From 48b29194b928a901c1533df2b49399b9f42c9962 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Thu, 9 Apr 2026 11:43:02 +0200 Subject: [PATCH 1/2] Add draft-yang-tls-hybrid-sm2-mlkem --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a72ad4f..1e725f7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,7 @@ * QUIC protocol check * TLS 1.3 early data (0-RTT) +* Support for RFC 8998 and draft-yang-tls-hybrid-sm2-mlkem (TLS_SM4_GCM_SM3, TLS_SM4_CCM_SM3 ciphers, kx groups curveSM2, curveSM2MLKEM768; SM2 pub keys + signatures) * Adds a check for mandatory extended master secret TLS extension * Bump SSLlabs rating guide to 2009r * Check for Opossum vulnerability From e370aabb33340cd21edfdbcdadb7c87f7d022097 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Thu, 9 Apr 2026 11:52:50 +0200 Subject: [PATCH 2/2] Update CREDITS.md --- CREDITS.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/CREDITS.md b/CREDITS.md index 1667f5d..b901810 100644 --- a/CREDITS.md +++ b/CREDITS.md @@ -11,6 +11,7 @@ Full contribution, see git log. - extended parsing of TLS ServerHello messages - TLS 1.3 support (final and pre-final) with needed en/decryption - add several TLS extensions + - Several ciphers and curves added - Detection + output of multiple certificates - several cleanups of server certificate related stuff - testssl.sh -e/-E: testing with a mixture of openssl + sockets @@ -33,12 +34,13 @@ Full contribution, see git log. - RFC 8879, certificate compression - 128 cipher limit, padding - compatibility for LibreSSL and different OpenSSL versions + - PQC support: ML_KEMs, ML-DSA, curveSM2MLKEM768 - Check for ffdhe and ML-KEM groups - TLS 1.2 and TLS 1.3 sig algs added - Show server supported signature algorithms - Show supported certification authorities sent by the server when client auth is requested and whether certificate-based client authentication is not requested, optional, or required. - Provide a better verdict wrt to server order: Now per protocol and ciphers are weighted for each protocol - - Provide compatibility to every LibreSSL/OpenSSL versions, including OpenSSL 3.5.0 + - Provide compatibility to every LibreSSL/OpenSSL versions, including OpenSSL 4.0 - Lots of fixes and improvements ##### Further credits (in alphabetical order)