SSL Labs Changelog

Document created by Ivan Ristić on Jul 21, 2016Last modified by Nayan Kakati on Apr 16, 2020
Version 55Show Document
  • View in full screen mode

Version 2.1.4

Released to production on 16th April 2020



  • GitHub: False positive on Windows IIS server for Zombie Poodle/ GOLDENDOODLE (#741, #778)
  • First assessment through API gives the current assessments as 0 (#783)
  • HSTS not recognized by SSL Labs scan when browsing through WAF (#Community)


  •  Increased the server capabilities to handle more requests.


Version 2.1.3

Released to production on 16th March 2020



  • TLSv1.3 bug: server-preferred order detection broken due to Chacha20 (#657)
  • Internal technical enhancements


Version 2.1.0

Released to production on 31th January 2020




Version 2.0.7

Released to production on 14th January 2020




  •  Make Client Test more accessible to clients with poor capabilities (#372, #765)


Version 2.0.5

Released to production on 30th December 2019


  • This  change is internal to SSL Labs and no specific changes to customer


Version 1.36.3

Released to production on 14 November 2019



Version 1.36.2

Released to production on 11 October 2019



  • Prepone grade change for supporting TLS1.0/1.1 to January 2020, Also changed in Summary messages


Version 1.36.1

Release to production on 30 September 2019

  • Updated the trust store in SSL Labs for Mozilla, Apple, Android, Java, and Windows
  • Show a warning summary message for supporting TLS 1.0 and 1.1 (Qualys Blog)
  • Updated Android 7.0 handshake bytes
  • Added Android 8.0.0 to the user agent capabilities test (#672)
  • Added Openssl 1.1.0 or newer to Simulations (#536)


Version 1.35.3

Released to production on 03 September 2019



  •  Updated/Added clients to User agent capabilities(#720, #703, #719)
  •  Changed the error summary message to information for not implementing mandatory cipher suite (TLS_AES_128_GCM_SHA256) for TLS 1.3

Version 1.35.1

Released to production on 30 May 2019



  • SSL Pulse: Added charts for Zombie POODLE, GOLDENDOODLE, 0-Length Padding Oracle and Sleeping POODLE vulnerabilities
  • Update API to label weak cipher suite (Qualys community)
  • Applied 'F' grade for Zombie POODLE, GOLDENDOODLE, 0-Length Padding Oracle and Sleeping POODLE vulnerabilities



Version 1.34.2

Released to production on 26 April 2019.
New Feature
  • Added Zombie POODLE, GOLDENDOODLE, 0-Length Padding Oracle and Sleeping POODLE test for the server that supports CBC suites
  • Cipher suites using CBC modes will now be marked weak and text color changed to orange. Note: No impact on the grade


Version 1.33.1

Released to production on 14 March 2019.


New Feature


Version 1.32.15

Released to production on 24 January 2019.
  • Apache threads stuck at 100% after scan (Qualys community)
  • Client test incorrectly reports "No" instead of "Firewall" for TLS 1.3 (#607)
  • Server out of compliance with TLS 1.3 Cipher Suites (RFC 8446) should be reported (#668)
  • Investigate grade mismatch between API and SSL Labs UI (#671)  


Version 1.32.13

Released to production on 29 November 2018.


New Features

  • TLS v1.3 added in Protocol Support chart of SSL Pulse
  • Text color of TLS v1.1 changed to Orange in the scan result  


Version 1.32.6

Released to production on 25 September 2018.


New Features

  • TLS v1.3 feature added to SSL Labs

Version 1.32.5

Released to production on 04 September 2018.


New Features

  • Trust stores updated
  • Distrust all Symantec CA Certificates


  • Unable to scan servers that have a ECGOST3410 certificate (#113)
  • Symantec distrust warning shown for new DigiCert certificate (Qualys Community)


Version 1.32.3

Released to production on 17 July 2018.


New Features

  • TLS 1.3 server test updated to final draft 28


Version 1.32.2

Released to production on 05 June 2018.


New Features

  • TLS 1.3 server test updated to final draft 23
  • ROBOT graph chart added to SSL Pulse

Version 1.31.0

Released to production on 1 March 2018.


New Features

  • Grading change: Grading changes for ROBOT vulnerability, Forward secrecy and AEAD ciphers (blog post)
  • Grading change: Distrust Symantec certificates issued before June 2016 (blog post)
  • Handshake simulations update: Java 8, Googlebot and Edge 15
  • Added ROBOT chart in SSL Pulse charts


  • SNI-only site should not be considered vulnerable to POODLE (#519)
  • Protocol-relative path redirect misinterpreted (#521)


Version 1.30.5

Released to production on 3 January 2018.


