sslyze

• Significantly reduced memory usage when using SSLyze in a Python application.

• Fixed crashes when scanning Amazon Cloudfront due to TLS 1.3 (#445).
• Fixed a crash when scanning a server with an Ed25519 certificate (#444).
• The CLI will now run --regular if no scan options were supplied: python -m sslyze google.com (#440)

• Fixed a crash when scanning Amazon Cloudfront for Heartbleed and CCS Injection (#437).
• The Python API now exposes a JsonEncoder to make it easy to serialize a ServerScanResult to JSON (#439).

• Fixed crashes when running SSLyze on localized (ie. non-english) versions of Windows (#434).

• Fixed bug with Heartbleed and CCS Injection checks (#202 )
• Fix crashes with servers that have connectivity issues (#433, #430 )

• Improved check for HTTP security headers by adding support for HTTP redirections (#393 ).
• Fixed bug causing some results to not be returned when scanning multiple servers (#429 ).
• Added support for more versions of the cryptography package for better compatibility (#428 ).
• Fixed crash when scanning a server with a certificate that has duplicate X509 extensions (#420 )

• Fixed installation errors with Python 3.8 (#421).
• Added a a pre-built Windows executable: sslyze-3.0.1-exe.zip.

Big internal refactoring focused on modernizing the code base (dataclasses, type annotations, etc.) and improving the speed and reliability of the scan results.

• The Python API and the format of the outputs have been drastically improved and simplified, but are not backward-compatible with older versions of SSLyze.
• Python 3.8 is now supported, and Python 3.6 is no longer supported.
• Huge improvements to the reliability of the scans:
  • The number of concurrent connections per single server can now be controlled and is set to 5 by default (#385).
  • This limit is enforced regardless of the number of scan commands queued for the server, and drastically reduces the number of scans that fail due to a slow server or a slow connection.
• Various improvements to cipher suites scanning:
  • The size of the cipher's suite key is now always returned.
  • The (EC) Diffie-Helmann parameters negotiated during the TLS handshake are now returned (#394).
• Various improvements to server certificate checks:
  • Servers that expose multiple leaf certificates and chains are now supported (#326).
  • Bug fix for Symantec CA deprecation (#406).
• SSLyze is now compatible with PEP 561 for type checking with mypy.
• Various improvements to the JSON output:
  • The format of the JSON output now exactly matches the format of the Python output (which is fully documented).
  • Better parsing of Subject and Issuer fields in certificates (#404).
• Support for XML output was removed.

• Fixed crash when scanning servers that only support old versions of SSL/TLS (#386).

• Tweaked the ROBOT check to reduce the chance SSLyze returning a false positive.

• Fixed misc bugs introduced by the previous release (#374, #375, #376).

• Major cleanup of CertificateInfoPlugin and HttpHeadersPlugin; the results returned by these plugins when using the Python API or the JSON or XML outputs have changed slightly, and should be easier to understand and use.
  • However, existing code that parses these results will break.
• Fixed bug where SSLyze was unable to build the verified chain for a given server; OpenSSL is now used directly to build the verified chain (#355).
• Fixed bug with IPv6 support (#371).
• Fixed crash in the RobotPlugin (#361).
• Converted the test suite to pytest.

• Updated cryptography module to 2.5.

• Various bug fixes (#362)

• Various bug fixes (#356, #357, #358).

• Bug fix for parsing Expect-CT headers.

• Bug fixes for scanning servers that support TLS 1.3 (#347, #348).
• Added more precise exceptions when the ServerConnectivityTester fails to connect to the server (#343).
• Added the OpenJDK trust store when validating the server's certificate.

• Only Linux and macOS are supported for this release, but Windows support will be enabled in the next release.
• Dropped support for Python 2 and older versions of Python 3; only Python 3.6 and 3.7 are supported.
  • Future releases with only support the latest two versions of Python available at the time of the release.
• Added support for the final/official release of TLS 1.3 (RFC 8446).
  • The plugin can be tested against Cloudflare: python -m sslyze --tls_1_3 www.cloudflare.com
• Added beta support for TLS 1.3 early data (0-RTT) testing; see --early_data and EarlyDataScanCommand.
  • The plugin can be tested against Cloudflare: python -m sslyze --early_data www.cloudflare.com
• Significantly improved the documentation for the Python API.
• Bug fixes (#328, #320, #319).
• Switched to a more modern Python tool chain (pipenv, pytest, pyinvoke).
• Removed legacy Python 2/3 code and ported the code base to Python 3 only.

• Brought back Windows support (Python 64 bits only).
• Updated OpenSSL to the final 1.1.1 release.
• SSLyze can now be installed via Docker (#332).

• Fixed a bug where the results for OCSP Stapling support would be inconsistent (#324).
• Fixed a crash on Python 2.7.