Beta 5.1.16

Summary

• Fix bugs w/handling of version handling (e.g., dvversion)
• Misc improvements to project/build files (e.g., .gitignore)
• Various improvements to the build process to support publishing artifacts to Maven Central

Note(s):
N1 - isDeepVioletSnapShot() does not return the correct state occasionally. Fixed in the snapshot build.

More DV improvements

• DV versioning functions getDeepVioletMajorVersion(), getDeepVioletMinorVersion(), getDeepVioletBuildVersion(), return versioning information directly from the Maven build process. The advantage is that build version information is taken directly from Maven and not hard-coded class variables that may be out of date. isDeepVioletSnapShot() has been added to tell if the build is beta or release status.

• DVFactory.getDVEng(IDVSession, IDVSession.CIPHER_NAME_CONVENTION, DVBackgroundTask), new method allows caller specify the ciphersuite naming convention for returning human readable ciphersuite names and background task for improved status (see following).

• Develop DVBackgroundTask so callers can have status updates as scanning jobs proceed. This keeps a steady flow of interesting status for users so they understand scanning progress. Use in your programs extend DVBackgroundTask and override as necessary. See UIBackgroundScanTask and MainFrm.updateLongRunningUIStatus() for sample implementation code.

See main project page for Maven POM dependency information.

Beta 5.1.0

This pre-release is for teams to begin reviewing the new features/changes, identify effort to implement. More improvements and documentation will be made available as DV closes on the release. --Milton

Improvement 1(COMPLETE), It would be awesome if session properties were set based on constants or enums for the keys, eg: https://github.com/spoofzu/DeepViolet/blob/5113cf8ddbc7df211f34e1b2617a824a3e548cf8/src/main/java/com/mps/deepviolet/api/DVFactory.java#L104 So that when users want to do something like,
String[] hshake_list = session.getPropertyValue("ENABLED_PROTOCOLS").split(",");
they're not bound to a string for the key name which could change and break things in the future. (via kingthorin+owaspzap)

Improvement 2(COMPLETE), Vulnerability Analysis
Perform analysis for various attacks against TLS. This has been requested by a several people as being a valuable feature for them. Originally, SSLServer included support for BEAST, CRIME, and FREAK. Along with these I will add support for ROBOT.

Improvement 3(COMPLETE), Ciphersuite Name Convention May be Specified
Support popular ciphersuite name conventions: GnuTLS, NSS, IANA, OpenSSL. Convention may be specified when calling, IDVEng.getCipherSuites(CIPHER_NAME_CONVENTION CIPHER_NAME_CONVENTION) if no naming convention is specified then CIPHER_NAME_CONVENTION.IANA is the default.

Improvement 4(COMPLETE), Update Mozzila JSON Documents
DV ships with two files, 1) ciphermap.json. This file provides a mapping to desired ciphersuite naming convention described in Improvement 5. 2) server-side-tls-conf-4.0.json. This file provides the mapping to ciphersuite strength evaluations. The json information is gathered online and placed into static files that ship with DV so that DV does not open connections to Mozilla at runtime. In any case, this information has been refreshed with the latest from Mozilla.

Bug/Fix It Items

1. Errors in ciphersuite selection during the TLS handshake should be communicated differently. Following is a sample error message, "Error: server wants to use cipher suite 35 which client did not announce".

---

Parking Lot:, Progressbar support.
Test progress and early abort if taking too long. Refer to comments in, zaproxy/zaproxy#2532 (via thc202_owaspzap)
Note(3/7/2018 Milton): I have code like sort of like this for the DeepVioletTools UI so that scanning occurs outside the callers thread. This helps keep the UI status fresh while the user is waiting. To make this work I would instead need to push the functionality down into the API. The feature definitely makes sense for callers like ZAP. I just need to find some time to get it done. ;o).

Parking Lot: Scoring System
Consider moving to a scoring system similar to Qualys SSL Labs scoring and TLS Observatory. Today there is no analysis, with the exception of a strong, medium, and weak evaluation of cipher suites.
Note(1/18/2018 Milton): I like the idea but I'm concerned about implementing it since it seems a bit misleading since DV is not comprehensive. My concern may be roughly summarized in the following, if I don't find any problems and I provide a grade of "A" or similar status it may be misleading since there could still be a problem in other types of attacks or areas I don't check. Outside of a useful rubrik to communicate results to users, I would like to postpone this for now.

Parking Lot: JSON Report
Several attendees at Black Hat EU 2016 mentioned exporting reports in JSON would be a big compatibility benefit. Easy integration with Splunk was one example. Considering how best to implement.

Beta 5.0.3

Minor improvements over 5.0.2

Improvement 1, Bind to slf4j interfaces only, allows caller to choose underlying logging bindings for the API.
Improvement 2, Change the format of the version string, version string for major, minor, and build versions now reflects the build tag.

Beta 5.0.2

Minor clean-up for DV Beta 5 release

Improvement 1, DVEng.VERSION_MAJOR and DVEng.VERSION_MINOR reporting the wrong build, 1.4.0. Changed to report 5.0.2.

Improvement 2, Remove DVX509OffCertificate.java and other deprecated references to offline certificate processing.

Improvement 3, within CipherSuiteUtil.supportedSuites(InetSocketAddress,int,Set) if the server responds with a ciphersuite that we did not choose we display error. Server should only ask for a cipher that we provide. For now, set to debug to turn message off.

