TLS (
tls)Elliptic Curves (
curves)add missing PQC named curves (#145)
KYBER_512_R3,KYBER_768_R3,KYBER_1024_R3,SECP256R1_KYBER_512_R3,SECP256R1_KYBER_768_R3,SECP384R1_KYBER_768_R3,SECP521R1_KYBER_1024_R3,X25519_KYBER_512_R3,X25519_KYBER_768_R3
- DNS (
dns) - Generic
- handle CNAME records (#142)
- TLS (
tls)- All (
all)- check curves using highest available version to recognize possibly supported PQC curves (#141)
- Simulations (
simulations)- consider protocol versions supported by the clients (#143)
- All (
- TLS (
tls)- Versions (
versions)- add checker for inappropriate fallback alerts (#139)
- Vulnerabilities (
vulns)- add checker for insecure protocol versions (#137)
- add checker for inappropriate fallback alerts (#139)
- Versions (
- TLS (
tls)- Ciphers (
ciphers)- fix calculation of cipher suites relates to a certain version (#138)
- fix cipher suite check when server does not support long cipher suite list (#135)
- Diffie-Hellman (
dhparams)- add missing SSLv3 support (#136)
- Vulnerabilities (
vulns)- fix calculation of missing forward secrecy (#134)
- Ciphers (
- SSH (
ssh)- Vulnerabilities (
vulns)- checker for well-known vulnerabilities (#130)
- Sweet32 attack
- Anonymous Diffie-Hellman
- NULL encryption
- RC4
- Non-Forward-Secret
- Early SSH version
- Weak Diffie-Hellman
- DHEat attack
- Terrapin attack
- checker for well-known vulnerabilities (#130)
- Vulnerabilities (
- Generic
- add metadata to documentation
- TLS (
tls)- Signature Algorithms (
sigalgos)- Handle decode error as a signal of no more algorithms. (#129)
- Signature Algorithms (
- DNS (
dns)- e-mail authentication, reporting (
mail)- Handle the case when a domain has no TXT records (#132)
- e-mail authentication, reporting (
- TLS
- All (
all)- handle server support only 1.3 version in
allanalyzer (#111)
- handle server support only 1.3 version in
- Simulations (
simulations)- fix markdown generation in the case of TLS client versions (#80)
- Generic
- avoid sending large records cause unexpected response from server (#127)
- All (
- SSH
- Ciphers (
ciphers)- handle deprecated but not weak algorithms (#126)
- Ciphers (
- SSH
- handle deprecated but not weak algorithms (#126)
- TLS (
tls)- Extensions (
extensions)- add analyzer checking which record size limits are supported (#123)
- Extensions (
- HTTP (
http)- Content (
content)- checker for subresource integrity (#86)
- checker for unencrypted content (#120)
- Content (
- TLS (
tls)- Simulations (
simulations)- grade key exchange sizes (#121)
- Simulations (
- Generic
- handle not graded algorithms (#122)
TLS (
tls)Elliptic Curves (
curves)add support for post-quantum safe hybrid (Kyber) algorithms (#119)
X25519_KYBER_512_R3_CLOUDFLARE,X25519_KYBER_768_R3_CLOUDFLARE
SSH (
ssh)- Public Keys (
pubkeys)- X.509 certificate and certificate chain support (#70)
- Public Keys (
- Generic
- colorized output based on the security strength of the cryptographic algorithms and key sizes (#94)
- documentation of command-line interface (#117)
- documentation of Python API (#117)
- Generic
- add missing dnsrec module to the packaging (#13)
- DNS (
dns)- e-mail authentication, reporting (
mail)- add analyzer for mail exchange (MX) record (#115)
- add analyzer for e-mail authentication, reporting records (#116)
- Domain-based Message Authentication, Reporting, and Conformance (DMARC)
- Sender Policy Framework (SPF)
- SMTP MTA Strict Transport Security (MTA-STS)
- SMTP TLS Reporting (TLSRPT)
- e-mail authentication, reporting (
- DNS (
dns)
- TLS (
tls)
- TLS (
tls)- Public Keys (
pubkeys)- certificate transparency (CT) log support (#47)
- Public Keys (
- TLS (
tls)- Generic
- OpenVPN support (#85)
- Generic
- TLS (
tls)- Generic
- MySQL support (#54)
- Vulnerabilities (
vulns)- checker for well-known vulnerabilities (#93)
