diff --git a/CHANGELOG.md b/CHANGELOG.md index 0a5d3ab..c20aa5c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,36 +3,50 @@ ### Features implemented / improvements in 3.2 +* Rating (SSL Labs, not complete) * Extend Server (cipher) preference: always now in wide mode instead of running all ciphers in the end (per default) +* Remove "negotiated cipher / protocol" +* Provide a better verdict wrt to server order: Now per protocol and ciphers are weighted for each protocol +* Switched to multi-stage docker image with opensuse base to avoid musl libc issues, performance gain also * Improved compatibility with OpenSSL 3.0 +* Improved compatibility with Open/LibreSSL versions not supporting TLS 1.0-1.1 anymore * Renamed PFS/perfect forward secrecy --> FS/forward secrecy +* Cipher list straightening * Improved mass testing -* Align better colors of ciphers with standard cipherlists -* Added several ciphers to colored ciphers +* Better align colors of ciphers with standard cipherlists +* Save a few cycles for ROBOT +* Several ciphers more colorized * Percent output char problem fixed * Several display/output fixes * BREACH check: list all compression methods and add brotli * Test for old winshock vulnerability * Test for STARTTLS injection vulnerabilities (SMTP, POP3, IMAP) -* Security fix: DNS input -* Don't use external pwd anymore -* STARTTLS: XMPP server support -* Code improvements to STARTTLS -* Detect better when no STARTTLS is offered -* Rating (SSL Labs, not complete) +* STARTTLS: XMPP server support, plus new set of OpenSSL-bad binaries +* Several code improvements to STARTTLS, also better detection when no STARTTLS is offered +* STARTTLS on active directory service support +* Security fixes: DNS and other input from servers * Don't penalize missing trust in rating when CA not in Java store * Added support for certificates with EdDSA signatures and public keys +* Extract CA list shows supported certification authorities sent by the server +* TLS 1.2 and TLS 1.3 sig algs added +* Check for ffdhe groups +* Show server supported signature algorithms * --add-ca can also 
now be a directory with \*.pem files * Warning of 398 day limit for certificates issued after 2020/9/1 * Added environment variable for amount of attempts for ssl renegotiation check * Added --user-agent argument to support using a custom User Agent * Added --overwrite argument to support overwriting output files without warning * Headerflag X-XSS-Protection is now labeled as INFO +* Strict parser for HSTS +* DNS via proxy improvements * Client simulation runs in wide mode which is even better readable * Added --reqheader to support custom headers in HTTP requests * Test for support for RFC 8879 certificate compression +* Deprecating --fast and --ssl-native (warning but still av) +* Compatible to GNU grep 3.8 +* Don't use external pwd command anymore * Doesn't hang anymore when there's no local resolver -* Dockerfiles refactored to be multistaged: performance gain+address bugs/inconsistencies + ### Features implemented / improvements in 3.0 diff --git a/CREDITS.md b/CREDITS.md index 56c3a4b..9522a76 100644 --- a/CREDITS.md +++ b/CREDITS.md @@ -9,7 +9,7 @@ Full contribution, see git log. * David Cooper (main contributor) - Major extensions to socket support for all protocols - extended parsing of TLS ServerHello messages - - TLS 1.3 support (final and pre-final) + - TLS 1.3 support (final and pre-final) with needed en/decryption - add several TLS extensions - Detection + output of multiple certificates - several cleanups of server certificate related stuff 
@@ -29,7 +29,16 @@ Full contribution, see git log. - several protocol preferences improvements - pwnedkeys.com support - CT support + - Extract CA list CertificateRequest message is encountered - RFC 8879, certificate compression + - 128 cipher limit, padding + - compatibility for LibreSSL and different OpenSSL versions + - Check for ffdhe groups + - TLS 1.2 and TLS 1.3 sig algs added + - Show server supported signature algorithms + - Show supported certification authorities sent by the server when client auth is requested + - Provide a better verdict wrt to server order: Now per protocol and ciphers are weighted for each protocol + - Provide compatibility to every LibreSSL/OpenSSL versions - Lots of fixes and improvements ##### Further credits (in alphabetical order)
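Review bot: In the CHANGELOG hunk, the entry "Security fixes: DNS and other input from servers" that replaces "Security fix: DNS input" is too vague for a security changelog: a reader deciding whether to upgrade needs to know which server-supplied inputs are now sanitized (DNS answers, STARTTLS banners, HTTP headers, ...) and a reference to the fixing commit or advisory, so spell out the input paths covered and link the fix. Two smaller wording issues in the same hunk: "Deprecating --fast and --ssl-native (warning but still av)" looks truncated and should read "still available", and "Provide a better verdict wrt to server order" doubles the preposition ("wrt" already means "with regard to"); "Compatible to GNU grep 3.8" should be "Compatible with GNU grep 3.8".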
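Review bot: In the first CREDITS hunk, "TLS 1.3 support (final and pre-final) with needed en/decryption" does not say what is encrypted or decrypted; since the surrounding items are about socket support and ServerHello parsing, state it explicitly, e.g. "including the TLS 1.3 record en/decryption needed for the socket-based checks", so the credit line is understandable on its own.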
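Review bot: In the second CREDITS hunk, "Extract CA list CertificateRequest message is encountered" is missing words and should read "Extract CA list when a CertificateRequest message is encountered". The hunk also adds two overlapping items, "compatibility for LibreSSL and different OpenSSL versions" and "Provide compatibility to every LibreSSL/OpenSSL versions" (the latter also mixes singular and plural); keep one, e.g. "Compatibility with all supported LibreSSL and OpenSSL versions". As in the CHANGELOG, "wrt to server order" should drop the extra "to".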