Releases: tls-attacker/TLS-Scanner
TLS-Scanner v6.1.6
TLS-Scanner v6.1.5
Changes:
- Compatibility with latest TLS-Attacker release
TLS-Scanner v6.1.1
Fixed a copy paste bug related to incorrectly setting PRF support in the report
TLS-Scanner v6.1.0
Changes
- Integrated new TLS-Attacker and X.509-Attacker version
- Updated BSI guidelines
- Fixed ProtocolVersionProbe adding versions as both supported and unsupported in certain edge cases
- Set Log4j ExtendedPatternLayout to print byte arrays as hex streams instead of signed byte values
- Made HTTP header parsing case-insensitive
- Fixed hostname used in strict SNI check
TLS-Scanner v5.3.1
- Added NamedGroupsProbe for client scanner
- Fixed NullPointerException thrown when certificate trust anchors are missing
- Fixed serialization issue
TLS-Scanner v5.2.5
Starting with this release, we attribute the Technology Innovation Institute (@tiiuae) in the license header to reflect the extensive contributions made by its researchers.
This is also the first release supporting DTLS scans. By adding the -dtls flag, you can now evaluate the supported protocol features of a DTLS server and test for common vulnerabilities (Bleichenbacher, Padding Oracle, RACCOON, ALPACA, ...). We also added new probes to evaluate DTLS-specific features such as:
- cookie validation
- protection against DoS amplification attacks
- protection against memory exhaustion DoS attacks
- retransmission support
- fragmentation support
- reordering support
- handling of invalid message sequence numbers
We also added a first version of an application fingerprinting probe for DTLS. Once TLS-Scanner knows the application protocol deployed on the server, more detailed tests for correct handling of improperly protected application data will be executed.
Minor changes in Client-Scanner:
- added new probes to evaluate supported EC Point Formats and minimum public key sizes expected in server certificate
- improved parallelization of extensive probes
- switched towards dynamic extension selection by default instead of hard-coded choices
Contributors
Assets 2
TLS-Scanner v5.2.4
Changes
- Adapted padding oracle probe to support client scanning
- Adapted fragmentation probe to support client scanning
- Added client scanner ALPN probe
- Added client scanner client certificate authentication probe
- Extended client scanner version probe to test versions with varying cipher suites
- Extended client scanner compression probe to attempt to negotiate all compression values
- Added client scanner resumption probe
- Added client scanner application data probe
- Enabled multi threaded client scanning
- Improved Heartbleed probe for server scanner
- Fixed relative license path in POM when used as a git submodule
- Compatibility with TLS-Attacker version 5
TLS-Scanner 4.2.3
Changes:
- Improved evaluation of servers that only support TLS 1.3
- Fixed Supported Groups Extension missing in FFDHE Named Group tests
- Restricted TLS 1.3 cipher suite probe to TLS 1.3 values
- Fix: HSTS header case issue with HTTP/2 by @craig in #83
- Made guideline usage easier for new users who are interested in them by @craig in #86
Contributors
Assets 2
TLS-Scanner 4.2.2
Fixed bug in Invalid Curve test
TLS-Scanner 4.2.1
Fixed DirectRacconProbe
Fixed Dockerfile