5.0.0

@nabla-c0d3 nabla-c0d3 released this 26 Nov 23:47
· 150 commits to release since this release
fbfc52d

This major release focuses on improving the reliability of the scans, simplifying the Python API and JSON output, and adding support for checking a server's TLS configuration against Mozilla's recommended configuration.

  • SSLyze will now check the server's scan results against the Mozilla "intermediate" configuration (#453).
    • Which Mozilla configuration to use can be configured via --mozilla-config={old, intermediate, modern}.
    • The --mozilla-config option replaces --regular, which has been removed.
  • SSLyze can now be run as a CI/CD step; see the README for more information.
  • The Python API has been significantly simplified (#512). The changes focus on:
    • Reducing how much code is needed in order to run a scan.
    • Improving the typing of the result objects, in order to simplify code that processes scan results.
    • API-breaking changes: Starting a scan and processing the results is now done differently; see the documentation.
  • The JSON output has been significantly simplified.
    • The JSON output's format now fully matches the format of the results within the Python API.
    • An auto-generated JSON schema is also now available at ./json_output_schema.json (#487).
    • The Python documentation can now be used to understand the format for both Python results and JSON results.
  • SSLyze now provides a fully-typed Python API for parsing the JSON output of previously-run scans (#487).
    • parsed_json_result = SslyzeOutputAsJson.parse_file("result.json")
    • This can be used for example to process the results of SSLyze scans in a separate Python program.
  • HTTP headers testing: the Public-Key-Pins headers are no longer checked by SSLyze, as the pinning feature has been removed from most browsers (#506).
    • API-breaking changes:
      • The public_key_pins_header and public_key_pins_report_only_header fields have been removed from HttpHeadersScanResult.
  • Session resumption testing: the --resum scan command has been updated to provide better insights into how the server supports session resumption (#53).
    • The command will now attempt multiple resumptions using TLS tickets, similarly to what it already does for resumptions with Session IDs. Previously, it would only perform a single resumption attempt when testing TLS Tickets.
    • The new command --resum_attempts can be used in order to configure how many session resumptions --resum will attempt; it is set to 5 by default.
      • python -m sslyze --resum --resum_attempts=20 www.google.com
    • API-breaking changes:
      • The fields within SessionResumptionSupportScanResult have been renamed and updated.
      • The --resum_rate command, ScanCommand.SESSION_RESUMPTION_RATE and the SessionResumptionRateScanResult class have been removed. The --resum_attempts command and SessionResumptionSupportExtraArguments class should be used instead.
  • Misc bug fixes for when scanning servers with exotic TLS or network configurations (#531, #532, #533).
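The following GitHub Actions workflow is an added example of the CI/CD usage mentioned above, not a file shipped by the SSLyze project. It installs SSLyze 5, scans one host against the Mozilla "intermediate" profile with the new --mozilla-config option, and keeps the JSON output as a build artifact. The workflow layout, the hostname and the artifact name are placeholders; the --json_out flag is assumed to be the 5.x option for writing JSON output, and the job relies on SSLyze exiting non-zero when the server does not match the chosen profile (assumed from the project's README, not stated in these notes).

```yaml
# Added example (not part of the SSLyze project): run SSLyze as a scheduled CI step.
# Assumptions: tls.example.internal is a placeholder host; --json_out is the
# 5.x flag for JSON output; a non-zero exit from SSLyze fails the job.
name: tls-config-check

on:
  schedule:
    - cron: "0 6 * * 1"      # weekly, Monday 06:00 UTC
  workflow_dispatch:         # allow manual runs as well

jobs:
  sslyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-python@v4
        with:
          python-version: "3.x"

      - name: Install SSLyze 5
        run: pip install "sslyze>=5.0.0,<6"

      - name: Scan and compare against the Mozilla "intermediate" profile
        # --mozilla-config replaces the removed --regular option; the step
        # fails when the server's configuration does not match the profile.
        run: |
          python -m sslyze --mozilla-config=intermediate \
            --json_out=sslyze-result.json \
            tls.example.internal

      - name: Keep the JSON result for later processing
        # always() so the result is kept even when the check above failed;
        # the file can then be loaded with SslyzeOutputAsJson.parse_file().
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: sslyze-result
          path: sslyze-result.json
```

Switching the profile to `modern` or `old` is a one-word change on the --mozilla-config line; the uploaded JSON follows the same format as the Python API results, so a separate script can read it with the parsing API described in these notes.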