Releases: testssl/testssl.sh
Release list
Version 3.2.4 (bugfix)
TL;DR
- Security bug fix for XSS in HTML file output
- OpenSSL 4 compatibility
- Add missing TLS signature schemes
- Add missing TLS 1.3 Brainpool groups
What's Changed
- docker + IPv6, incl. host networking by @drwetter in #2996
- OpenSSL 4 compatibility by @dcooper16 in #3006
- Fix typo by @drwetter in #3011
- Make sure date -r hits a readable dir (3.2) by @drwetter in #3013
- OpenSSL 4 compatibility for stapled OCSP responses by @dcooper16 in #3019
- Add missing TLS signature schemes by @dcooper16 in #3022
- Add missing TLS 1.3 Brainpool groups by @dcooper16 in #3025
- Fix doc error regarding MAX_SOCKET_FAIL + MAX_OSSL_FAIL (3.2) by @drwetter in #3032
- Fix DN conversion when reading certificate issuer (3.2) by @drwetter in #3033
- Backport: Fix Permissions-Policy header listed twice in output by @SteveVaneeckhout in #3048
- [Bug] FIXME: issuer_CN error with more than 5 lines in Issuer #3065 by @logopk in #3067
- fix: inverted return check in sym-encrypt() at testssl.sh:14741 by @ericcgu in #3083
- Fix stored XSS in HTML report via unescaped Location: header (#3090) by @ericcgu in #3092
- Small check for semantic unit tests (3.2) by @drwetter in #3093
- Ready for 3.2.4 by @drwetter in #3094
Full Changelog: v3.2.3...v3.2.4
Snapshot Version 2607 from 3.3dev
Features as TL;DR
- OpenSSL 4.0 compatiblity
- support for RFC 8998 and draft-yang-tls-hybrid-sm2-mlkem ,
- Add missing TLS 1.3 Brainpool groups
- Serveral client handshake updates
- More HTTP security headers
- Provide DNS HTTPS RR functionality (RFC 9460)
What's Changed
- Docker + IPv6 by @drwetter in #2994
- Change banner back to 3.3dev by @drwetter in #2992
- Amend IPv6 with host networking by @drwetter in #2995
- don't use 3.0 docker images anymore by @drwetter in #2997
- Bump docker/login-action from 3 to 4 by @dependabot[bot] in #2998
- Bump docker/setup-qemu-action from 3 to 4 by @dependabot[bot] in #2999
- Bump docker/metadata-action from 5 to 6 by @dependabot[bot] in #3000
- Bump docker/setup-buildx-action from 3 to 4 by @dependabot[bot] in #3001
- Bump docker/build-push-action from 6 to 7 by @dependabot[bot] in #3002
- OpenSSL 4 compatibility by @dcooper16 in #3005
- Fix typo by @drwetter in #3010
- Make sure date -r hits a dir readable by @drwetter in #3012
- Add support for RFC 8998 and draft-yang-tls-hybrid-sm2-mlkem by @dcooper16 in #3014
- Clean up etc/tls_data.txt by @dcooper16 in #3017
- OpenSSL 4 compatibility for stapled OCSP responses by @dcooper16 in #3018
- Add missing TLS signature schemes by @dcooper16 in #3021
- Use OpenSSL with -sigalgs option to obtain server's certificate by @dcooper16 in #3020
- Add missing TLS 1.3 Brainpool groups by @dcooper16 in #3024
- Identify TLS 1.3 ciphers by OpenSSL name by @dcooper16 in #3023
- Address missing extended_master secret extension properly by @drwetter in #3029
- Fix doc error regarding MAX_SOCKET_FAIL + MAX_OSSL_FAIL by @drwetter in #3031
- Fix DN conversion when reading certificate issuer by @drwetter in #3030
- Client handshake updates by @drwetter in #3038
- Apple handshakes updates by @drwetter in #3036
- Added link to php-ssl Certificate scanning integration by @phpipam in #3039
- Improve PR #3041 by @drwetter in #3042
- Fix DNS CAA check for IP scans and subdomains by @grhza in #3041
- Introduce early warning function by @drwetter in #3043
- Add fs data clientsimulation json by @drwetter in #3045
- Fix Permissions-Policy header listed twice in output by @SteveVaneeckhout in #3046
- Update runner to macos-26 (arm64 as before) by @drwetter in #3052
- Fix --mx host:port parsing and incorrect no-MX message (#2986) by @potato-20 in #3049
- Report additional modern security headers (INFO) by @potato-20 in #3050
- Handle badges, remove 1 bracket by @drwetter in #3053
- Fix badges, try 2 by @drwetter in #3054
- Trying to fix the badge issue by @drwetter in #3055
- Revert "Trying to fix the badge issue" by @drwetter in #3056
