TLS-Scanner v5.2.5
Starting with this release, we attribute the Technology Innovation Institute (@tiiuae) in the license header to reflect the extensive contributions made by its researchers.
This is also the first release supporting DTLS scans. By adding the -dtls flag, you can now evaluate the supported protocol features of a DTLS server and test for common vulnerabilities (Bleichenbacher, Padding Oracle, RACCOON, ALPACA, ...). We also added new probes to evaluate DTLS-specific features such as:
- cookie validation
- protection against DoS amplification attacks
- protection against memory exhaustion DoS attacks
- retransmission support
- fragmentation support
- reordering support
- handling of invalid message sequence numbers
We also added a first version of an application fingerprinting probe for DTLS. Once TLS-Scanner knows the application protocol deployed on the server, more detailed tests for correct handling of improperly protected application data will be executed.
Minor changes in Client-Scanner:
- added new probes to evaluate supported EC Point Formats and minimum public key sizes expected in server certificate
- improved parallelization of extensive probes
- switched towards dynamic extension selection by default instead of hard-coded choices
