SSL Labs Changelog

Document created by Ivan Ristić on Jul 21, 2016Last modified by Yash KS on May 29, 2019
Version 41Show Document
  • Comment0
  • View in full screen mode

Version 1.35.1

Released to production on 30 May 2019

 

Feature

  • SSL Pulse: Added charts for Zombie POODLE, GOLDENDOODLE, 0-Length Padding Oracle and Sleeping POODLE vulnerabilities
  • Update API to label weak cipher suite (Qualys community)
  • Applied 'F' grade for Zombie POODLE, GOLDENDOODLE, 0-Length Padding Oracle and Sleeping POODLE vulnerabilities

Fixes

 

Version 1.34.2

Released to production on 26 April 2019.
New Feature
  • Added Zombie POODLE, GOLDENDOODLE, 0-Length Padding Oracle and Sleeping POODLE test for the server that supports CBC suites
  • Cipher suites using CBC modes will now be marked weak and text color changed to orange. Note: No impact on the grade

 

Version 1.33.1

Released to production on 14 March 2019.

 

New Feature

 

Version 1.32.15

Released to production on 24 January 2019.
Fixes
  • Apache threads stuck at 100% after scan (Qualys community)
  • Client test incorrectly reports "No" instead of "Firewall" for TLS 1.3 (#607)
  • Server out of compliance with TLS 1.3 Cipher Suites (RFC 8446) should be reported (#668)
  • Investigate grade mismatch between API and SSL Labs UI (#671)  

 

Version 1.32.13

Released to production on 29 November 2018.

 

New Features

  • TLS v1.3 added in Protocol Support chart of SSL Pulse
  • Text color of TLS v1.1 changed to Orange in the scan result  

 

Version 1.32.6

Released to production on 25 September 2018.

 

New Features

  • TLS v1.3 feature added to SSL Labs


Version 1.32.5

Released to production on 04 September 2018.

 

New Features

  • Trust stores updated
  • Distrust all Symantec CA Certificates

Fixes

  • Unable to scan servers that have a ECGOST3410 certificate (#113)
  • Symantec distrust warning shown for new DigiCert certificate (Qualys Community)

 

Version 1.32.3

Released to production on 17 July 2018.

 

New Features

  • TLS 1.3 server test updated to final draft 28

 

Version 1.32.2

Released to production on 05 June 2018.

 

New Features

  • TLS 1.3 server test updated to final draft 23
  • ROBOT graph chart added to SSL Pulse

Version 1.31.0

Released to production on 1 March 2018.

 

New Features

  • Grading change: Grading changes for ROBOT vulnerability, Forward secrecy and AEAD ciphers (blog post)
  • Grading change: Distrust Symantec certificates issued before June 2016 (blog post)
  • Handshake simulations update: Java 8, Googlebot and Edge 15
  • Added ROBOT chart in SSL Pulse charts

Fixes

  • SNI-only site should not be considered vulnerable to POODLE (#519)
  • Protocol-relative path redirect misinterpreted (#521)

 

Version 1.30.5

Released to production on 3 January 2018.

 

New Features

  • ROBOT (Return Of Bleichenbacher's Oracle Threat) vulnerability detection
  • Added support for certificate validation against multiple trust store (Mozilla Apple Android Java Windows)
  • SSL Labs Co-branding site for GeoCert SSL
  • Warn if server uses blocked Symantec certificate

Fixes

  • Incorrect SSL labs certificate mismatch other domain names

 

Version 1.29.2

Planned for release to production on 29 June 2017.

 

New Features

  • Detection of TLS 1.3 draft 18 (#352)
  • SSL Pulse migrated to the SSL Labs web site
  • Warn if SubjectAltName is missing (#486)
  • Warn if certificate serial numbers are more than 20 bytes in length (#498)

Fixes

  • Support RFC 7919 (#446)
  • Check revocation of DROWN certificates (#451)
  • CNNIC root shouldn't be fully trusted (#488)
  • Explain that simulations don't check trust (#494)
  • Links to test.drownattack.com no longer valid (#492)
  • News title ampersand double-encoded on the SSL Labs homepage (#491)
  • cipher not marked as insecure (#487)
  • Windows 10.14393.51 vs Logjam (#377)

 

Version 1.28.3

Released to production 3 April 2017.

