version 2.0

⚠️ major API change - breaks backwards compatibility with v1.x branch

Changelog

• TLS 1.3 draft18 - #85
• (!) Removal of pycrypto dependency, replaced by pycryptodome
• (!) Refactor of TLSSessionCtx. External interface preserved, but scripts depending on TLSSessionCtx variables will need to be adjusted
• Support for TLS 1.2 AEAD ciphers (GCM and CCM)
• Support for TLS 1.2 cipher defined KDF
• Refactored Crypto containers
• Introduction of Asymmetrical, Key Exchange and Symmetrical keystores
• Client-side support for TLS session resumption (ticket, session_id)

commit log

version 1.2.3.4

v1.2.3 maintenance release

Changelog

• (#115) fix dnet dependency on macos error by switching to pydumbnet (cherry-picked 7f641da from master)

version 1.2.3.3

v1.2.3 maintenance release

Changelog

• (!) (#109) TLSSignatureHashAlgorithm.hash_algorithm changed to TLSSignatureHashAlgorithm.hash_alg
• (!) (#109) TLSSignatureHashAlgorithm.signature_algorithm changed to TLSSignatureHashAlgorithm.sig_alg
• (!) (#109) TLSExtSignatureAndHashAlgorithm.algorithms changed to TLSExtSignatureAndHashAlgorithm.algs

version 1.2.3.2

Maintenance Release for v1.2.3

Changelog:

• fixes wrong definition of TLSServerHello #91 (#92)

version 1.2.3.1

• fixes #79 - pip installing unsupported scapy version

version 1.2.3

• Fixes pip/setup.py installation with multiple site-packages directories and setup.py picking the wrong one
• Adds certificate_verify message/layer
• Adds passive scanning mode to examples/security_scanner and various new checks
• Adds server-side support (examples: RSA Server)
• Adds client mutual authentication support
• Fixes a bug with scapy 3.2.1 (path to raw_packet_cache_fields changed)
• Updates do_dissect to match scapy 2.3.1 interface
• Fixes SSLv2 parsing
• Updates requirements.txt to pin scapy to version <=2.3.2 (due to major api breaking changes in 2.3.3)
• Adds Client Automata
• Adds Server Automata
• Fixes minor code quality issues and problems with imports for examples

version 1.2.2

• client ECDHE support
• client automata
• updated tls registry
  • names for ExtensionTypes[padding,SessionTicket_TLS],CertificateTypes[X_509,Raw_Public_Key] and ALPN have changed, see: 79e0997
• fixed normalization for tls_registry update util.
• moved CI from cloudbees (discontinued) to travis-ci

version 1.2.1

• Adds support for TLS 1.2
• Adds basic fragmentation support
• Fixes conditional extension length for rdpcap/sniff
• Fixes dependencies for OSX
• Fixes FieldListFields elements in .show/repr() being displayed as numeric instead of human readable representation
• Fixes uninmplemented TLSExtensions messing up the dissector

version 1.2

• Updates TLS registries as they're now synced with the official ones provided by IANA (ciphers and various other message types)
• Fixes dissection of stacked handshakes
• Adds support for TLSv1.1
• Adds support for client-side DHE-RSA
• Fixes sniffer / pcap example
• Fixes security_scanner example (starttls support), adds heartbleed check
• Updates Readme

version 1.1

fixes:

• moved TLSRecord splitting to SSL compound class; removed do_dissect in
  TLSRecord as this is an upperlayer issue
• fixed various Extensions to act like leaf layers (extract_padding)
• fixed Client/ServerHello never got filled due to issues with
  ConditionalFields; seems like the condition "do we have items in
  extension list" was never met since the field was not yet processed.
• removed TLSKeXParamEncryptedPremasterSecret - wasn't used. will show up as Raw and thats fine.

new:

• automatic decryption of protocols
• Added example of a full TLS connection
• added handshake: new_session_ticket
• added extensions: renegotiation_info, session_ticket_tls
• made TLSRecord sense for Ciphertexts
• removed attrib 'mac' from TLSCipherText. We'll have an extra class for that
• dissection of tls_hello extensions
• java integration suite