Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 16 Sep 2015 18:35:52 +0200
From: Dirk Wetter <dirk@...tssl.sh>
To: oss-security@...ts.openwall.com
Subject: New release (2.6.) of testssl.sh


Hi,

version 2.6 of the SSL/TLS checker "testssl.sh" is out!

testssl.sh is a free command line tool which checks a server's service
on any port for the support of TLS/SSL ciphers, protocols as well as
recent cryptographic flaws and it does more.

It is written in (pure) bash, makes only use of standard Unix utilities,
openssl and last but not least bash sockets.

Version 2.6 includes major improvements (ids from github):

* LOGJAM: check of DHE_EXPORT ciphers, displays DH(/ECDH) bits in wide mode
  on negotiated ciphers
* (HTTP) proxy support! Via sockets and openssl -- Thx @jnewbigin
* TLS_FALLBACK_SCSV check -- Thx @JonnyHightower
* TLS 1.0-1.1 as socket checks per default in production
* TLS time and HTTP time stamps for architecture fiingerprinting
* support of sockets also for STARTTLS protocol checks
* TLS time displayed also for STARTTLS
* binary directory provides out of the box better suited binaries (with up to
  195 ciphers), besides Linux static binaries:
  * OS X binaries (new builds from @jpluimers)
  * FreeBSD binary
  * ARM binary (@...)
* Extended validation certificate detection
* "wide mode" option for checks like RC4, BEAST. PFS: Displays hexcode, kx,
  strength, DH bits, RFC cipher name
* will test multiple IP adresses in one shot, --ip= restricts it accordingly
* runs in default mode through all ciphers at the end of a default run
* new mass testing file option --file option where testssl.sh commands are being
  read from, see https://twitter.com/drwetter/status/627619848344989696
* displays matching host key (HPKP)
* further detection of security relevant headers (reverse proxy, IPv4 addresses) as
  well as proprietary banners (OWA, Liferay etc.)
* can scan STARTTLS+XMPP by also supplying the XMPP domain (to-option in XML
  streams).
* quite some fixes when using LibreSSL, still not recommended to use though
  (see https://testssl.sh/)
* lots of fixes, code improvements, even more robust

Get it while it's hot @ https://testssl.sh or @ github where all development
action takes place: https://github.com/drwetter/testssl.sh/tree/2.6 .

Some of the planned feaures for the next release see
https://github.com/drwetter/testssl.sh/milestones/2.7dev%20%282.8%29


Cheers, Dirk (@...etter)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