Skip to content

Releases: nabla-c0d3/sslyze

5.0.3

13 Mar 21:10
Compare
Choose a tag to compare
  • Fixed a crash when no valid server strings had been supplied via the command line (#557).
  • Fixed a crash when serializing the result of running --http_headers to JSON (#554).
  • Checking the server's scan results against the Mozilla configurations can be disabled using --mozilla_config=disable (#551).

5.0.2

01 Jan 14:41
d46120a
Compare
Choose a tag to compare
  • Added support for Python 3.10 (#464).

5.0.1

19 Dec 18:31
Compare
Choose a tag to compare
  • Renamed --mozilla-config to --mozilla_config for consistency.
  • Fixed a bug when using --reneg against servers using specific versions of GnuTLS.
  • Added support for cryptography 36.0.0 (#542).
  • Fixed JSON output when using --json_out=- to print JSON to the console (#543).

5.0.0

26 Nov 23:47
fbfc52d
Compare
Choose a tag to compare

This major release focuses on improving the reliability of the scans, simplifying the Python API and JSON output, and adding support for checking a server's TLS configuration against Mozilla's recommended configuration.

  • SSLyze will now check the server's scan results against the Mozilla "intermediate" configuration (#453).
    • Which Mozilla configuration to use can be configured via --mozilla-config={old, intermediate, modern}.
    • The --mozilla-config option replaces --regular, which has been removed.
  • SSLyze can now be run as a CI/CD step; see the README for more information.
  • The Python API has been significantly simplified (#512). The changes focus on:
    • Reducing how much code is needed in order to run a scan.
    • Improving the typing of the result objects, in order to simplify code that processes scan results.
    • API-breaking changes: Starting a scan and processing the results is now done differently; see the documentation.
  • The JSON output has been significantly simplified.
    • The JSON output's format now fully matches the format of the results within the Python API.
    • An auto-generated JSON schema is also now available at ./json_output_schema.json (#487).
    • The Python documentation can now be used to understand the format for both Python results and JSON results.
  • SSLyze now provides a fully-typed Python API for parsing the JSON output of previously-run scans (#487).
    • parsed_json_result = SslyzeOutputAsJson.parse_file("result.json")
    • This can be used for example to process the results of SSLyze scans in a separate Python program.
  • HTTP headers testing: the Public-Key-Pins headers are no longer checked by SSLyze, as the pinning feature has been removed from most browsers (#506).
    • API-breaking changes:
      • The public_key_pins_header and public_key_pins_report_only_header fields have been removed from HttpHeadersScanResult.
  • Session resumption testing: the --resum scan command has been updated to provide better insights into how the server supports session resumption (#53).
    • The command will now attempt multiple resumptions using TLS tickets, similarly to what it already does for resumptions with Session IDs. Previously, it would only perform a single resumption attempt when testing TLS Tickets.
    • The new command --resum_attempts can be used in order to configure how many session resumptions --resum will attempt; it is set to 5 by default.
      • python -m sslyze --resum --resum_attempts=20 www.google.com
    • API-breaking changes:
      • The fields within SessionResumptionSupportScanResult have been renamed and updated,
      • The --resum_rate command, ScanCommand.SESSION_RESUMPTION_RATE and the SessionResumptionRateScanResult class have been removed. The --resum_attempts command and SessionResumptionSupportExtraArguments class should be used instead.
  • Misc bug fixes for when scanning servers with exotic TLS or network configurations (#531, #532, #533).

4.1.0

29 Mar 00:46
Compare
Choose a tag to compare
  • SSLyze's memory usage has been significantly reduced when scanning a lot of servers concurrently (#511).
    • This will make it easier to deploy SSLyze to environments where memory is limited, such as AWS Lambda.
    • For example, when queuing 100 server scans, memory usage will now reach a maximum of 150 MB, instead of 1400 MB in previous versions of SSLyze.
  • Fixed errors when running http_headers on specific server software (#517, #516).
  • Removed usage of pipenv and switched back to a requirements.txt.

4.0.4

22 Feb 05:20
Compare
Choose a tag to compare
  • Fixed errors when running --elliptic_curves on specific server software (#490).
  • Better error reporting when running --http_headers on a server that doesn't speak HTTP (#499, #500).
    • See also the new HttpHeadersScanResult.http_error_trace field in the Python API.

4.0.3

15 Feb 20:27
Compare
Choose a tag to compare
  • Updated the JSON output to be more stable, to allow diffing the JSON output of successive scans against the same server (#491).
  • Fixed errors when scanning a server that only supports TLS 1.3 (#488).
  • Fixed error when running --robot on an nginx server configured to require client authentication (#484).
  • Fixed crash due to malformed HTTP headers (#498).
  • Better reporting when scanning unresponsive servers (#501).
  • Fixed error when an invalid certificate is deployed on the server (#495).
  • Fixed error when running --reneg on Indy TCP server (#483).

4.0.2

31 Jan 23:26
Compare
Choose a tag to compare
  • Fixed an issue with servers requiring client authentication and SSLyze reporting some TLS versions as unsupported (#472).
  • Fixed a crash when parsing an OCSP response with no "Next Update" field (#481).
  • Updated the trust stores.

4.0.1

20 Jan 04:11
Compare
Choose a tag to compare
  • Updated the version of cryptography in the setup.py (#467).
  • Fixed a crash when displaying non-successful OCSP responses (#477).

4.0.0

19 Jan 03:14
Compare
Choose a tag to compare
  • Added support for Python 3.9 (#468).
  • Fixed a crash when parsing OCSP responses (#471).
    • API-breaking change: the ocsp_response field in CertificateInfoScanResult is now an OCSPResponse instance from the cryptography.x509.ocsp module.
    • JSON-breaking change: Significantly improved the JSON output for certificates and OCSP responses, when using --certinfo.
  • Fixed a false positive when testing for client-initiated renegotiation DoS attacks on some servers (#473).
    • API-breaking change: the accepts_client_renegotiation field in SessionRenegotiationScanResult was removed, and the more accurate is_vulnerable_to_client_renegotiation_dos field was added.
  • The ability to detect the server’s “preferred” cipher suite was removed for being too unreliable, and will be replaced by full cipher suite order detection in a future release (#456).
    • API-breaking change: the cipher_suite_preferred_by_server in CipherSuitesScanResult was removed.
  • Fixed a crash when scanning a server with an exotic/invalid TLS configuration (#466).
  • Fixed support for older versions of macOS.
  • Added support for the latest version of cryptography (#467).