- Hide CI badges for now by @drwetter in #3057
- Provide better debugging means for GH runners by @drwetter in #3058
- Automate pandoc by @drwetter in #3064
- Bump actions/checkout from 4 to 6 by @dependabot[bot] in #3068
- [Bug] FIXME: issuer_CN error with more than 5 lines in Issuer #3065 by @logopk in #3066
- Bump actions/checkout from 6 to 7 by @dependabot[bot] in #3069
- Revive hsts preload by @drwetter / @potato-20 in #3071
- AI section + minor improvements by @drwetter in #3072
- clarify what a breaking change is by @drwetter in #3073
- Provide DNS HTTPS RR functionality by @drwetter in #3047
- Fix escaping. by @lapo-luchini in #3075
- Fix -4/-6 flag being ignored when no specific test is selected by @SteveVaneeckhout in #3076
- Fixed 'cert_trust_wildcard' identifier when multiple certificates are… by @TheraNinjaCat in #3059
- Fix empty result for HTTPS_RR for Mac and friends by @drwetter in #3078
- fix: inverted return check in sym-encrypt() at testssl.sh:14741 makes … by @ericcgu in #3080
- Fix confusion when scanning TLS-1.3-only hosts by @drwetter in #3084
- Update pull_request_template.md by @drwetter in #3088
- bugfix: aesgcm_used --> enc_aesgcm_used by @ericcgu in #3086
- Small check for semantic unit tests by @drwetter in #3089
- Fix stored XSS in HTML report via unescaped Location: header (#3090) by @ericcgu in #3091
New Contributors
- @phpipam made their first contribution in #3039
- @grhza made their first contribution in #3041
- @potato-20 made their first contribution in #3049
- @lapo-luchini made their first contribution in #3075
- @TheraNinjaCat made their first contribution in #3059
- @ericcgu made their first contribution in #3080 (manually added, github didn't bother)
Full Changelog: v3.3dev-snapshot-2602...v3.3dev-snapshot-2607
Snapshot Version 2602 from 3.3dev
This is the first snapshot release for 3.3dev. It is for users which want to use the latest and greatest set of features but also want to have a version which matured enough.
In order not to confuse users with the stable branch 3.2 where no new features will appear, this is labeled (from github) as pre-release. But it is believed to be production ready. However things will continue to change in 3.3dev until the next stable release 3.4.0 .
Features as TL;DR
- QUIC protocol check
- TLS 1.3 early data (0-RTT)
- Adds a check for mandatory extended master secret TLS extension
- Bump SSLlabs rating guide to 2009r
- Check for Opossum vulnerability
- Enable IPv6 automagically, i.e. if target via IPv6 is reachable just (also) scan it
- MacOS runs faster
- Provide an FAQ
What's Changed
- Fix README DeepWiki Link by @HarrisonTCodes in #2801
- Reflect version 3.0.10 version is EOL by @drwetter in #2804
- Reflect that this is 3.3dev by @drwetter in #2805
- Modify grading for incomplete chain. by @secinto in #2798
- Add sectigo CA E46 and R46 for Linux.pem by @drwetter in #2808
- Minor improvements to #2798 by @drwetter in #2809
- Change action docker file to 3.3dev by @drwetter in #2811
- YAML file doesn't need the unit tests by @drwetter in #2812
- Revert lowercase conversion for repo by @drwetter in #2813
- Revert "Revert lowercase conversion for repo" by @drwetter in #2814
- Improve error message for sockets fail and Alpine by @drwetter in #2817
- Performance hint for openssl by @drwetter in #2820
- Fix 52_ocsp_revoked (OCSP --> CRL) by @drwetter in #2823
- First try for QUIC (OpenSSL only and only checking the protocol) by @drwetter in #2822
- Fix not working --disable-rating switch (3.3dev) by @drwetter in #2827
- Removed rogue space on QUIC output by @digininja in #2828
- feat: bump ssllabs rating guide to 2009r by @magnuslarsen in #2830
- Update CHANGELOG.md by @drwetter in #2835
- For Mac: use homebrew's openssl by @drwetter in #2837
- Redo PR for Opossum , see #2838 by @drwetter in #2842
- Fix message when IPv6 needs to be tested too by @drwetter in #2844
- Try harder to find OPENSSL2 by @drwetter in #2846