Improvement 4, Improve to return all ciphers returned for each version of TLS handshake. CipherSuiteUtil.getServerMetadataInstance() to return ciphersuites for each TLS version. Change DeepScanTask.printSupportedCipherSuites() in the DeepVioletTools project to print all ciphersuites for each TLS handshake. Previously would only print the unique ciphers.

Beta 5

Beta 5 release notes. For the original notes see, #5

(DELIVERED) Improvement 1, Improve Analysis of Ciphersuite strength evaluation
There are some ciphers in the list that are marked strong that are no longer strong. See, Mozilla Cipher Recommendations. Coordinating with ZAP team, see #2532.

(DELIVERED) Improvement 2, Improve Cipher Suite Naming and Mapping
Today DV includes the IANA cipher names, consider alternative mappings to Mozilla's Cipher Names Correspondence Table. See, Mozilla Cipher Recommendations. Also add improvement for key length evaluation, #8. Coordinating with ZAP team, see #2532.

(DROPPING) Improvement 3, Improve Command Line/GUI Output
Running DV from the command line produces a poorly formatted certificate output. Clean-up and standardized. (Sep17, Milton) Dropping this back to the feature grab bag since it's not very important to most people.

(PARTIAL DELIVERY) Improvement 4, Improve Test Cases
DV test cases are too simple. Need better test cases that test various types of trust chains like cross signing certificates, revoked certificates, malformed certificates, both positive/negative cases etc. (NotesMS Dec7) Test cases have been improved but more improvements need to be made. Beyond scope/depth of testing the test cases need to be thoughtfully arranged so to better coincide with the Maven deployment. For example, development check in should be quick testing but tests for pull requests should be more comprehensive prior to merge. After the merge testing should be run for historical reasons but we may not check the results unless their is a problem. This keeps test overhead to a minimum but applies the most comprehensive tests when needed the most.

(DELIVERED)Improvement 5, Include X.509 certificate tests from badssl.com
Internal improvement in the projects test TLS test suites. Badssl.com provides various servers on their site to perform negative certificate testing. Negative certificate tests can be difficult to setup and maintain so these tests help the DV team identify weaknesses in the API and fix them quickly.

(DELIVERED)Improvement 6, Test cases for Mozilla JSON
Internal improvement to validate Mozilla JSON files. Test cases added to assess quality of ciphermap.json and server-side-tls-conf-4.0.json files from the Mozilla project.

(PARTIAL DELIVERY) Improvement 7, Move source for Desktop/Command Line reference tools
Move reference tools out of the DeepViolet project and create a new project for them. The reason is that most people that need the API don't care about the tools. The tools just clutter up the API project. I isolating the core API from everything else is a better organizational approach. (NotesMS Dec7) For now the code has been moved out. A new repo has yet to be created but in any case it's not strictly required for Beta 5 objectives.

(DELIVERED)Improvement 8, Remove support for offline processing
Originally the API was designed to include some support for offline certificate analysis. In hind site this feature has limited usefulness an will be removed. The feature to save PEM encoded certificates may need to be cleaned up on the tools are split out from the main project. The feature to save PEM encoded certs can likely be removed since redirecting the output stream of the command line tool can effectively do the same thing.

Misc Enhancements/Bugs
Project documentation improvements, #9

Beta4

Note: pull request that goes along with this release was mislabeled as Beta3.

Release summary

• Added API support for those who want to use DeepViolet features
  in their own projects. See com.mps.deepviolet.api
• Added samples package with sample code to demonstrate new API
• Refactored existing code for the command line support and UI to
  use the new API.
• 2 new command line options for debugging added, -d and -d2.
  d turns on Java SSL/TLS debugging. -d2 assigns DV debug
  logging priority.
• Generated JavaDocs for Public APIs, see com.mps.deepviolet.docs
• javadoc.xml added to generate JavaDocs
• Support for dock icon on OSX for the UI

The new feature means 3 jar binaries will be created for every release,
dvUI.jar, dvCMD.jar, dvAPI.jar

Essentially, all jars contain the same code with a slight change to
the manifest to each that enables running via desktop double-click.

Beta3

• Remove dvCMD.jar and dvUI.jar from the project root. Available in Releases tab.
• Add -debug option to print SSL/TLS enable Java debugging. Update command line options.
• Improve main thread to check when worker thread finished. Faster clean-up and exit when program ends.
• When operating in command line mode don't print any worker thread busy messages unless at least 15 seconds of inactivity elapsed.
• Load operating system look and feel manager for cleaner windows
• Load dock icon on OSX
• Misc error message clean-up, remove spaces, etc

Beta 2

Include several new command line improvements,

• Read and write PEM encoded certificates. [-wc | -rc ]
• Specify individual report sections. Speeds up reporting and scripts. -s{t|h|r|c|i|s|n}
• Better support edge cases like self-signed untrusted roots
• Improved support for more ASN.1 DER object types
• Check trust of offline certificates (e.g., PEM files) where possible

Minor improvements, stability, and fixes,

• Generate the fingerprint for certificate using signing algorithm
• Communicate expired or invalid certificate status better
• Change the name of the DeepScan button to Scan
• Improved support for creating the DeepViolet working directory, creates directories, permissions checks, etc
• Support for $dv_user_directory (DeepViolet working dir) variable within logback configuration
• Change the name of the log to deepviolet.log
• Minor changes to default logback configuration (logback.xml)

See readme.md page for updated usage information and notes

Initial release

Initial release of DeepViolet