Version: 24.09.24
### NOTE
This release is a major redesign of some functionality of the project.
* some legacy options have been removed
* bugs reported as [issue](https://github.com/OWASP/O-Saft/issues) fixed
* many bugs which occurred rarely (special combination of options) are fixed
* using openssl for detecting ciphers must be enabled by options
* handles openssl 3.x
* handles DTLS 1.2
* Dockerfile build with openssl provided by alpine:3.20 (is default now)
* Dockerfile builds image for Docker or Podman
* new Dockerfile.openssl to build image with own openssl 1.0.2-chacha
* new commands and options for o-saft-docker (supports Podman)
* SBOM o-saft.rel added which contains SIDs and sha256sums
* --v behaves as a simple "info"-option
* tracing improved in general
* improved INSTALL.sh with --check* options (for example checking SBOM)
* usr/o-saft-standalone.pl mainly working without perl warnings
* documentation adapted to changed and new functionality
* more descriptive documentation regarding cipher, cipher ranges etc.
### BUGFIX
* usr/INSTALL-template.sh BF: must use literal TAB instead of \t in echo (problem in BusyBox)
* usr/get-SIDs.sh: BF: using expr on STDIN improved (bug with BusyBox v1.36.1)
* o-saft.pl: BF: check_dh() called if +logjam given (instead of +check)
* o-saft.pl: BF: normalise command only, not assigned value (was a problem with +test* commands only)
* o-saft.pl: BF: don't print command-line for option --help=gen* (used in make context only)
* o-saft.pl: BF: print SSLv2 in "Ciphers: Summary"
* o-saft.pl: BF: detect POODLE for TLSv1 (issue 146)
* o-saft.pl: BF: +cbc, +edh, +adh check cipher suite constant names also (issue 144)
* o-saft.pl: BF: avoid "Use of uninitialized value $v in scalar chomp .." (issue 14
* o-saft.pl: BF: avoid "Undefined subroutine &SSLinfo::do_ssl_open ..." for some cipher check commands like +cbs (issue 140)
* o-saft.pl: BF: print <<undef>> for unknown cipher suite found with +cipher
* o-saft.pl: BF: bare word after qr// removed (error in modern perl)
* o-saft.tcl: BF: pass +commands and --option to o-saft.pl (issue 153)
* o-saft-docker: BF: argument hacker and usage do not need docker executable
* lib/SSLhello.pm: BF: use binmode(.., ":raw") to avoid perl error: send() isn't allowed on :utf8 handles (in stand-alone mode)
* lib/SSLinfo.pm: BF: avoid printing undefined value (issue 141)
* lib/OTrace.pm: BF: use pre Perl 5.22 RegEx syntax (issue 142)
* lib/OCfg.pm: BF: avoid Perl warning about regex match in hint()
* lib/OCfg.pm: BF: 0x03005600 (TLS_FALLBACK_SCSV) added to 'range'->'rfc'
* lib/OCfg.pm: BF: cipher_adh cipher_null added to cfg{need-chsckssl} (issue 140)
* lib/OMan.pm: BF: use correct version when generating -cgi.html
* lib/OMan.pm: BF: --help=command lists all commands from RC-file
* lib/OMan.pm: BF: bare word after qr// removed (error in modern perl)
* HTML-table.awk: BF: HTML syntax corrected
* HTML-simple.awk: BF: HTML syntax corrected
* usr/XML-value.awk: BF: XML syntax corrected
* usr/XML-attribute.awk: BF: XML syntax corrected
* t/Makefile.mod: BF: definition of SRC.pm adapted to Makefile
* t/Makefile.testssl: ET: target examples corrected
* usr/INSTALL-template.sh BF: special handling when called by make in own test directory
* Makefile: BF: use ./$SRC.pl when generating own help files
### CHANGES
* usr/get-SIDs.sh: EF: check for gawk and md5sum; exit if missing
* Dockerfile: EF: using docker BuildKit; OSAFT_VM_SRC_OSAFT can be local file
* Dockerfile: EF: uses standard openssl
* usr/INSTALL-template.sh ED: new documentation section CHECKS, UPDATES
* usr/INSTALL-template.sh EF: allow all --check* option in container image
* usr/INSTALL-template.sh EF: installation with --cgi improved
* usr/INSTALL-template.sh EF: --install checks md5sum of installed files
* usr/INSTALL-template.sh EF: --check=SIDs and --check=SID --changes implemented
* usr/INSTALL-template.sh EF: --checkdev improved (checks execute permissions)
* usr/INSTALL-template.sh EF: INSTALL.sh.lock implemented
* usr/INSTALL-template.sh EF: each part of --check can be checked individually with --check*
* usr/install_openssl.sh: EF: use Net-SSLeay-1.94.tar.gz
* t/Makefile.dev: ET: TEST.tmpdir, TEST.tmp.rc added
* t/Makefile.warnings: ET: TEST.tmp.rc removed (now in Makefile.inc)
* t/Makefile.inc: ET: TEST.tmpdir, TEST.tmp.rc added
* t/Makefile*: ET: all O-*.dir renamed to O-DIR.*
* t/Makefile*: ET: option --trace-CLI removed; now passed via OSAFT_OPTIONS=--trace-CLI
* t/Makefile: ET: target testcmd-test.internal improved
* t/Makefile: ET: include Makefile.inst
* t/Makefile: ET: do not set PATH in recursive make
* Makefile: ET: podman.* targets added
* Makefile: ET: target docker.test added
* Makefile: ET: variable TEST.Makefiles completed
* lib/Ciphers.pm: EF: is_valid_key() handles keys for internal use also
* lib/OTrace.pm: EF: --trace print environment variables
* lib/OTrace.pm: EF: use OCfg, use OData, use Ciphers (partial fix for issue 137)
* lib/OData.pm: EF: use OCfg included; _init_checks_val() implemented (partial fix for issue 137)
* lib/OCfg.pm: EF: resumption_psk added to cfg{data_hex}
* lib/OCfg.pm: EF: h2-16 added for ALPN, NPN
* lib/OCfg.pm: EF: define and export _dbx(); @EXPORT_OK improved; define warn(), hint()
* lib/OCfg.pm: EF: cipherrange and cipherpattern 'openssl' added
* lib/OCfg.pm: EF: some RegEx simplified
* lib/OCfg.pm: EF: hint for Lucky13 added
* lib/OCfg.pm: EF: initialisation and export improved (partial fix for issue 137)
* lib/ODoc.pm: EF: use full qualified $OCfg:: (partial fix for issue 137)
* lib/OMan.pm: EF: man_warnings() prints used file with --v
* lib/OMan.pm: EF: --help=command lists internal defined summary commands also
* lib/OMan.pm: EF: "use Ciphers" improved (partial fix for issue 137)
* o-saft-docker: EF: option -name=pattern for kill operation added
* o-saft-docker: EF: update implemented
* o-saft-docker: EF: options -OSAFT_VM_SRC_OSAFT= and -OSAFT_VM_SHA_OSAFT= added
* o-saft-docker: ED: documentation improved (note about xhost and xauth)
* .o-saft.pl: ED: description improved; description added to all redefined commands
* o-saft.tcl: EF: options --v behaves like in o-saft.pl
* o-saft.tcl: EF: +info results are shown as Text, not TK-table (issue 154)
* o-saft.tcl: EF: "Start" button added to layout=tablet (for simple usage)
* o-saft.tcl: EF: check for version number improved (hack for use of OSAFT_OPTIONS=--trace-CLI with make)
* o-saft.pl: EF: parsing commands and options unified
* o-saft.pl: EF: _dbx() defined in OCfg.pm
* o-saft.pl: EF: --cipherrange=openssl implemented
* o-saft.pl: EF: -ciphermode= not supported for +cipher-dh
* o-saft.pl: EF: own openssl instead of SSLinfo::do_openssl() for +cipher
* o-saft.pl: EF: check Net::SSLeay<1.92
* o-saft.pl: EF: handle all --help* options/commands after reading all arguments
* o-saft.pl: ED: texts improved for "Ciphers: Summary"; for --version output
* o-saft.pl: EF: abort execution when using invalid/unknown ciphers with --cipher=
* o-saft.pl: EF: individual _is_ssl_*() now in generic _is_vulnerable() and _is_compliant()
* o-saft.pl: EF: --v prints info when OSAFT_CONFIG, OSAFT_OPTIONS used
* o-saft.pl: EF: check ENV{'OSAFT_OPTIONS'} if command line should be printed
* o-saft.pl: EF: use shebang -CADSio; descriptions according Unicode, UTF-8 and binmode() adapted
* o-saft.pl: EF: use OCfg, use OData improved (partial fix for issue 137)
* o-saft.pl: EF: die() doesn't print line number; keep make targets *.log happy
* t/Makefile*: ED: _SID renamed to O-SID, _MYSELF* renamed to O-SELF*
* t/Makefile.inc: ET: make file simplified
* t/Makefile.docker: ET: variables and targets for mbedtls removed (now in Makefile.testssl*)
* t/Makefile.cipher: ET: new target testarg-cipher-+cipher---test-missing_
* t/Makefile.cipher: ET: more targets for --cipher* options
* lib/OTrace.pm: EF: __trac() support data type "Regexp"
* doc/help.txt: ED: section UPDATES added
* doc/help.txt: ED: new section "Individual check values"
* doc/help.txt: ED: description about checking/scanning ciphers improved
* doc/help.txt: ED: documentation about warnings and hints improved
* doc/help.txt: ED: more attacks added in section CHECKS
* doc/help.txt: ED: description for POODLE improved
* doc/help.txt: ED: KNOWN PROBLEM "Old, deprecated cipher suites" added