New Features

  • ROBOT (Return Of Bleichenbacher's Oracle Threat) vulnerability detection
  • Added support for certificate validation against multiple trust store (Mozilla Apple Android Java Windows)
  • SSL Labs Co-branding site for GeoCert SSL
  • Warn if server uses blocked Symantec certificate


  • Incorrect SSL labs certificate mismatch other domain names


Version 1.29.2

Planned for release to production on 29 June 2017.


New Features

  • Detection of TLS 1.3 draft 18 (#352)
  • SSL Pulse migrated to the SSL Labs web site
  • Warn if SubjectAltName is missing (#486)
  • Warn if certificate serial numbers are more than 20 bytes in length (#498)


  • Support RFC 7919 (#446)
  • Check revocation of DROWN certificates (#451)
  • CNNIC root shouldn't be fully trusted (#488)
  • Explain that simulations don't check trust (#494)
  • Links to no longer valid (#492)
  • News title ampersand double-encoded on the SSL Labs homepage (#491)
  • cipher not marked as insecure (#487)
  • Windows 10.14393.51 vs Logjam (#377)


Version 1.28.3

Released to production 3 April 2017.


New Features

  • Grading change: 3DES and other ciphers that use short block-sizes are now deprecated (blog post)
  • Grading change: SHA1 is now deprecated (blog post)
  • Ticketbleed (CVE-2016-9244) vulnerability detection #458
  • Added support for static public key pinning (based on Chromium source code)
  • Added detection of ALPN protocols


  • Unexpected version number: 250 (#473)
  • EV certificate OIDs not parsed correctly (#452)
  • Better CAA documentation (#449)
  • Certificate serial numbers not displayed in API (#453)


Version 1.26.5

Released to production on 13 January 2017.


New Features

  • Improved cipher suite testing. Results are now provided on per-protocol basis and also without SNI. The testing is also faster.
  • Detection of CAA policies (#274)
  • Detection of ECDHE server parameter reuse
  • New test to determine all server-supported named curves and the order of preference (#391)
  • API v3 extended to have simulations include negotiated DHE and ECDHE parameters (#403)
  • SSL Client Test: added support for GREASE suites (#423)
  • SSL Client Test: added support for TLS 1.3 suites (#427)


  • Incorrect key exchange reported on some servers (#431)


Version 1.25.2

Released to production on 19 November 2016.


New Features

  • Now showing all certificates discovered during assessment. This includes RSA, ECDSA and non-SNI certificates.
  • New mini SSL Labs site for Secure128:
  • Improved high-resolution report icons


  • When an assessment stops because of certificate name mismatch, the list of suggested hostnames to try was empty.
  • Intermediates reported as invoked when only the leaf is revoked (#408)
  • Missing "Ignore mismatch" option in some cases (#412)
  • HSTS false negative in some case (#416)
  • No error messages for insecure ciphers (#419)


Version 1.24.4

Released to production on 21 October 2016.


New Features

  • New User Agents added: Firefox 49, Android 7, Chrome 53, Safari 10, Chrome 49/XP, and so on.


  • Incorrect "contains anchor message for self-signed certificates (#324)
  • SSL Labs not showing HSTS on (#374)
  • Warning required if not all trust paths are pinned (#375)
  • Domains preloaded for pinning in Chrome show as preloaded for HSTS (#392)
  • Error with chain of trust with multiple intermediates with same name (#332)
  • Remove "viaform" parameter when report is cached (#395)
  • Checking preloading with Tor doesn't work in production (#394)
  • Discrepancy between the API and the website regarding the strength of 3DES ciphers (discussion thread)
  • API hpkpPolicy object pins encoding issue (#400)
  • API Simulation object should contain DHE and ECDHE information (#403)


Version 1.24.0

Released to production on 1 September 2016.


New Features

  • Google's experimental post-quantum suites correctly detected in the client test (#384)
  • Intolerance information exposed in the API (#370)
  • Added Content Security Policy headers
  • Added a link to beekpr-ssllabs (#366)


Version 1.23.50

Released to production on 21 July 2016.


New Features

  • Detection of must-staple certificates (#347)
  • Firefox 47 supports ChaCha20/Poly1305 cipher suites (#351)
  • Added support for "new" Windows cipher suites (#358)
  • Improved usage of HTTP security headers on SSL Labs web site itself


  • RC4 is marked as weak instead of insecure (#273)
  • API: incorrect rc4WithModern value (#360)
5 people found this helpful