Releases: stfbk/tlsassistant

Version 3.0.0

09 Feb 18:58
1d62b46

Changes from v1.3.1 to 3.0.0

Additions

  • new feature: compliance analysis (see the README for details) (thanks to @Odinmylord)
  • new vulnerabilities analyzed: ALPACA and Raccoon (thanks to @IvanValentini)
  • new configuration type supported: nginx (thanks to @turbostar190)

Changes

Structural (thanks to @matteounitn)

  • complete code refactor
  • new dynamic system based on modules

Actionable report

  • new HTML report
  • new PDF report

Version 1.3.1

28 Jul 13:10

Changes between 1.3 and 1.3.1

  • Resolved an issue that could trigger a false positive within Evaluator/enumerator.sh (fixing issue #5)
  • Added publiccode.yml in order to get indexed by the Italian open source software catalog for public administrations

Disclaimer ⚠ TLSAssistant's v1.* branch is currently in maintenance mode. It is stable, but it will only receive hotfixes because the project is being rewritten from scratch to enrich and upgrade its capabilities. TLSAssistant's v2 will be released by the end of 2021.

Version 1.3

15 Feb 17:26

Changelog 1.3

SUPER Integration

  • Integration of SUPERAnalyzer to scan Android TLS issues
  • tls_rules.json
  • parser.py (STIX Compliant)
  • Added mitigations (Android related):
    • ACCEPT_ALL_SSL_CERTIFICATES
    • CERTIFICATE_OR_KEYSTORE_DISCLOSURE
    • OBFUSCATED_CODE
    • SSL_GET_INSECURE_METHOD
    • WEAK_ALGORITHMS
    • WEBVIEW_IGNORES_SSL_ERRORS

SLOTH Improvements

  • Added Mitigation:
    • SLOTH_MD5_Signature_TLS13
  • Improvement of the first attack vector (mutual authentication)
  • Added second attack vector (md5 signature check)
  • Overall Vulnerabilities checks:
    • TLS 1.3 Legacy Sign Algorithms
    • Sanity Checks
    • MD5 Signature
    • MD5 Signature in ClientHello

Other

  • Update testssl.sh to version 3.0.4 (thanks to @NetBender)
  • BREACH CVE update (thanks to @NetBender)
  • ARIA2C for faster downloads (on installation)
  • Change VENV to Python 3
  • Use mallodroid Python 3

Minor Improvements

  • Cleanup Fixes

Version 1.2

18 Sep 10:10

Changes between 1.1 and 1.2

  • Added STIX as output format (-x|--stix)
  • Added a script to export all the mitigations in STIX bundles (exportSTIX.sh)
  • Removed TLS_Extended_Master_Checker dependency
  • Reworked SLOTH detection (thanks to @matteounitn)
  • Fixed an issue that prevented the installation on Linux Mint
  • Fixed the subdomain scan
  • Updated dependencies

Version 1.1

18 Feb 09:33

Changes between 1.0 and 1.1

  • Improved INSTALLER edge-case handling (fixing issue #1). The script now stops if an error occurs
  • Fixed webserver detection in cases where the secure version of the server hides the information
  • Removed --no-styled-output parameter from curl calls to improve compatibility
  • Added a cleanup script that deletes the downloaded dependencies
  • Migrated to Python's virtualenv to avoid changes to any custom system configuration
  • Fixed HSTS detection (it previously checked the main domain and not the target one)
  • Fixed hostname handling
  • Introduced highlighted Attack Trees as new verbosity level (-v 3)
  • Added CVE and CVSS score to the attack description
  • Changed the default report folder (now ./Report)
  • Added a Dockerfile to simplify container deployment
  • Added subdomain scan (-d|--domain)
  • Added bulk scan (-l|--list)
  • Added code snippets for nginx (thanks to @matteounitn)
  • Various bug fixes

Version 1.0

04 Jul 15:40

First release