
Version: 19.01.19
  BUGFIX
    * t/Makefile.*: BT: macro ALL.inc.type corrected
    * osaft.pm: BF: +fingerprint_sha2 honors --format=hex
    * o-saft.pl: BF: printing header (for list of ciphers) corrected
    * o-saft.pl: BF: "Ciphers: Summary" prints correct numbers if no ciphers found
    * o-saft.pl: BF: --legacy=key disabled; --label=key enabled (honors --header option)
  CHANGES
    * t/Makefile.*: ET: targets simplified and unified; critic345 implemented
    * o-saft.pl: EF: +cipher results are sorted according "severity/security risk"
  NEW
    * o-saft.pl: NF: --help=cmd and --help=cfg-cmd added
    * o-saft.pl: NT: +session_startdate and +session_starttime added
    * o-saft.pl: NF: new option --legacy=owasp for +cipher
    * o-saft.pl: NF: new option --label=long|short|key
    * o-saft.pl: NF: alias commands for CVEs added
    * t/Makefile.misc: targets for profiling

Version: 18.10.18
  BUGFIX
    * o-saft-docker: use correct VERSION in docker_build()
    * o-saft-man.pm: output for --help=cfg-text correctd
    * o-saft-man.pm: HTML encode << ; CSS improved
    * o-saft.pl: warning added if https request failed
    * o-saft.pl: --exit=MAIN corrected
    * o-saft.tcl: value None not highlighted
    * o-saft.tcl: --docker and --id=* handled correctly
    * t/Makefile.opt: added (missed at github)
    * t/Makefile: message-% rule description to avoid syntax errors
    * Makefile: missing files t/Makefile.exit, t/Makefile.FQDN added to ALL.Makefiles
    * Makefile: dependencies for generated files improved
  CHANGES
    * o-saft-docker: docker_build() uses OSAFT_VM_SHA_OSAFT environment variable
    * contrib/build_openssl.sh renamed to contrib/install_openssl.sh
    * o-saft-dbx.pm: trace and verbose output use cfg{prefix_trace} and cfg{prefix_verbose} instead of cfg{mename}
    * t/Makefile.*: various minor bugfixes
    * Makefile: install target improved
    * Net::SSLinfo.pm: set https_body to private string if https request fails
    * osaft: call other tools with proper path
    * osaft.pm: cipher suites for RFC 8446 (TLS 1.3) added
    * o-saft-man.pm: new button to change schema in generated o-saft.cgi.html
    * o-saft-man.pm: online documentation in generated html improved
    * --help: section TESTING added
    * o-saft.tcl: using o-saft.pl in docker container improved
    * t/o-saft_bench renamed to t/o-saft_bench.sh
    * t/Makefile* improved
  NEW
    * "help"-Button foreach --help=* in o-saft.cgi.html
    * --help=cipherpattern added
    * options -comp and -no_comp implemented (OP_NO_COMPRESSION)
    * Makefile.help: cloc* target added
    * o-saft-man.pm: cgi and html page provides discrete commands
    * o-saft-man.pm: cgi page provides input fields for options with values
    * o-saft-man.pm: "return to top" button in generated .cgi.html added

Version: 18.07.18
  BUGFIX
    * o-saft: pass $* instead of $@
    * o-saft-docker: check for image IDs corrected
    * o-saft-docker: ENTRYPOINT corrected; usage corrected
    * o-saft-docker: get correct number of ciphers from docker
    * o-saft.tcl: workaround for X error BadAlloc implemented
    * o-saft.tcl: highlight of code examples corrected
    * o-saft.tcl: size of help window adapted to larger font size
    * content of o-saft.tgz corrected (gernerated by makefile)
    * o-saft.pl: +cipher-dh requires openssl
    * o-saft.pl: use of $cfg{'openssl'}->{'-msg'} corrected
    * o-saft.pl: print warning when trying to read RC-file in cgi mode
    * o-saft.pl: avoid Use of uninitialized value in $CFG{sni_name}
    * o-saft.pl: avoid Use of uninitialized value in _init_openssldir()
    * o-saft-dbx.pm: avoid Use of uninitialized value $cfg{"sni_name"}
    * o-saft-man.pm: --help=html does not contain "start" buttons (like --help=cgi)
    * Net::SSLinfo.pm: initialize Net::SSLinfo::file_sclient
    * Net::SSLinfo.pm: verify_altname(); avoid uninitialized value
    * Net::SSLinfo.pm: verify_alias()
  CHANGES
    * +ocsp_response and +ocsp_stapling (check) implemented
    * print !!Hint when multiline data is not printed                                
    * "reading:" message only printed with --v or --warning
    * +vulns also contains: +compression +fallback +resumption +renegotiation
    * +compression is information (+info) and check (+check, +vulns)
    * o-saft-docker: build improved; build supports some environment variables
    * Dockerfile: handle master directory from github, move it to $OSAFT_DIR if found
    * Dockerfile: add -rpath flag to build SSLeay.so
    * o-saft_bench: write result on STDOUT instead of hardcoded file
    * o-saft_bench moved to test/
    * INSTALL.sh renamed to INSTALL-template.sh; INSTALL.sh generated by Makefile
    * LHS condition check
    * contrib/INSTALL-template.sh: improved (--check, --openssl)
    * contrib/Dockerfile.alpine:3.6 renamed to contrib/Dockerfile.alpine-3.6
    * Net::SSLhello.pm: better handling of SSL/TLS connection errors
    * prepared for +ccs
  NEW
    * o-saft.cgi: avoid infinite loop if no parameter given
    * o-saft.cgi: first parameter must be --cgi or --cgi=
    * contrib/build_openssl.sh
    * Makefile; complete test suite in test/Makefile*
    * INSTALL-template.sh
    * o-saft.tcl: +quit option (for usage in Makefiles)
    * o-saft.tcl: scrolling with keys and mouse whell in help window implemented
    * o-saft-man.pm: --help=exit implemented
    * o-saft-man.pm: POD added
    * o-saft: modes/options -gui -cli -docker added
    * o-saft-docker: mode sshx to tunnel X suing ssh

