Released to production on 16th April 2020
- GitHub: False positive on Windows IIS server for Zombie POODLE/GOLDENDOODLE (#741, #778)
- First assessment through API gives the current assessments as 0 (#783)
- HSTS not recognized by SSL Labs scan when browsing through WAF (#Community)
- Increased the server capabilities to handle more requests.
Released to production on 16th March 2020
- TLSv1.3 bug: server-preferred order detection broken due to Chacha20 (#657)
- Internal technical enhancements
Released to production on 31st January 2020
- CVE-2020-0601 aka CurveBall is made available for Client testing at https://clienttest.ssllabs.com
- SSL Labs now caps the server grade at B for servers supporting TLS 1.0 and TLS 1.1 (Qualys Community)
Released to production on 14th January 2020
Released to production on 30th December 2019
- This change is internal to SSL Labs, with no specific changes for customers
Released to production on 14 November 2019
Released to production on 11 October 2019
- Brought the grade change for supporting TLS 1.0/1.1 forward to January 2020; also changed in summary messages
Released to production on 30 September 2019
- Updated the trust store in SSL Labs for Mozilla, Apple, Android, Java, and Windows
- Show a warning summary message for supporting TLS 1.0 and 1.1 (Qualys Blog)
- Updated Android 7.0 handshake bytes
- Added Android 8.0.0 to the user agent capabilities test (#672)
- Added OpenSSL 1.1.0 or newer to Simulations (#536)
Released to production on 03 September 2019
Released to production on 30 May 2019
- SSL Pulse: Added charts for Zombie POODLE, GOLDENDOODLE, 0-Length Padding Oracle and Sleeping POODLE vulnerabilities
- Update API to label weak cipher suite (Qualys community)
- Applied 'F' grade for Zombie POODLE, GOLDENDOODLE, 0-Length Padding Oracle and Sleeping POODLE vulnerabilities
- IPv6 problems for TLS 1.3 only servers (#669 & Qualys community)
- Client result vs server result "rating" coloring (#704)
- Added Zombie POODLE, GOLDENDOODLE, 0-Length Padding Oracle and Sleeping POODLE test for the server that supports CBC suites
- Cipher suites using CBC modes will now be marked weak and text color changed to orange. Note: No impact on the grade
Released to production on 14 March 2019.
- Added 0-RTT test for TLS 1.3 enabled servers (Qualys community)
- Apache threads stuck at 100% after scan (Qualys community)
- Client test incorrectly reports "No" instead of "Firewall" for TLS 1.3 (#607)
- Server out of compliance with TLS 1.3 Cipher Suites (RFC 8446) should be reported (#668)
- Investigate grade mismatch between API and SSL Labs UI (#671)
Released to production on 29 November 2018.
- TLS v1.3 added in Protocol Support chart of SSL Pulse
- Text color of TLS v1.1 changed to Orange in the scan result
Released to production on 25 September 2018.
- TLS v1.3 feature added to SSL Labs
Released to production on 04 September 2018.
- Trust stores updated
- Distrust all Symantec CA Certificates
- Unable to scan servers that have a ECGOST3410 certificate (#113)
- Symantec distrust warning shown for new DigiCert certificate (Qualys Community)
Released to production on 17 July 2018.
- TLS 1.3 server test updated to final draft 28
Released to production on 05 June 2018.
- TLS 1.3 server test updated to final draft 23
- ROBOT graph chart added to SSL Pulse
Released to production on 1 March 2018.
- Grading change: Grading changes for ROBOT vulnerability, Forward secrecy and AEAD ciphers (blog post)
- Grading change: Distrust Symantec certificates issued before June 2016 (blog post)
- Handshake simulations update: Java 8, Googlebot and Edge 15
- Added ROBOT chart in SSL Pulse charts
- SNI-only site should not be considered vulnerable to POODLE (#519)
- Protocol-relative path redirect misinterpreted (#521)
Released to production on 3 January 2018.
