forked from OWASP/O-Saft
-
Notifications
You must be signed in to change notification settings - Fork 0
/
CHANGES
438 lines (369 loc) · 11 KB
/
CHANGES
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
Version: 14.1.4
BUGFIX
* bugfix: regex for pubkey_value on windows
* bugfix: empty len_public_key and len_sidump on windows corrected
UPDATE
* documentation improved
Version: 14.1.3
BUGFIX
* bugfix: avoid perl warning for +cipher
* bugfix: avoid perl warning in Net::SSLinfo::do_openssl()
Version: 14.1.2
BUGFIX
* bugfix: avoid perl warning in Net::SSLinfo::do_openssl()
Version: 14.1.1
NEW
* option --win-CR implemented
Version: 13.12.31
BUGFIX
* bugfix: separator in output for --trace-corrected
* bugfix: no checks for master_key and session_id to avoid perl warnings
* bugfix: initialization of check values corrected
UPDATE
* Net::SSLeay initialization inside BEGIN{}
* use Net::SSLeay::set_tlsext_host_name() for SNI
Version: 13.12.30
BUGFIX
* check for +ev improved
NEW
* +dv command and checks added
Version: 13.12.29
BUGFIX
* bugfix: missing \n added when printing checks with --legacy=full
UPDATE
* check for CN= in checkev()
* +ev improved
* special handling for +ev removed (use --legacy=full now)
Version: 13.12.28
NEW
* +chain_verify command added
* documentation according +verify, +selsigned added
Version: 13.12.27
NEW
* options --ca-file --ca-path --ca-depth implemented
Version: 13.12.26
BUGFIX
* print hostname correctly with --showhost
* reset checks when multiple hosts are given
* --tracekey and --showhost was missing for +check
Version: 13.12.25
NEW
* --usr option for o-saft-usr.pm implemented
* new file o-saft-usr.pm
Version: 13.12.24
NEW
* --tab option added
* contrib file
Version: 13.12.21
UPDATE
* --help=cfg_{check,data,text} and --cfg_{check,data,text}= implemented the same way
Version: 13.12.20
UPDATE
* don't read external files in CGI mode
Version: 13.12.19
UPDATE
* formal changes
* --yeast implemented to call _yeast_data()
* _yeast_data() improved; documentation improved in o-saft-dbx.pl
* don't read external files in CGI mode
Version: 13.12.18
UPDATE
* --cfg_* configuration options implemented
* CUSTOMIZATION description added
Version: 13.12.17
UPDATE
* samples to redefine texts in Deutsch added in .o-saft.pl
* --cfg_text* implemented
* print internal data with --help=* simplified
* --set-score renamed to --cfg_score
Version: 13.12.16
Version: 13.12.15
BUGFIX
* (issue 16) define $_timeout variable when missing (Mac OS X problem)
* reading score values from files corrected; allow + in score settings
UPDATE
* get subject_hash and issuer_hash from Net::SSLeay
* commands issuer and issuer_hash added to --cfg_cmd-info in .o-saft.pl
NEW
* +chain to retrive Certificate Chain implemented
* +protocols to retrive supported protocols by target (requres openssl
with -nextprotoneg support)
Version: 13.12.14
NEW
* Serial Number <= 20 octets (RFC5280, 4.1.2.2. Serial Number)
* new commands len_sernumber and sernumber added to --cfg_cmd-check in .o-saft.pl
Version: 13.12.13
UPDATE
* documentation improved (better English)
Version: 13.12.12
BUGFIX
* error handling for DNS corrected (if something failed)
* no scoring for +info (avoids some "unitialised" warnings too)
* avoid some warnings with --cmd-* in .o-saft.pl
* reverse hostname computation corrected
* --cfg_cmd-check withoud valid command in .o-saft.pl
NEW
* --cfg_cmd-quick added in .o-saft.pl
Version: 13.12.11
BUGFIX
* STS check corrected
UPDATE
* +http improved
* huge code cleanup; checks improved; scoring now in sub scoring()
* Net/SSLinfo.pm: hsts_pins renamed to https_pins; hsts renamed to https_sts
NEW
* o-saft-README file implemented
* o-saft-dbx.pm with functions for debug, trace and verbose output
* .o-saft.pl as local resource file implemented
* --cfg_text-* and --cfg_cmd-* options implemented
Version: 13.12.09
UPDATE
* duplicate messages removed
Version: 13.12.08
BUGFIX
* bugfix: check for renegotiation and resumption corrected
UPDATE
* --no-header avoids printing most formating lines
Version: 13.12.07
BUGFIX
* --showhost works for +check too
* checks corrected if --no-http was used
* checks improved if --no-cert was used
* bugfix: missing (..) added in sub checkhttp
UPDATE
* code cleanup and simplified, all %check_* --> %checks
* documentation improved
NEW
* --help=cmd, --help=commands, --help=intern
Version: 13.11.30
UPDATE
* _yeast_data() implemented; documentation improved for o-saft-dbx.pm
* cleanup for texts
Version: 13.11.29
BUGFIX
* some warnings (perl -w) corrected (for --no-cert option)
UPDATE
* code cleanup for checkssl()
* output for +check sorted
* output improved for --no-cert option
Version: 13.11.28
UPDATE
* check hostname vs. certificate name improved
Version: 13.11.27
UPDATE
* omit cipher checks if protocoll not supported for BSI TR-02102
Version: 13.11.26
BUGFIX
* better extraction of certificate extensions details
NEW
* check invalid characters in extensions added
Version: 13.11.25
BUGFIX
* checks for CRL, OCSP corrected;
* missing EV checks for AIA, CRL and OCSP added
* ouput of certificate extensions corrected
NEW
* commands for details of certificate extensions added
ext_authority, ext_cps, ext_crl, ...
Version: 13.11.23
NEW
* +extensions implemented; --header, --no-header implemented
Version: 13.11.22
BUGFIX
* print cipher totals for all versions; some texts unified
Version: 13.11.21
BUGFIX
* "Given hostname is same as reverse resolved hostname" ccorrected
* check for wildcards in TR-02102-2 compliance corrected
* +info--v command fixed; _dump() call
UPDATE
* texts and output layout unified; prepared for configurable texts
* debug, trace and verbose functions are emty stubs, now in o-saft-dbx.pm
NEW
* o-saft-dbx.pm with functions for debug, trace and verbose output
Version: 13.11.20
UPDATE
* texts and output layout unified; prepared for configurable texts
* certificate's date checks improved
Version: 13.11.19
BUGFIX
* some warnings (perl -w) corrected
* perl warnings fixed for +version command
UPDATE
* --trace command improved
* function calls unified
* using temporary variables for better (human) readability
NEW
* --trace=VALUE implemented; --trace-cmd implemented
Version: 13.11.18
UPDATE
* function calls unified
* using temporary variables for better (human) readability
Version: 13.11.17
BUGFIX
* missing labels in output added
* +bsi does not inhibit other checks
* +quick with more check (got lost with implementation of +bsi)
UPDATE
* some labels in output improved
* +quick improved with labels
Version: 13.11.16
UPDATE
* missing security flag for some ciphers added; documentation improved
Version: 13.11.15
UPDATE
* RC4 ciphers degraded as weak
Version: 13.11.14
UPDATE
* documentation and glossar improved
Version: 13.11.13
NEW
* compliance check: BSI TR-02102 implemented; command +bsi
Version: 13.11.12
UPDATE
* glossar improved
Version: 13.11.11
BUGFIX
* parsing altname in certificate corrected
UPDATE
* +sts alias for +hsts
NEW
* check for RC4 implemented
Version: 13.10.22
UPDATE
* retrive target data for: krb5 psk_hint psk_identity srp master_key session_id session_ticket
Version: 13.10.20
BUGFIX
* connecting with openssl improved for openssl 1.0.1.e
UPDATE
* --v honored in various modes
* --format=hex includes +fingerprint
NEW
* reading options and arguments from rc-file implemented
Version: 13.10.19
BUGFIX
* more improvements for perl's -w
* Net::SSLinfo::do_openssl() uses optional $data parameter; code improved
Version: 13.10.18
BUGFIX
* bugfix: variable syntax corrected; more improvements for perl's -w
Version: 13.10.17
BUGFIX
* code improved for perl's -w
Version: 13.10.16
BUGFIX
* syntax improved for ActivePerl
UPDATE
* INSTALLTION part added to README file
Version: 13.10.14
BUGFIX
* --cmd=quick is same as +quick
* --help=checks instead of --help=check
Version: 13.10.11
BUGFIX
UPDATE
* --v honored in various modes
* --format=hex includes +fingerprint
NEW
* description for CIPHER NAMES
Version: 13.09.29
BUGFIX
* check --envlibvar= option
* +cipher command corrected
UPDATE
* fomal code changes in checkciphers()
NEW
* --force-openssl implemented to use openssl for cipher checks
Version: 13.09.28
BUGFIX
* s_client command corrected
* PFS check label text corrected
* Net::SSLinfo::do_openssl() supports ciphers command correctly
NEW
* EV-SSL checks implemented
* +subject_ev implemented
Version: 13.09.27
UPDATE
* minor changes of output texts
NEW
* --format=hex implemented
Version: 13.09.25
UPDATE
* regex and check for compliance and attacks improved
Version: 13.09.16
BUGFIX
* label for EDH check corrected
* RegEx ADHorDHA and DHEorEDH corrected
UPDATE
* glossar improved
NEW
* --format=raw implemented
Version: 13.09.15
BUGFIX
* +list command exits
NEW
* check for CRIME implemented
Version: 13.09.14
BUGFIX
* BEAST check for default cipher corrected
Version: 13.09.13
UPDATE
* documentation improved
* huge amount of code cleanup (no change of functionality)
Version: 13.09.12
not released
Version: 13.09.11
BUGFIX
* reverse hostname lookup corrected; now prints list
* print host (target) information before doing checks
UPDATE
* be greedy to allow +BEAST, +CRIME, etc.
* cipher names are prependet by SSL version in +check output
* documentation (COMMANDS, OPTIONS) improved
* legacy option improved
NEW
* -no-dns implemented (workaround for '<gethostbyaddr() failed>)
* %cfg{regex} added
Version: 13.09.10
BUGFIX
* output for some legacy formats corrected (sslscan, ssltest, sslyze)
* print correct SSL version for ciphers in results
* legacy option --no-failed corrected
UPDATE
* Glossar improved
Version: 13.09.09
BUGFIX
* +cipher command corrected
Version: 13.09.08
NEW
* --cipher= allows other names; _find_cipher_name() implemented
Version: 13.09.07
BUGFIX
* --short texts corrected
UPDATE
* scoring improved
* documentation improved
NEW
* +quick command for quick and simple check
* +http command for HTTP(S) checks
* --legasy=testsslserver implemented
Version: 13.07.31
UPDATE
* debugging and tracing improved
NEW
* STS checks implemented (scoring not yet perfect)
* PFS checks implemented
* --format=raw implemented
* new commands: +sigkey_value, +sigkey_algorithm, +sigkey_len
Version: 13.03.31
BUGFIX
* avoid useless or wrong output when --no-cert given
UPDATE
* glossar
NEW
* --http implemented
* --set_score implemented
* --help=LABEL implemented
* --ignorecase implemented
* --showhost implemented
* scoring implemented (first simple attempt)