* doc/glossary.txt: ED: formal changes ; more acronyms added
* doc/rfc.txt: ED: more RFCs added; link for SSLv2 added
* usr/gen_standalone.sh: EF: sequence of included files from lib/ changed; formal changes
* usr/INSTALL-template.sh: EF: avoid error message if wish is missing
* o-saft.pl: EF: +version prints own unique SID
* o-saft-docker: EF: avoid errors if docker program missing
### NEW
* o-saft-docker: NF: kill command added
* Dockerfile.openssl: NF: renamed from Dockerfile
* t/Makefile.inst: NF: new Makefile.inst for testing INSTALL.sh
* .o-saft.pl: NF: resumption_psk added
* o-saft.pl: NF: check for BREACH vulnerability
* lib/Cipher.pm: NF: is_adh(), is_cbc(), is_edh() implemented
* lib/SSLinfo.pm: NF: extract HTTPS header Content-Encoding and Transfer-Encoding
* lib/SSLinfo.pm: ED: internal %CST renamed to %SSLINFO to avoid name conflicts
* lib/SSLinfo.pm: NF: resumption_psk implemented
* lib/OData.pm: NF: data{resumption_psk} added
* lib/OData.pm: NF: $data{https_content_enc} and $data{transfer_enc} add
* lib/OCfg.pm: NF: new regex->BREACH
* lib/OCfg.pm: EF: cfg{cipherranges}{iana} added
* t/Makefile.mod: NT: new targets testing Cipher::is_* added
* t/Makefile.cipher: NT: new targets for cipher check command (like +adh) added
Version: 24.06.24
### NOTE
### BUGFIX
* o-saft-docker: BF: wrong markup corrected (minor issue with -help only)
* usr/checkAllCiphers.pl: BF: adapted to changes in lib/error_handler.pm 3.6 (OERR_* constants are %OERR hash now)
* doc/help.txt: BD: wrong option --trace=FILE, it is --rc=FILE
* t/Makefile.misc: ET: variables for targets docs.subs and docs.anno improved
* Makefile: EF: target docs depends on generated o-saft.pl.--help* files
* lib/Cipher.pm: BF: get_key() searches for name in all constants
* lib/Cipher.pm: BF: show_getter() prints all defined constants and aliases
* lib/OMan.pm: BF: output for help=info
* lib/OMan.pm: BF: _VERSION() from main must be called ::_VERSION()
* lib/ODoc.pm: BF: list of paths in _get_standalone() corrected
* o-saft.tcl: BF: ignore errors, warnings lines when building window with ciphers
* o-saft.tcl: BF: alias names corrected
* o-saft.tcl: BF: change layout button corrected in "tablet" layout
* o-saft.pl: BF: avoid "Use of uninitialized value $ssl ..." with --legacy=sslscan
* o-saft.pl: BF: +sigkey_value needs special handling with --format=hex
* o-saft.pl: BF: --cipher accepts cipher constants, suite names, or aliases
* o-saft.pl: BF: special error check for +sstp (response from wolfSSL is slightly different)
* o-saft.pl: BF: reading from RC-FILE also if no --trace given
* o-saft.pl: BF: syntax corrected (bug since 3.14 only)
### CHANGES
* o-saft.cgi: EF: use own %STR variable (to be compatible with various Makefiles)
* lib/OCfg.pm: EF: more values added to be handled by --format=hex
* lib/OCfg.pm: EF: hasdtls1 hasdtls12 hasdtls13 added to some list of commands
* lib/OCfg.pm: EF: cipher 0x030000FE (WDM-NULL-SHA256) added to some ranges
* lib/Cipher.pm: EF: cipher -WDM-NULL-SHA256 (wolfSSL DTLS Multicast) added
* doc/help.txt: ED: description for --cipherrange=RANGE improved
* doc/help.txt: ED: KNOWN PROBLEM "+cipher hangs" added
* t/gen-graph-annotations.sh: EF: sub-directories adapted to new directory structure
* usr/INSTALL-template.sh: EF: option --instdev implemented
* usr/INSTALL-template.sh: EF: list of file "not to be installed" and moved with --clean improved
* usr/INSTALL-template.sh: EF: $dirs__ancient implemented; messages improved
* usr/INSTALL-template.sh: EF: messages and documentation improved
* usr/INSTALL-template.sh: EF: checking ancient files improved; checking ancient directories
* usr/INSTALL-template.sh: EF: accept environment variable OSAFT_Dir as installation directory
* usr/INSTALL-template.sh: EF: special handling for o-saft-docker
* t/Makefile.dev: ET: targets for testing INSTALL.sh moved to Makefile.inst
* t/Makefile.cmd: ET: some targets use filter to remove random data in generated .log
* Makefile: EF: EXE.docker renamed to EXE.o_docker; EXE.docker=docker added
* Makefile: EF: target INSTALL.sh depends on Makefile.misc
* Makefile: EF: checkAllCiphers.pl is now usr/checkAllCiphers.pl
* o-saft.cgi: EF: do not allow --inc= and --no-inc=
* o-saft.pl: EF: options --no-tls and --no-dtls added (aliases)
* o-saft.pl: EF: --ignore-warning= implemented
* o-saft.pl: EF: printversion() prints all own modules
* o-saft.pl: ED: --v output improved
* o-saft.pl: EF: security checks implemented and documented for use of qx()
* o-saft.pl: EF: +version prints Perl version also
* o-saft.pl: EF: some warning messages about ::VERSION improved; warning 127 and 130 removed
* lib/Cipher.pm: ED: output format of gett03() is the same as of show_getter()
* lib/SSLhello.pm: ED: message printed by error_handler->reset_err() unified
* lib/SSLinfo.pm: EF: --testopenssl also prints openssl executable which returned capabilities/options
* lib/OTrace.pm: EF: --test-memory prints sorted data
* lib/OTrace.pm: EF: simplified use of Exporter module
* lib/OText.pm: EF: simplified use of Exporter module
* lib/OData.pm: EF: simplified use of Exporter module
* lib/ODoc.pm: EF: simplified use of Exporter module
* lib/OCfg.pm: EF: simplified use of Exporter module
* lib/OMan.pm: EF: simplified use of Exporter module
* lib/OMan.pm: EF: man_warnings() simplified
* lib/OMan.pm: EF: documentation improved; --pod=* and --file=* option implemented
* lib/OMan.pm: EF: click outside menu closes menu in navigation bar on website
* lib/SSLinfo.pm: ED: output format for --test-* options unified
* lib/OTrace.pm: EF: calling SSLinfo::test_openssl() for --test-openssl
* doc/help.txt: ED: environment variables OSAFT_CONFIG and OSAFT_OPTIONS added; description of reading RC-FILE and options
* doc/help.txt: ED: documentation improved
* doc/devel.txt: ED: documentation improved
* doc/coding.txt: ED: documentation improved
* doc/coding.txt: ED: note about qx() security added
* t/.perlcriticrc: EF: some pragmas and description improved
* t/Makefile.mod: ET: more targets for --test-* options
* usr/install_openssl.sh: EF: handle errors returned by find
* usr/install_openssl.sh: EF: dependency changed: libidn2-0-dev -> libidn2-dev
### NEW
* t/Makefile.docker: NF: targets mbedtls.* for Mbed TLS server docker image
* t/Makefile.docker: ET: target for command hacker added
* t/Makefile.docker: NT: target testarg-docker- added
* lib/Cipher.pm: NF: new functions find_consts() find_keys_any() and find_names_any()
* lib/OData.pm: NF: hasdtls1, hasdtls12, hasdtls13 added to %check_conn
* lib/OTEXT.pm: NF: general function usage_show() for printing --usage
* lib/OData.pm: NF: --usage implemented
* lib/OCfg.pm: NF: --usage implemented
* o-saft.tcl: NF: option --rc=FILE added
* o-saft.tcl: NF: --no-rc option implemented
* o-saft.pl: NF: option --silent (shortcut for --nowarning --nohint) added
* o-saft.pl: NF: hasdtls1, hasdtls12, hasdtls13 checks implemented
* o-saft.pl: NF: environment variable OSAFT_CONFIG, OSAFT_OPTIONS implemented
* o-saft.pl: NF: --inc=* and --no-inc=* added
Version: 24.02.24
### NOTE
### BUGFIX
* lib/OMan.pm: BF: avoid Perl's "Use of uninitialized value $OMan::cfg{"me"} ..." (in o-saft-standalone.pl only)
* usr/INSTALL-template.sh: BF: script can be executed in any directory
* lib/SSLhello.pm: BF: use full qualified %error_handler::OERR in standalone mode
### CHANGES
* usr/o-saft-standalone.pl: EF: remove POD and comments from generated code
* lib/OMan.pm: EF: +VERSION implemented
* lib/OText.pm: EF: +VERSION implemented
* lib/SSLhello.pm: EF: +VERSION implemented
* usr/INSTALL-template.sh: EF: echo_info() implemented
* lib/SSLhello.pm: EF: constants OERR_* replaced by variable $OERR (adaptation to error_handler 3.8)
* lib/SSLinfo.pm: EF: constants SSLINFO* replaced by hash %CST
* lib/error_handler: EF: OERR_* constants are %OERR hash now; %ERROR_TYPE_RHASH_REF replaced by %OERR_map
* t/Makefile.tcl: ET: --trace-CLI added to o-saft.tcl calls
### NEW
* o-saft.tcl: ET: --trace-CLI added to o-saft.tcl calls
* usr/INSTALL-template.sh: EF: --v option (instead of logging)
Version: 24.01.24
### NOTE
This release is a major redesign (refactoring) of the project. The top
directory now contains the main tools only. All modules, documentations and
(user) contributed tools are in sub-directories.
