|
3 | 3 |
|
4 | 4 | ### Features implemented / improvements in 3.2 |
5 | 5 |
|
6 | | -* Rating (SSL Labs, not complete) |
| 6 | +* Rating (SSL Labs) |
7 | 7 | * Extend Server (cipher) preference: always now in wide mode instead of running all ciphers in the end (per default) |
8 | 8 | * Remove "negotiated cipher / protocol" |
9 | 9 | * Provide a better verdict wrt to server order: Now per protocol and ciphers are weighted for each protocol |
10 | | -* Switched to multi-stage docker image with opensuse base to avoid musl libc issues, performance gain also |
11 | | -* Improved compatibility with OpenSSL 3.0 and higher versions |
| 10 | +* Faster startup, other performance improvements |
| 11 | +* Switched to multi-stage docker image with opensuse base to avoid musl libc issues, benefit: also performance gain |
| 12 | +* Added GHCR.io docker image builds |
| 13 | +* Improved compatibility with OpenSSL 3.0 and higher versions like OpenSSL 3.5 |
12 | 14 | * Improved compatibility with Open/LibreSSL versions not supporting TLS 1.0-1.1 anymore |
| 15 | +* Reduced the set of openssl-bad binaries via github to Linux and FreeBSD, no kerberos binaries anymore, no Linux 32 Bit |
13 | 16 | * Renamed PFS/perfect forward secrecy --> FS/forward secrecy |
14 | 17 | * Cipher list straightening |
15 | 18 | * Support RFC 9150 cipher suites |
16 | 19 | * Improved mass testing |
17 | 20 | * Better align colors of ciphers with standard cipherlists |
18 | 21 | * Save a few cycles for ROBOT |
19 | 22 | * Several ciphers more colorized |
| 23 | +* Added support for way more ciphers like all AEAD ciphers known so far |
20 | 24 | * Percent output char problem fixed |
21 | 25 | * Several display/output fixes |
22 | 26 | * BREACH check: list all compression methods and add brotli |
23 | 27 | * Test for old winshock vulnerability |
24 | 28 | * Test for STARTTLS injection vulnerabilities (SMTP, POP3, IMAP) |
25 | 29 | * STARTTLS: XMPP server support, plus a new set of OpenSSL-bad binaries |
26 | 30 | * STARTTLS sieve support, plus again a new set of OpenSSL-bad binaries |
| 31 | +* STARTTLS LDAP support, AD + STARTTLS logic is there but experimental |
27 | 32 | * Several code improvements to STARTTLS, also better detection when no STARTTLS is offered |
| 33 | +* STARTTLS telnet (TN3270/telnet) support |
28 | 34 | * Detect throtteling via STARTTLS smtp |
29 | 35 | * Renegotiation checks more reliable against different servers |
30 | 36 | * STARTTLS on active directory service support |
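Review bot: the added LDAP entry states "AD + STARTTLS logic is there but experimental", while the unchanged entry "STARTTLS on active directory service support" at the end of this hunk still lists AD support without any qualifier. A reader of the changelog gets two different statements about the same feature, so either mark the older entry as experimental too or merge the two into one line. The reworded docker entry ("benefit: also performance gain") also overlaps with the new "Faster startup, other performance improvements" line and could be cut back to the musl libc point.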
|
33 | 39 | * Added support for certificates with EdDSA signatures and public keys |
34 | 40 | * Extract CA list shows supported certification authorities sent by the server |
35 | 41 | * Wildcard certificates: detection and warning |
| 42 | +* Test for support for RFC 8879 certificate compression |
| 43 | +* Show intermediate cert validity / bad OCSP |
| 44 | +* If a TLS 1.3 host is tested and e.g. /usr/bin/openssl supports it, it'll automagically switch to it |
36 | 45 | * TLS 1.2 and TLS 1.3 sig algs added |
| 46 | +* TLS 1.3: decrypting server response |
37 | 47 | * Check for ffdhe groups |
38 | 48 | * Check for six KEMs in draft-connolly-tls-mlkem-key-agreement/draft-kwiatkowski-tls-ecdhe-mlkem/draft-tls-westerbaan-xyber768d00 |
39 | 49 | * Check for ML-DSA signatures (draft-tls-westerbaan-mldsa) |
40 | 50 | * Show server supported signature algorithms |
| 51 | +* Support for EdDSA (Ed25519/Ed448): sigalgo extension, check whether server offers EdDSA certificates, recognize EdDSA signatures |
41 | 52 | * --add-ca can also now be a directory with \*.pem files |
42 | 53 | * Warning of 398 day limit for certificates issued after 2020/9/1 |
43 | 54 | * Added environment variable for amount of attempts for ssl renegotiation check |
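Review bot: the new "Support for EdDSA (Ed25519/Ed448): sigalgo extension, ..." entry overlaps with the unchanged first line of this hunk, "Added support for certificates with EdDSA signatures and public keys", so EdDSA is now announced twice in the same list. Fold the two into a single entry that keeps the detail from the new one. The added "TLS 1.3: decrypting server response" entry would also benefit from a few words on what the decrypted response is used for, since as written it does not tell the user what changes in the output.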
|
46 | 57 | * Headerflag X-XSS-Protection is now labeled as INFO |
47 | 58 | * Search for more HTTP security headers on the server |
48 | 59 | * Strict parser for HSTS |
49 | | -* DNS via proxy improvements |
| 60 | +* DNS via proxy improvements, also IPv6 support for proxy |
50 | 61 | * Client simulation runs in wide mode which is even better readable |
51 | 62 | * Added --reqheader to support custom headers in HTTP requests |
52 | | -* Test for support for RFC 8879 certificate compression |
53 | 63 | * Deprecating --fast and --ssl-native (warning only but still av) |
54 | | -* Compatible to GNU grep 3.8 |
| 64 | +* Compatible to GNU grep >=3.8, bash 5.x |
55 | 65 | * Don't use external pwd command anymore |
56 | 66 | * Doesn't hang anymore when there's no local resolver |
| 67 | +* Display whether server requests/requires a Client Certificate |
57 | 68 | * Added --mtls feature to support client authentication |
58 | | -* If a TLS 1.3 host is tested and e.g. /usr/bin/openssl supports it, it'll automagically will switch to it |
| 69 | +* CI run against a target with known configuration as a change canary |
| 70 | +* Updated client handshakes as new browsers and OpenSSL 3.5.x show KEMs |
| 71 | +* Start using client handshakes include ja3/ja4 so that similar handshakes will be recognized |
59 | 72 |
|
60 | 73 |
|
61 | 74 | ### Features implemented / improvements in 3.0 |
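Review bot: the last added entry, "Start using client handshakes include ja3/ja4 so that similar handshakes will be recognized", is not grammatical and leaves open what was actually changed. If the intent is that the client handshake data now carries ja3/ja4 fingerprints, say so directly, for example "Client handshakes now include ja3/ja4 so that similar handshakes are recognized". In "Compatible to GNU grep >=3.8, bash 5.x" it is also unclear whether bash 5.x is a minimum or simply a tested version, and the unchanged deprecation line still ends in the abbreviation "still av".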
|