | ||
|
|
||
| 1.88 | ||
| - NEW: prototype for protocol and cipher preference | ||
| - prototype for session ticket | ||
|
|
||
| 1.87 | ||
| - changed just the version string to rc1 | ||
|
|
||
| 1.86 | ||
| - NEW: App banner now production, except 2 liners | ||
| - DEBUG: 1 is now true as everywhere else | ||
| - CRIME+Renego prettier | ||
| - last optical polish for RC4, PFS | ||
|
|
||
| 1.85 | ||
| - NEW: appbanner (also 2 lines like asp.net) | ||
| - OSSL_VER_MAJOR/MINOR/APPENDIX | ||
| - less bold because bold headlines as bold should be reserved for emphasize findings | ||
| - tabbed output also for protocols and cipher classes | ||
| - unify neat printing | ||
|
|
||
| 1.84 | ||
| - NEW: deprecating openssl version <0.98 | ||
| - displaying a warning >= 0.98 < 1.0 | ||
| - NEW: neat print also for all ciphers (-E,-e) | ||
|
|
||
| 1.83 | ||
| - BUGFIX: results from unit test: logical error in PFS+RC4 fixed | ||
| - headline of -V / PFS+RC4 ciphers unified | ||
|
|
||
| 1.82 | ||
| - NEW: output for -V now better (bits seperate, spacing improved) | ||
|
|
||
| 1.81 | ||
| - output for RC4+PFS now better (with headline, bits seperate, spacing improved) | ||
| - both also sorted by encr. strength .. umm ..err bits! | ||
|
|
||
| 1.80 | ||
| - order of finding supplied binary extended (first one wins): | ||
| 1. use supplied variable $OPENSSL | ||
| 2. use "openssl" in same path as testssl.sh | ||
| 3. use "openssl.`uname -m`" in same path as testssl.sh | ||
| 4. use anything in system $PATH (return value of "which" | ||
|
|
||
| 1.79 | ||
| - STARTTLS options w/o trailing 's' now (easier) | ||
| - commented code for CRIME SPDY | ||
| - issue a warning for openssl < 0.9.7 ( that version won't work anyway probably) | ||
| - NPN protos as a global var | ||
| - pretty print with fixed columns: PFS, RC4, allciphers, cipher_per_proto | ||
|
|
||
| 1.78 | ||
| - -E, -e now sorted by encryption strength (note: it's only encr key length) | ||
| - -V now pretty prints all local ciphers | ||
| - -V <pattern> now pretty prints all local ciphers matching pattern (plain string, no regex) | ||
| - bugfix: SSLv2 cipher hex codes has 3 bytes! | ||
|
|
||
| 1.77 | ||
| - removed legacy code (PROD_REL var) | ||
|
|
||
| 1.76 | ||
| - bash was gone!! desaster for Ubuntu, fixed | ||
| - starttls+rc4 check: bottom line was wrong | ||
| - starttls had too much output (certificate) at first a/v check | ||
|
|
||
| 1.75 | ||
| - location is now https://testssl.sh | ||
| - be nice: banner, version, help also works for BSD folks (on dash) | ||
| - bug in server banner fixed | ||
| - sneaky referer and user agent possible | ||
|
|
||
| 1.74 | ||
| - Debian 7 fix | ||
| - ident obsoleted | ||
|
|
||
| 1.72 | ||
| - removed obsolete GREP | ||
| - SWURL/SWCONTACT | ||
| - output for positive RC4 better | ||
|
|
||
| 1.71 | ||
| - workaround for buggy bash (RC4) | ||
| - colors improved | ||
| - blue is now reserved for headline | ||
| - magenta for local probs | ||
| - in RC4 removal of SSL protocol provided by openssl | ||
|
|
||
| 1.70 | ||
| - DEBUG in http_headers now as expected | ||
| - <?xml marker as HTML body understood | ||
|
|
||
| 1.69 | ||
| - HTTP 1.1 header | ||
| - removed in each cipher the proto openssl is returning | ||
| + NEW: cipher_per_proto | ||
|
|
||
| 1.68 | ||
| - header parser for openssl | ||
| - HSTS | ||
| - server banner string | ||
| - vulnerabilities closer+condensed | ||
|
|
||
| 1.68 | ||
| - header parser for openssl | ||