- Anonymous Diffie-Hellman
- DHEat attack
- DROWN attack
- Early TLS version
- Export grade ciphers
- FREAK attack
- Logjam attack
- Lucky Thirteen attack
- NULL encryption
- Non-Forward-Secret
- RC4
- Sweet32 attack
- Generic
- TLS (
tls)- Generic
- RDP hybrid mode support (#109)
- Generic
- Diffie-Hellman
- add builtin Diffie-Hellman parameters of several application servers (#104)
- add logging support to make it possible to follow up the analysis process (#58)
- Diffie-Hellman
- SSH (
ssh)- HASSH (
hassh)- tag generation support for servers (#97)
- tag generation support for clients (#96)
- Public Keys (
pubkeys)- host certificate support (#69)
- HASSH (
- TLS (
tls)- Diffie-Hellman (
dhparams)- support finite field Diffie-Hellman ephemeral (FFDHE) parameter negotiation defined in RFC 7919 (#98)
- Diffie-Hellman (
- TLS (
tls)- Extensions (
extensions)- Clock accuracy check works even if difference is negative (#103)
- Signature Algorithms (
sigalgos)- Not supported signature algorithms are not listed anymore (#102)
- Extensions (
- JA3 (
ja3)- Generate (
generate)- support NNTP clients (#83)
- support SMTP/LMTP clients (#82)
- support POP3 clients (#81)
- support FTP clients (#80)
- support Sieve clients (#79)
- support PostgreSQL clients (#78)
- support LDAP clients (#77)
- Generate (
- SSH (
ssh)- Public Keys (
pubkeys)- add analyzer for checking SSH server against used host keys (#34)
- Versions (
versions)- identify application server and version (#71)
- Public Keys (
- SSH (
ssh)- Generic
- Add all command to SSH
- Generic
- Generic
- Diffie-Hellman
- Handle Diffie-Hellman parameter q value comparision well (#74)
- Diffie-Hellman
- TLS (
tls)- Generic
- Handle multi-line greeting message in the case of SMTP servers (#72)
- Diffie-Hellman (
dhparams)- Add safe prime attribute to well-known DH params as there is an RFC (5144) which defines unsafe prime (#73)
- Public Keys (
pubkeys)- Handle missing certificates message well during an anonymous Diffie-Hellman key exchange (#66)
- Generic
- SSH (
ssh)- Diffie-Hellman (
dhparams)- add group exchange algorithms supported by the server to the result (#53)
- Diffie-Hellman (
- switch to Markdown format in changelog, readme and contributing
- update contributing to the latest version from contribution-guide.org
- add summary of the project to the readme
- TLS (
tls)- LMTP opportunistic TLS (
STARTTLS) support (#56) - NNTP opportunistic TLS (
STARTTLS) support (#7) - PostgreSQL opportunistic TLS (
STARTTLS) support (#55)
- LMTP opportunistic TLS (
- TLS (
tls)- Generic
- Use DH ephemeral keys that are mathematically correct during a TLS 1.3 handshake to increase stability (#57)
- Ciphers (
ciphers)- No fallback mechanism is used to check cipher suites if server honors long cipher suite lists (#59)
- Generic
- TLS (
tls)- Extensions (
extensions)- add analyzer checking which application-layer protocols are supported (#45)
- add analyzer checking whether encrypt-then-MAC mode is supported (#45)
- add analyzer checking whether extended master secret is supported (#45)
- add analyzer checking which next protocols are supported (#45)
- add analyzer checking whether renegotiation indication is supported (#45)
- add analyzer checking whether session ticket is supported (#45)
- Sieve opportunistic TLS (
STARTTLS) support (#9)
- Extensions (
- SSH (
ssh)- Diffie-Hellman (
dhparams)- check which DH parameter sizes supported by the server by group exchange (#53)
- check which DH parameter sizes supported by the server by key exchange (#53)
- Diffie-Hellman (
- TLS (
tls)- Generic
- handle server long cipher suite, signature algorithm list intolerance (#52)
- Generic
- TLS (
tls)- Ciphers (
ciphers)- add TLS 1.3 support (#35)
- Elliptic Curves (
curves)- add TLS 1.3 support (#35)
- Diffie-Hellman (
dhparams)- add TLS 1.3 support (#35)
