Release Notes - Version 2.0.3.131

TYCHON Quantum Readiness Scanner

Latest Release · Major Feature Release

Release Date: June 2026

This is the largest feature release since 2.0.0. Version 2.0.3.131 introduces application-centric scanning output, Windows Kerberos encryption type detection, encrypted file discovery, VDI stable host identity, a native macOS crypto library scanner, hardware PQC benchmarking, an opt-in encrypted tracking database, expanded PQC algorithm coverage, and over a dozen targeted bug fixes across all output formats. OpenSSL has been removed as a runtime dependency — all previously covered CVEs are addressed through native implementations.

What's New at a Glance

Application-Centric Output
New -cipherscanquick mode consolidates all port, certificate, and memory findings by process — not by port.
Kerberos Encryption Detection
Detects whether Windows hosts allow RC4, DES, AES128, or AES256 for Kerberos authentication — surfaced in quantum readiness scoring.
Encrypted File Discovery
Detects encrypted Office OOXML files, PGP/GPG archives, and encrypted containers within application directories.
VDI Stable Host Identity
Persistent identity for non-persistent VDI pools using a 4-tier resolution chain including profile file and username hash fallbacks.
macOS Native Dylib Scanner
New native macOS crypto library scanner using dyld shared cache inspection — no longer relying solely on process memory reads.
OMB M-23-02 CSV Report
Standalone 34-column federal cryptographic inventory CSV — one row per application, aligned to NSM-10 agency reporting requirements.
Enhanced Memory Scanning
In-memory private key (RSA, EC, ED25519, encrypted) and X.509 certificate detection expanded across Linux and macOS using native OS memory APIs.
Config & Keystore Discovery
Process app roots are scanned for TLS cert references in config files (nginx, Apache, Spring, HAProxy, Envoy) and keystores (JKS, PKCS#12, OS stores).
IIS Site Detection (Windows)
Reads applicationHost.config to enumerate IIS sites, HTTPS bindings, SNI virtual hosts, app pools, and physical paths. IIS version from registry.
Go 1.25.9 — OpenSSL Removed
Go runtime resolves CVE-2025-61726. OpenSSL dropped as a dependency — all 19 previously covered CVEs remain addressed through native TLS and crypto primitives.
PQC Hardware Benchmarking
New -hardware-benchmark flag measures ML-DSA and ML-KEM throughput on the local CPU. Console summary table shows ops/sec and pass/fail for all 15 algorithm operations.
Encrypted Tracking Database
Opt-in change-tracking database (-enable-tracking) stores all values AES-256-GCM encrypted + gzip compressed with owner-only (0600) file permissions.
Expanded PQC Algorithm Coverage
Passive HRR detection surfaces BIKE-L1/L3/L5 and FrodoKEM on PQC-only servers. All 721 Open Quantum Safe ports enumerable. 35+ KEX groups supported.

New Features

TQR-309 NEW

Application-Centric Scan Output (-cipherscanquick)

The scanner now defaults to application-centric mode in local scans. Instead of organizing findings by port, all TLS, certificate, in-memory crypto library, and filesystem certificate results are consolidated under the owning application process. This produces a dramatically more actionable output for asset inventory and remediation workflows.

New NDJSON Event Datasets
  • tychon.cipher_quick — per-port quick cipher result
  • tychon.application — full application rollup
  • tychon.connected_quick — outbound connection findings
JSON app_report Structure
  • applications[] — one entry per executable
    • Multiple PIDs sharing an exe are merged
    • Each entry carries quantum_grade
  • orphan_findings for unattributed ports

Flag aliases: -cipherscanquick, -quickscancipher, -cipherquickscan (all equivalent). Default is true. -cipherscan has been deprecated.

Note: Application-centric output (app_report) is only built in local scan mode. Remote mode continues to use port-centric output. CSV output format now requires cipherscanquick mode.

WINDOWS NEW

Kerberos Encryption Type Detection

The scanner now reads the Windows SupportedEncryptionTypes registry value to detect which Kerberos encryption algorithms the host permits. RC4-HMAC for Kerberos is deprecated (RFC 8429), exploitable via Kerberoasting and MS14-068, and prohibited by CNSA 2.0. This detection closes a critical compliance gap for DoD and federal environments.

Group Policy (Priority 1)
SOFTWARE\...\Kerberos\Parameters
LSA Direct (Priority 2)
SYSTEM\...\Lsa\Kerberos\Parameters
OS Default (Fallback)
Inferred from Windows version

When the registry key is absent, the scanner infers the OS default based on Windows version:

  • Windows 10/11 / Server 2016+: RC4 + AES128 + AES256 — is_explicitly_configured: false
  • Windows 7 / Server 2008 R2: DES + RC4 + AES128 + AES256 — is_explicitly_configured: false

Output fields emitted in tychon.quantum_readiness:

kerberos.config_source, kerberos.is_explicitly_configured, kerberos.has_rc4, kerberos.has_des, kerberos.has_aes128, kerberos.has_aes256, kerberos.is_quantum_safe, kerberos.raw_bitmask, kerberos.supported_types

Quantum Score Impact: Kerberos configuration now influences the SystemCryptoScore component of the quantum readiness grade. DES enabled: −15 pts | RC4 explicit: −10 pts | RC4 by OS default: −5 pts | AES-only (explicit): no penalty. Score is floored at 0.
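
The source priority, bitmask decoding and score deductions described above, as an added Go example (not the scanner's own code). The bit values are the SupportedEncryptionTypes flags from MS-KILE; the ConfigSource strings, the nil-pointer convention for an absent registry value, and the choice to add the DES and RC4 deductions together are assumptions, and kerberos.is_quantum_safe is left out because the notes do not define it.

```go
package main

import "fmt"

// SupportedEncryptionTypes bit flags as defined in MS-KILE.
const (
	bitDESCRC uint32 = 0x01 // DES-CBC-CRC
	bitDESMD5 uint32 = 0x02 // DES-CBC-MD5
	bitRC4    uint32 = 0x04 // RC4-HMAC
	bitAES128 uint32 = 0x08 // AES128-CTS-HMAC-SHA1-96
	bitAES256 uint32 = 0x10 // AES256-CTS-HMAC-SHA1-96

	// OS defaults the release notes give for an absent registry value.
	defaultModern = bitRC4 | bitAES128 | bitAES256        // Windows 10/11, Server 2016+
	defaultLegacy = defaultModern | bitDESCRC | bitDESMD5 // Windows 7, Server 2008 R2
)

var encNames = []struct {
	bit  uint32
	name string
}{
	{bitDESCRC, "DES-CBC-CRC"}, {bitDESMD5, "DES-CBC-MD5"}, {bitRC4, "RC4-HMAC"},
	{bitAES128, "AES128-CTS-HMAC-SHA1-96"}, {bitAES256, "AES256-CTS-HMAC-SHA1-96"},
}

// KerberosFinding mirrors the kerberos.* output fields. The ConfigSource
// strings are placeholders: the notes do not list the emitted values.
type KerberosFinding struct {
	ConfigSource           string
	IsExplicitlyConfigured bool
	HasDES, HasRC4         bool
	HasAES128, HasAES256   bool
	RawBitmask             uint32
	SupportedTypes         []string
}

// resolveKerberos applies the documented priority: the Group Policy value,
// then the LSA value, then the OS default. A nil pointer means "value absent".
func resolveKerberos(gpo, lsa *uint32, osDefault uint32) KerberosFinding {
	f := KerberosFinding{ConfigSource: "os_default", RawBitmask: osDefault}
	if gpo != nil {
		f = KerberosFinding{ConfigSource: "group_policy", RawBitmask: *gpo, IsExplicitlyConfigured: true}
	} else if lsa != nil {
		f = KerberosFinding{ConfigSource: "lsa", RawBitmask: *lsa, IsExplicitlyConfigured: true}
	}
	for _, e := range encNames {
		if f.RawBitmask&e.bit != 0 {
			f.SupportedTypes = append(f.SupportedTypes, e.name)
		}
	}
	f.HasDES = f.RawBitmask&(bitDESCRC|bitDESMD5) != 0
	f.HasRC4 = f.RawBitmask&bitRC4 != 0
	f.HasAES128 = f.RawBitmask&bitAES128 != 0
	f.HasAES256 = f.RawBitmask&bitAES256 != 0
	return f
}

// kerberosPenalty returns the points deducted from SystemCryptoScore.
// Assumption: the DES and RC4 deductions add up when both apply.
func kerberosPenalty(f KerberosFinding) int {
	p := 0
	if f.HasDES {
		p += 15
	}
	if f.HasRC4 && f.IsExplicitlyConfigured {
		p += 10
	} else if f.HasRC4 {
		p += 5
	}
	return p
}

// applyKerberosPenalty deducts the penalty and floors the score at 0.
func applyKerberosPenalty(score int, f KerberosFinding) int {
	if score -= kerberosPenalty(f); score < 0 {
		return 0
	}
	return score
}

func main() {
	aesOnly := uint32(0x18) // constructed sample: a GPO that allows AES128 + AES256 only
	for _, f := range []KerberosFinding{
		resolveKerberos(nil, nil, defaultModern),
		resolveKerberos(nil, nil, defaultLegacy),
		resolveKerberos(&aesOnly, nil, defaultModern),
	} {
		fmt.Printf("%-12s 0x%02x %v penalty=%d\n", f.ConfigSource, f.RawBitmask, f.SupportedTypes, kerberosPenalty(f))
	}
}
```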

ALL PLATFORMS NEW

Non-TLS Protocol Cipher Detection (SMB3, SNMPv3, Kerberos)

The scanner now detects encryption algorithm usage in three protocols that implement their own cryptographic stacks rather than delegating to TLS. Each protocol emits a unified tychon.non_tls_cipher NDJSON event and a non_tls_ciphers[] entry in scanning_system_info. Field names mirror tychon.cipher.* for consistent downstream processing.

SMB3 (port 445)
TCP NEGOTIATE probe — detects dialect (SMB1/2/3.x/3.1.1) and negotiated encryption cipher (AES-128-CCM, AES-128-GCM, AES-256-CCM, AES-256-GCM). Windows registry check augments with EncryptData enforcement status.
SNMPv3 (port 161)
Config file parse (/etc/snmp/snmpd.conf) on Linux/macOS — extracts USM auth (MD5, SHA-1, SHA-256, SHA-512) and priv (DES, 3DES, AES-128, AES-256) protocols. Windows SNMP service registry check reports v1/v2c community-string auth.
Kerberos (port 88)
Config file parse (/etc/krb5.conf) on Linux/macOS — reads permitted_enctypes, allow_weak_crypto from [libdefaults]. Windows reads SupportedEncryptionTypes registry bitmask (existing detection path).

PQC assessment output fields (all emitted under tychon.cipher.*):

tychon.cipher.protocol, tychon.cipher.port, tychon.cipher.supported_ciphers, tychon.cipher.insecure_ciphers, tychon.cipher.weak_ciphers, tychon.cipher.auth_algorithms, tychon.cipher.is_encrypted, tychon.cipher.pqc_vulnerable, tychon.cipher.pqc_readiness, tychon.cipher.quantum_risk, tychon.cipher.migration_priority, tychon.cipher.config_source

Detection note: SMB3 probes 127.0.0.1:445 — the result reflects what the local SMB server advertises. SNMPv3 and Kerberos detection is passive (config file/registry read only); no active network probes are sent for those protocols. Detection is included in every scan mode.

NEW

Encrypted File Discovery

The scanner now detects encrypted files within application directories and roots as part of the filesystem walk. A confidence scoring system classifies files by detection strength. Private keys are excluded from the encrypted-file detector (they are reported separately via the existing key detection pipeline).

  • Office OOXML encrypted packages — detects password-protected .docx, .xlsx, .pptx files via CFB container inspection
  • PGP/GPG encrypted archives — binary and ASCII-armored detection
  • Generic encrypted containers — entropy-based heuristic with confidence scoring
  • App-root scoped — filesystem walk is shared across all detectors for efficiency; results scoped to process working directories in cipherscanquick mode

TQR-308 NEW

VDI Stable Host Identity (-vdi / -host-id)

Non-persistent VDI pools (Azure Virtual Desktop, Citrix, VMware Horizon) recycle machine names and SIDs between sessions, breaking asset correlation across scans. The scanner now supports a four-tier stable identity resolution chain:

  1. CLI override: -host-id MY-STABLE-ID
  2. Profile file — persistent identity JSON stored at %APPDATA%\Tychon\certscanner-id.json (Windows)
  3. Username hash — SHA-256 of the logged-in username, stable per user across pool refreshes
  4. System hostname — standard hostname fallback (original behavior)

VDI detection uses registry keys for VMware VDM Client, Citrix, and Microsoft MSRDP. New output fields on all quantum readiness events:

observer.is_vdi_environment, observer.vdi_identity_source

macOS NEW

Native macOS Crypto Library Scanner

macOS now uses a native dylib scanner that directly inspects the dyld shared cache and loaded dynamic libraries per-process, replacing the previous approach that relied solely on process memory pattern matching. This produces more accurate crypto library identification across Apple Silicon and Intel Macs.

  • Correctly identifies CommonCrypto, SecureTransport, OpenSSL, and third-party crypto dylibs
  • Resolves framework symlinks to canonical paths
  • Reduces false positives from shared memory region pattern matching

TQR-1 ENHANCED

Enhanced In-Memory Private Key & Certificate Detection

Process memory scanning for live private key material and X.509 certificates has been significantly expanded. The scanner now reads directly from process heap and anonymous memory regions using native OS APIs, detects encrypted key containers, and hardens key handling to avoid capturing raw key material in output.

Private Key Types Detected (in-memory)
  • RSA — PKCS#1 and PKCS#8 DER patterns
  • EC / ECDSA — SEC1 format (P-256, P-384, P-521)
  • ED25519 — scalar DER patterns
  • DSA — legacy key format
  • Encrypted private keys — PKCS#8 EncryptedPrivateKeyInfo
Memory Regions Scanned
  • Linux — heap and anonymous regions via native OS interfaces (cap: 32 MB/region)
  • macOS — process heap inspection using native macOS VM APIs; vnode file descriptor enumeration

Security improvement: Raw key material (modulus, exponents, curve coordinates) is no longer captured in output. Keys are reported by type, bit length, curve, and SHA-256 fingerprint only. The is_encrypted field distinguishes unprotected keys (higher-severity finding) from encrypted containers.

Certificate detection improvements: CA certificates are now filtered — only leaf (end-entity) certificates are reported. Deduplication by SHA-1 fingerprint prevents the same cert appearing multiple times per process. In-memory certs are enriched with full PQC readiness assessment (pqc_vulnerable, pqc_readiness).

Key output fields: private_key.key_type, private_key.key_bits, private_key.curve, private_key.is_encrypted, private_key.sha256_fingerprint, certificate.is_private_key

NEW

Process Configuration & Keystore Discovery

The scanner now performs two additional discovery passes against each detected process's working directory and app root: a configuration file scan that extracts TLS certificate and key references from config files, and a keystore scan that locates and inspects certificate stores on disk and from the OS.

Configuration File Scan

Config files up to 4 directory levels deep are parsed for 36+ TLS property patterns across major servers and frameworks:

Supported Config Formats: .conf, .cfg, .xml, .properties, .yaml, .yml, .toml, .ini, .env, .json, .plist
Servers & Frameworks Recognized: nginx / OpenResty, Apache httpd, HAProxy, Java / Spring Boot, Envoy / gRPC, environment variables (SSL_CERT_FILE, TLS_KEYSTORE), macOS plist

Config references are resolved to absolute paths and the referenced certificate or key is extracted and assessed for PQC readiness.

Keystore Discovery

Keystores are located by extension, filename, and parent directory name within process app roots, then inspected for certificate content and encryption metadata:

Keystore Types: JKS, PKCS#12 (.p12/.pfx), PEM bundle, PKCS#7 (.p7b/.p7c)
OS Certificate Stores: Windows MY/ROOT/CA stores, macOS Keychain, Linux NSS database, Linux system certs
Encryption Metadata: KDF algorithm, iteration count, MAC, IV/salt length, PQC vulnerability flag

Output datasets: event.dataset: "keystore" — keystore inventory with encryption profile. event.dataset: "config_cert" — certificates and keys referenced from config files. Key fields include keystore.type, keystore.encryption.algorithm, keystore.encryption.kdf, keystore.encryption.vulnerable, config.property_key, config.resolved_path.

WINDOWS NEW

IIS Site & TLS Binding Detection

On Windows hosts running Internet Information Services (IIS), the scanner now reads %SystemRoot%\System32\inetsrv\config\applicationHost.config to enumerate all IIS sites and their TLS port bindings. IIS version is retrieved from the Windows registry. This fills a critical gap for Windows-heavy enterprise environments where IIS is the dominant TLS endpoint.

Detected Per Site
  • Site name and numeric site ID
  • Protocol binding strings — IP:PORT:hostname
  • SNI virtual hosts — multiple hostnames per port
  • Application pool name
  • Physical root path (with %SystemRoot% / %SystemDrive% expanded)
  • IIS version from registry (InetStp\VersionString)
Output Fields
  • iis.site_name
  • iis.site_id
  • iis.binding
  • iis.app_pool_name
  • iis.physical_path
  • iis.version, iis.manufacturer

IIS bindings are resolved per port: when the scanner finds an open port that matches an IIS HTTPS binding, the site metadata is attached to the port result and flows into the application-centric output model. SNI-based virtual hosting is handled — all virtual hosts sharing a port are enumerated.

Platform: Windows only. Output Model: IIS site metadata is attached to the port-level scan result as iis.site_name, iis.site_id, iis.binding, iis.app_pool_name, iis.physical_path, iis.version, and iis.manufacturer fields. These fields appear inline on the existing port/cipher events (event.dataset: "tychon.cipher_quick" in flat NDJSON, event.dataset: "tychon.pqc_inventory" in app-centric mode). There is no standalone event.dataset: "iis" event.

FEDERAL NEW

OMB M-23-02 Cryptographic Inventory CSV (-outputformat csv)

Federal agencies can now generate a standalone OMB-formatted cryptographic inventory report directly from a local scan. The CSV output maps to the OMB Memorandum M-23-02 / NSM-10 cryptographic inventory requirements, providing the 34-column format agencies use to report quantum readiness and cryptographic module usage for FISMA systems. One row is emitted per application — making it ready to paste directly into agency inventory submissions.

OMB Inventory Characteristics
  • 34 columns matching OMB data field names exactly
  • One row per asset (port, protocol instance, certificate, or network config)
  • Applications with no detected crypto emit a single summary row
  • UTF-8 encoded, RFC 4180 compliant CSV
  • Header row included automatically
  • File extension: .csv (auto-added if omitted)
Auto-Populated Fields
  • Quantum-readiness — CRQC-vulnerable algorithms auto-detected (RSA, ECDSA, ECDHE) vs PQC (Dilithium, Kyber, ML-KEM)
  • OS, hosting, cloud provider — populated from system info scan
  • Vendor/version — from process metadata and file version resources
  • FIPS status — from FIPS mode detection
  • Tagging overrides — FISMA ID, HVA flags, FY dates injectable via tagging rules, CLI flags, or Windows registry (GPO-deployable)
Invocation
./certscanner -mode local -cipherscanquick -outputformat csv -output omb-inventory.csv

Multiple formats at a time: OMB is a limited subset of the formatted data, so you are not limited to a single output type. You can combine OMB output with any other format so you don't need to scan twice. csv-output writes a secondary OMB CSV report alongside your primary output.

Compliance target: OMB M-23-02 "Migrating to Post-Quantum Cryptography" — the mandatory cryptographic inventory agencies must maintain and report. The output is structured to match the DoW inventory spreadsheet format used in agency submissions. Password manager vault inventory is also included when -detect-password-managers is active.

NEW

Config Encryption Hardening & HTTPS Enforcement

Sensitive fields in scanner configuration (license keys, API tokens) are now encrypted at rest using AES-256-GCM. All scanner-to-service communication (Elasticsearch, Splunk, S3) now requires HTTPS. HTTP endpoints are rejected at startup with a clear configuration error rather than silently connecting insecurely.

NEW

Scan Progress Indicators

Port scan loops now display an ASCII progress bar showing current port position, percentage complete, and elapsed time. Startup log noise has been reduced; key scan milestones are printed as structured status messages rather than raw debug output.

Bug Fixes

Application-Centric Model

FIX

Application model empty when -scanmemory not passed

The application model now enumerates running processes even when memory scanning is disabled. Applications without crypto library findings still appear in the model with their port and certificate data.

FIX

app_report JSON nesting incorrect — results placed two levels too deep

The app_report field was nested under a spurious intermediate key. JSON output now places app_report directly at the report root.

FIX

In-memory certificates missing for processes discovered outside the port scan

Processes found through the system process list (rather than the port scan result index) were not enriched with in-memory certificate data. All process discovery sources now feed the same enrichment pipeline.

FIX

Port scan disabled when only -cipherscanquick passed (no explicit port list)

Specifying -cipherscanquick without an explicit -ports argument now correctly runs the default port list rather than skipping the port scan entirely.

FIX

Empty applications filtered from app_report; results[] suppressed in app-centric JSON

Applications with no ports, certificates, or crypto findings are now excluded from the application model. The legacy results array is omitted from the JSON root when app_report is present.

Output Format & Field Alignment

TQR-254

Split-outputs compatibility validation and empty-file prevention

-split-outputs with -detail-level minimal produced empty files for some datasets. Field-level filtering is now applied correctly before the split writer selects content. CBOM and HTML formats now emit a clear error when -split-outputs is specified (incompatible combination).

FIX

FlatNDJSON field alignment — quantum OS fields, IPSec, and filesystem certificates

Seventeen fields were misaligned between the Elasticsearch connector mapping and the FlatNDJSON emitter. All fields now use identical paths across both output channels. IPSec field names, quantum readiness OS boolean fields, and filesystem certificate file metadata fields were corrected.

FIX

Elasticsearch mapping conflict for upgrade_pathway field type

The upgrade_pathway field was mapped as both keyword and text in the index template, causing indexing failures on first write. Now consistently mapped as keyword.

FIX

Quantum readiness OS boolean fields missing on Windows

Fields such as observer.os.fips_enabled and observer.os.secure_boot_enabled were not populated in the quantum readiness event on Windows hosts. These are now correctly emitted.

FIX

Early validation for -outputformat — invalid values now rejected before scan starts

An invalid output format (e.g., -outputformat xls) previously caused a fatal error after completing the full scan. The flag is now validated at startup.

Probe, Timeout & Scan Behavior

FIX

Local TLS and SSH probe timeouts reduced — scans no longer stall on unresponsive local ports

Local mode TLS probe timeout reduced from 30s to 5s per port. SSH probe timeout reduced similarly. Local scans on hosts with many unresponsive ports now complete in seconds rather than minutes.

TQR-256

OpenSSL helper process not cleaned up on Ctrl-C or startup failure

The bundled OpenSSL subprocess was left running after an interrupted scan or early startup error. Signal handling now ensures the subprocess is always terminated on exit.

TQR-259

ARP scan timeout and hostname lookup delays on macOS/Linux

ARP command timeout increased from 10s to 30s. Hostname lookups are now disabled during ARP scan to eliminate DNS resolution delays that were causing ARP scans to stall on macOS and Linux networks with slow or absent reverse DNS.

Code Quality & Infrastructure

TQR-287

ID fields normalized to lowercase for case-insensitive path matching

Several internal ID comparison operations were case-sensitive, causing duplicate or missed entries when executable paths differed only in casing (common on Windows). All ID fields are now normalized to lowercase before comparison.

FIX

S3 upload fails silently when output file does not yet exist

When the scanner was invoked with an S3 destination and the output file path did not exist at start time, the upload silently succeeded with zero bytes. The scanner now validates file existence before initiating the S3 transfer.

FIX

Quantum readiness observer.kernel_version and observer.os.build mismatch

The quantum readiness event emitted a different build string than the observer block for the same host. Both fields now share the same source value.

Improvements & Enhancements

  • Shared filesystem walk (TQR-309): All filesystem-based detectors (certificate finder, private key scanner, encrypted file detector) now share a single directory walk per scan rather than each running an independent traversal. Significantly reduces I/O on large filesystems.
  • Unique event IDs in FlatNDJSON (TQR-272): A _id field is now emitted on all FlatNDJSON events, and tychon.id is added to all Tychon NDJSON event types. Eliminates duplicate indexing issues in Splunk and Elasticsearch pipelines that lack deduplication.
  • FlatNDJSON — 189 missing fields added: Full field parity achieved between FlatNDJSON and the Tychon NDJSON format for filesystem certificates, quantum readiness assessment, and memory scan datasets.
  • Dedicated quantum_readiness_assessment record in FlatNDJSON: The quantum readiness assessment now emits as its own FlatNDJSON record rather than being embedded in the host record, enabling direct Elasticsearch aggregation by assessment fields.
  • Splunk dashboard improvements: SPL syntax fixes, Splunk Dashboard Studio JSON files added, and alias fields for field name compatibility with the Splunk field extraction pipeline.
  • Auto-remove local file after S3 upload: When the scanner writes to a default filename and subsequently uploads to S3, the local file is automatically cleaned up to avoid disk accumulation in automated deployment pipelines.
  • PKCS#12 handling improvements: Better fallback logic for malformed or password-protected PKCS#12 bundles. The former OpenSSL subprocess fallback has been replaced by a fully native implementation, removing the external process dependency entirely.
  • Private key security improvements: Encrypted private key detection added. Unencrypted private keys now generate a higher-severity finding and carry specific remediation recommendations in all output formats.
  • Graceful external delivery failure with structured exit codes (TQR-535): When an external delivery target (Elasticsearch or Splunk) is unreachable and an explicit output file is also specified, the scanner no longer aborts before the scan begins. Instead, it emits a WARNING, completes the full scan, writes the local file, and exits with code 2 so automation pipelines can detect the partial failure and re-attempt delivery. When no file output is specified, the original behavior is preserved — the scan aborts immediately with exit code 1.
    Exit 0: Scan complete, external delivery succeeded
    Exit 2: Scan complete, file written, external delivery failed
    Exit 1: Aborted — external system unreachable, no file output

PQC Hardware Benchmarking

NEW FLAG NEW

Hardware Benchmark Mode (-hardware-benchmark)

Run -hardware-benchmark alone to measure the local CPU's throughput for every NIST PQC algorithm without performing a network or filesystem scan. Results inform the hardware component of the Quantum Readiness score and help identify systems that may struggle with PQC overhead in latency-sensitive workloads.

Algorithms Benchmarked
  • ML-DSA-44, ML-DSA-65, ML-DSA-87 — keygen / sign / verify
  • ML-KEM-768, ML-KEM-1024 — keygen / encap / decap
  • 3 rounds each, best result reported — 15 measurements total
Console Output
  • Formatted table: Algorithm | Op | Ops/sec | Latency (µs) | Status
  • Hardware score and overall Quantum Readiness score shown
  • Full JSON report written to benchmark_report.json by default

Usage: certscanner -hardware-benchmark — exits after the benchmark with no network connections made.

Opt-In Encrypted Tracking Database

FLAG CHANGE SECURITY

Change Tracking is Now Opt-In with AES-256-GCM Encryption

The persistent asset tracking database has been redesigned with two major changes: it is now opt-in (enabled via -enable-tracking) and all stored values are now AES-256-GCM encrypted and gzip compressed before being written to disk. The previous -disable-database flag has been removed.

Encryption Details
  • AES-256-GCM with random 12-byte nonce per value
  • Gzip compression applied before encryption
  • Key derived from OS-protected config.key — survives binary rebuilds
  • Domain-separated derivation: SHA-256(masterPwd + domain-tag)
File & Schema Changes
  • File permissions set to 0600 (owner read/write only)
  • Schema version bumped to 4.0 — existing databases are automatically rebuilt
  • Tracking is disabled by default — no database file is created unless -enable-tracking is passed

Migration: Any existing .bolt database files from prior versions will be detected as schema 3.0 and automatically deleted and rebuilt on first use. No data is migrated — change-tracking history does not carry over.
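
The value protection listed under Encryption Details, as an added Go example (not the scanner's own code): derive a per-domain key, gzip the value, seal it with AES-256-GCM under a fresh 12-byte nonce, and write it with 0600 permissions. The record layout (nonce, then ciphertext and tag), the plain byte concatenation in the derivation, the domain tag strings and the master secret are assumptions made for the example.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"os"
)

// deriveKey follows the page's SHA-256(masterPwd + domain-tag) derivation.
// Plain concatenation and the tag strings used below are assumptions.
func deriveKey(masterPwd []byte, domainTag string) []byte {
	h := sha256.New()
	h.Write(masterPwd)
	h.Write([]byte(domainTag))
	return h.Sum(nil) // 32 bytes, which selects AES-256
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealValue gzips the value, then encrypts it under a fresh random 12-byte
// nonce. Assumed record layout: nonce || ciphertext || 16-byte GCM tag.
func sealValue(key, value []byte) ([]byte, error) {
	var zbuf bytes.Buffer
	zw := gzip.NewWriter(&zbuf)
	if _, err := zw.Write(value); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, zbuf.Bytes(), nil), nil
}

// openValue authenticates and decrypts a record, then gunzips it. A modified
// record or the wrong key fails in gcm.Open, before any decompression runs.
func openValue(key, record []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("record too short")
	}
	nonce, ct := record[:gcm.NonceSize()], record[gcm.NonceSize():]
	z, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, err
	}
	zr, err := gzip.NewReader(bytes.NewReader(z))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

// writeOwnerOnly stores a record with 0600 permissions. The Chmod also covers
// a file that already existed with wider permissions.
func writeOwnerOnly(path string, record []byte) error {
	if err := os.WriteFile(path, record, 0o600); err != nil {
		return err
	}
	return os.Chmod(path, 0o600)
}

func main() {
	// Constructed master secret and value, for illustration only.
	key := deriveKey([]byte("constructed-master-secret"), "tracking-db")
	rec, _ := sealValue(key, []byte(`{"port":443,"state":"active"}`))
	out, err := openValue(key, rec)
	fmt.Println(len(rec), string(out), err)
}
```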

Expanded PQC Algorithm Coverage

PQC ENHANCED

Passive HRR Detection, BIKE/FrodoKEM Coverage, 35+ KEX Groups

PQC-only servers (BIKE-L3, BIKE-L5, FrodoKEM, pure ML-KEM-1024) previously returned an empty cipher column because they reject classical key shares with TLS alert 40, preventing a normal handshake. The scanner now uses passive TLS ServerHello inspection to detect the negotiated cipher suite even when the handshake cannot complete.

35+ KEX Groups
ML-KEM, BIKE, FrodoKEM, Classic McEliece + all ECDH/DHE groups
721 OQS Ports
All Open Quantum Safe test server ports detectable via HRR fallback
Passive ServerHello Parse
Cipher extracted from plaintext TLS record bytes when decryption fails

Impact: The CIPHER column no longer shows "—" for PQC-only endpoints. Servers negotiating BIKE, FrodoKEM, or MLKEM-only modes now correctly report their cipher suite in both quick scan and full enumeration output.
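
A minimal Go parser for the passive inspection described above, as an added example (not the scanner's implementation): it reads the cipher suite and key-share group from the plaintext bytes of a ServerHello or HelloRetryRequest record and surfaces an alert record as an error. The HelloInfo type and the sample bytes are constructed for the example; in the sample, suite 0x1302 is TLS_AES_256_GCM_SHA384 and group 0x0202 is the IANA codepoint for MLKEM1024.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// hrrRandom is the fixed random that marks a HelloRetryRequest (RFC 8446, 4.1.3).
var hrrRandom = [32]byte{
	0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
	0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c,
}

var errBadHello = errors.New("not a well-formed ServerHello record")

// HelloInfo is a hypothetical result type for this example.
type HelloInfo struct {
	IsHRR         bool
	CipherSuite   uint16
	SelectedGroup uint16 // key_share extension, 0 if absent
}

// reader is a bounds-checked cursor; after a read past the end, bad stays set.
type reader struct {
	b   []byte
	bad bool
}

func (r *reader) take(n int) (out []byte) {
	if r.bad = r.bad || n > len(r.b); !r.bad {
		out, r.b = r.b[:n], r.b[n:]
	}
	return out
}

func (r *reader) uint(n int) (v int) {
	for _, x := range r.take(n) {
		v = v<<8 | int(x)
	}
	return v
}

// sub returns a reader limited to the next n bytes, inheriting the error state.
func (r *reader) sub(n int) *reader {
	b := r.take(n)
	return &reader{b: b, bad: r.bad}
}

// parseServerHello reads one TLS record holding a complete ServerHello or
// HelloRetryRequest; a hello fragmented across records is not handled.
func parseServerHello(rec []byte) (HelloInfo, error) {
	var info HelloInfo
	r := &reader{b: rec}
	recType := r.uint(1)
	r.take(2) // record-layer legacy version
	frag := r.sub(r.uint(2))
	if recType == 0x15 && len(frag.b) == 2 { // alert record: level, description
		return info, fmt.Errorf("server sent alert %d", frag.b[1])
	}
	msgType := frag.uint(1)
	body := frag.sub(frag.uint(3))
	if body.bad || recType != 0x16 || msgType != 0x02 { // handshake, server_hello
		return info, errBadHello
	}
	body.take(2) // legacy_version
	info.IsHRR = bytes.Equal(body.take(32), hrrRandom[:])
	body.take(body.uint(1)) // legacy_session_id_echo
	info.CipherSuite = uint16(body.uint(2))
	body.take(1) // legacy_compression_method
	if !body.bad && len(body.b) == 0 {
		return info, nil // older hello that carries no extensions
	}
	exts := body.sub(body.uint(2))
	for !exts.bad && len(exts.b) > 0 {
		typ := exts.uint(2)
		data := exts.sub(exts.uint(2))
		if typ == 0x0033 { // key_share: the named group comes first
			info.SelectedGroup = uint16(data.uint(2))
		}
		exts.bad = exts.bad || data.bad
	}
	if exts.bad {
		return HelloInfo{}, errBadHello
	}
	return info, nil
}

// constructedHRR is a hand-built sample record, not a capture from any server.
func constructedHRR() []byte {
	b := []byte{0x16, 0x03, 0x03, 0x00, 0x38, 0x02, 0x00, 0x00, 0x34, 0x03, 0x03}
	b = append(b, hrrRandom[:]...)
	b = append(b, 0x00, 0x13, 0x02, 0x00, 0x00, 0x0c) // sid len, suite, compression, ext len
	return append(b, 0x00, 0x2b, 0x00, 0x02, 0x03, 0x04, 0x00, 0x33, 0x00, 0x02, 0x02, 0x02)
}

func main() {
	fmt.Println(parseServerHello(constructedHRR()))
}
```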

Dependency & Runtime Updates

CVE-2025-61726 RESOLVED

Go Runtime Upgraded to 1.25.9

The scanner runtime has been upgraded to Go 1.25.9, resolving CVE-2025-61726: a memory exhaustion vulnerability in net/url query parameter parsing that could be triggered by a malformed URL query string, causing unbounded memory growth.

Action Required: All deployments should upgrade to 2.0.3.131 to receive the patched Go runtime. Environments scanning externally-controlled hosts (remote mode) are most exposed to this CVE.

OPENSSL REMOVED

OpenSSL Removed as a Runtime Dependency

OpenSSL is no longer bundled or invoked by the scanner. All TLS scanning, certificate parsing, PKCS#12 handling, and cryptographic operations are now performed natively — no external binary or shared library is required. PQC primitives (ML-KEM, ML-DSA, BIKE, FrodoKEM) use NIST-aligned implementations maintained by US-based security organizations.

All 19 CVEs previously covered by the OpenSSL dependency (across the 3.5.5 and 3.5.6 patch trains) are no longer applicable — the vulnerable code paths do not exist in the native equivalents. The PKCS#12 parser, CMS processing, digest functions, and TLS handshake paths that carried those CVEs are replaced entirely.

No action required for the CVE remediation: Upgrading to 2.0.3.131 removes the OpenSSL attack surface entirely. The binary is smaller, no native library files are distributed, and the scanner is no longer affected by future OpenSSL CVEs.

Known Issues

  • RHEL Direct Posting: RHEL endpoints configured for direct posting may not appear in the Cost Analysis dashboard. This issue affects dashboard visibility only and does not impact result collection.
  • Large Remote Scanner Result Sets: Remote Scanner processing of result sets exceeding approximately 30,000 findings may require more than the default 16 MB of memory. Increase available memory when processing exceptionally large scan outputs.

Upgrade Notes

  • Default output mode changed: Local scans now default to application-centric output (app_report). Pipelines that parse the root-level results[] array from local JSON output will no longer find it by default. Use -cipherscanquick=false to restore the previous port-centric output, or update parsers to read from app_report.applications.
  • CSV format now requires cipherscanquick: Any automated pipeline generating CSV output must run in local mode with cipherscanquick enabled (the default). Remote mode or -cipherscanquick=false + CSV will produce a startup error.
  • FlatNDJSON field additions: Elasticsearch index templates should be refreshed. New fields added across quantum, filesystem, and memory datasets. Existing mappings will not conflict but will miss the new fields without a template update.
  • Kerberos fields in Elasticsearch: The kerberos object is added to the quantum_readiness index mapping. Apply the updated index template before scanning Windows hosts to avoid dynamic mapping conflicts.
  • CVE-2025-61726: Upgrade is recommended for all deployments operating in remote mode against externally-controlled targets.
  • No breaking changes to remote mode output: Remote scan JSON and NDJSON field names and structure are unchanged. Only local scan output structure has changed (app_report replaces results[] as primary output).
  • Flag rename: -disable-database → -enable-tracking: The old flag is no longer recognized. Automation scripts that passed -disable-database to suppress the database require no change (tracking is off by default). Scripts that relied on the database for active/inactive reporting must add -enable-tracking to their command line.
  • Tracking database schema 4.0 — existing databases are rebuilt: The first run of 2.0.3.131 with -enable-tracking will detect the old schema (3.0) and delete and recreate the database. Change-tracking history from prior versions does not carry over. The new database uses AES-256-GCM encryption and owner-only (0600) file permissions.
  • OpenSSL no longer included in distribution: Deployments that relied on the bundled OpenSSL binary for any purpose outside the scanner itself should note its removal. The scanner binary and its Go modules are the complete distribution — no shared libraries or companion binaries are required.

Quantum Readiness Assessment Enhancements

New OS-level and network security indicators added to the tychon.quantum_readiness event, providing deeper posture visibility without launching any system executables.

NTLM LmCompatibilityLevel (Windows)

Reads HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel. Levels 0–3 expose RC4/DES authentication (vulnerable); levels 4–5 enforce NTLMv2-only (acceptable). Reported as quantum.hardware.ntlm_lm_compat_level, ntlm_protocol, and ntlm_pqc_vulnerable in NDJSON output.

Secure Boot Firmware Type (All Platforms)

Detects whether the system runs UEFI or Legacy BIOS firmware. Legacy BIOS systems cannot enable Secure Boot. Windows now uses real registry detection (HKLM\...\SecureBoot\State) instead of OS-type assumption. Reported as quantum.hardware.secure_boot_firmware.

WiFi Encryption (All Platforms)

Detects the active WiFi connection's security protocol (WPA3-SAE, WPA2-PSK, WPA, WEP, Open), cipher (AES-CCMP, TKIP, WEP40), key management method, and SSID. TKIP/WEP flagged as PQC-vulnerable. WPA3-SAE adds +1 to network_score.protocol_score (max now 6). No stored-profile iteration — one config file read maximum on all platforms.

STARTTLS Protocol Detection (All Platforms)

Probes localhost for SMTP (ports 25/587), IMAP (143), LDAP (389), and PostgreSQL (5432) using protocol-native upgrade handshakes — not raw TLS ClientHello. Cipher suite, TLS version, and PQC readiness emitted as tychon.non_tls_cipher events. Services without STARTTLS support flagged as quantum_risk=critical.

New NDJSON fields: quantum.hardware.ntlm_lm_compat_level · quantum.hardware.ntlm_protocol · quantum.hardware.ntlm_pqc_vulnerable · quantum.hardware.secure_boot_firmware · quantum.network.wifi_ssid · quantum.network.wifi_protocol · quantum.network.wifi_cipher · quantum.network.wifi_key_mgmt · quantum.network.wifi_pqc_vulnerable · quantum.network.wifi_quantum_risk