These changes are also reflected in the directories available at github.
If older versions should be used, please get the corresponding `o-saft.tgz`
from that version, see below.
Functionally the options `--v` and `--trace` behave differently now.
Besides many formal changes, the following bugfixes and changes have been made.
### BUGFIX
* o-saft.pl: BT: print sorted list of ciphers for --ciphermode=dump (important for testing only)
* o-saft.pl: BF: avoid "Use of ..." for --legacy=testsslserver
output for --legacy=testsslserver may now miss some information values
* t/Makefile.warnings: BT: duplicate target warning-141 removed
* OSaft/Ciphers: BD: description for $cipher_results adapted to new definitions
* Net/SSLhello.pm: BF: typos in cipher suite names corrected
* o-saft-dbx.pm: BF: avoid "Use of uninitialized value in join or string ..."; output for --trace=3 improved
* o-saft-man.pm: BF: <details> tag with overflow-y:auto
* o-saft-man.pm: BF: <aside> tag with higher z-index
### CHANGES
* o-saft-man.pm: EF: man_src_grep() improved and adapted to new syntax for --help=exit
* t/Makefile.warnings: ET: warning-061 and warning-145 added
* t/Makefile.exit: ET: targets adapted to changes in o-saft.pl 2.163
* t/Makefile.cmd: ET: adapted to changes in o-saft.pl 2.163: --trace-CMD is now --v
* t/Makefile.dev: ET: testarg-dev-grep_subs improved
* t/Makefile.dev: EF: additional filter in target testcmd-dev-grep_desc
* t/Makefile: ET: environment variable PERL5LIB and PERL_HASH_SEED are set for all test* targets
* t/Makefile: ED: OSAFT.pm renamed to LIB.pm; o-saft-usr.pm renamed to OSaft/Usr.pm
* OSaft/Data.pm: EF: text for cnt_ciphers, cnt_totals improved
* OSaft/Doc/devel.txt: ED: OVERVIEW section added
* Net/SSLinfo.pm: EF: definition of variables and subs done at beginning; trace output improved
* Net/SSLhello.pm: EF: using _trace_* functions for some output with --trace*
* Net/SSLhello.pm: EF: definition of variables and subs done at beginning; trace output improved
* Net/SSLhello.pm: EF: using normalised timestamp for --trace-time
* Net/SSLhello.pm: EF: format of timestamp for --trace-time adapted to main
* Net/SSLhello.pm: EF: print %SSLINFO with --trace instead of --v
* Net/SSLhello.pm: ED: formal changes for trace output
* Net/SSLhello.pm: EF: don't pass -nextprotoneg together with -tls1_3 to openssl
* o-saft-dbx.pm: EF: output of HASH for --trace=3 improved
* osaft.pm: EF: DTLSv1* enabled
* osaft.pm: EF: hints 'openssl3' and 'openssl3c' added
* osaft.pm: EF: regex for 'OWASP_D' and 'OWASP_NA' improved
* osaft.pm: EF: get_ciphers_range() improved
* o-saft.pl: EF: --v and --trace improved (_y_CMD() replaced by _vprint())
* o-saft.pl: EF: sort some values for +check output
* o-saft.pl: EF: "local $\ =" removed to avoid unexpected behaviour in subs
* o-saft.pl: EF: avoid PFS checks with --ciphermode=openssl; may lead to wrong PFS output
* o-saft.pl: EF: --tracekey does not print "= reading file ..." information
* o-saft.pl: EF: check --legacy= option for +cipher; print warning
* o-saft.pl: EF: print hint when using openssl >2.0 and --ciphermode=openssl
* o-saft.pl: _get_cipherlist_*() replaced by _get_cipherslist()
* o-saft.pl: EF: _eval_cipherranges() replaced by osaft::get_ciphers_range()
* o-saft.pl: EF: checking openssl's protocol options adapted to OpenSSL 3.0.11
* o-saft.pl: EF: printing "Total number of ciphers" 'cnt_totals' unified
* o-saft.pl: EF: +cipher-sh reimplemented
* OSaft/Ciphers: EF: sort_results() improved
* OSaft/Ciphers: EF: cipher 0x02FFFFFF added for internal use
* OSaft/Ciphers: EF: find_names() allows OpenSSL-style patterns
* OSaft/Ciphers: EF: sort_names() adapted to new ciphers (added in 2.89)
* OSaft/Ciphers: EF: aliases for some ciphers added
* OSaft/Doc/rfc.txt: ED: more RFCs added
* OSaft/Doc/help.txt: ED: HTML layout for some list items improved
* o-saft.pm EF: openssl configuration cfg{openssl} improved
* o-saft-man.pm EF: support --trace option; --v supported for tool itself only
* o-saft-man.pm EF: parent caller defines file to retrieve (grep) data from
* o-saft-man.pm ED: <li> tags improved
* o-saft-dbx.pm EF: _vprintme() removed
### NEW
* OSaft/Doc/openssl.txt: ND: file for internal (developer) documentation
* Net/SSLinfo.pm: EF: test_openssl() for --test-openssl implemented
* t/Makefile.mod: ET: target testarg-mod-Net-SSLinfo.pm_--test-openssl added
* t/Makefile.cipher: ET: targets added to test +cipher --trace*
* t/Makefile.cipher: ET: target testcmd-cipher-+cipher---openssl-local_ added
* t/Makefile.warnings: ET: warning-015 implemented, warning-413 implemented
* osaft.pm EF: cfg{openssl_version} added
* OSaft/Ciphers: EF: ciphers TLS13_GOSTR341112_256* added
* OSaft/Trace.pm: NF: added (replace o-saft-dbx.pm 2.44)
* OSaft/USR.pm: NF: added (replace o-saft-usr.pm 2.8)
Version: 23.11.23
BUGFIX
* o-saft-dbx.pm BF: avoid Perl's "Use of uninitialized value ..." when printing values
* OSaft/Ciphers.pm: BF: check for own commands improved; fully handle --test-ciphers-* options
* Net/SSLhello.pm: BF: proper parameter type for Net::SSLeay::CTX_set_options() to avoid perl warning
* Makefile: BF: more dependencies for targets generating static help files $(DOC.dir)/$(SRC.pl).% improved
* t/Makefile.warnings: BT: macro EXE.extract_warn to extract warnings and errors corrected
* t/Makefile: BT: compute _SID.pod directly
* t/Makefile: BT: help.test.targets corrected
* Net/SSLinfo.pm: BF: Net::SSLeay::set_tlsext_host_name() behaves strange for openssl>2.0; dirty workaround implemented
* Net/SSLinfo.pm: BF: send HTTP verb line with \r to avoid "\n" in the logfiles
* osaft.pm: BF: +compression needs to call checkdest()
* osaft.pm: BF: OWASP scoring for TLS13-* ciphers corrected
* o-saft.pl: BF: implementation of need_netinfo improved
* o-saft.pl: BF: check for given command improved (avoid ambiguity)
* o-saft.tcl: BF: using correct widget for saving results
* o-saft.tcl: BF: Config Tool window has no Save button
* o-saft.tcl: BF: tooltip for Save button in Options tab corrected
* o-saft.tcl: BF: Save button for configuration settings corrected
* o-saft.tcl: BF: key bindings disabled, because they also apply for entry widgets, where they should not
* o-saft-man.pm: BF: remove internal markup in output for --h
CHANGES
* o-saft.cgi: EF: option --format=html4 --format=html5 renamed to --html4 --html5 (--format= already used by o-saft.pl)
* o-saft: EF: -log improved
* o-saft: ET: use non-random logfile name to avoid diff results with make
* OSaft/Ciphers.pm: EF: unified format for warn() messages