- Signature Algorithms (
sigalgos)- add TLS 1.3 support (#35)
- Versions (
versions)- add TLS 1.3 support (#35)
- Ciphers (
- TLS (
tls)- add analyzer (
all) for running all TLS analysis at once (#40)
- add analyzer (
- SSH (
ssh2)- add analyzer for checking SSH servers against negotiated algorithms (#33)
- Generic
- use human readable algorithms names in Markdown output (#48)
- command line interface gives error output instead of traceback on exception (#49)
- TLS (
tls)- add analyzer for checking whether TLS server requires client certificate for authentication (#36)
- LDAP support (#25)
- TLS (
tls)- Generic
- handle that a server indicates handshake failure by sending close notify alert (#44)
- handle that a server does not respect lack of the signature algorithms extension (#43)
- Versions (
versions)- handle that a server supports only non-RSA public keys (#41)
- Generic
- TLS (
tls)- Cipher Suites (
ciphers)- speed up TLS supported curve check (#39)
- Cipher Suites (
- Generic
- Markdown output format (#30)
- TLS (
tls)- XMPP (Jabber) support (#26)
- Cipher Suites (
ciphers)- GOST (national standards of the Russian Federation and CIS countries) support for TLS cipher suite checker (#32)
- TLS (
tls)- fix several uncertain test cases (#28)
- remove unnecessary unicode conversions (#29)
- switch from cryptography to certvalidator
- TLS (
tls)- RDP support (#21)
- JA3 (
ja3)- JA3 fingerprint decoding support (#22)
- JA3 fingerprint generatoin support (#23)
- FTP server check cause Python traceback on connection close (#27)
- use attrs to avoid boilerplates (#24)
- TLS (
tls)- Diffie-Hellman (
dhparams)- check whether server uses safe prime as DH parameter to avoid small subgroup confinement attack (#13)
- check whether server uses well-known (RFC defined) DH parameter (#13)
- check whether server reuse the DH parameter (#13)
- FTP opportunistic TLS (
STARTTLS) support (#8)
- Diffie-Hellman (
- TLS (
tls)- Cipher Suites (
ciphers)- handle server long cipher suite list intolerance
- fix cipher suite preference order calculation (#18)
- Elliptic Curves (
curves)- fix result when server does not support named group extension
- Public Keys (
pubkeys)- handle cross signed key in the certificate chain
- fix JSON output in case of expired certificates (#15)
- handle the case when only a self-singed CA is served as certificate (#17)
- handle the case when CA with no basic constraint is served (#20)
- handle rarely/incorrectly used TLS alerts
- handle when there is no response from server (#11)
- handle scheme other than tls in URL argument of the command line tool (#3)
- handle plain text response to TLS handshake initiation (#19)
- add default port for opportunistic TLS schemes (#6)
- uniform timeout handling in TLS clients (#12)
- Cipher Suites (
- improve unit tests (100% code coverage)
- Docker support and ready-to-use container on DockerHub (coroner/cryprolyzer)
- build packages to several Linux distributions on Open Build Service
- Debian (10, Testing)
- Raspbian (10)
- Ubuntu (19.10)
- Fedora (29, 30, 31, Rawhide)
- Mageia (7, Cauldron)
- IP address can be set to hostname in command line (#10)
- fix several Python packaging issues
- add analyzer for checking TLS server against supported protocol versions
- add analyzer for checking TLS server against supported cipher suites
- add analyzer for checking TLS server against supported elliptic curves types
- add analyzer for checking TLS server against used Diffie-Hellman parameters
- add analyzer for checking TLS server against supported signature algorithms
- add analyzer for checking TLS server against used X.509 public key certificates
- check TLS server against used fallback (handshake without SNI) certificates
- add opportunistic TLS (STARTTLS) support for IMAP, SMTP, POP3 protocols