Skip to content

Releases: tls-attacker/TLS-Scanner

TLS-Scanner v6.1.5

05 Dec 14:10
Compare
Choose a tag to compare

Changes:

  • Compatibility with latest TLS-Attacker release

TLS-Scanner v6.1.1

16 Oct 09:44
Compare
Choose a tag to compare

Fixed a copy paste bug related to incorrectly setting PRF support in the report

TLS-Scanner v6.1.0

09 Oct 14:46
Compare
Choose a tag to compare

Changes

  • Integrated new TLS-Attacker and X.509-Attacker version
  • Updated BSI guidelines
  • Fixed ProtocolVersionProbe adding versions as both supported and unsupported in certain edge cases
  • Set Log4j ExtendedPatternLayout to print byte arrays as hex streams instead of signed byte values
  • Made HTTP header parsing case-insensitive
  • Fixed hostname used in strict SNI check

TLS-Scanner v5.3.1

30 Jun 09:22
Compare
Choose a tag to compare
  • Added NamedGroupsProbe for client scanner
  • Fixed NullPointerException thrown when certificate trust anchors are missing
  • Fixed serialization issue

TLS-Scanner v5.2.5

16 Jun 08:15
Compare
Choose a tag to compare

Starting with this release, we attribute the Technology Innovation Institute (@tiiuae) in the license header to reflect the extensive contributions made by its researchers.

This is also the first release supporting DTLS scans. By adding the -dtls flag, you can now evaluate the supported protocol features of a DTLS server and test for common vulnerabilities (Bleichenbacher, Padding Oracle, RACCOON, ALPACA, ...). We also added new probes to evaluate DTLS-specific features such as:

  • cookie validation
  • protection against DoS amplification attacks
  • protection against memory exhaustion DoS attacks
  • retransmission support
  • fragmentation support
  • reordering support
  • handling of invalid message sequence numbers

We also added a first version of an application fingerprinting probe for DTLS. Once TLS-Scanner knows the application protocol deployed on the server, more detailed tests for correct handling of improperly protected application data will be executed.

Minor changes in Client-Scanner:

  • added new probes to evaluate supported EC Point Formats and minimum public key sizes expected in server certificate
  • improved parallelization of extensive probes
  • switched towards dynamic extension selection by default instead of hard-coded choices

TLS-Scanner v5.2.4

17 Mar 09:13
Compare
Choose a tag to compare

Changes

  • Adapted padding oracle probe to support client scanning
  • Adapted fragmentation probe to support client scanning
  • Added client scanner ALPN probe
  • Added client scanner client certificate authentication probe
  • Extended client scanner version probe to test versions with varying cipher suites
  • Extended client scanner compression probe to attempt to negotiate all compression values
  • Added client scanner resumption probe
  • Added client scanner application data probe
  • Enabled multi threaded client scanning
  • Improved Heartbleed probe for server scanner
  • Fixed relative license path in POM when used as a git submodule
  • Compatibility with TLS-Attacker version 5

TLS-Scanner 4.2.3

18 Jul 15:31
cec4b24
Compare
Choose a tag to compare

Changes:

  • Improved evaluation of servers that only support TLS 1.3
  • Fixed Supported Groups Extension missing in FFDHE Named Group tests
  • Restricted TLS 1.3 cipher suite probe to TLS 1.3 values
  • Fix: HSTS header case issue with HTTP/2 by @craig in #83
  • Made guideline usage easier for new users who are interested in them by @craig in #86

TLS-Scanner 4.2.2

14 Jun 06:43
a348f97
Compare
Choose a tag to compare

Fixed bug in Invalid Curve test

TLS-Scanner 4.2.1

09 Jun 16:01
d89af48
Compare
Choose a tag to compare

Fixed DirectRacconProbe
Fixed Dockerfile

TLS-Scanner 4.2.0

08 Jun 21:11
bdc8464
Compare
Choose a tag to compare

Implemented Prototype for TLS client scanning
Added ability to print sitereporrt as json
TLS-Scanner can now dynamically bypass some amount of intolerances due to dynamic base config selection
Reworked POM
Moved vulnerability evaluation from TLS-Attacker to TLS-Scanner
Introduced 2 new modules TLS-Scanner-Core and Scanner-Core which bundle generic Scanner code and TLS specific scanner code that can be used by either client or server scanners or also for other protocols
Introduced more meaningful TestResults, that can now express more nuances
Introduced a probe for RecordLayer fragementation support
Introduced probes to analyze random numbers
Bleichenbacher Probe now also performs statistical tests to evaluate a possible vulnerability
Introoduced tests for BSI and NIST guidelines
Removed TlsPoodle Probe (was already covered by Padding Oracle Probe)
TLS-Scanner can now use custom CA's to evaluate certificate trust
Minor changes towards code quality and maintainability
Fixed a bug which caused the JVM to still run even after the scan has finished
Introduced SignatureAndHashAlgorithm probe which evaluates which constants are supported by the server
Introduced SignatureAndHashAlgorithm order probe which checks if the server is enforcing its preferences
Introduced NamedGroups order probe which checks if the server is enforcing its preferences
Moved TLS-Scanner to Java 11
Runnaway probes are now automatically killed after a fixed amount of time to prevent infinite loops
Fixed a bug in the Sweet32 probe which caused wrong results
Added a test that checks if the server is using a unix timestamp in its random