* Tue May 11 2021 Dirk Müller <dmueller@suse.com>
- update to 2.0.10:
* Add the --connect-timeout option (credit alkalim)
* Fix a typo in output
* Warn on TLSv1.1, as it's now deprecated by RFC 8996
* Fix a bug with LDAP STARTTLS
* Fix certificate detection on some broken servers
* Fix missing SCSV Fallback in XML output
* Don't show server signature algorithms by default
* Use --show-sigs to display them
* Fri Dec 18 2020 Johannes Weberhofer <jweberhofer@weberhofer.at>
- Upgrade to version 2.0.6
* Add <error> element to XML output
* Fix the extraneous padding of HTTP responses in XML
* Update the HTTP request to HTTP/1.1
* More robust checking that the HTTP response is valid
* Display "No response" when no HTTP response is returned
* Remove the broken HTTP request scanning option (--http)
* Fix --targets not working properly
* Flag certificates in red if CN is the same as issuer
* Mon Sep 28 2020 Johannes Weberhofer <jweberhofer@weberhofer.at>
- Upgrade to version 2.0.1
* Correctly set SNI name when using --targets. Fixes gh#rbsec/sslscan#215
* Thu Jul 23 2020 Johannes Weberhofer <jweberhofer@weberhofer.at>
- Upgrade to version 2.0.0
Version 2 of sslscan includes a major rewrite of the backend scanning code,
which means that it is no longer reliant on the version of OpenSSL for many
checks. This means that it is possible to support legacy protocols (SSLv2 and
SSLv3), as well as supporting TLSv1.3 - regardless of the version of OpenSSL
that it has been compiled against. It is still recommended to build statically
where possible, but dynamically built versions should be significantly more
useful.
Note that there are also some breaking changes to the XML output, which are
documented in the readme file.
This rewrite has been made possible largely by the work of jtesta, who has been
responsible for most of the backend rewrite.
- Cleaned up spec file
* Wed Jul 22 2020 Wolfgang Frisch <wolfgang.frisch@suse.com>
- Upgrade to version 2.0.0-beta6
* Various bugfixes
* Added -4 and -6 options to force IPv4 and IPv6.
* Added strength attribute to XML to reflect colouring in stdout
* Checks for server signature algorithms.
* Checks for server key exchange groups.
* Support for SSLv2 and SSLv3 protocol detection regardless of OpenSSL
* Support for TLSv1.3
* Support for additional cipher suites.
* Print curve name and key strength for ECC certs
* Fix a bug with servers that return incorrect cipher IDs.
* Add a new "<certificates>" element to the XML output.
* Remove the "Signature Algorithm:" text and spacing from the XML.
* Report servers that accept any signature algorithm in the XML
- Rebased fedora-sslscan-patents.patch
- OpenSSL dependency bumped to >= 1.1
Version: 1.11.10-bp150.2.4
* Fri Feb 02 2018 jweberhofer@weberhofer.at
- Simplified requirements
* Thu Feb 01 2018 jweberhofer@weberhofer.at
- Use openssl<1.1 for suse_version >= 1500
* Mon Dec 25 2017 jweberhofer@weberhofer.at
- Fix building on factory (use openssl 1.0.0)
- Upgrade to version 1.11.10
* Support for ChaCha ciphers
* Add support for STARTTLS on mysql (--starttls-mysql)
* Display SNI information in XML output
* Mark SHA-1 certificates as weak
* Mon Dec 18 2017 jweberhofer@weberhofer.at
- Fixed building on SLES systems
* Mon Nov 28 2016 jweberhofer@weberhofer.at
- Upgrade to version 1.11.8
* Support alternate SNI hostnames (--sni=)
* Allow building with no support for TLS SCSV Fallback
- Removed SSL_MODE_SEND_FALLBACK_SCSV (integrated upstream)
* Mon Oct 31 2016 manfred.h@gmx.net
- SSL_MODE_SEND_FALLBACK_SCSV.patch: Add patch to treat SSL_MODE_SEND_FALLBACK_SCSV conditionally.
