« SSL Labs RC4 deprecation plan | Main | SSL Labs 1.17: RC4, Obsolete Crypto, and Logjam »

What's new in SSL Labs 1.16

April 28, 2015

Yesterday, we released a new version of SSL Labs. In this blog post I'd like to quickly go over what was changed: there were a healthy number of improvements, a few fixes, and a large number of additions to the API.

New features and assessment improvements:

  • Added checks for Certificate Transparency in certificate, stapled OCSP response and TLS extensions
  • Stapled OCSP responses are now always checked, with any errors shown in the UI
  • Java 8 simulation takes into account the 2048-bit DH parameter limit
  • Java simulations take into account that Java aborts TLS handshakes if it sees unrecognized_name TLS warning
  • When a strong suite is used with weak or insecure DH parameters, only the parameters are highlighted (using orange or red, as appropriate). This should make it easier to understand exactly what is problematic.
  • Tests for TLS version intolerance to TLS 1.3+ now use 0x0301 version at the record layer. This change aligns our testing with the recent similar change in the TLS 1.3 specification, which aims to minimise intolerance issues.
  • Enabled throttling for assessments submitted via the web site. Previously, throttling was enabled only for the API, but, unfortunately, we're seeing out-of-control scrapers that push our load for no good reason and use an unfair share of resources. Throttling is now uniformly implemented, with limits on per IP address-basis. Only new assessment requests are checked; if your IP address already has too many concurrent requests, you will be asked to come later. However, you're not actually supposed to see this message unless you're submitting automated assessments. If you do, please get in touch with us and tell us your IP address. Perhaps our throttling configuration needs to be tuned.

Other smaller changes and fixes:

  • Updated root store to the latest from Mozilla (only one weak 1024-bit root left!)
  • Updated browser simulations: Chrome 42, Firefox 37, IE11, and IEMobile 11
  • The terms and conditions now cover the case when our APIs are used by infrastructure providers (no need to contact us any more!)
  • All times are now shown in UTC
  • Fixed A+ awarded with 1024-bit DH parameters
  • Lots of other smaller changes

API improvements:

  • Added EndpointDetails.freak
  • New ChainCert fields: notBefore, notAfter, sigAlg, keyAlg, keySize, keyStrength
  • Added Cert.sct
  • Added EndpointDetails.hasSct
  • Added EndpointDetails.poodle
  • New EndpointDetails fields: staplingRevocationStatus and staplingRevocationErrorMessage
  • New Cert fields: crlRevocationStatus and ocspRevocationStatus
  • New ChainCert fields: revocationStatus, crlRevocationStatus and ocspRevocationStatus
  • Added Endpoint.gradeTrustIgnored
  • Field ChainCert.issues is now set to zero if there are no issues. Previously this field wouldn't exist in the JSON structure.
  • Fixed ChainCert.issues didn't flag weak (e.g., SHA1) certificates
MY BOOK: If you like this blog post, you will love Bulletproof TLS and PKI. For system administrators, developers, and IT security professionals, this book provides a comprehensive coverage of the ever-changing field of SSL/TLS and Internet PKI and will teach you everything you need to know to protect your systems from eavesdropping and impersonation attacks. It's available now.