Releases: tls-attacker/TLS-Scanner
TLS-Scanner v6.1.1
TLS-Scanner v6.1.0
Changes
- Integrated new TLS-Attacker and X.509-Attacker version
- Updated BSI guidelines
- Fixed ProtocolVersionProbe adding versions as both supported and unsupported in certain edge cases
- Set Log4j ExtendedPatternLayout to print byte arrays as hex streams instead of signed byte values
- Made HTTP header parsing case-insensitive
- Fixed hostname used in strict SNI check
TLS-Scanner v5.3.1
- Added NamedGroupsProbe for client scanner
- Fixed NullPointerException thrown when certificate trust anchors are missing
- Fixed serialization issue
TLS-Scanner v5.2.5
Starting with this release, we attribute the Technology Innovation Institute (@tiiuae) in the license header to reflect the extensive contributions made by its researchers.
This is also the first release supporting DTLS scans. By adding the -dtls flag, you can now evaluate the supported protocol features of a DTLS server and test for common vulnerabilities (Bleichenbacher, Padding Oracle, RACCOON, ALPACA, ...). We also added new probes to evaluate DTLS-specific features such as:
- cookie validation
- protection against DoS amplification attacks
- protection against memory exhaustion DoS attacks
- retransmission support
- fragmentation support
- reordering support
- handling of invalid message sequence numbers
We also added a first version of an application fingerprinting probe for DTLS. Once TLS-Scanner knows the application protocol deployed on the server, more detailed tests for correct handling of improperly protected application data will be executed.
Minor changes in Client-Scanner:
- added new probes to evaluate supported EC Point Formats and minimum public key sizes expected in server certificate
- improved parallelization of extensive probes
- switched towards dynamic extension selection by default instead of hard-coded choices
Contributors
Assets 2
TLS-Scanner v5.2.4
Changes
- Adapted padding oracle probe to support client scanning
- Adapted fragmentation probe to support client scanning
- Added client scanner ALPN probe
- Added client scanner client certificate authentication probe
- Extended client scanner version probe to test versions with varying cipher suites
- Extended client scanner compression probe to attempt to negotiate all compression values
- Added client scanner resumption probe
- Added client scanner application data probe
- Enabled multi threaded client scanning
- Improved Heartbleed probe for server scanner
- Fixed relative license path in POM when used as a git submodule
- Compatibility with TLS-Attacker version 5
TLS-Scanner 4.2.3
Changes:
- Improved evaluation of servers that only support TLS 1.3
- Fixed Supported Groups Extension missing in FFDHE Named Group tests
- Restricted TLS 1.3 cipher suite probe to TLS 1.3 values
- Fix: HSTS header case issue with HTTP/2 by @craig in #83
- Made guideline usage easier for new users who are interested in them by @craig in #86
Contributors
Assets 2
TLS-Scanner 4.2.2
Fixed bug in Invalid Curve test
TLS-Scanner 4.2.1
Fixed DirectRacconProbe
Fixed Dockerfile
TLS-Scanner 4.2.0
Implemented Prototype for TLS client scanning
Added ability to print sitereporrt as json
TLS-Scanner can now dynamically bypass some amount of intolerances due to dynamic base config selection
Reworked POM
Moved vulnerability evaluation from TLS-Attacker to TLS-Scanner
Introduced 2 new modules TLS-Scanner-Core and Scanner-Core which bundle generic Scanner code and TLS specific scanner code that can be used by either client or server scanners or also for other protocols
Introduced more meaningful TestResults, that can now express more nuances
Introduced a probe for RecordLayer fragementation support
Introduced probes to analyze random numbers
Bleichenbacher Probe now also performs statistical tests to evaluate a possible vulnerability
Introoduced tests for BSI and NIST guidelines
Removed TlsPoodle Probe (was already covered by Padding Oracle Probe)
TLS-Scanner can now use custom CA's to evaluate certificate trust
Minor changes towards code quality and maintainability
Fixed a bug which caused the JVM to still run even after the scan has finished
Introduced SignatureAndHashAlgorithm probe which evaluates which constants are supported by the server
Introduced SignatureAndHashAlgorithm order probe which checks if the server is enforcing its preferences
Introduced NamedGroups order probe which checks if the server is enforcing its preferences
Moved TLS-Scanner to Java 11
Runnaway probes are now automatically killed after a fixed amount of time to prevent infinite loops
Fixed a bug in the Sweet32 probe which caused wrong results
Added a test that checks if the server is using a unix timestamp in its random
TLS-Scanner 4.1.3
Fixes log4shell -> Log4j 2.17.0