* Thu Oct 27 2016 jweberhofer@weberhofer.at
- Highlighted features:
* Support for
- STARTTLS: POP3, IMAP, FTP, XMPP
- PostgreSQL
- IPv6 addresses
- TLSv1.1 and TLSv1.2
- XMPP server-to-server connections
* Added check for
- OpenSSL Heartbleed
- POODLE
* Highlight the following issues
- weak RSA and DHE keys in output
- SSLv2, SSLv3, RC4 ciphers
- anonymous ADH and AECDH ciphers
- weak (n <= 40 bit) and medium (40 < n <= 56 bit)
* Certificates
- Display certificate signing algorithm highlighting weak algorithms.
- Display certificate key strength highlighting weak keys.
- Flag expired certificates
* Most secure protocols are scanned first
* Display cipher details by default
- rebased fedora-sslscan-patents.patch
- removed obsolete patches
- Upgraded to version 1.11.7
* Check for TLS Fallback SCSV
* Allow xml to be output on stdout (--xml=-)
- Version 1.11.6
* Re-enable support for weak (<1024) DH keys in OpenSSL
- Version 1.11.5
* Fix bug in heartbleed check (credit nuxi)
* Makefile improvements and fixes for OSX and FreeBSD
* Optimize OpenSSL clone
* Implement --show-times to display handshake times in milliseconds
- Version 1.11.4
* Fix compression detection (credit nuxi)
* Added support for PostgreSQL (credit nuxi)
- Version 1.11.3
* Properly fix missing SSLv2 EXPORT ciphers by patching OpenSSL
- Version 1.11.2
* Makefile improvements
* Update OpenSSL from Git when statically building
* Use enable-ssl2 and enable-weak-ciphers when building statically
- Version 1.11.1
* Show cipher IDs with --show-cipher-ids (credit maurice2k)
* Warn when building against system OpenSSL rather than statically
* Allow building statically on OSX (experimental)
- Version 1.11.0
* Rewrote ciphersuite scanning engine to be much faster
* Ciphers are now output in order of server preference
* Most secure protocols are scanned first (TLSv1.2 -> SSLv2)
* All protocols are tried when trying to obtain the certificate
* Obsolete --failed and --no-preferred-ciphers options removed
* Flag TLSv1.0 ciphers in output
* Flag 56 bit ciphers as red, not yellow
* Fix building on OpenBSD (credit Stuart Henderson)
* Fix incorrect output when server prefers NULL ciphers
- Version 1.10.6
* Fix --sleep only working for whole seconds (credit dmke)
* Fix compiling against OpenSSL 0.9.8 (credit aclemons)
* Flag expired certificates (credit jacktrice)
- Version 1.10.5
* Added IRC STARTTLS support (--starttls-irc, credit jkent)
* Highlight weak RSA keys in output
* Added option to show OCSP status (--ocsp, credit kelbyludwig)
* Fix a segfault with certificate parsing
- Version 1.10.4
* Display cipher details by default (hide with --no-cipher-details)
* Fix scanning multiple targets if one fails (credit shellster)
* Fix bug with --no-color and --failed (credit yasulib)
* Minor bugfixes to output
- Version 1.10.3
* Flag weak DHE keys in --cipher-details
* Report DHE key bits in XML
* Change ECDHE key bits to "ecdhebits" rather than "dhebits" in XML
- Version 1.10.2
* Wrap TLS extensions in CDATA blocks in XML output.
* Fix incorrect TLS versions in heartbleed checks
- Version 1.10.1
* Fix XML output to use "TLSv1.0" in preferred ciphers, not "TLSv1"
* Added --cipher-details option to display EC curves and EDH keys
Note that this feature requires OpenSSL >= 1.0.2
* Update static build options to compile against OpenSSL 1.0.2
- Version 1.10.0
* Experimental build support (credit jtesta).