* OSaft/Data.pm: EF: adapted to modern TLS: use of TLSv1 or TLSv11 not considered good
* o-saft.pl: EF: --test-ciphers* options simplified; --traceCMD improved
* o-saft.pl: EF: adapted to modern TLS: use of TLSv1 or TLSv11 not considered good
* o-saft.pl: EF: warning if +cipher-dh --ciphermode=intern
* o-saft.pl: EF: checking for identified PFS ciphers improved (for --ciphermode=intern only)
* Net/SSLinfo.pm: EF: print Hint if server does not support protocol
* Net/SSLinfo.pm: EF: Net::SSLeay make HTTP requests with User-Agent header
* o-saft-dbx.pm: ED: description for --test-data improved
* o-saft-dbx.pm: EF: use texts from OSaft::Text
* OSaft/Doc/help.txt: ED: ENVIRONMENT section improved
* OSaft/Doc/help.txt: ED: o-saft.cgi's option --format=html4 --format=html5 renamed to --html4 --html5 (--format= already used by o-saft.pl)
* OSaft/Doc/help.txt: ED: DEBUG section removed, now available with --help=development
* t/Makefile.dev: ET: target testarg-dev-o-saft_-log improved
* t/Makefile.dev: ET: _EXE.log-filterarg improved (to compare results)
* t/Makefile.make: ET: ALL.testmake completed
* Makefile: EF: enforce LC_CTYPE=C.UTF-8 (necessary at least for o-saft.tcl)
* o-saft.tcl: ED: sequence of menu items as in o-saft.cgi
* o-saft.tcl: EF: missing Save button to Commands tab added
* o-saft.tcl: EF: debug (really trace) output improved for --d=2
NEW
* o-saft-dbx.pm EF: --test-vars implemented; _yeast_test_vars()
* o-saft.pl: EF: --http-user-agent= added
* osaft.pm: EF: set_user_agent() implemented
* Net/SSLinfo.pm: EF: $Net::SSLinfo::user_agent added
* osaft.pm: EF: cfg{use}{user_agent} added
* OSaft/Doc/devel.txt: ND: new file
* Makefile: ET: release.here added; GEN.rel is now in docs/; generated tgz contains $(GEN.rel)
* o-saft: EF: mode -log implemented
Version: 23.04.23
BUGFIX
* contrib/INSTALL-template.sh: BF: overlong message corrected when modules are missing
* contrib/HTML-table.awk: BF: generating HTML comment corrected
* t/Makefile.misc: BF: target nytprof.html generates output in t/nytprof
* Makefile: BT: target pdf for generating PDF corrected
* o-saft.pl: BF: extracting message number in _warn() corrected (used to avoid printing duplicate messages)
* o-saft.pl: BF: avoid "Use of uninitialized value $_no ..."; issues/133
* o-saft-man.pm: BF: value attribute for generated checkbox corrected
CHANGES
* OSaft/Doc/help.txt: ED: documentation for developers moved to other files
* contrib/HTML-table.awk: EF: generate HTML4 or HTML5 depending on scriptname; default: HTML5
* contrib/HTML-table.awk: EF: comment added; h1 tag added
* Net/SSLinfo.pm: ED: using =head3 for method description in POD
* Net/SSLhello.pm: ED: using =head3 for method description in POD
* t/Makefile.dev: EF: using EXE.log-filterarg in testarg*pod.log targets (not yet fully working)
* Makefile: EF: INSERTED_BY_MAKE_OSAFT_PM: give INSTALL.sh list of own perl modules
* Makefile: ET: DOC.src renamed to DOC.odg; SRC.doc to SRC.odg
* o-saft-man.pm: EF: TOC added to generated HTML using <aside> tag (needs to be improved)
* o-saft-man.pm: EF: provide options --format=html4 and --format=html5
* o-saft-man.pm: EF: use linear-gradient background for help buttons in cgi.html
* o-saft-man.pm: EF: --no-tlsv13 removed from default settings in .cgi.html
NEW
* t/Makefile.misc: NF: targets docs.anno docs.subs added
* t/gen-graph-annotations.sh new
* t/gen-graph-sub-calls.sh: new
Version: 22.11.22
BUGFIX
* Net/SSLhello.pm: BF: correct use of %cfg (instead of %{$osaft::cfg...})
* Net/SSLinfo.pm: BF: avoid "Use of uninitialized value ..." in datadump()
* OSaft/Ciphers.pm: BF: using string '0 ' if value is 0 in _ciphers_init()
* OSaft/Data.pm: BF: string <<internal>> changed to internal to avoid conflict in HTML
* o-saft.pl: BF: output for --ciphermode=dump corrected
* o-saft.cgi: BF: setting PATH corrected
* o-saft.cgi: BF: regex for arguments to be ignored corrected
* o-saft.tcl: BF: using undefined array variable corrected
* o-saft.tcl: BF: generating content for "help" improved
* o-saft-man.pm: BF: avoid "Use of uninitialized ..." (bug since 2.80)
* o-saft-man.pm: BF: print STRENGTH for --test-ciphers-list
* t/Makefile: ET: name of targets unified: testarg-hlp-*
* t/Makefile.dev: BT: duplicate targets in ALL.test.dev removed
* t/Makefile.misc: BT: report only first occurrence of shebang in testarg-misc_shebang (still not perfect)
* t/Makefile.help: BT: EXE.pl = ../$(SRC.pl)
* t/Makefile.cipher: BT: targets testcmd-cipher-+test-ciphers-list-* corrected (are testarg-* now)
* contrib/gen_standalone.sh: BF: better check for include of o-saft-dbx.pm
CHANGES
* o-saft.pl: EF: print number of checked ciphers for each protocol
* o-saft.pl: EF: print warning if no ciphers specified
* o-saft-man.pm: EF: use linear-gradient background for help buttons in cgi.html
* o-saft-man.pm: EF: --no-tlsv13 removed from default settings in .cgi.html
* o-saft-man.pm: EF: use shebang /usr/bin/perldoc instead of /usr/bin/env in generated files
* o-saft-man.pm: EF: CSS for --help=gen-cgi and help page improved
* o-saft-man.pm: EF: new design for o-saft.cgi.html
* o-saft-man.pm: EF: man_docs_write() (writes --help=ciphers-text also)
* o-saft-dbx.pm: EF: osaft::test_regex() -> osaft::test_cipher_regex()
* o-saft-dbx.pm: EF: printing list of ciphers improved
* o-saft.cgi: EF: regex for illegal commands and options improved
* o-saft.tcl: EF: destroy_window(): wrapper to destroy toplevel window
* o-saft.tcl: ED: "Key Bindings" documented
* o-saft.tcl: EF: osaft_write_docs() used "o-saft.pl --help=gen-docs" to generate files
* OSaft/Doc/help.txt: EF: description for --cipherrange=RANGE improved; --cipherpattern=PATTERN added
* OSaft/Ciphers.pm: EF: cipher suites SM4-GCM-SM3 and SM4-CCM-SM3 added
* OSaft/Ciphers.pm: EF: security for ciphers *PSK*CBC* set mediu
* OSaft/Ciphers.pm: ET: test functionality improved
* OSaft/Ciphers.pm: EF: @cipher_iana_recomended added (list of cipher suites recommended by IANA)
* t/Makefile.docker: EF: testarg-%.log uses $(EXE.arg-logfilter)
* t/Makefile.cipher: ET: tests for --ciphermode=dump added
* t/Makefile.misc: ET: target testarg-misc_hashbang renamed to testarg-misc_shebang
* t/Makefile.tcl: ET: use testarg% instead of testcmd%; generate targets with GEN.targets macro
* t/Makefile.pod: ED: section Make:macros added; consistent use of "macro" and "variable"
* t/Makefile.pod: ET: new makefiles added to section O-Saft Makefile Includes
* t/Makefile.dev: ET: new Targets to test INSTALL.sh
* t/Makefile.hlp: ET: useless $(eval ...) removed