| - HSTS | ||
| - server banner string | ||
| - vulnerabilities closer+condensed | ||
|
|
||
| 1.67 | ||
| - signal green if no SSLv3 | ||
| - cipher hex code now in square brackets | ||
|
|
||
|
|
||
| [..] | ||
|
|
||
|
|
||
| 1.36 | ||
| * fixed issue while connecting to non-webservers | ||
|
|
||
| 1.35 | ||
| * fixed portability issue on Ubuntu | ||
|
|
||
| 1.34 | ||
| * ip(v4) address in output, helps to tell different systems apart later on | ||
| * local hostname in output | ||
|
|
||
| 1.31 (Halloween Release) | ||
| * bugfix: SSLv2 was kind of borken | ||
| * now it works for sure but ssl protocol are kind of ugly | ||
|
|
||
| 1.30b (25.10.2012) | ||
| * bugfix: TLS 1.1/1.2 may lead to false negatives | ||
| * bugfix: CMDLINE -a/-e was misleading, now similar to help menu | ||
|
|
||
| 1.3 (10/13/2012) | ||
| * can test now for cipher suites only | ||
| * can test now for protocols suites only | ||
| * tests for tls v1.1/v1.2 of local openssl supports it | ||
| * commandline "all "is rename to "each-cipher" | ||
| * banner when it's done | ||
|
|
||
| 1.21a (10/4/2012) | ||
| * tests whether openssl has support for zlib compiled so that it avoids a false negative | ||
|
|
||
| 1.21 (10/4/2012) | ||
| * CRIME support | ||
|
|
||
| 1.20b | ||
| * bugfixed release | ||
|
|
||
| 1.20a | ||
| * code cleanup | ||
| * showciphers variable introduced: only show ciphers if this is set (it is by | ||
| default now and there's a comment | ||
| * openssl version + path to it in the banner | ||
|
|
||
|
|
||
| 1.20 | ||
| * bugfix (ssl in ssl handshake failure is sometimes too much) | ||
| * date in output | ||
| * autodetection of CVS version removed | ||
|
|
||
| 1.19 | ||
| * bugfix | ||
|
|
||
| 1.18 | ||
| * Rearragement of arguments: URL comes now always last! | ||
| * small code cleanups for readability | ||
| * individual cipher test is now with bold headline, not blue | ||
| * NOPARANOID flag tells whether medium grade ciphers are ok. NOW they are (=<1.17 was paranoid) | ||
|
|
||
| 1.17 | ||
| * SSL tests now for renegotiation vulnerabilty! | ||
| * version detection of testssl.sh | ||
| * program has a banner | ||
| * fixed bug leading to a file named "1" | ||
| * comment for 128Bit ciphers | ||
|
|
||
| 1.16 | ||
| * major code cleanups | ||
| * cmd line options: port is now in first argument!! | ||
| * help is more verbose | ||
| * check whether on other server side is ssl server listening | ||
| * https:// can be now supplied also on the command line | ||
| * test all ciphers now | ||
| * new cleanup routine | ||
| * -a does not do standard test afterward, you need to run testssl a second | ||
| time w/o -a if you want this | ||
|
|
||
| 1.12 | ||
| * tests also medium grade ciphers (which you should NOT use) | ||
| * tests now also high grade ciphers which you SHOULD ONLY use | ||
| * switch for more verbose output of cipher for those cryptographically interested . | ||
| in rows: SSL version, Key eXchange, Authentication, Encryption and Message Authentication Code | ||
| * this is per default enabled (provide otherwise "" as VERB_CLIST) | ||
| * as a courtesy I am providing 64+32 Linux binaries for testing 56 Bit ciphers | ||
|
|
||
| 1.11 | ||
| * Hint for howto enable 56 Bit Ciphers | ||
| * possible to specify where openssl is (hardcoded, $ENV, last resort: auto) | ||
| * warns if netcat is not there | ||
|
|
||
| 1.10 | ||
| * somewhat first released version |
Oops, something went wrong.