Version: 18.01.18
  BUGFIX
    * markup for generated documentation corrected
    * various Perl warnings (in rare runtime situations) fixed
    * hostname, SNI and certificate subject checks are case insensitive
  CHANGES
    * --help=tools added to give an overview of all tools comming with O-Saft
    * use of $cfg{'sni_name'} and $cfg{'usesni'} improved (--sni --no-sni --sniname= )
    * SSLv3 cipher checks are done without SNI (automatically disabled just for SSLv3)
    * simple connection check to avoid "hanging" connection
    * documentation moved from o-saft-man.pm to OSaft/Doc/help.txt
    * Net::SSLinfo.pm: treat "failed handshake" only as error when * Net::SSLinfo::ignore_handshake is not set
    * contrib/zap_config.xml: description improved
    * +version prints starting directory (PWD)
    * +sni command contains +certfqdn
    * detecting host and port improved
    * use relative instead of absolute timestamps for --traceTIME
  NEW
    * wrapper script: o-saft
    * --traceCLI option added
    * --std-format= options implemented (allows generating files with any charset)
    * o-saft.tcl: write result of o-saft.pl in Tcl table (experimental)
    * +robot ROBOT added
    * --ignore-handshake implemented
    * --time-absolut to write absolute timestamps for --traceTIME

Version: 17.11.17
  BUGFIX
    * o-saft.cgi: IPv6 addresses are not allowed
    * do not print prefered cipher for SSLv2, as it has no such cipher
    * no warning (401) for SSLv2 selected cipher
    * do not complain about cipher mismatch (warning 411) for SSLv2
    * missleading hint message for WARNING 126 corrected
    * check for bit-length of serial number corrected (approx aproach)
  CHANGES
    * --help=cgi generated HTML for cgi usage improved
    * +protocols and +vulns documentation added
    * warnings and hints improved if SNI used with/for SSLv3
    * remove non-printable characters from HTTPS Status line
    * Dockerfile: build Net::SSLeay and IO::Socket::SSL based on enhanced openssl-chacha
    * +cipherall uses same output format as +cipher
    * documentation improved
  NEW
    * o-saft.tcl: trace implemented; option --trace

Version: 17.09.17
  BUGFIX
    * bugfix: avoid sub-subdomain matching againt subdomain wildcard
    * bugfix: BEAST check (https://github.com/OWASP/O-Saft/pull/99)
    * Net::SSLinfo.pm: support timeout commands which require -t option (BusyBox)
    * Net::SSLinfo.pm: handle binary IP address in certificate's altname attribut
    * regex to detect port numbers in URL: {1,5} quantifier instead of {1-5}
    * Dockerfile: install perl-readonly for alpine also
  CHANGES
    * Dockerfile build openssl with GOST and KRB5 ciphers (for alpine:edge)
    * Dockerfile supports environment variables
    * Net::SSLinfo.pm: checking for Alt-Svc, X-Firefox-Spdy headers improved
  NEW
    * o-saft-docker: checks for proper installed images
    * o-saft-docker: rmi command implemented; status command improved

Version: 17.07.17
  BUGFIX
    * +tr-02102+ corrected (len_sigdump check)
    * check for redirect HTTP to HTTPs corrected (+http_https)
    * Net::SSLinfo.pm: do_ssl_new() improved (avoid "Segmentation fault" or "double free or corruption .. Abort" in rare cases)
    * o-saft.pl: setting ALPN and NPN options with Net::SSLeay improved (avoid "Segmentation fault" in rare cases)
    * warning message for --experimental corrected
    * avoid perl warning "Argument isn't numeric" for +tr_02102 checks
    * osaft.pm: export printhint()
    * print hint for +info commands also
  CHANGES
    * check for heartbleed only if requested
    * hint for DROWN check added
    * error and warning messages have a unique number
    * print warning for trailing spaces in options read from RC-file
    * contrib/gen_standalone.sh: generates working script
    * *.pl and *.om improved for use with contrib/gen_standalone.sh
    * o-saft-lib.pm: initialization of %cfg with dynamic data done in _osaft_init()
    * trace output improved
    * contrib/* more examples added
  NEW
    * --connect-delay implemented
    * --cipher-range=* implemented for +cipher command
    * OSaft/Doc/Glossary.pm, use OSaft::Doc::Rfc
    * contrib/JSON-*.awk
    * o-saft-lib.pm: new cipher-ranges: c0xx, ccxx, ecc
    * +host command (to display host and DNS information) added
    * --exit=WARN implemented
    * --v prints each checked cipher for +cipher
    * more aliases for commands and options added (mainly from testssl.sh)
    * new options: --hint-check and --hint-info

Version: 17.06.17
  BUGFIX
    * counting exitcode for -exitcode corrected
    * reading +commands from RC-FILE
  CHANGES
    * names of +cipher* commands unified
    * cfg{ciphers_openssl} --> cfg{ciphers_local}
  NEW
    * --rc=path/to/RC-FILE added
    * --cfg-cipher=CIPHER=TEXT added
    * +rfc_2818_names implemented
    * +subjectaltnames added (alias)

Version: 17.05.17
  BUGFIX
    * o-saft-lib.pm: missing commands added to need-cipher list
    * --protosnpn=, corrected
    * +selected does not need to check for all ciphers
    * enable ALPN and NPN when testeing for ciphers (+cipher)
    * NET::SSLinfo.pm: passing -alpn and -nextprotoneg option to openssl corrected
  CHANGES
    * missing ciphers and missing cipher descriptions added
    * +info does no onger complain for missing ALPN/NPN functionality
    * NET::SSLinfo.pm: checks improved to detect handshake fail for HTTPS
    * NET::SSLinfo.pm: ::next_protos replaced by ::alpn_protos and ::npn_protos
    * check and warning messages for available functionality improved
  NEW

Version: 17.04.17
  BUGFIX
    * NET::SSLinfo.pm: avoid "Segmentation fault" when connection fails
    * NET::SSLinfo.pm: pass errors from openssl to caller (simple workaround)
    * label texts corrected for modulus_size_oldssl and modulus_exp_oldssl
    * print correct OpenSSL version for +version
    * do not load NET::SSLinfo for +cipherraw
    * o-saft-lib.pm: +lucky13 requires a cipher check: added to list * 'need-cipher'
  CHANGES
    * NET::SSLinfo.pm: %_OpenSSL_opt and s_client_*() for openssl capabilities * implemented
    * NET::SSLinfo.pm: internal method _stcmd improved
    * o-saft.pl: warning message improved if connection without SNI fails
    * o-saft.pl: --ignore-no-reply option added for more proper +heartbleed check
    * o-saft.pl: +modulus_exp_size renamed to +modulus_exp_oldssl
    * o-saft.pl: +modulus_size renamed to +modulus_size_oldssl
    * o-saft.pl: -trace-time improved
    * o-saft.pl: +npn renamed to +hasnpn; label texts adapted
    * o-saft-lib.pm: @npn renamed to cfg{next_protos}; cfg{usealpn} and cfg{usenpn} added
    * documentation improved
    * _load_modules(), _check_versions(), _check_methods() implemented
  NEW
    * NET::SSLinfo.pm: new function _ssleay_ssl_np() to set ALPN and NPN option
    * NET::SSLinfo.pm: do_ssl_new() and do_ssl_free() implemented
    * --ssl-error --ssl-error-max --ssl-error-timeout implemented
    * o-saft.pl: +alpn and +npn implemented
    * o-saft.pl: remove leading spaces for options when reading .o-saft.pl
    * o-saft.pl: better checks for ancient perl modules; documentation improved
    * .o-saft.pl: new command +fingerprints
    * o-saft.tcl: --load=FILE option implemented

Version: 17.03.17
  BUGFIX
    * bugfix: remove eading spaces in some values
    * Net::SSLeay.pm: set NPN option when used with sockets
    * "use of uninitialized value" at _useopenssl() call
    * assume CGI mode with --cgi-exec
    * better check of cfg{ca_path} (avoid uninitialized value)
    * wrong ca_path instead of ca_paths in trace output
    * don't complain "need Time::Local module for this check"
  CHANGES
    * +ocsp (check) command renamed to +ocsp_uri
    * +ocsp-subject-hash +ocsp-public-hash
    * o-saft-man.pm: HTML generated by --help=cgi improved
    * o-saft-man.pm: improved for --help=cgi (Full GUI)
    * o-saft-man.pm: improved for --help=cgi (Simple GUI)
    * Net::SSLinfo::::protocols renamed to ::next_prots
    * check withh --yeast-data improved
    * better check for Time::Local
    * +version reports information about Time::Local
    * documentation for options improved
  NEW
    * +ocsp (in .o-saft.pl)
    * +fingerprint_sha2
    * osaft.pm: @npn - list for NPN added
Version: 17.01.17
  BUGFIX
    * avoid useless data checks for +info command
    * no heartbleed check for +info
    * output format for +ocspid corrected
    * Net::SSLinfo.pm: parsing and extracting data for ocsp* corrected
    * Net::SSLinfo.pm: ocspid fully returned (workaround for openssl problem with "x509 -ocspid")
    * +selfsigned returns correct value (yes) if not self signed
    * +fingerprint_type returns type without additional strings
    * using path for --ca-path corrected
  CHANGES
    * --exitcode counts weak ciphers and protocols also
    * .o-saft.pl: documentation improved
    * +fingerprint_sha is alias for +fingerprint_sha1
  NEW
    * options --exitcode-no-* implemented
    * options --file-sclient= and --file_pem= added
    * +fallback_protocol implemented
    * options -CAfile and -CApath (as alias) added

Version: 16.12.16
  BUGFIX
    * processing commands and options improved (more variations allowed)
    * avoid crash if IO::Socket::SSL::get_sslversion() is missing
    * close and open socket if SSL connection failed
    * avoid "Segmentation fault" when X509 data is missing
    * avoid "Segmentation fault" when $x509 is empty or undef
  CHANGES
    * checking for (default) selected cipher improved
    * better error handling if connection to target fails
    * o-saft-man.pm: layout for +help=* commands improved
    * o-saft-dbx.pm: print exitcode with --trace only
    * Net::SSLinfo.pm: set user-specified timout for TCP and SSL connection
  NEW
    * +fingerprint-sha2 implemented
    * +cipher-default implemented
    * --rc option implemented
    * --socket-reuse added and implemented
    * o-saft.tcl: STDOUT button added
    * contrib/zap_config.xml added

Version: 16.11.16
  BUGFIX
    * avoid perl warning when checking certificate dates
    * better check for ext_crl and ocsp_uri (avoid perl warnings)
    * osaft.pm: regex->TR-02102  corrected
    * .o-saft.pl: cmd-info should not contain selected
  CHANGES
    * o-saft-man.pm: comments? description for TR-02102-2 (2016-01) instead of TR-02102-2 (2013-01)

Version: 16.11.14
  BUGFIX
    * Net::SSLinfo.pm: avoid "Segmentation fault" if $x509 is empty or undef
    * avoid "Use of uninitialized value ..." in some rare cases
    * *ARIA-* cipher descriptions improved
  CHANGES
    * Net::SSLinfo.pm: support modern Net::SSLeay::CTX_* methods
    * Net::SSLinfo.pm: better check if X509 certificate data is available
    * Net::SSLinfo.pm: test_ssleay -> ssleay_test
  NEW
    * Net::SSLinfo.pm: new ssleay_methods()

Version: 16.09.29
  BUGFIX
    * avoid "Use of uninitialized value ..." for $version::VERSION (see issue 51)
    * PSK-* cipher descriptions improved; PSK-* cipher descriptions improved
    * check for CN improved (DV and EV certificates)
    * contrib/.o-saft.tcl: syntax error corrected
    * some regex non-capturing groups corrected (parsing options only)
  CHANGES
    * commands for cipher checks unified (+*_cipher); alias commands added
    * check for CRIME improved (SPDY/3 is vulnerable)
    * Net/SSLinfo.pm: sequence for "nextprotoneg" reversed (weakest first)
  NEW
    * searching documentation improved
    * return exit status for checks with result with option --exitcode
    * +cnt_checks_no and +cnt_checks_yes implemented
    * +cbc_cipher and +des_cipher command added
    * ARIA ciphers descriptions added
    * cfg(TKPOD) added (external viewer for POD files)

Version: 16.09.16
  BUGFIX
    * filter scripts contrib/* adapted to new formats; print all lines
  CHANGES
    * files removed: generate_ciphers_hash, openssl_h-to-perl_hash, INSTALL-devel.sh
  NEW
    * INSTALL.sh

Version: 16.08.01
  BUGFIX
    * print warning if OPENSSLDIR is missing (see https://github.com/OWASP/O-Saft/issues/29 )
    * remove trailing path when compareing FQDNs
    * output for --legacy=compact corrected (bug since 1.407)
    * handle arguments after --trace option correctly
    * don't call openssl if not available
    * avoid "uninitalited value" in checks if no certificate data is available
  CHANGES
    * --v print performed cipher checks
    * better check of required versions; warning messages unified
    * o-saft-man.pm: "Using outdated modules" section added; documentation improved
  NEW
    * o-saft.tcl: quick access for O-Saft options added
    * Net::SSLinfo.pm: detect more SPDY protocols (h2c,npn-spdy/2) and X-Firefox-Spdy

Version: 16.08.01
  BUGFIX
    * handle missing data in .o-saft.tcl properly
    * bugfix: on some Mac OS X tk_getSaveFile has no -confirmoverwrite option
  CHANGES
    * use IO::Socket::SSL without version, but warn if not sufficient
    * o-saft.tcl: layout improved
  NEW
    * Sweet32 implemented and added to glossar
    * HEIST added to glossar

Version: 16.06.01
  BUGFIX
    * check for supported ciphers uses full match
    * parsing X509 data improved (avoids: Use of uninitialized value ...)
    * missing host and port parameter added in some check* functions added
    * +sts_maxage0d checks corrected (check if STS reset aka max-age=0)
    * o-saft.tcl: do not set tooltip if fontchooser misses
    * do not print Cipher Summary for legacy formats
    * print selected ciphers from --legacy=format only once
    * allow mixed case in customized texts (--cfg-*= options)
    * --legacy=sslscan without perl warnings
    * some texts corrected in o-saft.tcl
  CHANGES
    * o-saft.tcl: better detection of section header lines in help
    * o-saft.tcl: context sensitive help buttons
    * o-saft.tcl: hash-bang line improved
    * o-saft-README disabled as most people are not willing to read it
    * critic.sh: check for potential repository files and skipp check for them
  NEW
    * Sweet32 implemented and added to glossar
    * HEIST added to glossar
    * new commands can be added with --cfg-cmd=*
    * +hsts_httpequiv +hsts_preload added
    * o-saft.tcl: home, back, next button added

Version: 16.05.10
  BUGFIX
    * print properly aligned text for --help=cfg-*
    * output for "Total number of checked ciphers" corrected
    * +ciphers command honors --legacy option
    * avoid perl warning "Argument isn't numeric" when getting bits of a cipher
  CHANGES
    * --help=* simplified (formal change)
    * printing of internal data with --help=* simplified and unified
    * --cfg-* settings improved
    * print Hint for +renegotiation check
    * Net::SSLinfo.pm: new variables: starttls and proxy*
  NEW
    * --help=hint implemented
    * --hint and --no-hint implemented
    * man_alias() implemented for --help=alias
    * man_pod() implemented for --help=gen-pod
    *

Version: 16.04.14
  CHANGES
    * %cfg no defined in osaft.pm only
    * use !!Hint instead of **Hint
    * description for compliance checks improved
  NEW
    * +crl_valid, +ocsp_valid: check if CRL and OSCP from certificate are valid
    * +rfc7525 implemented
    * contrib/.o-saft.tcl

Version: 16.04.02
  CHANGES
    * perlcritic: eval, grep with block form
    * perlcritic: use lexical loop iterator
    * documentation improved
    * o-saft.tcl: table of content improved for help
    * o-saft.tcl: don't show button for empty configuration window
  NEW
    * --checks implemented (compatibility with TLS-Check.pl)
    * osaft_sleep() as wrapper for IO::select added
    * +sts_expired added: STS max-age < certificate's validity
    * new options --starttls-phase* and --starttls-error*
    * contrib/critic.sh added

Version: 16.03.30
  BUGFIX
    * Net/SSLinfo.pm: prototypes for do_openssl() and do_ssl_open() corrected
    * Net/SSLhello.pm: constants added; $me* variables removed
    * Net/SSLhello.pm: setting _trace variable in version() removed
  NEW
    * Net/SSLinfo.pm: dummy function net_sslinfo_done() added
    * Net/SSLhello.pm: dummy function net_sslhello_done() added

Version: 16.03.27
  CHANGES
    * o-saft.pl: configuration moved to osaft.pm
  NEW
    * +drown check for DROWN attack vulnerability

Version: 16.03.26
  CHANGES
    * o-saft.pl: configuration moved to osaft.pm

Version: 16.03.16
  BUGFIX
    * duplicate hint message for +quit corrected
  CHANGES
    * o-saft-dbx.pm: _yeast_args() improved
    * o-saft-man.pm: Program Code documentation improved
    * o-saft-man.pm: typos corrected and more glossar
  NEW
    * o-saft-man.pm: hint to check Net::SSLeay methods added to INSTALLATION
    * --slow-server-delayand --sni-toggle added

Version: 16.01.16
  BUGFIX
    * duplicate hint message for +quit corrected
  CHANGES
    * most configuration now in osaft.pm
  NEW
    * experimental: SLOTH check
    * contrib/bunt.pl: postprocess script to colourize shell output
    * contrib/bunt.sh: postprocess script to colourize shell output

Version: 30.12.15
  BUGFIX
    * do not print cipher summary if no ciphers were checked
    * --help=wiki prints wiki list items with leading : (colon)
    * pretty-print path in output for +version
  CHANGES
    * USAGE improved; no more +cipher as default command
    * checking DH parameters simplified
    * +version prints path of included (use) module
    * _trace_1arr() renamed to _trace_cmd()
    * INSTALLATION section improved
    * help: SECURITY section moved to top
    * collect *ARG* variables in %cfg for debugging
    * o-saft_bench: output format improved; accept host as parameter
  NEW
    * description for some more CHACHA cipher suites added
    * --exit=* for debugging implemted
    * --trace-me and --trace-not-me implemented
    * +cipher-sh implemented
    * o-saft-man.pm: INSTALLATION section

Version: 15.12.15
  BUGFIX
    * some command aliases corrected
    * label for protocols corrected
  CHANGES
    * report ciphers with DH parameters if possible
    * description of compatibility options improved
  NEW
    * description for KCI and Invalid Curve Attack
    * new options --format=0x and --format=\x
    * more command aliases

Version: 15.11.15
  BUGFIX
    * o-saft-dbx.pm: avoid infinite loop for trace>2
  CHANGES
    * avoid warning if protocol disabled: cannot get default cipher
    * warning if openssl does not return DH parameters
    * checking DH paramters improved
    * workaround to avoid perl (Net::SSLeay) warnings for unsupported protocols
  NEW
    * --help=error --help=warning --help=problem added

Version: 15.10.15
  BUGFIX
    * Net::SSLinfo.pm: call Net::SSLeay::CTX_set_ssl_version() corrected
    * Net::SSLinfo.pm: alpn(), next_protocol() added
    * Net::SSLinfo.pm: handling of hex conversion on poor 32-bit systems improved
    * o-saft.tcl: quick & dirty fix to simplefy startup on Mac OSX
  CHANGES
    * o-saft.pl: checking protocols (and default) cipher improved
    * o-saft-dbx.pm: debug output improved
    * o-saft.tcl: layout improved
    * Net::SSLinfo.pm: more alternate protocols
  NEW
    * --linux_debug and --slowly option (passed to Net::SSLeay)
    * o-saft.pl: print hint about using +cipherall
    * o-saft.tcl: new Filter TAB; more filter rules
    * o-saft.tcl: more verbose output added

Version: 15.09.15
  CHANGES
    * output for +version improved
    * use perl constants for some strings in o-saft.pl
    * o-saft.tcl improved
    * respect --no-header option for output of --help=*
    * documentation, glossar improved
  NEW
    * new command  +help=ourstr  to print regex for matching own strings
    * logjam implemented

Version: 15.06.19
  BUGFIX
    * handle checks for EC public keys correctly
    * DTLSv09 is 0x0100
    * missing shorttexts added
    * support serial number in hex format; use Math::BigInt if necessary
    * check for +sernumber corrected
  CHANGES
    * all o-saft-*.pm print help if called by themselfs
  NEW
    * dh_parameter implemented
    * detect id-ecPublicKey as known and good encryption
    * support public key with EC parameters
    * DTLSv1x added (experimental)
    * +modulus_exp_size +modulus_size and +pub_encryption implemented

Version: 15.06.09
  BUGFIX
    * setting of path for CAs corrected (when --openssl=Tool is used)
    * using --openssl=TOOL corrected
  CHANGES
    * use VERSION as string constants
    * using string constants
  NEW
    * _yeast_prot() implemented in o-saft-dbx.pm
    * +session_protocol added to +protocols
    * +session_protocol +session_timeout added
    * improved +version

Version: 15.05.15

Version: 15.04.15
  CHANGES
    * o-saft.tcl markup for help text improved
    * support proxy and STARTTLS (no longer experimental)
  NEW
    * prepared for RFC 7525 check

Version: 15.04.05
  CHANGES
    * some texts for compliance texts changed
  NEW
    * --ignore-{cmd,output, --no-{cmd,output} implemented

Version: 15.04.04
  CHANGES
    * o-saft-dbx.pm: added $cfg{'ignore-out'}

Version: 15.04.02
  BUGFIX
    * check for wildcards in certificate's CN also


Version: 15.01.07
  BUGFIX
    * avoid huge memory consumtion (fix for issue/39)
  CHANGES
    * command line parsing improved
  NEW
    * new files in contrib/

Version: 14.12.07
    * new tarball

Version: 14.11.23
  BUGFIX
    * text for checks{hostname} corrected (check was ok, but proided text not accurate)
  CHANGES
    * cipherrange vor SSLv2 improved
  NEW
    * pass --mx option to SSLhello
    * pass --starttls-delay=SEC option to SSLhello
    * Net::SSLinfo hostname for SNI can be specified in $Net::SSLinfo::use_SNI
    * --sni-name=NAME added

Version: 14.11.22
  BUGFIX
  CHANGES
    * o-saft-man.pm: generating various formats improved
  NEW
    * new check: Certificate private key signature is SHA2
    * .o-saft.pl new check sha2signature added to +check and +quick

Version: 14.11.21
  BUGFIX
    * missing useecc parameter passed to Net::SSLhello
    * --h same as --help
    * better handling of results for +sigkey_algorithm
  NEW
    * --use-ec-point option passed to Net::SSLhello

Version: 14.11.20
  CHANGES
    * get VERSION for --help from caller
  NEW
    * o-saft-man.pm

Version: 14.11.19
  CHANGES
    * documentation improved
  NEW
    * o-saft-man.pm

Version: 14.11.18
  CHANGES
    * markup in documentation improved

Version: 14.11.17
  BUGFIX
    * check version mismatch

Version: 14.11.16
  CHANGES
    * beast-default removed

Version: 14.11.15
  NEW
    * --help=opt and --help=options implemented

Version: 14.11.14
  NEW
    * check for Poodle attack
    * --trace-time implemented
    * o-saft-dbx.pm: trace command prints timestamp for --trace-time
    * options for +cipherraw command documented
  BUGFIX
    * --showhost  print host:port
    * keys in internal hashes in lower case letters
    * .o-saft.pl: duplicate commands in -cfg_cmd=check removed
  CHANGES
    * _yeast_init() prints SSL versions to be checked with --v
    * .o-saft.pl: list of commands for +quick improved

Version: 14.10.12
  NEW
    * --cipherrange=shifted

Version: 14.07.27
  CHANGES
    * formal changes

Version: 14.07.26
  BUGFIX
    * @INC set in BEGIN{}

Version: 14.07.25
  CHANGES
    * using (require) modules and files simplified; documentation improved
    * warnings unified and improved
    * o-saft-usr.pl: usr_version() and usr_pre_init() added; formal (name) changes
  NEW
    * +TLS_FALLBACK_SCSV added
    * +VERSION implemented

Version: 14.07.18
  CHANGES
    * +ciphers and +list command improved (handle different output formats)

Version: 14.07.17
  BUGFIX
    * corrected output (counts) for command  +list --v
  CHANGES
    * cipher descriptions improved; missing descriptions added
    * print version mismatch (openssl vs. Net::SSLeay)
    * lazy commands added

Version: 14.07.16
  BUGFIX
    * avoid uninitialized value and WARNING messages for some commands
  CHANGES
    * options -v and -V improved
    * formal changes

Version: 14.07.15
  BUGFIX
    * avoid uninitialized value in +list command

Version: 14.07.14
  CHANGES
    * cipher descriptions improved; security and score qualification adapted

Version: 14.07.07
  CHANGES
    * check for low memory
    * backticks replaced by qx()

Version: 14.06.30
  CHANGES
    * TECHNICAL INFORMATION added
  NEW
    * --starttls=PROT added (experimental)
    * --ssl-maxciphers added

Version: 14.06.16
  BUGFIX
    * printing warnings enabled
  CHANGES
    * --experimental option added

Version: 14.06.15
  CHANGES
    * formal changes

Version: 14.06.14
  BUGFIX
  CHANGES
    * printmediawiki() moved to o-saft-usr.pm::usr_printwiki()
    * commands unified: +gen-html +gen-wiki +gen-cgi

Version: 14.06.13
  BUGFIX
    * bugfix: parsing --trace (without argument) corrected (bug since 14.06.08)
    * honor --noSSL options for +cipherraw command
  CHANGES
    * improvements for CGI usage; internal option --cgi-exec
    * formal changes in documentation

Version: 14.06.12
  CHANGES
    * avoid error messages when gethostbyaddr() fails

Version: 14.06.11
  CHANGES
    * store all --usr* options and arguments in $cfg{'usr-args'}

Version: 14.06.10
  BUGFIX
    * avoid perl's uninitalized value after GET request
    * +cipher and cipherraw (commnad line parsing) corrected
    * no SNI for SSLv3 with +cipherraw

Version: 14.06.08
  CHANGES
    * --no-rc option added
    * scanning options and arguments from command line simplified and improved
  NEW
    * --help=range implemented
    * +quit command implemented

Version: 14.06.07
  CHANGES
    * -ssl-* options for +cipherraw command added; check with and without SNI for +checkraw

Version: 14.06.05
  CHANGES
    * +version improved (print more informations about Net::SSLeay)

Version: 14.06.04
  BUGFIX
    * bugfix: print usage with correct script name

Version: 14.06.01
  NEW
    * --cipherrange=RANGE implemented; +cipherall supports full range

Version: 14.05.31
  CHANGES
    * print $Net::SSLhello::VERSION with --trace and --version

Version: 14.05.27
  BUGFIX
    * using scalar() instead of length() for array

Version: 14.05.26
  NEW
    * --help=wiki implemented

Version: 14.05.25
  CHANGES
    * avoid some check warnings for +cipherall

Version: 14.05.24
  NEW
    * --no-md5-cipher implemented (avoids some error messages)

Version: 14.05.23
  BUGFIX
    * avoid some checks and connections if not required by given command

Version: 14.05.22
  CHANGES
    * better compatibility to ssldiagnose.exe
    * compatibility ssl-cert-check, THCSSLCheck
  NEW
    * +constraints check implemented
    * --protocol SSL implemented; better compatibility to ssldiagnose.exe
    * --printavailable as alias for +ciphers

Version: 14.05.21
  BUGFIX
    * +ciphers command re-enabled

Version: 14.05.21
  NEW
    * +tlsextensions implemented

Version: 14.05.20
  CHANGES
    * +ext_* commands enabled
    * more TLS extensions added

Version: 14.05.17
  BUGFIX
    * parsing command line argunents improved

Version: 14.05.16
  CHANGES
    * output for --legacy=compact improved

Version: 14.05.15
  CHANGES
    * output for --tracecmd improved
    * output for --no-http improved
    * passing options and arguments to openssl improved

Version: 14.05.14
  CHANGES
    * detect more TLS extensions; +heartbeat and --no-tlsextdebug implemented

Version: 14.05.13
  NEW
    * prepared for TLSv1.3

Version: 14.05.12
  NEW
    * +cipherall implemented with Net/SSLhello.pm; ALPHA version!
    * Net/SSLhello.pm

Version: 14.05.11
  CHANGES
    * some missing cipher descriptions added

Version: 14.05.10
  BUGFIX
    * "None" values are mainly treated as "no" for checks

Version: 14.05.09
  BUGFIX
    * setting default +cipher command corrected if no command given
    * bugfix: avoid "Broken Pipe" if connection fails

Version: 14.05.08
  BUGFIX
    *
  CHANGES
    * o-saft-dbx.pm: _yeast_init() improved

Version: 14.05.07
  BUGFIX
    * missing descriptions for KRB5* ciphers added

Version: 14.05.07
  CHANGES
    * print warning for invalid command combinations (defense, user-friendly programming)

Version: 14.05.06
  NEW
    * --ssl-lazy option implemented

Version: 14.05.05
  NEW
    * --no-warning implemented

Version: 14.04.28
  NEW
    * +cipherall ALPHA version implemented

Version: 14.04.27
  CHANGES
    * more _trace*() functions added

Version: 14.04.26
  NEW
    * --proxy* options added (but no functionality)

Version: 14.04.24
  BUGFIX
    * output corrected for  --showhost --legacy=full
  CHANGES
    * improved path settings for windows

Version: 14.04.10
  NEW
    * +heartbleed implemented

Version: 14.02.17
  BUGFIX
    * +sts implies --http
    * +sts command re-implemented

Version: 14.02.01
  BUGFIX
    * use SNI if possible for cipher checks (+cipher command)
  CHANGES
    * +version improved
  NEW
    * --force-sni added

Version: 14.1.31
  CHANGES
    * code cleanup

Version: 14.1.30
  CHANGES
    * --cipher no longer alias for +cipher so we can support "--cipher CIPHER" option

Version: 14.1.29
  CHANGES
    * code cleanup for checkciphers()
    * check Net::SSLeay::cipher_local() can return array
    * check Net::SSLeay::VERSION < 1.49

Version: 14.1.28
  CHANGES
    * +default can get cipher using openssl

Version: 14.1.27
  BUGFIX
    * parsing options and commands improved
  CHANGES
    * documentation improved
    * +quick command uses common output format (instead of --legacy=quick)

Version: 14.1.26
  CHANGES
    * typos documentation corrected
  NEW
    * --call=METHOD implemented

Version: 14.1.25
  CHANGES
    * allow --exe-path=PATH and --lib-path=PATH
    * --lib= and --exe= can be used multiple times
    * debugging improved; _yeast_args() added; _yeast_init() improved

Version: 14.1.24
  CHANGES
    * allow --exe-path=PATH and --lib-path=PATH
    * --lib= and --exe= can be used multiple times
    * debugging improved; _yeast_args() added; _yeast_init() improved

Version: 14.1.23
  BUGFIX
    * +pfs command enabled
  CHANGES
    * SSL protocol options (SSL version, cipher list) improved
    * collecting SSL information improved
  NEW
    * commands +options +sslversion +cert_type +error_verify +error_depth

Version: 14.1.22
  BUGFIX
    * +default command enabled
    * avoid uninitialized value
  CHANGES
    * set SSL protocol version for connections
    * Net::SSLinfo::do_ssl_close() with version list parameter

Version: 14.1.21
  NEW
    * existing socket for connection can be provided with $Net::SSLinfo::socket
    * usr_pre_open() added

Version: 14.1.12
  UPDATE
    * get list of ciphers improved: cipher_list() uses Net::SSLeay::new() to get list of ciphers
  NEW
    * new sub usr_pre_info() in o-saft-usr.pm

Version: 14.1.4
  BUGFIX
    * bugfix: regex for pubkey_value on windows
    * bugfix: empty len_public_key and len_sidump on windows corrected
  UPDATE
    * documentation improved

Version: 14.1.3
  BUGFIX
    * bugfix: avoid perl warning for +cipher
    * bugfix: avoid perl warning in Net::SSLinfo::do_openssl()

Version: 14.1.2
  BUGFIX
    * bugfix: avoid perl warning in Net::SSLinfo::do_openssl()

Version: 14.1.1
  NEW
    * option --win-CR implemented

Version: 13.12.31
  BUGFIX
    * bugfix: separator in output for --trace-corrected
    * bugfix: no checks for master_key and session_id to avoid perl warnings
    * bugfix: initialization of check values corrected
  UPDATE
    * Net::SSLeay initialization inside BEGIN{}
    * use Net::SSLeay::set_tlsext_host_name() for SNI

Version: 13.12.30
  BUGFIX
    * check for +ev improved
  NEW
    * +dv command and checks added

Version: 13.12.29
  BUGFIX
    * bugfix: missing \n added when printing checks with --legacy=full
  UPDATE
    * check for CN= in checkev()
    * +ev improved
    * special handling for +ev removed (use --legacy=full now)

Version: 13.12.28
  NEW
    * +chain_verify command added
    * documentation according +verify, +selsigned added

Version: 13.12.27
  NEW
    * options --ca-file  --ca-path --ca-depth implemented

Version: 13.12.26
  BUGFIX
    * print hostname correctly with --showhost
    * reset checks when multiple hosts are given
    * --tracekey and --showhost was missing for +check

Version: 13.12.25
  NEW
    * --usr option for o-saft-usr.pm implemented
    * new file o-saft-usr.pm

Version: 13.12.24
  NEW
    * --tab option added
    * contrib file

Version: 13.12.21
  UPDATE
    * --help=cfg_{check,data,text} and --cfg_{check,data,text}= implemented the same way

Version: 13.12.20
  UPDATE
    * don't read external files in CGI mode

Version: 13.12.19
  UPDATE
    * formal changes
    * --yeast implemented to call _yeast_data()
    * _yeast_data() improved; documentation improved in o-saft-dbx.pl
    * don't read external files in CGI mode

Version: 13.12.18
  UPDATE
    * --cfg_* configuration options implemented
    * CUSTOMIZATION description added

Version: 13.12.17
  UPDATE
    * samples to redefine texts in Deutsch added in .o-saft.pl
    * --cfg_text* implemented
    * print internal data with --help=* simplified
    * --set-score renamed to --cfg_score
Version: 13.12.16
Version: 13.12.15
  BUGFIX
    * (issue 16) define $_timeout variable when missing (Mac OS X problem)
    * reading score values from files corrected; allow + in score settings
  UPDATE
    * get subject_hash and issuer_hash from Net::SSLeay
    * commands issuer and issuer_hash added to --cfg_cmd-info in .o-saft.pl
  NEW
    * +chain to retrive Certificate Chain implemented
    * +protocols to retrive supported protocols by target (requres openssl
      with -nextprotoneg support)

Version: 13.12.14
  NEW
    * Serial Number <= 20 octets (RFC5280, 4.1.2.2. Serial Number)
    * new commands len_sernumber and sernumber added to --cfg_cmd-check in .o-saft.pl

Version: 13.12.13
  UPDATE
    * documentation improved (better English)

Version: 13.12.12
  BUGFIX
    * error handling for DNS corrected (if something failed)
    * no scoring for +info (avoids some "unitialised" warnings too)
    * avoid some warnings with --cmd-* in .o-saft.pl
    * reverse hostname computation corrected
    * --cfg_cmd-check withoud valid command in .o-saft.pl
  NEW
    * --cfg_cmd-quick added in .o-saft.pl

Version: 13.12.11
  BUGFIX
    * STS check corrected
  UPDATE
    * +http improved
    * huge code cleanup; checks improved; scoring now in sub scoring()
    * Net/SSLinfo.pm: hsts_pins renamed to https_pins; hsts renamed to https_sts
  NEW
    * o-saft-README file implemented
    * o-saft-dbx.pm with functions for debug, trace and verbose output
    * .o-saft.pl as local resource file implemented
    * --cfg_text-*  and --cfg_cmd-* options implemented

Version: 13.12.09
  UPDATE
    *  duplicate messages removed

Version: 13.12.08
  BUGFIX
    * bugfix: check for renegotiation and resumption corrected
  UPDATE
    * --no-header avoids printing most formating lines

Version: 13.12.07
  BUGFIX
    * --showhost works for +check too
    * checks corrected if --no-http was used
    * checks improved  if --no-cert was used
    * bugfix: missing (..) added in sub checkhttp
  UPDATE
    * code cleanup and simplified, all %check_* --> %checks
    * documentation improved
  NEW
    * --help=cmd, --help=commands, --help=intern

Version: 13.11.30
  UPDATE
    * _yeast_data() implemented; documentation improved for o-saft-dbx.pm
    * cleanup for texts

Version: 13.11.29
  BUGFIX
    * some warnings (perl -w) corrected (for --no-cert option)
  UPDATE
    * code cleanup for checkssl()
    * output for +check sorted
    * output improved for --no-cert option

Version: 13.11.28
  UPDATE
    * check hostname vs. certificate name improved

Version: 13.11.27
  UPDATE
    * omit cipher checks if protocoll not supported for BSI TR-02102

Version: 13.11.26
  BUGFIX
    * better extraction of certificate extensions details
  NEW
    * check invalid characters in extensions added

Version: 13.11.25
  BUGFIX
    * checks for CRL, OCSP corrected;
    * missing EV checks for AIA, CRL and OCSP added
    * ouput of certificate extensions corrected
  NEW
    * commands for details of certificate extensions added
      ext_authority, ext_cps, ext_crl, ...

Version: 13.11.23
  NEW
    * +extensions implemented; --header, --no-header implemented

Version: 13.11.22
  BUGFIX
    * print cipher totals for all versions; some texts unified

Version: 13.11.21
  BUGFIX
    * "Given hostname is same as reverse resolved hostname" ccorrected
    * check for wildcards in TR-02102-2 compliance corrected
    * +info--v command fixed; _dump() call
  UPDATE
    * texts and output layout unified; prepared for configurable texts
    * debug, trace and verbose functions are emty stubs, now in o-saft-dbx.pm
  NEW
    * o-saft-dbx.pm with functions for debug, trace and verbose output

Version: 13.11.20
  UPDATE
    * texts and output layout unified; prepared for configurable texts
    * certificate's date checks improved

Version: 13.11.19
  BUGFIX
    * some warnings (perl -w) corrected
    * perl warnings fixed for +version command
  UPDATE
    * --trace command improved
    * function calls unified
    * using temporary variables for better (human) readability
  NEW
    * --trace=VALUE implemented; --trace-cmd implemented

Version: 13.11.18
  UPDATE
    * function calls unified
    * using temporary variables for better (human) readability

Version: 13.11.17
  BUGFIX
    * missing labels in output added
    * +bsi does not inhibit other checks
    * +quick with more check (got lost with implementation of +bsi)
  UPDATE
    * some labels in output improved
    * +quick improved with labels

Version: 13.11.16
  UPDATE
    * missing security flag for some ciphers added; documentation improved

Version: 13.11.15
  UPDATE
    * RC4 ciphers degraded as weak

Version: 13.11.14
  UPDATE
    * documentation and glossar improved

Version: 13.11.13
  NEW
    * compliance check: BSI TR-02102 implemented; command +bsi

Version: 13.11.12
  UPDATE
    * glossar improved

Version: 13.11.11
  BUGFIX
    * parsing altname in certificate corrected
  UPDATE
    * +sts alias for +hsts
  NEW
    * check for RC4 implemented

Version: 13.10.22
  UPDATE
    * retrive target data for: krb5 psk_hint psk_identity srp master_key session_id session_ticket

Version: 13.10.20
  BUGFIX
    * connecting with openssl improved for openssl 1.0.1.e
  UPDATE
    * --v honored in various modes
    * --format=hex  includes +fingerprint
  NEW
    * reading options and arguments from rc-file implemented

Version: 13.10.19
  BUGFIX
    * more improvements for perl's -w
    * Net::SSLinfo::do_openssl() uses optional $data parameter; code improved

Version: 13.10.18
  BUGFIX
    * bugfix: variable syntax corrected; more improvements for perl's -w

Version: 13.10.17
  BUGFIX
    * code improved for perl's -w

Version: 13.10.16
  BUGFIX
    * syntax improved for ActivePerl
  UPDATE
    * INSTALLTION part added to README file

Version: 13.10.14
  BUGFIX
    * --cmd=quick is same as +quick
    * --help=checks instead of --help=check

Version: 13.10.11
  BUGFIX
  UPDATE
    * --v honored in various modes
    * --format=hex  includes +fingerprint
  NEW
    * description for CIPHER NAMES

Version: 13.09.29
  BUGFIX
    * check --envlibvar= option
    * +cipher command corrected
  UPDATE
    * fomal code changes in checkciphers()
  NEW
    * --force-openssl implemented to use openssl for cipher checks

Version: 13.09.28
  BUGFIX
    * s_client command corrected
    * PFS check label text corrected
    * Net::SSLinfo::do_openssl() supports ciphers command correctly
  NEW
    * EV-SSL checks implemented
    * +subject_ev implemented

Version: 13.09.27
  UPDATE
    * minor changes of output texts
  NEW
    * --format=hex implemented

Version: 13.09.25
  UPDATE
    * regex and check for compliance and attacks improved

Version: 13.09.16
  BUGFIX
    * label for EDH check corrected
    * RegEx ADHorDHA and DHEorEDH corrected
  UPDATE
    * glossar improved
  NEW
    * --format=raw implemented

Version: 13.09.15
  BUGFIX
    *  +list command exits
  NEW
    * check  for CRIME implemented

Version: 13.09.14
  BUGFIX
    * BEAST check for default cipher corrected

Version: 13.09.13
  UPDATE
    * documentation improved
    * huge amount of code cleanup (no change of functionality)

Version: 13.09.12
    not released

Version: 13.09.11
  BUGFIX
    * reverse hostname lookup corrected; now prints list
    * print host (target) information before doing checks
  UPDATE
    * be greedy to allow +BEAST, +CRIME, etc.
    * cipher names are prependet by SSL version in +check output
    * documentation (COMMANDS, OPTIONS) improved
    * legacy option improved
  NEW
    * -no-dns implemented (workaround for '<gethostbyaddr() failed>)
    * %cfg{regex} added

Version: 13.09.10
  BUGFIX
    * output for some legacy formats corrected (sslscan, ssltest, sslyze)
    * print correct SSL version for ciphers in results
    * legacy option --no-failed corrected
  UPDATE
    * Glossar improved

Version: 13.09.09
  BUGFIX
    * +cipher command corrected

Version: 13.09.08
  NEW
    * --cipher= allows other names;  _find_cipher_name() implemented

Version: 13.09.07
  BUGFIX
    * --short texts corrected
  UPDATE
    * scoring improved
    * documentation improved
  NEW
    * +quick  command for quick and simple check
    * +http   command for HTTP(S) checks
    * --legasy=testsslserver  implemented

Version: 13.07.31
  UPDATE
    * debugging and tracing improved
  NEW
    * STS     checks implemented (scoring not yet perfect)
    * PFS     checks implemented
    * --format=raw implemented
    * new commands:  +sigkey_value, +sigkey_algorithm, +sigkey_len

Version: 13.03.31
  BUGFIX
    * avoid useless or wrong output when --no-cert given
  UPDATE
    * glossar
  NEW
    * --http  implemented
    * --set_score implemented
    * --help=LABEL implemented
    * --ignorecase implemented
    * --showhost implemented
    * scoring implemented (first simple attempt)



