• Add the "strength" field to the XML output for groups
• Add support for PQ hybrid key exchange groups (credit malhotrag)
• Show Show PQ groups in cipher output (credit nuxi)

The 2.2.0 release includes some key changes:

• Support for new post-quantum groups such as X25519MLKEM768.
• Updates to the colouring of various ciphers and algorithms (see #333 for full details).

Additionally, building sslscan now requires a minimum OpenSSL version of 3.5.0 (LTS). As always, static building is recommended, especially if you distro ships an older version of OpenSSL.

This release has been largely down to the excellent work by jtesta, and also from tetlowgm.

Newer version of OpenSSL flag the CCM8 ciphers suites (such as AES256-CCM8/TLS_DHE_RSA_WITH_AES_256_CCM_8) as having a strength of 64 bits due to the short authentication tag, as discussed here:

openssl/openssl#16652

This meant that if sslscan was statically against older versions of OpenSSL built they would show up as 128/256 bits, but if it was built against a newer version (as Kali does for their package) they would show up as 64 bit. To work around this, we manually set the strength for these ciphers to 64 bit (regardless of what the version of OpenSSL we're building against thinks they are), so that all versions should return consistent results.

Makefile improvements

Add --show-certificates option to show the full certificate chain.

• Enable quiet shutdown for scanning (credit jarnfast)
• Fix Docked build on non-x64 architectures (credit jtesta)

Fix certificate and cipher enumeration when unsafe renegotiation is (credit jtesta)

Work around a couple of dodgy TLS implementations.

sslscan is now built against OpenSSL 3.0, due to OpenSSL 1.1.1 reaching its end of life.

• Fix incorrect TLSv1.3 detection for Server 2019 (credit jtesta)
• Fix incorrect XML output related to certificates