|
3 | 3 |
|
4 | 4 | ### Features implemented / improvements in 3.2 |
5 | 5 |
|
| 6 | +* Rating (SSL Labs, not complete) |
6 | 7 | * Extend Server (cipher) preference: always now in wide mode instead of running all ciphers in the end (per default) |
| 8 | +* Remove "negotiated cipher / protocol" |
| 9 | +* Provide a better verdict wrt to server order: Now per protocol and ciphers are weighted for each protocol |
| 10 | +* Switched to multi-stage docker image with opensuse base to avoid musl libc issues, performance gain also |
7 | 11 | * Improved compatibility with OpenSSL 3.0 |
| 12 | +* Improved compatibility with Open/LibreSSL versions not supporting TLS 1.0-1.1 anymore |
8 | 13 | * Renamed PFS/perfect forward secrecy --> FS/forward secrecy |
| 14 | +* Cipher list straightening |
9 | 15 | * Improved mass testing |
10 | | -* Align better colors of ciphers with standard cipherlists |
11 | | -* Added several ciphers to colored ciphers |
| 16 | +* Better align colors of ciphers with standard cipherlists |
| 17 | +* Save a few cycles for ROBOT |
| 18 | +* Several ciphers more colorized |
12 | 19 | * Percent output char problem fixed |
13 | 20 | * Several display/output fixes |
14 | 21 | * BREACH check: list all compression methods and add brotli |
15 | 22 | * Test for old winshock vulnerability |
16 | 23 | * Test for STARTTLS injection vulnerabilities (SMTP, POP3, IMAP) |
17 | | -* Security fix: DNS input |
18 | | -* Don't use external pwd anymore |
19 | | -* STARTTLS: XMPP server support |
20 | | -* Code improvements to STARTTLS |
21 | | -* Detect better when no STARTTLS is offered |
22 | | -* Rating (SSL Labs, not complete) |
| 24 | +* STARTTLS: XMPP server support, plus new set of OpenSSL-bad binaries |
| 25 | +* Several code improvements to STARTTLS, also better detection when no STARTTLS is offered |
| 26 | +* STARTTLS on active directory service support |
| 27 | +* Security fixes: DNS and other input from servers |
23 | 28 | * Don't penalize missing trust in rating when CA not in Java store |
24 | 29 | * Added support for certificates with EdDSA signatures and public keys |
| 30 | +* Extract CA list shows supported certification authorities sent by the server |
| 31 | +* TLS 1.2 and TLS 1.3 sig algs added |
| 32 | +* Check for ffdhe groups |
| 33 | +* Show server supported signature algorithms |
25 | 34 | * --add-ca can also now be a directory with \*.pem files |
26 | 35 | * Warning of 398 day limit for certificates issued after 2020/9/1 |
27 | 36 | * Added environment variable for amount of attempts for ssl renegotiation check |
28 | 37 | * Added --user-agent argument to support using a custom User Agent |
29 | 38 | * Added --overwrite argument to support overwriting output files without warning |
30 | 39 | * Headerflag X-XSS-Protection is now labeled as INFO |
| 40 | +* Strict parser for HSTS |
| 41 | +* DNS via proxy improvements |
31 | 42 | * Client simulation runs in wide mode which is even better readable |
32 | 43 | * Added --reqheader to support custom headers in HTTP requests |
33 | 44 | * Test for support for RFC 8879 certificate compression |
| 45 | +* Deprecating --fast and --ssl-native (warning but still av) |
| 46 | +* Compatible to GNU grep 3.8 |
| 47 | +* Don't use external pwd command anymore |
34 | 48 | * Doesn't hang anymore when there's no local resolver |
35 | | -* Dockerfiles refactored to be multistaged: performance gain+address bugs/inconsistencies |
| 49 | + |
36 | 50 |
|
37 | 51 | ### Features implemented / improvements in 3.0 |
38 | 52 |
|
|
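Review bot: The new entry at line 27, "Security fixes: DNS and other input from servers", is too vague for a changelog line that users rely on to decide whether to upgrade. It replaces the narrower "Security fix: DNS input" without saying which server-supplied input is now handled, so consider naming the affected inputs or referencing the relevant issues or PRs. Smaller wording points in the same hunk: at new line 45, "(warning but still av)" ends in an unexplained abbreviation and would read better as "still available"; at new line 9, "wrt to" doubles the "to"; and the added empty line 49 sits directly before the existing blank line 50, leaving two blank lines ahead of the 3.0 heading.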