sslyze

Fast and powerful SSL/TLS scanning library.

AGPL-3.0 License

Downloads: 101.6K
Stars: 3.2K
Committers: 64

sslyze - Latest Release

Published by nabla-c0d3 7 months ago

  • Added support for Python 3.12 (#630).
  • Removed support for Python 3.7 (#616).
  • Switched to Python Cryptography's implementation of certificate validation, in order to simplify the validation logic and make it more reliable (#638).
    • Removed the direct dependency on pyOpenSSL.
    • Removed usages of ssl.match_hostname() (#627).
    • JSON output changes for the certificate information plugin:
      • leaf_certificate_subject_matches_hostname has been removed because hostname validation is now directly reported in the path_validation_results, which makes it simpler to process them.
      • Similarly, openssl_error_string was renamed to validation_error.
  • Fixed crash caused by "invalid padding" and "invalid encoding" errors (#632, #634).
  • Better output when an SMTP EHLO is rejected (#635).
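
A reader for the certificate information plugin's JSON output that tolerates both field layouts described in the list above. This is an added example, not SSLyze's own code: the sample documents are constructed, and the key nesting around path_validation_results and the server_location lookup are assumptions.

```python
import json

# Constructed sample documents, not real scan output. The key nesting around
# path_validation_results and the server_location lookup are assumptions.
def _doc(hostname, deployment):
    return json.dumps({"server_scan_results": [{
        "server_location": {"hostname": hostname},
        "scan_result": {"certificate_info": {"result": {
            "certificate_deployments": [deployment]}}},
    }]})

OLD_FORMAT = _doc("old.example.test", {
    "leaf_certificate_subject_matches_hostname": False,
    "path_validation_results": [
        {"trust_store": {"name": "Mozilla"}, "openssl_error_string": None}],
})
NEW_FORMAT = _doc("new.example.test", {
    "path_validation_results": [
        {"trust_store": {"name": "Mozilla"},
         "validation_error": "constructed: hostname mismatch"},
        {"trust_store": {"name": "Apple"}, "validation_error": None}],
})

def summarize_cert_validation(raw_json):
    """Return one finding per (server, trust store), for either field layout."""
    findings = []
    for server in json.loads(raw_json).get("server_scan_results", []):
        host = (server.get("server_location") or {}).get("hostname", "<unknown>")
        cert_info = (server.get("scan_result") or {}).get("certificate_info") or {}
        for dep in (cert_info.get("result") or {}).get("certificate_deployments", []):
            # Present only before the change; afterwards a hostname failure
            # shows up inside each path validation result instead.
            legacy_match = dep.get("leaf_certificate_subject_matches_hostname")
            for pvr in dep.get("path_validation_results", []):
                # Renamed field: prefer the new name, fall back to the old one.
                error = pvr.get("validation_error", pvr.get("openssl_error_string"))
                if error is None and legacy_match is False:
                    error = "hostname mismatch (legacy field)"
                findings.append({
                    "host": host,
                    "trust_store": (pvr.get("trust_store") or {}).get("name"),
                    "trusted": error is None,
                    "error": error,
                })
    return findings

if __name__ == "__main__":
    for sample in (OLD_FORMAT, NEW_FORMAT):
        for finding in summarize_cert_validation(sample):
            print(finding)
```

Downstream tooling that only read the removed hostname field would silently treat every certificate as matching after an upgrade, which is why the fallback is explicit here.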

sslyze - 5.2.0

Published by nabla-c0d3 about 1 year ago

  • Fixed crashes affecting specific Linux distributions such as Red Hat Linux and CentOS (#556, #621).
  • Fixed a bug when probing TLS 1.3 servers that require client authentication (#612).
  • Fixed a crash when using the JSON output with the MozillaTlsConfigurationChecker (#614).
  • Added support for pydantic 2.x (#611).
  • Added support for cryptography 40 and 41 (#610).
  • Updated Windows executable to use Python 3.11 (#588).
  • Updated Mozilla configuration recommendations to v5.7 (#608).
  • Better handling of servers that only support SSL v2.0 (#601).
  • WARNING: This is the last release to support Python 3.7.
  • WARNING: This is the last release to support pydantic 1.x.

sslyze - 5.1.3

Published by nabla-c0d3 over 1 year ago

sslyze - 5.1.2

Published by nabla-c0d3 over 1 year ago

  • Updated cryptography to v39 (#596).
  • Updated the trust stores.

sslyze - 5.1.1

Published by nabla-c0d3 over 1 year ago

  • Fixed compatibility with specific versions of pydantic (#590).

sslyze - 5.1.0

Published by nabla-c0d3 over 1 year ago

  • Added support for Python 3.11 (#582).
  • Added support for Brainpool curves when running --elliptic_curves (#545).
  • Added support for validating certificates with IP addresses in their Subject Alternative Name (#544).
  • Fixed memory leaks when performing certificate validation by switching to pyOpenSSL (#566).
  • Fixed a crash with pydantic v1.10.3 (#586).
  • Removed check for the Expect-CT HTTP header when running --http_headers as the header has been deprecated (#584).
  • Fixed a crash when exporting results to JSON when an HTTP proxy was used (#581).

sslyze - 5.0.6

Published by nabla-c0d3 about 2 years ago

  • Fixed a bug where no scans were run when using specific combinations of CLI options (#575).
  • Added support for more TLS stacks when connecting and scanning for elliptic curves (#579, #562).
  • Better CLI output when connectivity to the server is flaky (#534).
  • Added support for pydantic 1.10 (#576).
  • Documented how to export results to JSON via the Python API (#571).

sslyze - 5.0.5

Published by nabla-c0d3 over 2 years ago

  • Fixed an error when scanning a server with a specific behavior regarding client authentication (#555).
  • Fixed an error when using --openssl_ccs on specific servers (#548).
  • Added support for cryptography 37.0.0 (#565).
  • Updated the embedded trust stores.

sslyze - 5.0.4

Published by nabla-c0d3 over 2 years ago

sslyze - 5.0.3

Published by nabla-c0d3 over 2 years ago

  • Fixed a crash when no valid server strings had been supplied via the command line (#557).
  • Fixed a crash when serializing the result of running --http_headers to JSON (#554).
  • Checking the server's scan results against the Mozilla configurations can be disabled using --mozilla_config=disable (#551).

sslyze - 5.0.2

Published by nabla-c0d3 almost 3 years ago

  • Added support for Python 3.10 (#464).

sslyze - 5.0.1

Published by nabla-c0d3 almost 3 years ago

  • Renamed --mozilla-config to --mozilla_config for consistency.
  • Fixed a bug when using --reneg against servers using specific versions of GnuTLS.
  • Added support for cryptography 36.0.0 (#542).
  • Fixed JSON output when using --json_out=- to print JSON to the console (#543).

sslyze - 5.0.0

Published by nabla-c0d3 almost 3 years ago

This major release focuses on improving the reliability of the scans, simplifying the Python API and JSON output, and adding support for checking a server's TLS configuration against Mozilla's recommended configuration.

  • SSLyze will now check the server's scan results against the Mozilla "intermediate" configuration (#453).
    • Which Mozilla configuration to use can be configured via --mozilla-config={old, intermediate, modern}.
    • The --mozilla-config option replaces --regular, which has been removed.
  • SSLyze can now be run as a CI/CD step; see the README for more information.
  • The Python API has been significantly simplified (#512). The changes focus on:
    • Reducing how much code is needed in order to run a scan.
    • Improving the typing of the result objects, in order to simplify code that processes scan results.
    • API-breaking changes: Starting a scan and processing the results is now done differently; see the documentation.
  • The JSON output has been significantly simplified.
    • The JSON output's format now fully matches the format of the results within the Python API.
    • An auto-generated JSON schema is also now available at ./json_output_schema.json (#487).
    • The Python documentation can now be used to understand the format for both Python results and JSON results.
  • SSLyze now provides a fully-typed Python API for parsing the JSON output of previously-run scans (#487).
    • parsed_json_result = SslyzeOutputAsJson.parse_file("result.json")
    • This can be used for example to process the results of SSLyze scans in a separate Python program.
  • HTTP headers testing: the Public-Key-Pins headers are no longer checked by SSLyze, as the pinning feature has been removed from most browsers (#506).
    • API-breaking changes:
      • The public_key_pins_header and public_key_pins_report_only_header fields have been removed from HttpHeadersScanResult.
  • Session resumption testing: the --resum scan command has been updated to provide better insights into how the server supports session resumption (#53).
    • The command will now attempt multiple resumptions using TLS tickets, similarly to what it already does for resumptions with Session IDs. Previously, it would only perform a single resumption attempt when testing TLS Tickets.
    • The new command --resum_attempts can be used in order to configure how many session resumptions --resum will attempt; it is set to 5 by default.
      • python -m sslyze --resum --resum_attempts=20 www.google.com
    • API-breaking changes:
      • The fields within SessionResumptionSupportScanResult have been renamed and updated.
      • The --resum_rate command, ScanCommand.SESSION_RESUMPTION_RATE and the SessionResumptionRateScanResult class have been removed. The --resum_attempts command and SessionResumptionSupportExtraArguments class should be used instead.
  • Misc bug fixes for when scanning servers with exotic TLS or network configurations (#531, #532, #533).

sslyze - 4.1.0

Published by nabla-c0d3 over 3 years ago

  • SSLyze's memory usage has been significantly reduced when scanning a lot of servers concurrently (#511).
    • This will make it easier to deploy SSLyze to environments where memory is limited, such as AWS Lambda.
    • For example, when queuing 100 server scans, memory usage will now reach a maximum of 150 MB, instead of 1400 MB in previous versions of SSLyze.
  • Fixed errors when running http_headers on specific server software (#517, #516).
  • Removed usage of pipenv and switched back to a requirements.txt.

sslyze - 4.0.4

Published by nabla-c0d3 over 3 years ago

  • Fixed errors when running --elliptic_curves on specific server software (#490).
  • Better error reporting when running --http_headers on a server that doesn't speak HTTP (#499, #500).
    • See also the new HttpHeadersScanResult.http_error_trace field in the Python API.

sslyze - 4.0.3

Published by nabla-c0d3 over 3 years ago

  • Updated the JSON output to be more stable, to allow diffing the JSON output of successive scans against the same server (#491).
  • Fixed errors when scanning a server that only supports TLS 1.3 (#488).
  • Fixed error when running --robot on an nginx server configured to require client authentication (#484).
  • Fixed crash due to malformed HTTP headers (#498).
  • Better reporting when scanning unresponsive servers (#501).
  • Fixed error when an invalid certificate is deployed on the server (#495).
  • Fixed error when running --reneg on Indy TCP server (#483).

sslyze - 4.0.2

Published by nabla-c0d3 over 3 years ago

  • Fixed an issue with servers requiring client authentication and SSLyze reporting some TLS versions as unsupported (#472).
  • Fixed a crash when parsing an OCSP response with no "Next Update" field (#481).
  • Updated the trust stores.

sslyze - 4.0.1

Published by nabla-c0d3 over 3 years ago

  • Updated the version of cryptography in the setup.py (#467).
  • Fixed a crash when displaying non-successful OCSP responses (#477).

sslyze - 4.0.0

Published by nabla-c0d3 over 3 years ago

  • Added support for Python 3.9 (#468).
  • Fixed a crash when parsing OCSP responses (#471).
    • API-breaking change: the ocsp_response field in CertificateInfoScanResult is now an OCSPResponse instance from the cryptography.x509.ocsp module.
    • JSON-breaking change: Significantly improved the JSON output for certificates and OCSP responses, when using --certinfo.
  • Fixed a false positive when testing for client-initiated renegotiation DoS attacks on some servers (#473).
    • API-breaking change: the accepts_client_renegotiation field in SessionRenegotiationScanResult was removed, and the more accurate is_vulnerable_to_client_renegotiation_dos field was added.
  • The ability to detect the server’s “preferred” cipher suite was removed for being too unreliable, and will be replaced by full cipher suite order detection in a future release (#456).
    • API-breaking change: the cipher_suite_preferred_by_server in CipherSuitesScanResult was removed.
  • Fixed a crash when scanning a server with an exotic/invalid TLS configuration (#466).
  • Fixed support for older versions of macOS.
  • Added support for the latest version of cryptography (#467).

sslyze - 3.1.0

Published by nabla-c0d3 almost 4 years ago

  • Added support for scanning for supported elliptic curves (#447):

    $ python -m sslyze --elliptic_curves www.cloudflare.com

     * Elliptic Curve Key Exchange:
           Supported curves:                  prime256v1, secp384r1, secp521r1, X25519
           Rejected curves:                   sect163r2, secp160r1, sect233k1, X448, secp160r2, sect233r1, secp192k1,
    sect239k1, secp224k1, sect193r1, sect283k1, secp224r1, sect163k1, sect283r1, secp256k1, secp160k1,
    sect409k1, prime192v1, sect409r1, sect163r1, sect193r2, sect571k1, sect571r1

  • Added support for cryptography 3.x (#455).
  • Fixed various crashes (#458, #459).