- add support for MacOS's dscacheutil by @wfaulk in #2848
- Fix port and block problem for Opossum by @drwetter in #2851
- only exec QUIC when SERVICE= HTTP by @drwetter in #2853
- Enable IPv6 automagically by @drwetter in #2852
- Fix bug when --nodns none --ip is supplied by @drwetter in #2856
- Doing a better guess for Opossum when tcp/80 is not a/v by @drwetter in #2855
- Slightly improved strings @ pre-socket handling by @drwetter in #2858
- Fix also IPv6 addresses for --nodns etc.... by @drwetter in #2860
- Test with badge referring to the correct branch by @drwetter in #2862
- Pick another host for unit tests by @drwetter in #2857
- More reliability for QUIC test by @drwetter in #2863
- Modify OS bullet point + badge param by @drwetter in #2865
- Exec IPv6 check in background by @drwetter in #2867
- Try badge for correct branch by @drwetter in #2869
- Fix additional parameter in shouldwedo_ipv6() by @drwetter in #2868
- wait_kill() is now 0.1 seconds by @drwetter in #2870
- Bump actions/checkout from 4 to 5 by @dependabot[bot] in #2872
- Keep feature_request.md up to date by @drwetter in #2877
- Provide an FAQ by @drwetter in #2879
- Additions to FAQ by @drwetter in #2882
- Fix garbled screen when HTTP Age is not a non-negative int by @drwetter in #2886
- Fix indentation @ Intermediate cert validity by @drwetter in #2891
- Restructure, load balancer issue, STARTTLS SMTP better explained by @drwetter in #2894
- Fix #2896 by @dcooper16 in #2897
- Consistency for function ciphers_by_strength() by @drwetter in #2905
- Jdvorak001 fix file naming by @drwetter in #2904
- Define vars for early data by @drwetter in #2911
- Update baseline scan for unit test by @drwetter in #2914
- TLS 1.3 early data / 0-RTT by @drwetter in #2912
- Fix date for Ubuntu >= 25.10 by @drwetter in #2913
- Update GHAs by @drwetter in #2919
- Update Linux CA store by @drwetter in #2916
- Minor fine tuning by @drwetter in #2923
- Squash some shellcheck errors by @drwetter in #2922
- Update "sneaky" user agent by @drwetter in #2927
- Fix date parsing bc of locale problem by @drwetter in #2930
- Shorten badssl GHA as they fail too often by @drwetter in #2934
- Add new Sectigo R46 cert, update Java/Mozilla.pem by @drwetter in #2935
- Fix pattern for matching /etc/hosts entries by @drwetter in #2938
- Shellcheck cherrypicked from PR #2428 by @drwetter in #2940
- Bump actions/checkout from 4 to 5 by @dependabot[bot] in #2941
- feat: --rating-only flag to only test checks required for rating by @magnuslarsen in #2945
- Update docs after raiting only switch by @drwetter in #2948
- Ignore files types for shellcheck by @drwetter in #2949
- Add support for EC private key in mTLS check by @24icewolf42 in #2947
- Fix and improve Opossum check by @drwetter in #2951
- Bump actions/checkout from 5 to 6 by @dependabot[bot] in #2953
- No shellcheck in ./t/ by @drwetter in #2955
- Try to remove the "failed to flush stdout" messages by @drwetter in #2957
- Address 2952 by @drwetter in #2954
- Fix error when early data empty by @drwetter in #2958
- Label missing KEMs as LOW severity by @drwetter in #2961
- Fix #2959 by @dcooper16 in #2963
- Add missing LF after pwnkeys DB check by @drwetter in #2965
- Remove underlined headline for each vulnerability by @drwetter in #2967
- ROBOT is also a vulnerability by @drwetter in #2968
- Mitigate inconsistent test results for ROBOT by @drwetter in #2969
- Add ROBOT_TIMEOUT to documentation by @drwetter in #2974
- Update badges by @drwetter in #2975
- Add FAQ by @drwetter in #2977
- Polish by @drwetter in #2978
- Suggest alternative $OPENSSL2 when $OPENSSL fails by @drwetter in #2980
- general remarks, check boxes by @drwetter in #2979
- Remove VULN_THRESHLD relic by @drwetter in #2981
- Flag absence of extended master secret extension by @drwetter in #2982
- Finalize renaming MAX_WAITSOCK --> ROBOT_TIMEOUT by @drwetter in #2985
- Prepare for a snapshot release by @drwetter in #2989
- Add "dev" to the version banner to clarify by ...