* t/Makefile.inc: EF: new text for TEST.logtxt; EXE.arg-logfilter and EXE.cmd-logfilter added
* t/Makefile.etc: EF: EXE.log-filtercmd added to testcmd-etc-testssl.s%.log
* t/Makefile.cmd: EF: EXE.log-filterarg, EXE.log-filtercmd for some targets added
* t/Makefile: EF: enforce LANG=C environment for all tests
* t/Makefile: EF: include t/Makefile.gen t/Makefile.mod
* t/Makefile: ET: remove useless environment variables
* t/Makefile: EF: renamed: EXE.arg-logfilter -> EXE.log-filterarg; EXE.cmd-logfilter -> EXE.log-filtercmd
* t/Makefile.*: ET: use GEN.targets-args macro to generate targets
* Makefile: ET: INSTALL.sh added to ALL.tgz
* Makefile: EF: Makefile.gen added
* Makefile: EF: enforce LANG=C environment for all tests
* Makefile: EF: remove useless environment variables
* Makefile: EF: include t/Makefile.gen t/Makefile.mod
* Makefile: ET: target docs and do.data improved
* contrib/HTML-table.awk: EF: improved for cipher lists; some header lines handled special
* contrib/*_completion_o-saft: EF: completion for make added
* checkAllCiphers.pl: EF: trace variable assignment improved
NEW
* o-saft.pl: EF: --cipher=CIPHER implemented
* OSaft/Ciphers.pm: NF: get(pfs) implemented
* t/Makefile: NT: target commands of testarg-%.log and testcmd-%.log piped to filter
* t/Makefile.gen: NF: new Makefile with user defined functions
* t/Makefile.pod: EF: new section Make:target generation
* t/Makefile.inc: EF: new text for TEST.logtxt; EXE.arg-logfilter and EXE.cmd-logfilter added
* t/Makefile.dev: NT: targets for get_keys_list and get_names_list added
* t/Makefile.dev: ET: targets for testing OSaft/Ciphers.pm functions added
* t/Makefile.dev: ET: targets testarg-dev-o-saft-sh--post-* added
* t/Makefile.misc: NT: new target testarg-misc_hashbang
* t/Makefile.mod: NF: targets for testing module functionality
* contrib/INSTALL-template.sh: EF: copy_file implemented with --useenv; description for --useenv added
Version: 22.06.22
BUGFIX
* o-saft-man.pm: BF: check if no parameter given corrected
* osaft.pm: BF: avoid "Use of uninitialized value $cipher" in get_cipher_owasp()
* osaft.pm: BF: syntax (, instead of .) in cipheranges corrected
* o-saft.pl: BF: avoid "Use of uninitialized value $cipher" in _sort_cipher_results()
* o-saft.pl: BF: avoid "Use of uninitialized value $key" in checkciphers()
* o-saft.pl: BF: match for valid --cipher-pattern corrected
* o-saft.pl: BF: my -> our for simplified variables
* o-saft.pl: BF: printversion() improved (avoid "Use uninitialized value")
* o-saft.tcl: BF: add and delete of entry widgets for target names corrected
* OSaft/Ciphers.pm: BF: missing cipher suite names DHE-PSK-AES18-CBC-SHA and DHE-PSK-AES256-CBC-SHA added
* OSaft/Ciphers.pm: BF: missing ciphers in sequence of sort_cipher_names() added
* contrib/INSTALL-template.sh: BF: "check for openssl executable used by O-Saft" improved
CHANGES
* o-saft.pl: EF: use _eval_cipherranges() instead of eval() directly
* o-saft.pl: EF: more compatibility options from testssl.sh added
* o-saft.pl: EF: _get_ciphers_range --> osaft::get_ciphers_range
* o-saft.pl: EF: verbosity for cipher_selected with +cipher improved
* o-saft.pl: EF: printing header line for all +cipher checks improved
* o-saft.pl, *.pm: EF: @INC improved
* o-saft.pl, *pm: EF: use OSaft::Text
* o-saft-man.pm: EF: honor --v from caller
* o-saft-man.pm: EF: JavaScript in man_ciphers() improved
* o-saft-man.pm: EF: o-saft.cgi.html improved
* o-saft-man.pm: ED: man_warnings() improved
* contrib/INSTALL-template.sh: EF: check for O-Saft programs improved
* contrib/o-saft_bench.sh: ED: pretty printed results
* o-saft.tcl: EF: improved for AndroidWish
* o-saft.tcl: EF: detect header line for SSL/TLS protocol od ciphers
* o-saft.pl: EF: print header line for all +cipher checks (to map cipher suite names properly to protocols)
* o-saft.pl: EF: redesign OSaft/Ciphers.pm: branch moved to trunk
* osaft.pm: EF: get_ciphers_range() (moved from o-saft.pl)
* osaft.pm: EF: redesign OSaft/Ciphers.pm: branch 1.270.1.4 moved to trunk
* OSaft/Ciphers.pm: BF: all ciphers with 3DES are 112 bits only
* OSaft/Ciphers.pm: BF: RMD replaced by RIPEMD for cipher MACs
* OSaft/Ciphers.pm: EF: sort_cipher_results() moved from o-saft.pl
* OSaft/Ciphers.pm: EF: set_sec() implemented
* OSaft/Ciphers.pm: EF: redesign OSaft/Ciphers.pm: branch moved to trunk
* OSaft/Doc/glossary.txt: EF: formal changes, some typos fixed; new XChaCha*, AESCCM*
* OSaft/Doc/help.txt: ED: only historic references to +cipherall and +cipherraw
* OSaft/Doc/help.txt: ED: documentation of --test-ciphers-* options improved
* OSaft/Doc/rfc.txt:
* o-saft-dbx.pm: ED: documentation for --test-ciphers-* options improved
* o-saft-dbx.pm: EF: unused methods removed; some methods moved to Ciphers.pm
* contrib/INSTALL-template.sh: ED: text about generation improved
* Makefile*: ET: generated target names improved; more targets for --test-*
* Makefile: EF: README replaced by README.md
* Makefile: ED: text about generation improved
* Makefile: EF: _CIPHER and related sources removed
* Makefile.dev: ET: some summary target added
* Makefile.dev: ET: --test-regex moved from osaft.pm to o-saft.pl
* Makefile.dev: ET: adapted to new --test-ciphers* options in various tools
* Makefile.dev: ET: adapted to changes in Ciphers.dev; more tests for Ciphers.pm
* Makefile.dev: ET: *osaft-cipher --> *.osaft-ciphers
* Makefile.opt: ET: target testarg-opt-alias--test-ciphers-list added
* Makefile.misc: ET: redesign OSaft/Ciphers.pm: target keys.* and values.* are no longer needed; removed
* Makefile.misc: ET: target cloc.stat.log added
* Makefile.cipher: ET: targets added for: +test-ciphers-list --range=*
* Makefile.cipher: ET: more --range= checks added
* Makefile.warnings: ET: target warning-009 removed
* Makefile.warnings: ET: warning-521, warning-522, warning-504, warning-505, warning-862 added
NEW
* o-saft-man.pm: EF: man_ciphers() implemented; options --help=gen-cipher-text --help=gen-cipher-html
* Makefile: EF: o-saft-docker added to INSTALL.sh
* o-saft.tcl: EF: "Open window with list of cipher suites" implemented
* o-saft.tcl: EF: --tkpod added
* o-saft.tcl: EF: menu/window for configuration settings added
* o-saft.tcl: EF: tool layout optimized for use on tablet; --gui-layout=tables is default now
* o-saft-docker: EF: option +VERSION added for compatibility with other tools
Version: 22.02.22
BUGFIX
* Net/SSLhello.pm: BF: avoid "Use of uninitialized value $ENV{"PWD"} in ..."
* o-saft*, OSaft/Ciphers.pm: BF: avoid "Use of uninitialized value $ENV{"PWD"} in ..."