- ROBOT (Return Of Bleichenbacher's Oracle Threat) vulnerability detection
- Added support for certificate validation against multiple trust stores (Mozilla, Apple, Android, Java, Windows)
- SSL Labs Co-branding site for GeoCert SSL
- Warn if server uses blocked Symantec certificate
- Incorrect SSL Labs certificate mismatch other domain names
Planned for release to production on 29 June 2017.
- Detection of TLS 1.3 draft 18 (#352)
- SSL Pulse migrated to the SSL Labs web site
- Warn if SubjectAltName is missing (#486)
- Warn if certificate serial numbers are more than 20 bytes in length (#498)
- Support RFC 7919 (#446)
- Check revocation of DROWN certificates (#451)
- CNNIC root shouldn't be fully trusted (#488)
- Explain that simulations don't check trust (#494)
- Links to test.drownattack.com no longer valid (#492)
- News title ampersand double-encoded on the SSL Labs homepage (#491)
- cipher not marked as insecure (#487)
- Windows 10.14393.51 vs Logjam (#377)
Released to production 3 April 2017.
- Grading change: 3DES and other ciphers that use short block-sizes are now deprecated (blog post)
- Grading change: SHA1 is now deprecated (blog post)
- Ticketbleed (CVE-2016-9244) vulnerability detection (#458)
- Added support for static public key pinning (based on Chromium source code)
- Added detection of ALPN protocols
- Unexpected version number: 250 (#473)
- EV certificate OIDs not parsed correctly (#452)
- Better CAA documentation (#449)
- Certificate serial numbers not displayed in API (#453)
Released to production on 13 January 2017.
- Improved cipher suite testing. Results are now provided on per-protocol basis and also without SNI. The testing is also faster.
- Detection of CAA policies (#274)
- Detection of ECDHE server parameter reuse
- New test to determine all server-supported named curves and the order of preference (#391)
- API v3 extended to have simulations include negotiated DHE and ECDHE parameters (#403)
- SSL Client Test: added support for GREASE suites (#423)
- SSL Client Test: added support for TLS 1.3 suites (#427)
- Incorrect key exchange reported on some servers (#431)
Released to production on 19 November 2016.
- Now showing all certificates discovered during assessment. This includes RSA, ECDSA and non-SNI certificates.
- New mini SSL Labs site for Secure128: secure128.ssllabs.com
- Improved high-resolution report icons
- When an assessment stops because of certificate name mismatch, the list of suggested hostnames to try was empty.
- Intermediates reported as revoked when only the leaf is revoked (#408)
- Missing "Ignore mismatch" option in some cases (#412)
- HSTS false negative in some cases (#416)
- No error messages for insecure ciphers (#419)
Released to production on 21 October 2016.
- New User Agents added: Firefox 49, Android 7, Chrome 53, Safari 10, Chrome 49/XP, and so on.
- Incorrect "contains anchor" message for self-signed certificates (#324)
- SSL Labs not showing HSTS on www.google.com (#374)
- Warning required if not all trust paths are pinned (#375)
- Domains preloaded for pinning in Chrome show as preloaded for HSTS (#392)
- Error with chain of trust with multiple intermediates with same name (#332)
- Remove "viaform" parameter when report is cached (#395)
- Checking preloading with Tor doesn't work in production (#394)
- Discrepancy between the API and the website regarding the strength of 3DES ciphers (discussion thread)
- API hpkpPolicy object pins encoding issue (#400)
- API Simulation object should contain DHE and ECDHE information (#403)
Released to production on 1 September 2016.
- Google's experimental post-quantum suites correctly detected in the client test (#384)
- Intolerance information exposed in the API (#370)
- Added Content Security Policy headers
- Added a link to beekpr-ssllabs (#366)
Released to production on 21 July 2016.
- Detection of must-staple certificates (#347)
- Firefox 47 supports ChaCha20/Poly1305 cipher suites (#351)
- Added support for "new" Windows cipher suites (#358)
- Improved usage of HTTP security headers on SSL Labs web site itself