Version 3.2.3 (bugfix)
TL;DR
- label missing KEMs as low severity to indicate that people should start using it
- changing in CA stores
- changes in unit tests
- clientHello contains <= 118 ciphers as more could cause problem for picky servers
- fixed ROBOT check for STARTTLS which sometimes caused inconsistent test results
- fixed confused "ADDTL_CA_FILES" enviroment variable
- fixed word pattern matching in /etc/hosts where
anystringmatched alos192.168.0.11 anystring-tomcat - several minor fixes
What's Changed (full)
- Backport GH runner from 3.3dev by @drwetter in #2900
- Fix #2896 by @dcooper16 in #2898
- Consistency for function ciphers_by_strength() (3.2) by @drwetter in #2906
- Fix file time stamp issue by @drwetter in #2907
- Fix unittest 3.2 by @drwetter in #2921
- Update linux ca store 3.2 by @drwetter in #2918
- Fix date for Ubuntu >= 25.10 (3.2) by @drwetter in #2924
- Update "sneaky" user agent (3.2) by @drwetter in #2928
- Shorten badssl GHA as they fail too often (3.2) by @drwetter in #2932
- Fix date parsing bc of locale problem (3.2) by @drwetter in #2931
- Add new Sectigo R46 cert, update Java/Mozilla.pem (3.2) by @drwetter in #2936
- Fix pattern for matching /etc/hosts entries (3.2) by @drwetter in #2939
- Label missing KEMs as LOW severity (3.2) by @drwetter in #2962
- Fix #2959 by @dcooper16 in #2964
- Add missing LF after pwnkeys DB check (3.2) by @drwetter in #2966
- Add missing counter to ROBOT (3.2) by @drwetter in #2970
- Mitigate inconsistent test results for ROBOT (3.2) by @drwetter in #2976
- Finalize renaming MAX_WAITSOCK --> ROBOT_TIMEOUT (3.2) by @drwetter in #2984
- Bump version (3.2) by @drwetter in #2988
Full Changelog: v3.2.2...v3.2.3
Version 3.2.2 (bugfix)
Some changes in branch 3.2.
There was parsing issue in HTTP Age header which looked on the first glance security relevant. Closer look revealed it's just a type confusion. But it's still recommended to update. Also this release includes a FAQ. More important details below.
What's Changed
- Add README DeepWiki Link by @HarrisonTCodes
- Modify grading for incomplete chain. by @secinto
- Add sectigo CA E46 and R46 for Linux.pem by @drwetter
- Improve error message for sockets fail and Alpine by @drwetter
- Make code2network() faster by using bash instead of tr by @drwetter
- Fix not working --disable-rating switch by @drwetter
- feat: bump ssllabs rating guide to 2009r by @magnuslarsen
- For Mac: use homebrew's openssl when necessary+needed by @drwetter
- Fix displayed message when IPv6 needs to be tested too by @drwetter
- FAQ for 3.2 by @drwetter in #2881
- Fix garbled screen when HTTP Age is not a non-negative int (branch 3.2) by @drwetter
- Fix indentation @ Intermediate cert validity (3.2) by @drwetter
- Lucky13: improve phrasing for 3.2 by @drwetter
- Bump version (3.2) by @drwetter in #2890
New Contributors
- @HarrisonTCodes made their first contribution in #2801
- @secinto made their first contribution in #2798
Full Changelog: v3.2.1...v3.2.2
Version 3.0.10
This is the last release in the 3.0 branch. Migrate to 3.2 ASAP.