* INSTALL.sh: BF: improved check for Perl modules
* INSTALL.sh: BF: create required directories
* contrib/gen_standalone.sh: BF: avoid overwriting generated code when used with -t option
* o-saft.cgi: BF: checks for bad IPs improved
* o-saft: BF: --port= handling for single host argument corrected
* o-saft: BF: output for --legacy=testssl-g corrected
* o-saft: BF: do not start GUI on CLI when output is redirected; detect GUI if STDIN is missing
* contrib/install_openssl.sh: BF: conflicting variable names and check for libidn.so corrected
* contrib/gen_standalone.sh: BF: avoid perl warning "Unescaped left brace in regex is deprecated" (in newer perl versions)
* contrib.bunt.pl: BF: missing space in substitution corrected
* contrib.bunt.pl: BF: colourizing cipher rating improved
* contrib.bunt.pl: BF: detecting host:port corrected
* t/o-saft_bench.sh: BF: +VERSION corrected
* t/o-saft_bench.sh: BF: redirect output of time command (from tty) correctly
* osaft.pm: BF: some cipher names corrected
* osaft.pm: BF: TLS 1.3 cipher-suites corrected
* osaft.pm: BF: ciphers 0x00,0x7x corrected (ciphers for openpgp extension)
* osaft.pm: BF: cipher rating (OWASP A) adapted to OWASP TLS Cheat Sheet (DHE*)
* osaft.pm: BF: avoid **WARNING: 412: for INFO_SCSV
* osaft.pm: BF: sorting ciphers according strength improved (added some CHACHA*, FZA*,
* o-saft*: BF: settings in @INC improved; set . instead ./ in @INC
* o-saft.pl: BF: check for --trace* option improved
* o-saft.pl: BF: check for +ocsp_uri and +ocsp_valid corrected
* o-saft.pl: BF: set default CA file if none found (--ca-file)
* o-saft.pl: BF: duplicate warning 042 corrected
* o-saft.pl: BF: ignore unknown options (new warning 029); avoids using its value as target
* o-saft.pl: BF: avoid perl error: "Undefined subroutine &Time::Local::timelocal ..."
* o-saft.pl: BF: check for +cipher_pfsall corrected
* o-saft.pl: BF: check for +logjam corrected (use $cipher instead of $c)
* o-saft.pl: BF: better check for ancient Net:SSLeay < 1.49 functionality to avoid crash
* o-saft.pl: EF: better check for valid hostname arguments
* o-saft.pl: BF: --exitcode does not count missing PFS if no ciphers offered
* o-saft.pl: BF: --exitcode does not count TLSv13
* o-saft.pl: BF: --exitcode-v corrected
* o-saft.pl: BF: setting cfg{'ca_file'} corrected
* o-saft.pl: BF: description of some ciphers corrected (according openssl description)
* Net/SSLinfo.pm: EF: output for --trace improved and unified
* Net/SSLinfo.pm: BT: test_ssleay() avoids using undefined functions which results in perl's "Can't locate .." error
* Net/SSLinfo.pm: documentation for --test-* corrected
* Net/SSLinfo.pm: avoid Perl warning "used only once: possible typo"
* Net/SSLinfo.pm: BF: get session information from Net::SSLeay (avoid perl warnings)
* Net/SSLinfo.pm: BF: avoid confusing message in servers access.log like: "\n" 400 750 "-" "-"
* Net/SSLhello.pm: BF: avoid "Use of uninitialized value $ENV{"PWD"} in ..."
* OSaft/Doc/Data.pm: BF: avoid some POD link syntax L<
* OSaft/Doc/Data.pm: BF: warnings have a message number
* OSaft/Ciphers.pm: BF: extend @INC (for internal use; @INC depends on OS and distribution)
* OSaft/Ciphers.pm: BF: sorting of strong ciphers improved
* OSaft/Ciphers.pm: BF: numbers for warning messages
* o-saft.tcl: EF: generating Tcl-markup for help improved (still not perfect)
* o-saft.tcl: BF: syntax corrected when --rc used
* o-saft.tcl: BF: Up and Down button in help window activated
* o-saft.tcl: BF: avoid searching for empty strings in help window
* o-saft.tcl: BF: result from +version not shown as table data
* Makefile.dev: BT: test with gen_standalone.sh improved
* Makefile.warning: BT: duplicate warning 042 corrected
* Makefile.cipher: BT: typo in target name corrected
* Makefile: BF: GEN.man depends on GEN.pod
* Makefile: BF: generation of files depending on OSaft/Doc/help.txt corrected
* o-saft-dbx.pm: BF: print content of %cfg{targets} instead of array ref
* o-saft-man.pm: BF: avoid "Use of uninitialized value ..." in man_warnings()
* o-saft-man.pm: BF: detect o-saft as one of our own commands in help texts
* o-saft-man.pm: BF: dirty hack to find proper .pod file for gen-man
* o-saft-man.pm: BF: generation of links in POD and HTML improved
* o-saft-man.pm: BF: _main renamed to _main_man (because this file is not yet a Perl package)
* o-saft-man.pm: BF: setting default options in generated .html corrected
CHANGES
* contrib/HTML-table.awk: EF: print table header for each table
* Makefile: ET: t/cloc-total.awk added as source file; list of documentation files improved
* o-saft.cgi: EF: --format=html implemented (experimental)
* o-saft.cgi: EF: parameter sanitation improved (trailing = in names removed)
* o-saft-man.pm: ED: output for --help=warnings in man_warnings() improved
* o-saft-man.pm: ED: indentation in HTML <li> lists improved
* o-saft-man.pm: EF: --help=warnings implemented
* o-saft-man.pm: EF: --format=html option generated for --help=gen-cgi (o-saft.cgi.html)
* o-saft-man.pm: EF: --cgi-no-header added to quick options for o-saft.cgi.html
* t/Makefile.tcl: ET: target testcmd-tclinteractive-* and test.GUI added; testcmd-tcl---gui-* added
* t/Makefile.tcl: ET: new test targets
* t/Makefile.dev: ET: more individual targets for EXE.osaft (calling contrib/bunt.pl)
* t/Makefile.misc: ET: targets test.keys and test.values
* t/Makefile.misc: ET: targets cloc.csv and cloc.total added
* t/cloc-total.awk: EF: check calculated vs. reported values
* t/cloc-total.awk: EF: print comments reported by cloc
* o-saft.tcl: EF: read configuration from static files; new option --no-docs
* o-saft.tcl: EF: --stdin (reading data from STDIN) implemented
* o-saft.tcl: EF: options --test=FILE --layout=table implemented
* o-saft.tcl: EF: debugging improved; default configuration for Android improved
* o-saft.tcl: ET: option --test-tcl added
* INSTALL.sh: EF: --check and --install check for installed wish
* INSTALL.sh: EF: use unique error numbers
* INSTALL.sh: EF: use --install as default if no option given
* INSTALL.sh: EF: check for optional executables
* INSTALL.sh: EF: functionality and documentation improved
* Dockerfile: EF: build with debian supported
* Dockerfile: EF: using alpine:3.10
* Dockerfile: EF: Workaround for docker/alpine (bug or race condition) added
* contrib/o-saft.php: EF: moved to .
