
tls-scanner's Introduction

TLS-Scanner


TLS-Scanner is a tool to assist pentesters and security researchers in the evaluation of TLS server and client configurations.

Please note: TLS-Scanner is a research tool intended for TLS developers, pentesters, administrators and researchers. There is no GUI. It is in the first version and may contain some bugs.

Compiling

In order to compile and use TLS-Scanner, you need to run:

$ cd TLS-Scanner
$ git submodule update --init --recursive
$ mvn clean package

Alternatively, if you are in a hurry, you can skip the tests by using:

$ mvn clean package -DskipTests=true

If you want to use TLS-Scanner as a library you need to install it with the following command:

$ mvn clean install

Running

In order to run TLS-Scanner you need to run the jar file in the apps/ folder.

$ java -jar apps/TLS-Server-Scanner.jar -connect localhost:4433

You can specify a host you want to scan with the -connect parameter. If you want to improve the performance of the scan you can use the -threads parameter (default=1).

In order to see more details about the Guidelines, use "-reportDetail ALL".

Docker

We provide you with a Dockerfile, which lets you run the scanner directly:

$ docker build . -t tlsscanner
$ docker run -t tlsscanner

Please note: I am by no means familiar with Docker best practices. If you know how to improve the Dockerfile, feel free to issue a pull request.

Requirement System

(TLS) probes sometimes have prerequisites that are required to execute this specific probe. The requirement system allows you to define sets of such requirements that must be met in order for the probe to be executed.

Each requirement offers an evaluate function which returns a boolean value indicating whether the requirement has been fulfilled. Requirements can be combined using well-known logical operations: each requirement offers and, or, not, and xor instance methods to chain multiple requirements. The following requirements are currently implemented and can be used off the shelf:

  • FulfilledRequirement - Always evaluates to true, useful to indicate no requirement.
  • UnfulfillableRequirement - Always evaluates to false, prevents execution of probes.
  • ProbeRequirement - Evaluates to true if the specified probe(s) has been executed.
  • PropertyRequirement - Evaluates to true if the specified analyzed properties have a predefined value. The value may either be provided as a constructor parameter or one may use PropertyTrueRequirement and PropertyFalseRequirement as a shorthand for TestResults.TRUE and TestResults.FALSE.
  • PropertyComparatorRequirement - Evaluates to true if the collection result of an analyzed property is smaller, equal, or greater than a constant value.
  • ProtocolRequirement - Evaluates to true if certain protocol versions are supported.
  • ExtensionRequirement - Evaluates to true if certain extensions are supported by the remote peer.
  • OptionsRequirement - Evaluates to true if additional cli flags are set. Currently used in some client probes (ALPN, SNI, session resumption).
  • WorkingConfigRequirement - Evaluates to true if a working configuration has been found.

Aside from these predefined requirements, one may also extend the Requirement class anonymously within the getRequirements method. If nothing is required, you may return a FulfilledRequirement, which always evaluates to true.

Examples on how to use requirements can be found in the probe packages of the tls-client-scanner and tls-server-scanner.

@Override
public Requirement<ClientReport> getRequirements() {
    return new ProbeRequirement<ClientReport>(TlsProbeType.CIPHER_SUITE)
            .and(new PropertyTrueRequirement<>(TlsAnalyzedProperty.SUPPORTS_DHE));
}
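How chained requirements gate probe execution, as an added example: this is a simplified stand-alone model, not TLS-Scanner's code, and every class and method name in it (RequirementDemo, Probe, probeExecuted, propertyIs, runUntilNoneCanBeExecuted) is a hypothetical stand-in. It also shows why a negated property check should be combined with a probe requirement: before the probe has run, the property is simply untested, so a bare "not TRUE" would already pass.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.EnumMap;
import java.util.EnumSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Consumer;

// Simplified stand-in model, NOT the TLS-Scanner classes: every type and
// method name here is hypothetical and only mirrors the README's description.
public class RequirementDemo {

    enum ProbeType { CIPHER_SUITE, PROTOCOL_VERSION, DHE_PARAMETER, LEGACY_ONLY }
    enum Property { SUPPORTS_DHE, SUPPORTS_TLS_1_3 }
    enum Result { TRUE, FALSE, NOT_TESTED_YET }

    /** Minimal report: which probes have run and what they learned. */
    static class Report {
        final Set<ProbeType> executed = EnumSet.noneOf(ProbeType.class);
        final Map<Property, Result> properties = new EnumMap<>(Property.class);

        Result get(Property p) {
            return properties.getOrDefault(p, Result.NOT_TESTED_YET);
        }
    }

    /** A predicate over the report that can be chained with and/or/xor/not. */
    interface Requirement {
        boolean evaluate(Report report);

        default Requirement and(Requirement o) { return r -> evaluate(r) && o.evaluate(r); }
        default Requirement or(Requirement o)  { return r -> evaluate(r) || o.evaluate(r); }
        default Requirement xor(Requirement o) { return r -> evaluate(r) ^ o.evaluate(r); }
        default Requirement not()              { return r -> !evaluate(r); }
    }

    static Requirement fulfilled() { return r -> true; }

    static Requirement probeExecuted(ProbeType... types) {
        return r -> r.executed.containsAll(Arrays.asList(types));
    }

    static Requirement propertyIs(Property p, Result expected) {
        return r -> r.get(p) == expected;
    }

    static class Probe {
        final ProbeType type;
        final Requirement requirement;
        final Consumer<Report> action;

        Probe(ProbeType type, Requirement requirement, Consumer<Report> action) {
            this.type = type;
            this.requirement = requirement;
            this.action = action;
        }
    }

    /** Keeps sweeping the pending probes until a full pass executes nothing. */
    static List<ProbeType> runUntilNoneCanBeExecuted(List<Probe> probes, Report report) {
        List<Probe> pending = new ArrayList<>(probes);
        List<ProbeType> order = new ArrayList<>();
        boolean progress = true;
        while (progress) {
            progress = false;
            for (Probe p : new ArrayList<>(pending)) {
                if (p.requirement.evaluate(report)) {
                    p.action.accept(report);
                    report.executed.add(p.type);
                    order.add(p.type);
                    pending.remove(p);
                    progress = true;
                }
            }
        }
        return order; // probes still pending here were never eligible
    }

    public static void main(String[] args) {
        List<Probe> probes = Arrays.asList(
            // Listed first, but gated like the README snippet: probe done AND property TRUE.
            new Probe(ProbeType.DHE_PARAMETER,
                probeExecuted(ProbeType.CIPHER_SUITE)
                    .and(propertyIs(Property.SUPPORTS_DHE, Result.TRUE)),
                r -> { }),
            // Without probeExecuted(...) the negation would pass while the property
            // is still NOT_TESTED_YET and the probe would run too early.
            new Probe(ProbeType.LEGACY_ONLY,
                probeExecuted(ProbeType.PROTOCOL_VERSION)
                    .and(propertyIs(Property.SUPPORTS_TLS_1_3, Result.TRUE).not()),
                r -> { }),
            new Probe(ProbeType.CIPHER_SUITE, fulfilled(),
                r -> r.properties.put(Property.SUPPORTS_DHE, Result.TRUE)),
            new Probe(ProbeType.PROTOCOL_VERSION, fulfilled(),
                r -> r.properties.put(Property.SUPPORTS_TLS_1_3, Result.TRUE)));

        Report report = new Report();
        System.out.println("execution order: " + runUntilNoneCanBeExecuted(probes, report));
    }
}
```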


tls-scanner's Issues

ERROR: TrustAnchorManager - Could not load TrustAnchors.&& Exception in thread "main" java.lang.NullPointerException

Hello, thanks for this lovely tool. I have this error when I run the tool:

└─$ java -jar apps/TLS-Server-Scanner.jar -connect target.com

Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
INFO : Main - Performing Scan, this may take some time...
ERROR: TrustAnchorManager - Could not load TrustAnchors. This means that you are running TLS-Scanner without its submodules. If you want to evaluate if certificates are trusted by browsers you need to initialize submodules.You can do this by running the following command:'git submodule update --init --recursive'
+++Common bugs probe executed
+++Server name indication (SNI) probe executed
+++Compression probe executed
+++Protocol version probe executed
+++Cipher suite order probe executed
+++Client certificate authentication support probe executed
+++Signature Hash Algorithm Order probe executed
+++Record fragmentation probe executed
+++Early CCS probe executed
+++Tokenbinding probe executed
+++HTTP header probe executed
+++Cipher suite probe executed
+++Extensions probe executed
+++EC point formats probe executed
+++Signature and hash algorithm probe executed
+++TLS Fallback SCSV probe executed
+++Hello retry probe executed
+++ESNI probe executed
+++HTTP false start probe executed
ERROR: CertificateChain - Cannot check if the chain is complete since the trust manager is not initialized
ERROR: CertificateChain - Cannot check if the chain is complete since the trust manager is not initialized
ERROR: CertificateChain - Cannot check if the chain is complete since the trust manager is not initialized
+++Certificate probe executed
+++Resumption probe executed
+++Renegotiation probe executed
+++Padding oracle probe executed
+++Bleichenbacher probe executed
+++Alpaca attack probe executed
+++Named groups probe executed
+++Named groups order probe executed
+++OCSP probe executed
WARN : TlsServerProbe - Benign handshake failed for TLS13>SECP256R1>UNCOMPRESSED>TLS_AES_128_GCM_SHA256 - omitting from Invalid Curve
+++Invalid curve probe executed
+++Certificate transparency (CT) probe executed
INFO : ThreadedScanJobExecutor - Finished scan
INFO : Main - Scanned in: 552s

Exception in thread "main" java.lang.NullPointerException
at de.rub.nds.tlsscanner.serverscanner.trust.TrustAnchorManager.hasCustomTrustAnchros(TrustAnchorManager.java:276)
at de.rub.nds.tlsscanner.serverscanner.report.ServerReportPrinter.appendCertificate(ServerReportPrinter.java:495)
at de.rub.nds.tlsscanner.serverscanner.report.ServerReportPrinter.appendCertificates(ServerReportPrinter.java:480)
at de.rub.nds.tlsscanner.serverscanner.report.ServerReportPrinter.getFullReport(ServerReportPrinter.java:148)
at de.rub.nds.tlsscanner.serverscanner.report.ServerReport.getFullReport(ServerReport.java:482)
at de.rub.nds.tlsscanner.serverscanner.Main.main(Main.java:49)

Scanning bugs

Checked with schokokeks.org

  • RSA is set to true, even if no RSA cipher suite is offered
  • prefers PFS is set to false
  • Diverse RSA vulnerabilities (like Bleichenbacher) are set to unknown
  • Heartbleed is set to unknown
    ...

/cc @hannob

Custom CA

Hi,

Is there a way to pass a custom CA bundle to validate the cert?

Thanks

Nullpointer Exception in CertJudger

Exception in thread "Thread-208" java.lang.NullPointerException
at de.rub.nds.tlsscanner.probe.certificate.CertificateJudger.isWeakHashAlgo(CertificateJudger.java:58)
at de.rub.nds.tlsscanner.report.result.CertificateResult.merge(CertificateResult.java:46)
at de.rub.nds.tlsscanner.ScanJobExecutor.execute(ScanJobExecutor.java:66)
at de.rub.nds.tlsscanner.TlsScanner.scan(TlsScanner.java:97)

TLS-Attacker 2.5 breaks TLS-Scanner

Renaming class "NamedCurve" to "NamedGroup" breaks TLS-Scanner at various points.

Also, there are some changes in the tlsConfig that break some probes (e.g. ExtensionProbe).

ALPACA StrictSNI test issue

When testing the ALPACA probe I see that the SNI name is set to "notarealtls-attackerhost.com" in the isSupportingStrictSni method; however, on my server trace the SNI value is still set to the default (localhost). This causes the SNI mitigation test to fail for the server even though I have implemented strict SNI logic. It seems the SNI value is not being set correctly in the TLSScanner client.

Certificate report fails if no CommonName is present

The CertificateReportGenerator throws an index out of bounds exception if the certificate has no CN

Caused by: java.lang.ArrayIndexOutOfBoundsException: 0
	at de.rub.nds.tlsscanner.probe.certificate.CertificateReportGenerator.setSubject(CertificateReportGenerator.java:70)
	at de.rub.nds.tlsscanner.probe.certificate.CertificateReportGenerator.generateReport(CertificateReportGenerator.java:47)
	at de.rub.nds.tlsscanner.probe.certificate.CertificateReportGenerator.generateReports(CertificateReportGenerator.java:39)
	at de.rub.nds.tlsscanner.probe.CertificateProbe.executeTest(CertificateProbe.java:44)
	at de.rub.nds.tlsscanner.probe.TlsProbe.call(TlsProbe.java:57)
	at de.rub.nds.tlsscanner.probe.TlsProbe.call(TlsProbe.java:22)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)

Run from docker, got error

Hello,

I just tried this script and got an error:

$ sudo docker run -t tlsscanner -connect https://domain.com/
INFO : Main - Performing Scan, this may take some time...
+++Common bugs probe executed
+++Server name indication (SNI) probe executed
+++Compression probe executed
+++Protocol version probe executed
+++Cipher suite order probe executed
+++Client certificate authentication support probe executed
+++Signature Hash Algorithm Order probe executed
+++Record fragmentation probe executed
+++Early CCS probe executed
+++Tokenbinding probe executed
+++HTTP header probe executed
+++Cipher suite probe executed
+++Extensions probe executed
+++EC point formats probe executed
+++Signature and hash algorithm probe executed
+++TLS Fallback SCSV probe executed
+++Hello retry probe executed
+++ESNI probe executed
+++HTTP false start probe executed
+++Certificate probe executed
+++Direct RACCOON probe executed
+++Resumption probe executed
+++Renegotiation probe executed
+++ALPN probe executed
+++Alpaca attack probe executed
+++Heartbleed probe executed
+++Named groups probe executed
Exception in thread "main" java.lang.UnsupportedOperationException: The provided group 'FFDHE2048' is not supported by this method.
        at de.rub.nds.tlsattacker.core.crypto.ec.CurveFactory.getCurve(CurveFactory.java:95)
        at de.rub.nds.tlsscanner.serverscanner.probe.InvalidCurveProbe.adjustConfig(InvalidCurveProbe.java:145)
        at de.rub.nds.tlsscanner.serverscanner.probe.InvalidCurveProbe.adjustConfig(InvalidCurveProbe.java:52)
        at de.rub.nds.scanner.core.execution.ThreadedScanJobExecutor.update(ThreadedScanJobExecutor.java:188)
        at de.rub.nds.scanner.core.execution.ThreadedScanJobExecutor.executeProbesTillNoneCanBeExecuted(ThreadedScanJobExecutor.java:124)
        at de.rub.nds.scanner.core.execution.ThreadedScanJobExecutor.execute(ThreadedScanJobExecutor.java:74)
        at de.rub.nds.tlsscanner.serverscanner.execution.TlsServerScanner.scan(TlsServerScanner.java:298)
        at de.rub.nds.tlsscanner.serverscanner.Main.main(Main.java:45)

Not able to test TLS-Scanner because of "Exception in thread "main" java.lang.IllegalArgumentException: argument "src" is null"

I have installed TLS-Scanner-3.0.2 and tried the basic command below to test a server, but it gives the error below:

java -jar apps/TLS-Scanner.jar -connect :
INFO : Main - Performing Scan, this may take some time...
Exception in thread "main" java.lang.IllegalArgumentException: argument "src" is null
at com.fasterxml.jackson.databind.ObjectMapper._assertNotNull(ObjectMapper.java:4413)
at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3241)
at de.rub.nds.tlsscanner.trust.TrustAnchorManager.readPlatform(TrustAnchorManager.java:92)
at de.rub.nds.tlsscanner.trust.TrustAnchorManager.(TrustAnchorManager.java:63)
at de.rub.nds.tlsscanner.trust.TrustAnchorManager.getInstance(TrustAnchorManager.java:55)
at de.rub.nds.tlsscanner.TlsScanner.scan(TlsScanner.java:147)
at de.rub.nds.tlsscanner.Main.main(Main.java:46)

Missing dependencies - de.rub.nds.tlsattacker:Attacks:jar:3.7.2 & de.rub.nds.tlsattacker:TLS-Core:jar:3.7.2

I'm by no means an expert on Java or Maven but I believe these dependencies are missing from Maven's repo

Here's the full error message:

[ERROR] Failed to execute goal on project TLS-Scanner: Could not resolve dependencies for project de.rub.nds.tlsscanner:TLS-Scanner:pom:4.1.2: The following artifacts could not be resolved: de.rub.nds.tlsattacker:TLS-Core:jar:3.7.2, de.rub.nds.tlsattacker:Attacks:jar:3.7.2: Could not find artifact de.rub.nds.tlsattacker:TLS-Core:jar:3.7.2 in central (https://repo.maven.apache.org/maven2) -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/DependencyResolutionException

Hope this helps !

Cheers

Docker entrypoint doesn't exist

Context

Using the README.md instructions to build the docker

Log

$ docker build . -t tlsscanner
STEP 1: FROM maven:3.6.1-jdk-8 AS build-image
STEP 2: WORKDIR /build
--> Using cache 16a985e05e4adbfae9ae1c414a41bd606896da2792ef47c448a2c154f3465e79
--> 16a985e05e4
STEP 3: RUN git clone https://github.com/RUB-NDS/TLS-Scanner.git --recurse-submodules
--> Using cache 72a9309a7c4e9c458c0747077a1cac4b192d31c1808ec94f65c441208251e423
--> 72a9309a7c4
STEP 4: WORKDIR /build/TLS-Scanner
--> Using cache 657586fc119af18078efcdbdfd5020bf8df45c67933b009340a0bb2f8469100a
--> 657586fc119
STEP 5: RUN mvn clean install -DskipTests=true
--> Using cache 15f5140a03e7879c738c570dca42d7f7c23304c4c9ccf0454f404bec716e98b4
--> 15f5140a03e
STEP 6: FROM openjdk:8-alpine
STEP 7: COPY --from=build-image /build/TLS-Scanner/apps /apps
--> Using cache abffe5c0c40ab0021976a32a236b3d8b6ed9b784d13148fb8ea1ed5a174cb89c
--> abffe5c0c40
STEP 8: WORKDIR /apps
--> Using cache 6f87a199faaa4e4190d9a1e2b1c351d1a42fd22d9273058e8286d48a28c3f1cd
--> 6f87a199faa
STEP 9: ENTRYPOINT ["java", "-jar", "TLS-Scanner.jar"]
--> Using cache 3168de0fc6be91fb344bcaeb1b5d01a6fbe3537a8e6101e11067bba1ba77a7f9
STEP 10: COMMIT tlsscanner
--> 3168de0fc6b
3168de0fc6be91fb344bcaeb1b5d01a6fbe3537a8e6101e11067bba1ba77a7f9
$ docker run -t tlsscanner
Error: Unable to access jarfile TLS-Scanner.jar

My guess is that the jar is not built with this name:

/apps # find
.
./TLS-Server-Scanner.jar
./TLS-Client-Scanner.jar
./lib
./lib/jcommander-1.78.jar
./lib/istack-commons-runtime-3.0.11.jar
./lib/opentest4j-1.2.0.jar
./lib/guava-29.0-jre.jar
./lib/X509Attacker-1.1.0.jar
./lib/Utils-3.6.0.jar
./lib/log4j-api-2.13.3.jar
./lib/junit-platform-engine-1.5.2.jar
./lib/javassist-3.26.0-GA.jar
./lib/junit-platform-commons-1.5.2.jar
./lib/jaxb-runtime-2.3.3.jar
./lib/siv-mode-1.4.0.jar
./lib/jackson-dataformat-yaml-2.10.0.jar
./lib/jaxb-api-2.3.1.jar
./lib/txw2-2.3.3.jar
./lib/bcprov-jdk15on-1.64.jar
./lib/javax.activation-api-1.2.0.jar
./lib/jakarta.xml.bind-api-2.3.3.jar
./lib/snakeyaml-1.24.jar
./lib/junit-jupiter-engine-5.5.2.jar
./lib/json-simple-1.1.1.jar
./lib/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
./lib/Attacks-3.6.0.jar
./lib/junit-jupiter-api-5.5.2.jar
./lib/slf4j-api-1.7.30.jar
./lib/failureaccess-1.0.1.jar
./lib/slf4j-log4j12-1.7.30.jar
./lib/reflections-0.9.12.jar
./lib/ModifiableVariable-3.0.0.jar
./lib/apiguardian-api-1.1.0.jar
./lib/dnsjava-2.1.9.jar
./lib/log4j-core-2.13.3.jar
./lib/joda-time-2.10.5.jar
./lib/jsr305-3.0.2.jar
./lib/jackson-databind-2.10.0.jar
./lib/checker-qual-2.11.1.jar
./lib/jackson-core-2.10.0.jar
./lib/commons-lang3-3.11.jar
./lib/Asn1Tool-1.2.0.jar
./lib/commons-math3-3.6.1.jar
./lib/log4j-1.2.17.jar
./lib/Transport-3.6.0.jar
./lib/TLS-Server-Scanner-4.0.0.jar
./lib/TLS-Scanner-Core-4.0.0.jar
./lib/bcpkix-jdk15on-1.60.jar
./lib/TLS-Core-3.6.0.jar
./lib/jackson-annotations-2.10.0.jar
./lib/error_prone_annotations-2.3.4.jar
./lib/j2objc-annotations-1.3.jar
./lib/jakarta.activation-api-1.2.2.jar

Build Failure (Docker)

I get the following Build Failure after running this command:

docker build . -t tlsscanner

It seems to make a lot of progress, but then fails in the end.

It is complaining about a missing artifact. Could this mean a JAR file was deleted or updated? If so, perhaps this could be easily resolved.

[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  5.289 s
[INFO] Finished at: 2020-07-27T14:37:48Z
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal on project TLS-Scanner: Could not resolve dependencies for project de.rub.nds.tlsscanner:TLS-Scanner:jar:3.0.2: The following artifacts could not be resolved: de.rub.nds.tlsattacker:TLS-Core:jar:3.3.1, de.rub.nds.tlsattacker:Attacks:jar:3.3.1: Could not find artifact de.rub.nds.tlsattacker:TLS-Core:jar:3.3.1 in central (https://repo.maven.apache.org/maven2) -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/DependencyResolutionException
The command '/bin/sh -c mvn clean install -DskipTests=true' returned a non-zero code: 1

Maven build fails

I've no experience with Maven so I'm a bit at a loss here:

  • I've cloned the TLS-Attacker and Scanner repos and built the TLS-Attacker (downgraded my Java to version 8 for that); that worked flawlessly.
  • Executing mvn clean package in the TLS-Scanner Repo I get the error
    [ERROR] Failed to execute goal on project TLS-Scanner: Could not resolve dependencies for project de.rub.nds.tlsscanner:TLS-Scanner:jar:3.0.2: The following artifacts could not be resolved: de.rub.nds.tlsattacker:TLS-Core:jar:3.3.1, de.rub.nds.tlsattacker:Attacks:jar:3.3.1: Could not find artifact de.rub.nds.tlsattacker:TLS-Core:jar:3.3.1 in central (https://repo.maven.apache.org/maven2)

I suppose that it is a problem on your side, if that's not the case: any idea what the problem might be?

illegal reflective access deprecated

Just in case this wasn't already known.

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by de.rub.nds.tlsattacker.core.crypto.PseudoRandomFunction (file:[redacted]/TLS-Scanner/apps/lib/TLS-Core-3.7.0.jar) to field javax.crypto.spec.SecretKeySpec.key
WARNING: Please consider reporting this to the maintainers of de.rub.nds.tlsattacker.core.crypto.PseudoRandomFunction
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

Documentation for TLS-Client-Scanner

Hello!

I want to use the TLS-Client-Scanner to scan the client side.
Is there any documentation for TLS-Client-Scanner.jar or more description of how this tool can be used or how it works?
I have looked at the -help argument to see all the different commands and tried the command:

java -jar apps/TLS-Client-Scanner.jar -port 8080 -run "curl google.com"

However, it doesn't return anything and hangs.

couple of minor initial setup/doc issues

$ java -jar apps/TLS-Scanner.jar -connect localhost:4433
Error: Unable to access jarfile apps/TLS-Scanner.jar

... suggests that README should be updated to explicitly invoke the 'Server' .jar:

$ java -jar apps/TLS-Server-Scanner.jar -connect localhost:4433

It would also be helpful to explicitly include the submodule setup in the README:

ERROR: TrustAnchorManager - Could not load TrustAnchors. This means that you
are running TLS-Scanner without its submodules. If you want to evaluate if 
certificates are trusted by browsers you need to initialize submodules.You can 
do this by running the following command:'git submodule update --init --recursive'

Text output mixes German and english

java -jar apps/TLS-Server-Scanner.jar -connect test.de:443 -reportDetail ALL

----|Passed Checks:

Grundsätzlich werden TLS 1.2 und TLS 1.3 empfohlen.
	SUPPORTS_TLS_1_2=TRUE
Grundsätzlich werden TLS 1.2 und TLS 1.3 empfohlen.
	SUPPORTS_TLS_1_3=TRUE
TLS 1.0 und TLS 1.1 werden nicht empfohlen.
	SUPPORTS_TLS_1_0=FALSE
TLS 1.0 und TLS 1.1 werden nicht empfohlen.
	SUPPORTS_TLS_1_1=FALSE
SSL v2 und SSL v3 werden nicht empfohlen.
	SUPPORTS_SSL_2=FALSE
SSL v2 und SSL v3 werden nicht empfohlen.
	SUPPORTS_SSL_3=FALSE

It might still be interesting for non-Germans to understand the recommendations.

Misleading BSI TR-02102-2 recommendations

When the tool scans a system, it says:

----|Failed Checks:

Die folgenden Diffie-Hellman Gruppen werden empfohlen.
	The following groups were supported but not recommended:
	ECDH_X25519

The German sentence means "The following Diffie-Hellman Groups are recommended", but then groups are listed that are not recommended.

The additional ECDH_X25519 group (https://en.wikipedia.org/wiki/Curve25519) does not mean that the system is insecure; it only means that it's not listed as recommended in the BSI TR-02102-2 recommendation.

This does not deserve a "failed check" and is not the same category as e.g. supporting TLS 1.0.

ClientAuthentication confuses Scanner

Most workflows in the Scanner do not expect the Server to respond with a CertificateRequest message, which can cause the WorkflowTraces to not execute as expected. If this is the case, all sorts of weird behavior occur and the results are not reliable anymore.
What needs to be done:

  • Check which WorkflowTraces and Probes are affected
  • Scan for ClientAuthentication
  • Adjust Probes to work even with ClientAuthentication

Encrypt-then-MAC extension test not working correctly

When I try to scan my own webpage - see
https://tls-scanner.cs.uni-paderborn.de/report/hboeck.de
I get a warning that it would not support the Encrypt-then-MAC extension:

 Encrypt-then-MAC extension support: FALSE (Score: -50) 

This server runs a pretty standard apache+openssl setup, and openssl enables the EtM extension by default if applicable. Apache does not disable it, so it should work. I can also see the extension if I manually connect to the server with TLS 1.3 disabled.

I have a guess why this check is not working: The EtM extension is not supported in TLS 1.3. It only applies to old CBC mode ciphers, and those are only supported in TLS <= 1.2. Possibly, TLS-Scanner is just checking the list of extensions it sees with a connection with TLS 1.3, and doesn't see it there.
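The reasoning in the report above, as an added example (not TLS-Scanner's logic and not part of the original issue): per RFC 7366 a server only echoes encrypt_then_mac when it selects a CBC suite, and TLS 1.3 has no CBC suites, so only CBC handshakes at TLS 1.2 or lower can answer the question. All class and method names are hypothetical and the handshake observations are constructed sample data.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Added illustration; all names are hypothetical and this is not TLS-Scanner code.
public class EtmSupportCheck {

    enum Version { TLS10, TLS11, TLS12, TLS13 }
    enum CipherKind { CBC, AEAD, STREAM }
    enum Verdict { TRUE, FALSE, COULD_NOT_TEST }

    static final int ENCRYPT_THEN_MAC = 22; // extension type assigned by RFC 7366

    /** One completed handshake in which the client offered encrypt_then_mac. */
    static class Observation {
        final Version negotiated;
        final CipherKind selected;
        final List<Integer> serverExtensions;

        Observation(Version negotiated, CipherKind selected, List<Integer> serverExtensions) {
            this.negotiated = negotiated;
            this.selected = selected;
            this.serverExtensions = serverExtensions;
        }
    }

    /** The failure mode guessed at in the issue: trust whichever handshake came first. */
    static Verdict naive(List<Observation> observations) {
        if (observations.isEmpty()) {
            return Verdict.COULD_NOT_TEST;
        }
        return observations.get(0).serverExtensions.contains(ENCRYPT_THEN_MAC)
                ? Verdict.TRUE : Verdict.FALSE;
    }

    /** Only handshakes that could legally carry the extension count as evidence. */
    static Verdict judge(List<Observation> observations) {
        boolean sawApplicable = false;
        for (Observation o : observations) {
            boolean applicable = o.negotiated != Version.TLS13 && o.selected == CipherKind.CBC;
            if (!applicable) {
                continue; // AEAD/stream suites and TLS 1.3 never echo the extension
            }
            sawApplicable = true;
            if (o.serverExtensions.contains(ENCRYPT_THEN_MAC)) {
                return Verdict.TRUE;
            }
        }
        // No CBC handshake below TLS 1.3 means there is nothing to conclude from.
        return sawApplicable ? Verdict.FALSE : Verdict.COULD_NOT_TEST;
    }

    public static void main(String[] args) {
        // Constructed sample data: extension lists are illustrative type numbers.
        List<Observation> observations = Arrays.asList(
            new Observation(Version.TLS13, CipherKind.AEAD, Arrays.asList(43, 51)),
            new Observation(Version.TLS12, CipherKind.AEAD, Arrays.asList(65281)),
            new Observation(Version.TLS12, CipherKind.CBC, Arrays.asList(65281, ENCRYPT_THEN_MAC)));

        System.out.println("naive check:   " + naive(observations));
        System.out.println("version-aware: " + judge(observations));
        System.out.println("TLS 1.3 only:  " + judge(Collections.singletonList(observations.get(0))));
    }
}
```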

SignatureAndHash ambiguity

Hello!

In the report there is a list of supported SignatureAndHash algorithms. This summarizes the algorithms used for signing during the handshake and for the signature of the certificate used. So this is technically correct, but perhaps for clarity it would be better if these algorithms were output in two distinct report entries. Otherwise, the protocol traces may have to be used to determine which algorithm is used for which process.

PublicKey printout

I ran java -jar TLS-Server-Scanner.jar -connect neuromancer.sk:443 using the latest release (4.0.0).
When it printed out the Certificate Chain it printed the following as the PublicKey entry:

 PublicKey			 : de.rub.nds.tlsattacker.core.crypto.keys.CustomRsaPublicKey@26cc7912

So I guess a toString or some other serialization method implementation is missing to display the pubkey.

Infinite scanning with TLS-Scanner

Hello.

Sometimes the scanning process of TLS-Scanner does not finish: on some particular hosts the scanner can work for hours (for example, the longest run until successful results were gained was about 3 hours) or can even get stuck at some point in an infinite loop (especially when TLS-Scanner is on the last steps of scanning, for example, about step 21/24 or 22/24 in the console output).

As I noticed, this behavior does not depend on "-parallelProbes" or "-overallThreads" flags and can be reproduced with the most basic options.

Examples of this behavior can be seen on the next hosts:

67.59.100.154:443
185.42.19.133:443

And can be reproduced with the next commands:

java -jar TLS-Scanner.jar -connect 67.59.100.154:443
java -jar TLS-Scanner.jar -connect 185.42.19.133:443

Scanning for SRP

From the RFC:

2.5.1.2. Missing SRP Extension

The client may offer SRP cipher suites in the hello message but omit
the SRP extension. If the server would like to select an SRP cipher
suite in this case, the server SHOULD return a fatal
"unknown_psk_identity" alert (see Section 2.9) immediately after
processing the client hello message.

Fail to compile and using docker

mvn clean package

[INFO] BUILD FAILURE
[ERROR] Failed to execute goal on project TLS-Scanner: Could not resolve dependencies for project de.rub.nds.tlsscanner:TLS-Scanner:jar:3.0.2: The following artifacts could not be resolved: de.rub.nds.tlsattacker:TLS-Core:jar:3.3.1, de.rub.nds.tlsattacker:Attacks:jar:3.3.1: Failure to find de.rub.nds.tlsattacker:TLS-Core:jar:3.3.1 in https://repo.maven.apache.org/maven2 was cached in the local repository, resolution will not be reattempted until the update interval of central has elapsed or updates are forced -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal on project TLS-Scanner: Could not resolve dependencies for project de.rub.nds.tlsscanner:TLS-Scanner:jar:3.0.2: The following artifacts could not be resolved: de.rub.nds.tlsattacker:TLS-Core:jar:3.3.1, de.rub.nds.tlsattacker:Attacks:jar:3.3.1: Failure to find de.rub.nds.tlsattacker:TLS-Core:jar:3.3.1 in https://repo.maven.apache.org/maven2 was cached in the local repository, resolution will not be reattempted until the update interval of central has elapsed or updates are forced

Machine:
Apache Maven 3.6.3
Linux PC 5.6.0-kali2-amd64 #1 SMP Debian 5.6.14-2kali1 (2020-06-10) x86_64 GNU/Linux

Docker error:
[ERROR] Failed to execute goal on project Utils: Could not resolve dependencies for project de.rub.nds.tlsattacker:Utils:jar:3.5.0: Could not find artifact de.rub.nds:X509Attacker:jar:1.0 in central (https://repo.maven.apache.org/maven2) -> [Help 1]

Session recommendations

Some older Apache versions (like 2.4.6 in RHEL / CentOS 7) don't support a limited lifetime for session tickets. This could undermine the forward secrecy for long running processes if session tickets are enabled. In those cases recommending session tickets over session resumption (or even using them at all) probably isn't a good idea.

I'm not really sure how the recommendations could be improved, though. This is probably only a problem with some very specific Apache versions.

Output results to file

I've looked within the documentation and there doesn't appear to be a facility to output the results of the scan to a file (e.g. JSON or XML). Is this possible?

Many thanks,

Matt