* Support XMPP server-to-server connections (--xmpp-server).
- Version 1.9.11
* Makefile updates to assist packaging in Kali.
* Fix missing static build number when compiling from tarball.
- Version 1.9.10
* Display certificate CN, Altnames and Issuer in default output.
* Flag certificates where CN == issuer, or CN = *
* Highlight GCM ciphersuites as good
- Version 1.9.9
* Added --show-client-cas option to determine trusted CAs
for client authentication
* Added --no-preferred option to disable any output except specified
- Version 1.9.8
* Added --sleep option to pause between requests
* Only check for heartbleed against specified TLS version
* Fix issues compiling against OpenSSL 0.9.8
* Highlight CBC ciphersuites on SSLv3 (POODLE)
* Experimental build support on OSX (credit MikeSchroll)
- Version 1.9.7
* Added option for static compilation with OpenSSL (credit dmke)
* Added "sslmethod" attribute to Heartbleed XML output (credit dmke)
* Split headers into sslscan.h (credit dmke)
- Version 1.9.6
* Highlight NULL ciphers in output.
* Highlight SSLv3 ciphers.
* Added --rdp option to support RDP servers (credit skettler).
* Added --timeout option to set socket timeout (default 3s).
- Version 1.9.5
* Renamed --get-certificate option to --show-certificate.
* Display certificate signing algorithm highlighting weak algorithms.
* Display certificate key strength highlighting weak keys.
* Bumped XML version to 1.9.5 due to minor changes.
- Version 1.9.4
* Check for SSLv2 and SSLv3 ciphers over STARTTLS.
- Version 1.9.3
* Fixed broken STARTTLS SMTP check.
- Version 1.9.2
* Added check for OpenSSL Heartbleed (CVE-2014-0160).
- Version 1.9.1
* Added --tlsall option to only scan TLS ciphersuites.
* Scan all TLS versions by default for STARTTLS services.
* Added support for IPv6 addresses using square bracket notation [:1].
* Highlight anonymous (ADH and AECDH) ciphers in output.
* Added option to disable colour in output (--no-colour).
* Removed undocumented -p output option.
* Removed old references to titania.co.uk domain.
- Version 1.9
* Highlight SSLv2 ciphers
* Highlight weak (n <= 40 bit) and medium (40 < n <= 56 bit) ciphers
* Highlight RC4 ciphers
* Highlight anonymous (ADH) ciphers
* Hide certificate information by default
* Hide rejected ciphers by default (display with --failed).
* Added TLSv1.1 and TLSv1.2 support (merged from twwbond/sslscan).
* Compiles if OpenSSL does not support SSLv2 ciphers (merged from digineo/sslscan).
* Supports IPv6 hostnames (can be forced with --ipv6).
* Check for TLS compression (CRIME, disable with --no-compression)
- Version 1.8.4
* Add demo targets in Makefile
* Refactoring of code by Adam Langley
* Add SNI patch from Tim Brown
* Bug fixes from craSH and Cygwin build improvements
- Version 1.8.3
* Improve new protocol setup support for STARTTLS: POP3, IMAP, FTP, and
XMPP. This is modeled after the support found in OpenSSL's s_client
* Add verbose option to print more info
* Add default ports when a STARTTLS setup flag is called without any port at all
* Sun Apr 27 2014 lars@linux-schulserver.de
- enable parallel build
* Tue Sep 11 2012 frank.lichtenheld@sophos.com
- add TLSv1.1 and TLSv1.2 support for OpenSSL >= 1.0.1
* Fri Aug 10 2012 frank.lichtenheld@sophos.com
- import patch from fedora to allow building on fedora
* Thu Aug 09 2012 frank.lichtenheld@sophos.com
- initial packaging
* patches taken from Debian packaging