What's Changed
- Fix IPv6 addresses (3.0) by @drwetter
- Update Truststores (3.0) by @drwetter
- Improve banner (3.0) by @drwetter i
- No ctrl char in header (3.0) by @drwetter
- Fix F5 cookie in 10.x.x.x. (3.0) by @drwetter
- Fix json/csv output when STARTTLS problem is passed back (3.0) by @drwetter
- Fix Invalid JSON due to scanResult infos by @dcooper16
- Fix checks for whether X25519 and X448 are supported by @dcooper16
- Fix place for round bracket for header and remove obsolete comment by @drwetter
- Fix bug when legacy NPN is tested against a TLS 1.3 host by @drwetter
- Address CA file parsing problem by @drwetter
- Fix Bash substring pattern matches by @dcooper16
- Fix check for OpenSSL supported curves by @dcooper16
- Fix segfault with error 4 in check_revocation_ocsp() when using --phone-out (3.0)
- Fix --phone-out + ocsp, also in docker container (3.0) by @drwetter
- OpenSSL version check in check_revocation_ocsp() by @dcooper16
- Set POODLE var when exiting run_ssl_poodle() by @drwetter
- Sanitze HTTP header early and better by @drwetter
- Remove inherited double line by @drwetter
- Check for -sigalgs support by @dcooper16
- Add minimal doc for GHCR by @drwetter
- Update CA stores (3.0) by @drwetter
- Fix CCS injection by @drwetter
- Fix parser for server header (3.0) by @drwetter
- Update client simulation 3.0 by @drwetter
Full Changelog: v3.0.9...v3.0.10
Version 3.2.1 (bugfix)
What's Changed
- Several # of improvements for/refactoring Dockerfiles (@polarathene )
- Add Android15 handshake simulation by @drwetter
- Fix missing line feed in run_breach() failure output by @vinny-pereira
- Add mac runner for Github action by @drwetter
- Fix CCS injection regression by @drwetter
- Fix parser for server header by @drwetter
- Fix missing issuer CN by @drwetter
- Fix OPENSSL_CONF problem for OPENSSL2 by @drwetter
- More badges
New Contributors
- @sullo made their first contribution
- @ssupdoc made their first contribution
- @vinny-pereira made their first contribution
Full Changelog: v3.2.0...v3.2.1
Final version 3.2.0
This is the final version 3.2.0 of testssl.sh which brings tons of new features over 3.0. For details see the change log.
There will be soon one last bugfix release for the 3.0 branch before it'll becomes EOL/unsupported. Work continues then on 3.3dev.
Release version 3.2rc4
- Added ML-KEMs SecP256r1MLKEM768 X25519MLKEM768 SecP384r1MLKEM1024 X25519Kyber768Draft00
- Renegotiation checks more robust
- More security headers
- Except docker everywhere is the new location (/drwetter/testssl/) to reflect it's a work of many
- LibreSSL support until version 4
- Support RFC 9150 cipher suites (TLS 1.3)
- Support of stapled OCSP responses which use SHA-256
- BigIP cookie IP decoder fix
... and much more fixes / improvements
Version 3.0.9
- Fix bash 5 issue when encountering a short server key extension (David)
- Fix HTML issue when using bash 5 (David)
- CAA DNS records are now not being queried when nodns is set (Dirk)
- MongoDB identification fix (Emmanuel)
- Sanity check when user has broken umask to avoid runtime errors (Dirk)
- Fix for newer grep versions (Dirk)
- Address weird globbing in bash 3.0 (Dirk)
- Dockerfile uses Alpine 3.18, also the one from GHCR (Dirk)
- Dockerfile can use /usr/bin/openssl1.1 . Improves also performance (Dirk)
- Fix regexp in STARTTLS detection (Geert)
- Secure renegotiation fix: SNI (Tazmaniac)
- Ensure control chars from HTTP header don't end up in html,csv,json (Dirk)
- Add sha1WithRSA to sha1WithRSAEncryption for certificates (David)
- Fix potential infinite loop in run_pfs()
You are really encouraged to switch to 3.2 now as 3.0.9 is probably the latest maintenance release in the 3.0. branch. 3.2 has matured, has tons of new features and soon(tm) will be finally released.