5.0.2

• Added support for Python 3.10 (#464).

5.0.1

• Renamed --mozilla-config to --mozilla_config for consistency.
• Fixed a bug when using --reneg against servers using specific versions of GnuTLS.
• Added support for cryptography 36.0.0 (#542).
• Fixed JSON output when using --json_out=- to print JSON to the console (#543).

5.0.0

This major release focuses on improving the reliability of the scans, simplifying the Python API and JSON output, and adding support for checking a server's TLS configuration against Mozilla's recommended configuration.

• SSLyze will now check the server's scan results against the Mozilla "intermediate" configuration (#453).
  • Which Mozilla configuration to use can be configured via --mozilla-config={old, intermediate, modern}.
  • The --mozilla-config option replaces --regular, which has been removed.
• SSLyze can now be run as a CI/CD step; see the README for more information.
• The Python API has been significantly simplified (#512). The changes focus on:
  • Reducing how much code is needed in order to run a scan.
  • Improving the typing of the result objects, in order to simplify code that processes scan results.
  • API-breaking changes: Starting a scan and processing the results is now done differently; see the documentation.
• The JSON output has been significantly simplified.
  • The JSON output's format now fully matches the format of the results within the Python API.
  • An auto-generated JSON schema is also now available at ./json_output_schema.json (#487).
  • The Python documentation can now be used to understand the format for both Python results and JSON results.
• SSLyze now provides a fully-typed Python API for parsing the JSON output of previously-run scans (#487).
  • parsed_json_result = SslyzeOutputAsJson.parse_file("result.json")
  • This can be used for example to process the results of SSLyze scans in a separate Python program.
• HTTP headers testing: the Public-Key-Pins headers are no longer checked by SSLyze, as the pinning feature has been removed from most browsers (#506).
  • API-breaking changes:
    • The public_key_pins_header and public_key_pins_report_only_header fields have been removed from HttpHeadersScanResult.
• Session resumption testing: the --resum scan command has been updated to provide better insights into how the server supports session resumption (#53).
  • The command will now attempt multiple resumptions using TLS tickets, similarly to what it already does for resumptions with Session IDs. Previously, it would only perform a single resumption attempt when testing TLS Tickets.
  • The new command --resum_attempts can be used in order to configure how many session resumptions --resum will attempt; it is set to 5 by default.
    • python -m sslyze --resum --resum_attempts=20 www.google.com
  • API-breaking changes:
    • The fields within SessionResumptionSupportScanResult have been renamed and updated,
    • The --resum_rate command, ScanCommand.SESSION_RESUMPTION_RATE and the SessionResumptionRateScanResult class have been removed. The --resum_attempts command and SessionResumptionSupportExtraArguments class should be used instead.
• Misc bug fixes for when scanning servers with exotic TLS or network configurations (#531, #532, #533).

4.1.0

• SSLyze's memory usage has been significantly reduced when scanning a lot of servers concurrently (#511).
  • This will make it easier to deploy SSLyze to environments where memory is limited, such as AWS Lambda.
  • For example, when queuing 100 server scans, memory usage will now reach a maximum of 150 MB, instead of 1400 MB in previous versions of SSLyze.
• Fixed errors when running http_headers on specific server software (#517, #516).
• Removed usage of pipenv and switched back to a requirements.txt.

4.0.4

• Fixed errors when running --elliptic_curves on specific server software (#490).
• Better error reporting when running --http_headers on a server that doesn't speak HTTP (#499, #500).
  • See also the new HttpHeadersScanResult.http_error_trace field in the Python API.

4.0.3

• Updated the JSON output to be more stable, to allow diffing the JSON output of successive scans against the same server (#491).
• Fixed errors when scanning a server that only supports TLS 1.3 (#488).
• Fixed error when running --robot on an nginx server configured to require client authentication (#484).
• Fixed crash due to malformed HTTP headers (#498).
• Better reporting when scanning unresponsive servers (#501).
• Fixed error when an invalid certificate is deployed on the server (#495).
• Fixed error when running --reneg on Indy TCP server (#483).

4.0.2

• Fixed an issue with servers requiring client authentication and SSLyze reporting some TLS versions as unsupported (#472).
• Fixed a crash when parsing an OCSP response with no "Next Update" field (#481).
• Updated the trust stores.

4.0.1

• Updated the version of cryptography in the setup.py (#467).
• Fixed a crash when displaying non-successful OCSP responses (#477).

4.0.0

• Added support for Python 3.9 (#468).
• Fixed a crash when parsing OCSP responses (#471).
  • API-breaking change: the ocsp_response field in CertificateInfoScanResult is now an OCSPResponse instance from the cryptography.x509.ocsp module.
  • JSON-breaking change: Significantly improved the JSON output for certificates and OCSP responses, when using --certinfo.
• Fixed a false positive when testing for client-initiated renegotiation DoS attacks on some servers (#473).
  • API-breaking change: the accepts_client_renegotiation field in SessionRenegotiationScanResult was removed, and the more accurate is_vulnerable_to_client_renegotiation_dos field was added.
• The ability to detect the server’s “preferred” cipher suite was removed for being too unreliable, and will be replaced by full cipher suite order detection in a future release (#456).
  • API-breaking change: the cipher_suite_preferred_by_server in CipherSuitesScanResult was removed.
• Fixed a crash when scanning a server with an exotic/invalid TLS configuration (#466).
• Fixed support for older versions of macOS.
• Added support for the latest version of cryptography (#467).

3.1.0

• Added support for scanning for supported elliptic curves (#447):

$ python -m sslyze --elliptic_curves www.cloudflare.com

 * Elliptic Curve Key Exchange:
       Supported curves:                  prime256v1, secp384r1, secp521r1, X25519
       Rejected curves:                   sect163r2, secp160r1, sect233k1, X448, secp160r2, sect233r1, secp192k1,
sect239k1, secp224k1, sect193r1, sect283k1, secp224r1, sect163k1, sect283r1, secp256k1, secp160k1, 
sect409k1, prime192v1, sect409r1, sect163r1, sect193r2, sect571k1, sect571r1

• Added support for cryptography 3.x (#455).
• Fixed various crashes (#458, #459).