 

New Features

  • Grading change: 3DES and other ciphers that use short block-sizes are now deprecated (blog post)
  • Grading change: SHA1 is now deprecated (blog post)
  • Ticketbleed (CVE-2016-9244) vulnerability detection #458
  • Added support for static public key pinning (based on Chromium source code)
  • Added detection of ALPN protocols

Fixes

  • Unexpected version number: 250 (#473)
  • EV certificate OIDs not parsed correctly (#452)
  • Better CAA documentation (#449)
  • Certificate serial numbers not displayed in API (#453)

 

Version 1.26.5

Released to production on 13 January 2017.

 

New Features

  • Improved cipher suite testing. Results are now provided on per-protocol basis and also without SNI. The testing is also faster.
  • Detection of CAA policies (#274)
  • Detection of ECDHE server parameter reuse
  • New test to determine all server-supported named curves and the order of preference (#391)
  • API v3 extended to have simulations include negotiated DHE and ECDHE parameters (#403)
  • SSL Client Test: added support for GREASE suites (#423)
  • SSL Client Test: added support for TLS 1.3 suites (#427)

Fixes

  • Incorrect key exchange reported on some servers (#431)

 

Version 1.25.2

Released to production on 19 November 2016.

 

New Features

  • Now showing all certificates discovered during assessment. This includes RSA, ECDSA and non-SNI certificates.
  • New mini SSL Labs site for Secure128: secure128.ssllabs.com
  • Improved high-resolution report icons

Fixes

  • When an assessment stops because of certificate name mismatch, the list of suggested hostnames to try was empty.
  • Intermediates reported as invoked when only the leaf is revoked (#408)
  • Missing "Ignore mismatch" option in some cases (#412)
  • HSTS false negative in some case (#416)
  • No error messages for insecure ciphers (#419)

 

Version 1.24.4

Released to production on 21 October 2016.

 

New Features

  • New User Agents added: Firefox 49, Android 7, Chrome 53, Safari 10, Chrome 49/XP, and so on.

Fixes

  • Incorrect "contains anchor message for self-signed certificates (#324)
  • SSL Labs not showing HSTS on www.google.com (#374)
  • Warning required if not all trust paths are pinned (#375)
  • Domains preloaded for pinning in Chrome show as preloaded for HSTS (#392)
  • Error with chain of trust with multiple intermediates with same name (#332)
  • Remove "viaform" parameter when report is cached (#395)
  • Checking preloading with Tor doesn't work in production (#394)
  • Discrepancy between the API and the website regarding the strength of 3DES ciphers (discussion thread)
  • API hpkpPolicy object pins encoding issue (#400)
  • API Simulation object should contain DHE and ECDHE information (#403)

 

Version 1.24.0

Released to production on 1 September 2016.

 

New Features

  • Google's experimental post-quantum suites correctly detected in the client test (#384)
  • Intolerance information exposed in the API (#370)
  • Added Content Security Policy headers
  • Added a link to beekpr-ssllabs (#366)

 

Version 1.23.50

Released to production on 21 July 2016.

 

New Features

  • Detection of must-staple certificates (#347)
  • Firefox 47 supports ChaCha20/Poly1305 cipher suites (#351)
  • Added support for "new" Windows cipher suites (#358)
  • Improved usage of HTTP security headers on SSL Labs web site itself


Fixes

  • RC4 is marked as weak instead of insecure (#273)
  • API: incorrect rc4WithModern value (#360)

Attachments

    Outcomes

      Visibility: Certificate Security20737 Views
      Last Modified by Yash KS on May 29, 2019 11:36 PM
      Tags:
      Ratings: