TLS-Canary tools release: 4.0.0

This release improves embeddability by extracting the framework elements to a seperate module (thanks @cr!). The reason for the major version bump is that we're dropping Python 2.x compatability with this release.

TLS Canary experimental release: 3.3.0a1

This is an experimental release that incorporates various fixes for nightly regressions which are becoming increasingly frequent. Also this version now requires python3. Python2 support is dropped completely.

This release is not available through regular PyPI. To install it via pip, you must use testpypi as package resource:

$ pip install -i https://test.pypi.org/pypi tlscanary --pre

TLS Canary hotfix release 3.2.2

This is a hotfix release for the single issue #166, resulting in JS errors on Firefox Nightly 63.

TLS Canary hotfix release 3.2.1

This release fixes the server_cert.getChain is not a function error caused by the removal of this function in current nightly. See issue #163.

TLS Canary feature release 3.2.0

What's new?

This release has a completely new UI for both report pages and main project index page. As a result, we have removed legacy HTML and JS files, as well as the legacy htmlreport log command. This change is not backwards-compatible.

Also included is better integration with OneCRL tools and tests. The regression mode now uses a known revoked certificate to verify that OneCRL is working properly before running any tests. In addition, the project contains updated links to the OneCRL tool repo and stable release.

The new --remove_certs option prevents cert data from being written to logs, reducing log size to roughly a quarter.

Changelog

• Updated OneCRL tool code to point to new directory
• Improved regression mode to support configurable scans and caching
• Integrated OneCRL sanity test into regression mode
• Upgraded certificate database files for Firefox's use_sqldb feature
• Switched default OneCRL pin to 'stable' tag
• New UI for report pages, built on jQuery bootgrid
• Report pages consume native JSON logs
• Port new UI code to index page
• Added webreport to log mode to support the above
• Removed htmlreport and all old HTML/JS files
• Added --remove_certs option for keeping leaner logs (#155)
• Fixed nightly regression in JS worker after bug 792808 removed XPCOM from XHR.

TLS Canary bugfix and stability release 3.1.2

What's new?

This release is mostly for fixing #123 which was breaking TLS Canary deployments in the field, but it also includes various stability improvements that had accumulated since our last release. Most notably, TLS Canary 3.1.2 is now using only a fraction of memory (#44). Full scan runs previously required up to 90 GBytes of memory. Incremental logging brought this down to a much more manageable 3 GBytes.

Changelog

• Replaced obsolete nsILocalFile with nsIFile, fixing #123.
• Preventing idle RunLogs from hogging file descriptors, fixing #126.
• Added chunking and fixed progress logging. The Python process now takes at most 2.5 GBytes of memory. Each Firefox instance requires 50 to 100 MBytes. (#44)
• Added sources_size to log metadata. (#36)
• Fixed bootstrapping script for Linux.
• Top sites host database update. There are now only 460k hosts. We weeded out ~80k hosts that were always throwing errors, resulting in shorter scan time for the whole set.
• HTML reports now include the profiles again.
• Added extensive integration and unit testing to repo since the last release.

TLS Canary hotfix release 3.1.1

This is a hotfix for upstream breakage in OneCRL-Tools. It introduces the argument --onecrlpin for pinning OneCRL-Tools to a specific git commit. The default value is 244e704 which is the last known-working commit in that repo. Note that the 3.1.1 effectively disables OneCRL-Tools updates. You must manually specify --onecrlpin=master to work with the latest release.

TLS Canary feature release 3.1.0

What's new?

• TLS Canary is now a proper Python package. Stable releases can be installed with a simple pip install tlscanary.
• Run modes performance, regression, and scan now log into a central logging facility that stores compressed run logs in ~/.tlscanary/log. Producing a report now requires a separate call to tlscanary. To generate the legacy HTML report, use a variation of tlscanary log -a htmlreport.
• Introduced a new run mode called log for maintaining the run log database and generating reports. See tlscanary log --help for details.
• Introduced a new JSON-based log format, produced by tlscanary log -a json.
• The -t/--test and -b/--base arguments now also take paths to Firefox package files or build trees.
• You can now set prefs in the test candidates using the -p/-p1/p2 arguments, just like in good old ssl_compat days.
• Much more metadata is collected about the test candidates and stored in the run log.
• Windows PowerShell is now a fully supported platform.
• Introduced a srcupdate run mode for updating host databases. See tlscanary srcupdate --help and the README for details.
• Command line now takes "run modes" as first positional argument. Internally the argument parser employs subparsers for this, thus shared arguments like --workdir and --debug must now be given before the run mode argument.
• Scans are temporarily limited to 100k hosts per default. This hotfix was introduced to work around instabilities on some machines that do not have sufficient amount of swap memory. You can override this by setting -l 500000, but your results may vary.
• Introduced several internal architecture changes that made all those new features possible.

TLS Canary bugfix release 3.0.1

What happened?

This is a bugfix release working around temporary upstream breakage in OneCRL-Tools.

TLS Canary "The Python" 3.0.0

What's new?

This is the first release of TLS Canary, a Python port of @mwobensmith's ssl_compat project.