Skip to content

Release version 3.2rc3

Latest
Compare
Choose a tag to compare
@drwetter drwetter released this 10 Oct 10:33
· 208 commits to 3.2 since this release
v3.2rc3
30e0c84

While a few minor things are planned for the 3.2 final version here's a release of our RC which includes a log of fixes and at least the following improvements over 3.0.x:

  • Rating (SSL Labs only at the moment)
  • Extend Server (cipher) preference: always now in wide mode instead of running all ciphers in the end (per default)
  • Remove "negotiated cipher / protocol"
  • Provide a better verdict wrt to server order: Now per protocol and ciphers are weighted for each protocol
  • Switched to multi-stage docker image with opensuse base to avoid musl libc issues, performance gain also
  • Improved compatibility with OpenSSL 3.0
  • Improved compatibility with Open/LibreSSL versions not supporting TLS 1.0-1.1 anymore
  • Renamed PFS/perfect forward secrecy --> FS/forward secrecy
  • Cipher list straightening
  • Improved mass testing
  • Better align colors of ciphers with standard cipherlists
  • Save a few cycles for ROBOT
  • Several ciphers more colorized
  • Percent output char problem fixed
  • Several display/output fixes
  • BREACH check: list all compression methods and add brotli
  • Test for old winshock vulnerability
  • Test for STARTTLS injection vulnerabilities (SMTP, POP3, IMAP)
  • STARTTLS: XMPP server support, plus new set of OpenSSL-bad binaries
  • Several code improvements to STARTTLS, also better detection when no STARTTLS is offered
  • STARTTLS on active directory service support
  • Security fixes: DNS and other input from servers
  • Don't penalize missing trust in rating when CA not in Java store
  • Added support for certificates with EdDSA signatures and public keys
  • Extract CA list shows supported certification authorities sent by the server
  • TLS 1.2 and TLS 1.3 sig algs added
  • Check for ffdhe groups
  • Show server supported signature algorithms
  • --add-ca can also now be a directory with *.pem files
  • Warning of 398 day limit for certificates issued after 2020/9/1
  • Added environment variable for amount of attempts for ssl renegotiation check
  • Added --user-agent argument to support using a custom User Agent
  • Added --overwrite argument to support overwriting output files without warning
  • Headerflag X-XSS-Protection is now labeled as INFO
  • Strict parser for HSTS
  • DNS via proxy improvements
  • Client simulation runs in wide mode which is even better readable
  • Added --reqheader to support custom headers in HTTP requests
  • Test for support for RFC 8879 certificate compression
  • Deprecating --fast and --ssl-native (warning but still av)
  • Compatible to GNU grep 3.8
  • Don't use external pwd command anymore
  • Doesn't hang anymore when there's no local resolver

Thanks to all who contributed! See CREDITS.md file.

You are encouraged to switch to 3.2.