SSL Labs Changelog

Document created by Ivan Ristić on Jul 21, 2016Last modified by Bhushan Lokhande on Mar 5, 2018
Version 32Show Document
  • Comment0
  • View in full screen mode

Version 1.31.0

Released to production on 1 March 2018.

 

New Features

  • Grading change: Grading changes for ROBOT vulnerability, Forward secrecy and AEAD ciphers (blog post)
  • Grading change: Distrust Symantec certificates issued before June 2016 (blog post)
  • Handshake simulations update: Java 8, Googlebot and Edge 15
  • Added ROBOT chart in SSL Pulse charts

Fixes

  • SNI-only site should not be considered vulnerable to POODLE (#519)
  • Protocol-relative path redirect misinterpreted (#521)

 

Version 1.30.5

Released to production on 3 January 2018.

 

New Features

  • ROBOT (Return Of Bleichenbacher's Oracle Threat) vulnerability detection
  • Added support for certificate validation against multiple trust store (Mozilla Apple Android Java Windows)
  • SSL Labs Co-branding site for GeoCert SSL
  • Warn if server uses blocked Symantec certificate

Fixes

  • Incorrect SSL labs certificate mismatch other domain names

 

Version 1.29.2

Planned for release to production on 29 June 2017.

 

New Features

  • Detection of TLS 1.3 draft 18 (#352)
  • SSL Pulse migrated to the SSL Labs web site
  • Warn if SubjectAltName is missing (#486)
  • Warn if certificate serial numbers are more than 20 bytes in length (#498)

Fixes

  • Support RFC 7919 (#446)
  • Check revocation of DROWN certificates (#451)
  • CNNIC root shouldn't be fully trusted (#488)
  • Explain that simulations don't check trust (#494)
  • Links to test.drownattack.com no longer valid (#492)
  • News title ampersand double-encoded on the SSL Labs homepage (#491)
  • cipher not marked as insecure (#487)
  • Windows 10.14393.51 vs Logjam (#377)

 

Version 1.28.3

Released to production 3 April 2017.

 

New Features

  • Grading change: 3DES and other ciphers that use short block-sizes are now deprecated (blog post)
  • Grading change: SHA1 is now deprecated (blog post)
  • Ticketbleed (CVE-2016-9244) vulnerability detection #458
  • Added support for static public key pinning (based on Chromium source code)
  • Added detection of ALPN protocols

Fixes

  • Unexpected version number: 250 (#473)
  • EV certificate OIDs not parsed correctly (#452)
  • Better CAA documentation (#449)
  • Certificate serial numbers not displayed in API (#453)

 

Version 1.26.5

Released to production on 13 January 2017.

 

New Features

  • Improved cipher suite testing. Results are now provided on per-protocol basis and also without SNI. The testing is also faster.
  • Detection of CAA policies (#274)
  • Detection of ECDHE server parameter reuse
  • New test to determine all server-supported named curves and the order of preference (#391)
  • API v3 extended to have simulations include negotiated DHE and ECDHE parameters (#403)
  • SSL Client Test: added support for GREASE suites (#423)
  • SSL Client Test: added support for TLS 1.3 suites (#427)

Fixes

  • Incorrect key exchange reported on some servers (#431)

 

Version 1.25.2

Released to production on 19 November 2016.

 

New Features

  • Now showing all certificates discovered during assessment. This includes RSA, ECDSA and non-SNI certificates.
  • New mini SSL Labs site for Secure128: secure128.ssllabs.com
  • Improved high-resolution report icons

Fixes

  • When an assessment stops because of certificate name mismatch, the list of suggested hostnames to try was empty.
  • Intermediates reported as invoked when only the leaf is revoked (#408)
  • Missing "Ignore mismatch" option in some cases (#412)
  • HSTS false negative in some case (#416)
  • No error messages for insecure ciphers (#419)

 

Version 1.24.4

Released to production on 21 October 2016.

 

New Features

  • New User Agents added: Firefox 49, Android 7, Chrome 53, Safari 10, Chrome 49/XP, and so on.

Fixes

  • Incorrect "contains anchor message for self-signed certificates (#324)
  • SSL Labs not showing HSTS on www.google.com (#374)
  • Warning required if not all trust paths are pinned (#375)
  • Domains preloaded for pinning in Chrome show as preloaded for HSTS (#392)
  • Error with chain of trust with multiple intermediates with same name (#332)
  • Remove "viaform" parameter when report is cached (#395)
  • Checking preloading with Tor doesn't work in production (#394)
  • Discrepancy between the API and the website regarding the strength of 3DES ciphers (discussion thread)
  • API hpkpPolicy object pins encoding issue (#400)
  • API Simulation object should contain DHE and ECDHE information (#403)

 

Version 1.24.0

Released to production on 1 September 2016.

 

New Features

  • Google's experimental post-quantum suites correctly detected in the client test (#384)
  • Intolerance information exposed in the API (#370)
  • Added Content Security Policy headers
  • Added a link to beekpr-ssllabs (#366)

 

Version 1.23.50

Released to production on 21 July 2016.

 

New Features

  • Detection of must-staple certificates (#347)
  • Firefox 47 supports ChaCha20/Poly1305 cipher suites (#351)
  • Added support for "new" Windows cipher suites (#358)
  • Improved usage of HTTP security headers on SSL Labs web site itself

Fixes

  • RC4 is marked as weak instead of insecure (#273)
  • API: incorrect rc4WithModern value (#360)
4 people found this helpful

Attachments

    Outcomes