* contrib.bunt.pl: EF: improved for ciphers with OWASP rating
* contrib.bunt.pl: ED: documentation improved
* Makefile.cipher: EF: new targets for testing +cipher with options
* Makefile.cmds: ET: renamed to Makefile.cmd
* OSaft/Doc/tools.txt: ED: checkAllCiphers.pl and contrib/alertscript.pl added
* OSaft/Doc/Data.pm: EF: fix for strange Perl behaviour on older Mac OSX
* OSaft/Ciphers.pm: BF: list command returns sorted list of files
* contrib/gen_standalone.sh: EF: check improved if source file exists
* contrib/gen_standalone.sh: ET: less noisy "ls" if called by make (check OSAFT_MAKE variable)
* contrib/gen_standalone.sh: ED: documentation for generated code improved
* contrib/gen_standalone.sh: EF: handle comments with OSAFT_STANDALONE
* contrib/o-saft.php: EF: improve: search for script to be called (no longer hardcoded)
* contrib/INSTALL-template.sh: EF: options improved; --not-blind added, default is --blind
* contrib/install_openssl.sh: EF: +VERSION and --version added
* contrib/install_openssl.sh: EF: Install Perl modules using "perl -MCPAN" instead of building from .tgz
* contrib/install_openssl.sh: EF: checking preconditions improved; building modules improved
* contrib/install_openssl.sh: EF: option --m to install required Perl modules
* contrib/install_openssl.sh: EF: adapting .o-saft.pl improved
* o-saft-man.pm: EF: _man_squeeze() and _man_use_tty() implemented for --tty option
* o-saft-man.pm: EF: output of man_help(), man_table() may have fixed width
* o-saft-man.pm: EF: CSS improved for o-saft.cgi.html
* o-saft: EF: option -line added
* o-saft: EF: options -colour -blind and -prg=* added
* o-saft*: EF: use print_pod() to print own help
* o-saft-dbx.pl: EF: --test implemented
* o-saft.pl: BF: allow $cfg{'ignore-out'} to set empty
* o-saft.pl: BF: intended functionality of --enabled --disabled corrected
* o-saft.pl: BF: initial time corrected if < 0: set $cfg{'time0'}
* o-saft.pl: EF: use Encode::decode("UTF-8", ...) for all printed values
* o-saft.pl: ED: formal changes in %ciphers (adaption to openssl 1.1.1k)
* o-saft.pl: ED: useless debug output removed; avoid duplicate commands
* o-saft.pl: EF: do not print same message (warning) multiple times; --warnings-dups added
* o-saft.pl: EF: check for Extended master secret
* o-saft.pl: EF: checking CA paths and files for Android improved
* o-saft.pl: EF: options --format-* and --ty implemented
* o-saft.pl: EF: TLS 1.3 cipher-suites added
* o-saft.pl: EF: ciphers 0x00,0x7x added (ciphers for openpgp extension)
* o-saft.pl: EF: warning and hint messages unified
* o-saft.pl: EF: check for openssl executable only if openssl required
* o-saft.pl: EF: --test implemented
* o-saft.pl: EF: --test* options unified
* o-saft.pl: EF: ECDHE-ECDSA-* ciphers are classified with "unknown" security
* osaft.pm: EF: +http_body disabled by default
* osaft.pm: EF: cfg{regex}{OWASP_AA} added; formal changes in %ciphers
* osaft.pm: EF: cipher names adapted to openssl 1.1.1k
* osaft.pm: EF: own _warn() and _dbx() if missing
* osaft.pm: EF: export STR_MAKEVAL
* osaft.pm: ED: formal changes; permanent hint texts defined here
* osaft.pm: EF: cfg{warnings_no_dups} and cfg{warnings_printed} added
* osaft.pm: EF: master_secret added to cmd-quick
* osaft.pm: EF: ca_paths and ca_files improved for Android
* osaft.pm: EF: new TLS_EXTENSIONS data structure
* osaft.pm: EF: cipher suites from rfc6367 added
* osaft.pm: EF: ca_paths[], openssl_cnfs[] improved
* osaft.pm: EF: reserved ciphers removed from cipher ranges
* osaft.pm: EF: ECDHE-ECDSA-* ciphers are classified with "unknown" security
* osaft.pm: EF: primary and alias name of some RSA-PSK-AES* cipher changed
* osaft.pm: ED: VERSION added for POD
* o-saft: EF: call o-saft.tcl if no STDOUT available
* o-saft.cgi: EF: print all error for any invalid parameter
* o-saft.cgi: ED: POD and internal documentation improved
* o-saft.cgi: EF: pass parameter --format=html to o-saft.pl too
* o-saft.cgi: EF: printing HTTP headers conditionally; --cgi-header and --cgi-no-header implemented
* o-saft.cgi: EF: improved to check for invalid arguments without --*= prefix
* o-saft.cgi: EF: disallow IPv4-mapped IPv6 addresses
* o-saft.cgi: EF: disallow IPv4-mapped or incomplete IPv6 addresses; disallow integer addresses
* o-saft-*.pm: ED: documentation improved
* t/Makefile*: ED: ALL.tests and ALL.tests.log are set in Makefile
* t/Makefile*: ED: documentation improved
* t/Makefile*: ET: --trace-CLI option added to most o-saft.pl calls
* t/Makefile*: ET: do not force setting of EXE.pl for testcmd-%
* t/Makefile*: ET: qa.pod - check generated pod file
* Makefile: EF: dependency on tags file improved
* Makefile, t/Makefile*: ET: targets and documentation unified and improved
* o-saft-dbx.pm: ED: description for ciphers_sorted and ciphers_overview improved
* o-saft-dbx.pm: EF: avoid printing random value for cfg{time0} if OSAFT_MAKE is set
* o-saft-dbx.pm: EF: $cfg{'trace*'} --> $cfg{'out'}->{'trace*'}
* o-saft-dbx.pm: EF: $VERSION renamed to $mainsid to avoid conflicts with other modules
* o-saft-dbx.pm: EF: output for --v improved (host:port/path)
* o-saft-man.pm: EF: --h improved (remove internal markup)
* o-saft-man.pm: EF: print own help if called without arguments
* o-saft-man.pm: EF: mobile-friendly title= attributes in generated HTML
* o-saft-man.pm: EF: help button to show o-saft.html for --help=cgi added
* o-saft-man.pm: EF: setting document title in generated .html improved
* o-saft.tcl: EF: docker_status_99x29_magenta.png added
* o-saft.tcl: EF: filename for saving contains name of TAB
* o-saft.tcl: EF: testing and debugging options --help-* renamed to --test-*
* o-saft.tcl: EF: --help=opts option implemented
* o-saft.tcl: EF: o-saft.pl initially called if +command arguments are given
* o-saft.tcl: EF: --rc improved; contrib/.o-saft.tcl removed
* o-saft.tcl: ED: searching for text starting with - in help text improved
* o-saft.tcl: EF: debugging improved
* o-saft.tcl: EF: avoid creating multiple option entry fields
* o-saft.pl: EF: +traceSUB removed, is now --test-sub (see o-saft-dbx.pm 1.110)
* o-saft.pl: EF: print ciphers for --no-enabled and --legacy=owasp also
* o-saft.pl: EF: $VERSION renamed to $mainsid to avoid conflicts with other modules
* o-saft.pl: EF: avoid duplicate settings in @INC; setting @INC simplified; set . but not ./
* o-saft.pl: EF: --exitcode does not count "no (<<..>>)" results
* o-saft.pl: ED: typos
* o-saft.pl: EF: use URL if any to connect to target
* Net/SSLhello.pm: $main::cfg{'trace*'} --> $Net::SSLhello::trace*
* Net/SSLhello.pm: version string corrected
* Net/SSLhello.pm: EF: using IANA constant names for cipher suites instead of openssl constant names
* Net/SSLinfo.pm: ED: formal change: use $STR{WARN}
* Net/SSLinfo.pm: EF: check for Extended master secret
* Net/SSLinfo.pm: ET: improved verbose and debug messages
* Net/SSLinfo.pm: EF: prepared for improved extracting of PEM data
* Net/SSLinfo.pm: EF: empty headers in Net::SSLeay::get_http() removed
* Net/SSLinfo.pm: EF: use URL if any to connect to target
* Net/SSLinfo.pm: EF: --test-* and +VERSION options added
NEW
* t/Makefile: ET: set O-SAFT_MAKE
* t/cloc-total.awk: EF: added
* contrib/symbol.pl: new
* contrib/*_completion_o-saft: EF: completion for o-saft.tcl added
* contrib/INSTALL-template.sh: various adaptions to previous changes
* t/Makefile.misc: ET: testing CLI with *pm
* t/Makefile.doc: ET: testing internal documentation
* OSaft/Ciphers.pm: EF: --usage implemented
* OSaft/Doc/help.txt: ED: --test* options added
* OSaft/Doc/Data.pm: EF: --usage implemented
* Net/SSLinfo.pm: EF: _verbose()
* Net/SSLinfo.pm: EF: Net::SSLinfo::use_https and ::target_url added
* o-saft.tcl: EF: --help=opts option implemented
* o-saft.pl: EF: --use-https implemented
* o-saft.pl: EF: new functionality: +public_key_len +session_id_ctx
* o-saft.pl: EF: +sstp implemented
* o-saft.pl: EF: print warning if --port used after host argument
* o-saft-man.pm: EF: generate nroff format implemented
* o-saft-man.pm: EF: message box for "CGI Usage Note" added to gen-cgi
* o-saft-dbx.pm: ET: --test* option implemented
* o-saft-dbx.pm: ET: write real date and time only if O-SAFT_MAKE environment variable does not exist
Version: 19.01.19
BUGFIX
* t/Makefile.*: BT: macro ALL.inc.type corrected
* osaft.pm: BF: +fingerprint_sha2 honors --format=hex
* o-saft.pl: BF: printing header (for list of ciphers) corrected
* o-saft.pl: BF: "Ciphers: Summary" prints correct numbers if no ciphers found
