diff --git a/CHANGELOG.md b/CHANGELOG.md index e1243a7..b5ca05b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,12 +12,11 @@ * DNS over Proxy and other proxy improvements * Decoding of unencrypted BIG IP cookies * Initial client certificate support +* Warning of 825 day limit for certificates issued after 2018/3/1 * Socket timeouts (``--connect-timeout``) -* IDN/IDN2 servername support -* pwnedkeys.com support -* Initial client certificate support +* IDN/IDN2 servername/URI + emoji support, supposed libidn/idn2 is installed and DNS resolver is recent) support * Initial support for certificate compression -* Better JSON output: renamed IDs and findings shorter/better parsable +* Better JSON output: renamed IDs and findings shorter/better parsable, also includes certficate * JSON output now valid also for non-responding servers * Testing now per default 370 ciphers * Further improving the robustness of TLS sockets (sending and parsing) @@ -26,31 +25,34 @@ * LOGJAM: now checking also for DH and FFDHE groups (TLS 1.2) * PFS: Display of elliptical curves supported, DH and FFDHE groups (TLS 1.2 + TLS 1.3) * Check for session resumption (Ticket, ID) -* TLS Robustness check (GREASE) +* TLS Robustness check GREASE and more * Server preference distinguishes between TLS 1.3 and lower protocols * Mark TLS 1.0 and TLS 1.1 as deprecated * Does a few startup checks which make later tests easier and faster (``determine_optimal_\*()``) * Expect-CT Header Detection * `--phone-out` does certificate revocation checks via OCSP (LDAP+HTTP) and with CRL * `--phone-out` checks whether the private key has been compromised via https://pwnedkeys.com/ -* Fully OpenBSD and LibreSSL support * Missing SAN warning * Added support for private CAs -* Way better handling of connectivity problems +* Way better handling of connectivity problems (counting those, if threshold exceeded -> bye) * Fixed TCP fragmentation * Added `--ids-friendly` switch * Exit codes better: 0 for running without error, 1+n for small errors, >240 for major errors. * Better error msg suppression (not fully installed OpenSSL) * Better parsing of HTTP headers & better output of longer HTTP headers +* HTTP Basic Auth support for HTTP header +* "eTLS" detection * Dockerfile and repo @ docker hub with that file (see above) * Java Root CA store added * Better support for XMPP via STARTTLS & faster * Certificate check for to-name in stream of XMPP -* Support for NNTP via STARTTLS, fixes for MySQL and PostgresQL +* Support for NNTP and LMTP via STARTTLS, fixes for MySQL and PostgresQL * Support for SNI and STARTTLS * More robustness for any STARTTLS protocol (fall back to plaintext while in TLS) -* Major update of client simulations with self-collected data -* IDN/IDN2 and emoji URI support (supposed libidn/idn2 is installed and DNS resolver is recent) +* Major update of client simulations with self-collected up-to-date data +* Update of CA certificate stores +* Lots of bug fixes +* More travis/CI checks -- still place for improvements * Man page reviewed ### Features implemented in 2.9.5 diff --git a/CREDITS.md b/CREDITS.md index 2be09fc..cf459db 100644 --- a/CREDITS.md +++ b/CREDITS.md @@ -1,24 +1,39 @@ +Full contribution, see git log. + + +* Dirk Wetter (founder, maintainer and main contributor) + - Everything what's not mentioned below and is included in testssl.sh's git log + minus what I probably forgot to mention + (too much other things to do at the moment and to list it would be a tough job) + * David Cooper (main contributor) + - Major extensions to socket support for all protocols + - extended parsing of TLS ServerHello messages + - TLS 1.3 support (final and pre-final) + - add several TLS extensions - Detection + output of multiple certificates - several cleanups of server certificate related stuff - - extended parsing of TLS ServerHello messages - testssl.sh -e/-E: testing with a mixture of openssl + sockets - - more ciphers - - finding more TLS extensions via sockets + - add more ciphers + - coloring of ciphers - extensive CN+SAN <--> hostname check - separate check for curves - RFC 7919, key shares extension + - keyUsage extension in certificate + - experimental "eTLS" detection - parallel mass testing! - RFC <--> OpenSSL cipher name space switches for the command line - - numerous fixes - better error msg suppression (not fully installed openssl - GREASE support - - Bleichenbacher vulnerability test - - TLS 1.3 support + - Bleichenbacher / ROBOT vulnerability test + - several protocol preferences improvements + - pwnedkeys.com support + - CT support + - Lots of fixes and improvements -##### Credits also to +##### Further credits (in alphabetical order) * Christoph Badura - NetBSD fixes @@ -32,7 +47,10 @@ * Steven Danneman - Postgres and MySQL STARTTLS support - * MongoDB support + - MongoDB support + +* Christian Dresen + - Dockerfile * Mark Felder - lots of cleanups @@ -47,6 +65,15 @@ * Maciej Grela - colorless handling +* Hubert Kario + - helped with avoiding accidental TCP fragmentation + +* Jacco de Leeuw + - skip checks which might trigger an IDS ($OFFENSIVE / --ids-friendly) + +* Manuel + - HTTP basic auth + * Markus Manzke - Fix for HSTS + subdomains - LibreSSL patch @@ -94,9 +121,15 @@ - initial MX stuff - fixes +* Gonçalo Ribeiro + - --connect-timeout + * Dmitri S - inspiration & help for Darwin port +* Marcin Szychowski + - Quick'n'dirty client certificate support + * Viktor Szépe - color function maker @@ -112,14 +145,14 @@ * @nvsofts (NV) - LibreSSL patch for GOST -Others I forgot to mention which did give me feedback, bug reports and helped one way or another. +Probably more I forgot to mention which did give me feedback, bug reports and helped one way or another. ##### Last but not least: * OpenSSL team for providing openssl. -* Ivan Ristic/Qualys for the liberal license which made it possible to use the client data +* Ivan Ristic/Qualys for the liberal license which made it possible to make partly use of the client data * My family for supporting me doing this work