Warn on TLSv1.1. Fixes #241

Author: rbsec

Changelog

@@ -1,5 +1,11 @@
 Changelog
 =========
+Version: 2.0.9
+Date   : 24/03/2021
+Author : rbsec <robin@rbsec.net>
+Changes: The following are a list of changes
+		 > Warn on TLSv1.1, as it's now deprecated by RFC 8996
+
 Version: 2.0.8
 Date   : 12/02/2021
 Author : rbsec <robin@rbsec.net>

README.md

@@ -61,7 +61,7 @@ Key changes are as follows:
 * Display EC curve names and DHE key lengths with OpenSSL >= 1.0.2 `--no-cipher-details`.
 * Flag weak DHE keys with OpenSSL >= 1.0.2 `--cipher-details`.
 * Flag expired certificates.
-* Flag TLSv1.0 ciphers in output as weak.
+* Flag TLSv1.0 and TLSv1.1 protocols in output as weak.
 * Experimental OS X support (static building only).
 * Support for scanning PostgreSQL servers (credit nuxi).
 * Check for TLS Fallback SCSV support.

sslscan.c

@@ -1591,6 +1591,9 @@ void outputCipher(struct sslCheckOptions *options, SSL *ssl, const char *cleanSs
     if (strcmp(cleanSslMethod, "TLSv1.3") == 0) {
       printf("%sTLSv1.3%s  ", COL_GREEN, RESET);
     }
+    else if (strcmp(cleanSslMethod, "TLSv1.1") == 0) {
+      printf("%sTLSv1.1%s  ", COL_YELLOW, RESET);
+    }
     else if (strcmp(cleanSslMethod, "TLSv1.0") == 0) {
       printf("%sTLSv1.0%s  ", COL_YELLOW, RESET);
     } else
@@ -3344,10 +3347,10 @@ int testHost(struct sslCheckOptions *options)
 
     if ((options->sslVersion == ssl_all) || (options->sslVersion == tls_all) || (options->sslVersion == tls_v11)) {
       if ((options->tls11_supported = checkIfTLSVersionIsSupported(options, TLSv1_1))) {
-	printf("TLSv1.1   enabled\n");
+	printf("TLSv1.1   %senabled%s\n", COL_YELLOW, RESET);
 	printf_xml("  <protocol type=\"tls\" version=\"1.1\" enabled=\"1\" />\n");
       } else {
-	printf("TLSv1.1   disabled\n");
+	printf("TLSv1.1   %sdisabled%s\n", COL_GREEN, RESET);
 	printf_xml("  <protocol type=\"tls\" version=\"1.1\" enabled=\"0\" />\n");
       }
     }