* o-saft.pl: BF: --legacy=key disabled; --label=key enabled (honors --header option)
CHANGES
* t/Makefile.*: ET: targets simplified and unified; critic345 implemented
* o-saft.pl: EF: +cipher results are sorted according "severity/security risk"
NEW
* o-saft.pl: NF: --help=cmd and --help=cfg-cmd added
* o-saft.pl: NT: +session_startdate and +session_starttime added
* o-saft.pl: NF: new option --legacy=owasp for +cipher
* o-saft.pl: NF: new option --label=long|short|key
* o-saft.pl: NF: alias commands for CVEs added
* t/Makefile.misc: targets for profiling
Version: 18.10.18
BUGFIX
* o-saft-docker: use correct VERSION in docker_build()
* o-saft-man.pm: output for --help=cfg-text corrected
* o-saft-man.pm: HTML encode << ; CSS improved
* o-saft.pl: warning added if https request failed
* o-saft.pl: --exit=MAIN corrected
* o-saft.tcl: value None not highlighted
* o-saft.tcl: --docker and --id=* handled correctly
* t/Makefile.opt: added (missed at github)
* t/Makefile: message-% rule description to avoid syntax errors
* Makefile: missing files t/Makefile.exit, t/Makefile.FQDN added to ALL.Makefiles
* Makefile: dependencies for generated files improved
CHANGES
* o-saft-docker: docker_build() uses OSAFT_VM_SHA_OSAFT environment variable
* contrib/build_openssl.sh renamed to contrib/install_openssl.sh
* o-saft-dbx.pm: trace and verbose output use cfg{prefix_trace} and cfg{prefix_verbose} instead of cfg{mename}
* t/Makefile.*: various minor bugfixes
* Makefile: install target improved
* Net::SSLinfo.pm: set https_body to private string if https request fails
* osaft: call other tools with proper path
* osaft.pm: cipher suites for RFC 8446 (TLS 1.3) added
* o-saft-man.pm: new button to change schema in generated o-saft.cgi.html
* o-saft-man.pm: online documentation in generated html improved
* --help: section TESTING added
* o-saft.tcl: using o-saft.pl in docker container improved
* t/o-saft_bench renamed to t/o-saft_bench.sh
* t/Makefile* improved
NEW
* "help"-Button foreach --help=* in o-saft.cgi.html
* --help=cipherpattern added
* options -comp and -no_comp implemented (OP_NO_COMPRESSION)
* Makefile.help: cloc* target added
* o-saft-man.pm: cgi and html page provides discrete commands
* o-saft-man.pm: cgi page provides input fields for options with values
* o-saft-man.pm: "return to top" button in generated .cgi.html added
Version: 18.07.18
BUGFIX
* o-saft: pass $* instead of $@
* o-saft-docker: check for image IDs corrected
* o-saft-docker: ENTRYPOINT corrected; usage corrected
* o-saft-docker: get correct number of ciphers from docker
* o-saft.tcl: workaround for X error BadAlloc implemented
* o-saft.tcl: highlight of code examples corrected
* o-saft.tcl: size of help window adapted to larger font size
* content of o-saft.tgz corrected (generated by makefile)
* o-saft.pl: +cipher-dh requires openssl
* o-saft.pl: use of $cfg{'openssl'}->{'-msg'} corrected
* o-saft.pl: print warning when trying to read RC-file in cgi mode
* o-saft.pl: avoid Use of uninitialized value in $CFG{sni_name}
* o-saft.pl: avoid Use of uninitialized value in _init_openssldir()
* o-saft-dbx.pm: avoid Use of uninitialized value $cfg{"sni_name"}
* o-saft-man.pm: --help=html does not contain "start" buttons (like --help=cgi)
* Net::SSLinfo.pm: initialize Net::SSLinfo::file_sclient
* Net::SSLinfo.pm: verify_altname(); avoid uninitialized value
* Net::SSLinfo.pm: verify_alias()
CHANGES
* +ocsp_response and +ocsp_stapling (check) implemented
* print !!Hint when multiline data is not printed
* "reading:" message only printed with --v or --warning
* +vulns also contains: +compression +fallback +resumption +renegotiation
* +compression is information (+info) and check (+check, +vulns)
* o-saft-docker: build improved; build supports some environment variables
* Dockerfile: handle master directory from github, move it to $OSAFT_DIR if found
* Dockerfile: add -rpath flag to build SSLeay.so
* o-saft_bench: write result on STDOUT instead of hardcoded file
* o-saft_bench moved to test/
* INSTALL.sh renamed to INSTALL-template.sh; INSTALL.sh generated by Makefile
* LHS condition check
* contrib/INSTALL-template.sh: improved (--check, --openssl)
* contrib/Dockerfile.alpine:3.6 renamed to contrib/Dockerfile.alpine-3.6
* Net::SSLhello.pm: better handling of SSL/TLS connection errors
* prepared for +ccs
NEW
* o-saft.cgi: avoid infinite loop if no parameter given
* o-saft.cgi: first parameter must be --cgi or --cgi=
* contrib/build_openssl.sh
* Makefile; complete test suite in test/Makefile*
* INSTALL-template.sh
* o-saft.tcl: +quit option (for usage in Makefiles)
* o-saft.tcl: scrolling with keys and mouse wheel in help window implemented
* o-saft-man.pm: --help=exit implemented
* o-saft-man.pm: POD added
* o-saft: modes/options -gui -cli -docker added
* o-saft-docker: mode sshx to tunnel X using ssh
Version: 18.01.18
BUGFIX
* markup for generated documentation corrected
* various Perl warnings (in rare runtime situations) fixed
* hostname, SNI and certificate subject checks are case insensitive
CHANGES
* --help=tools added to give an overview of all tools coming with O-Saft
* use of $cfg{'sni_name'} and $cfg{'usesni'} improved (--sni --no-sni --sniname= )
* SSLv3 cipher checks are done without SNI (automatically disabled just for SSLv3)
* simple connection check to avoid "hanging" connection
* documentation moved from o-saft-man.pm to OSaft/Doc/help.txt
* Net::SSLinfo.pm: treat "failed handshake" only as error when Net::SSLinfo::ignore_handshake is not set
* contrib/zap_config.xml: description improved
* +version prints starting directory (PWD)
* +sni command contains +certfqdn
* detecting host and port improved
* use relative instead of absolute timestamps for --traceTIME
NEW
* wrapper script: o-saft
* --traceCLI option added
* --std-format= options implemented (allows generating files with any charset)
* o-saft.tcl: write result of o-saft.pl in Tcl table (experimental)
* +robot ROBOT added
* --ignore-handshake implemented
* --time-absolut to write absolute timestamps for --traceTIME
Version: 17.11.17
BUGFIX
* o-saft.cgi: IPv6 addresses are not allowed
* do not print preferred cipher for SSLv2, as it has no such cipher
* no warning (401) for SSLv2 selected cipher
* do not complain about cipher mismatch (warning 411) for SSLv2
* misleading hint message for WARNING 126 corrected
* check for bit-length of serial number corrected (approx approach)
CHANGES
* --help=cgi generated HTML for cgi usage improved
* +protocols and +vulns documentation added
* warnings and hints improved if SNI used with/for SSLv3
* remove non-printable characters from HTTPS Status line
* Dockerfile: build Net::SSLeay and IO::Socket::SSL based on enhanced openssl-chacha
* +cipherall uses same output format as +cipher
* documentation improved
NEW
* o-saft.tcl: trace implemented; option --trace
Version: 17.09.17
BUGFIX
* bugfix: avoid sub-subdomain matching against subdomain wildcard
* bugfix: BEAST check (https://github.com/OWASP/O-Saft/pull/99)
* Net::SSLinfo.pm: support timeout commands which require -t option (BusyBox)
* Net::SSLinfo.pm: handle binary IP address in certificate's altname attribute
* regex to detect port numbers in URL: {1,5} quantifier instead of {1-5}
* Dockerfile: install perl-readonly for alpine also
CHANGES
* Dockerfile build openssl with GOST and KRB5 ciphers (for alpine:edge)
* Dockerfile supports environment variables
* Net::SSLinfo.pm: checking for Alt-Svc, X-Firefox-Spdy headers improved
NEW
* o-saft-docker: checks for proper installed images
* o-saft-docker: rmi command implemented; status command improved
Version: 17.07.17
BUGFIX
* +tr-02102+ corrected (len_sigdump check)
* check for redirect HTTP to HTTPS corrected (+http_https)
* Net::SSLinfo.pm: do_ssl_new() improved (avoid "Segmentation fault" or "double free or corruption .. Abort" in rare cases)
* o-saft.pl: setting ALPN and NPN options with Net::SSLeay improved (avoid "Segmentation fault" in rare cases)
* warning message for --experimental corrected
* avoid perl warning "Argument isn't numeric" for +tr_02102 checks
* osaft.pm: export printhint()
* print hint for +info commands also
CHANGES
* check for heartbleed only if requested
* hint for DROWN check added
* error and warning messages have a unique number
* print warning for trailing spaces in options read from RC-file
* contrib/gen_standalone.sh: generates working script
* *.pl and *.om improved for use with contrib/gen_standalone.sh
* o-saft-lib.pm: initialization of %cfg with dynamic data done in _osaft_init()