Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-06-23 15:38:34 +02:00
Code Issues Packages Projects Releases Wiki Activity

Amend changes and attributions

Browse Source
This commit is contained in:
Dirk 2025-04-22 16:47:54 +02:00
parent 6746fa54b8
commit 4d10873727
2 changed files with 33 additions and 10 deletions

27
CHANGELOG.md

@ -3,13 +3,16 @@
### Features implemented / improvements in 3.2 ### Features implemented / improvements in 3.2
* Rating (SSL Labs, not complete) * Rating (SSL Labs)
* Extend Server (cipher) preference: always now in wide mode instead of running all ciphers in the end (per default) * Extend Server (cipher) preference: always now in wide mode instead of running all ciphers in the end (per default)
* Remove "negotiated cipher / protocol" * Remove "negotiated cipher / protocol"
* Provide a better verdict wrt to server order: Now per protocol and ciphers are weighted for each protocol * Provide a better verdict wrt to server order: Now per protocol and ciphers are weighted for each protocol
* Switched to multi-stage docker image with opensuse base to avoid musl libc issues, performance gain also * Faster startup, other performance improvements
* Improved compatibility with OpenSSL 3.0 and higher versions * Switched to multi-stage docker image with opensuse base to avoid musl libc issues, benefit: also performance gain
* Added GHCR.io docker image builds
* Improved compatibility with OpenSSL 3.0 and higher versions like OpenSSL 3.5
* Improved compatibility with Open/LibreSSL versions not supporting TLS 1.0-1.1 anymore * Improved compatibility with Open/LibreSSL versions not supporting TLS 1.0-1.1 anymore
* Reduced the set of openssl-bad binaries via github to Linux and FreeBSD, no kerberos binaries anymore, no Linux 32 Bit
* Renamed PFS/perfect forward secrecy --> FS/forward secrecy * Renamed PFS/perfect forward secrecy --> FS/forward secrecy
* Cipher list straightening * Cipher list straightening
* Support RFC 9150 cipher suites * Support RFC 9150 cipher suites
@ -17,6 +20,7 @@
* Better align colors of ciphers with standard cipherlists * Better align colors of ciphers with standard cipherlists
* Save a few cycles for ROBOT * Save a few cycles for ROBOT
* Several ciphers more colorized * Several ciphers more colorized
* Added support for way more ciphers like all AEAD ciphers known so far
* Percent output char problem fixed * Percent output char problem fixed
* Several display/output fixes * Several display/output fixes
* BREACH check: list all compression methods and add brotli * BREACH check: list all compression methods and add brotli
@ -24,7 +28,9 @@
* Test for STARTTLS injection vulnerabilities (SMTP, POP3, IMAP) * Test for STARTTLS injection vulnerabilities (SMTP, POP3, IMAP)
* STARTTLS: XMPP server support, plus a new set of OpenSSL-bad binaries * STARTTLS: XMPP server support, plus a new set of OpenSSL-bad binaries
* STARTTLS sieve support, plus again a new set of OpenSSL-bad binaries * STARTTLS sieve support, plus again a new set of OpenSSL-bad binaries
* STARTTLS LDAP support, AD + STARTTLS logic is there but experimental
* Several code improvements to STARTTLS, also better detection when no STARTTLS is offered * Several code improvements to STARTTLS, also better detection when no STARTTLS is offered
* STARTTLS telnet (TN3270/telnet) support
* Detect throtteling via STARTTLS smtp * Detect throtteling via STARTTLS smtp
* Renegotiation checks more reliable against different servers * Renegotiation checks more reliable against different servers
* STARTTLS on active directory service support * STARTTLS on active directory service support
@ -33,11 +39,16 @@
* Added support for certificates with EdDSA signatures and public keys * Added support for certificates with EdDSA signatures and public keys
* Extract CA list shows supported certification authorities sent by the server * Extract CA list shows supported certification authorities sent by the server
* Wildcard certificates: detection and warning * Wildcard certificates: detection and warning
* Test for support for RFC 8879 certificate compression
* Show intermediate cert validity / bad OCSP
* If a TLS 1.3 host is tested and e.g. /usr/bin/openssl supports it, it'll automagically switch to it
* TLS 1.2 and TLS 1.3 sig algs added * TLS 1.2 and TLS 1.3 sig algs added
* TLS 1.3: decrypting server response
* Check for ffdhe groups * Check for ffdhe groups
* Check for six KEMs in draft-connolly-tls-mlkem-key-agreement/draft-kwiatkowski-tls-ecdhe-mlkem/draft-tls-westerbaan-xyber768d00 * Check for six KEMs in draft-connolly-tls-mlkem-key-agreement/draft-kwiatkowski-tls-ecdhe-mlkem/draft-tls-westerbaan-xyber768d00
* Check for ML-DSA signatures (draft-tls-westerbaan-mldsa) * Check for ML-DSA signatures (draft-tls-westerbaan-mldsa)
* Show server supported signature algorithms * Show server supported signature algorithms
* Support for EdDSA (Ed25519/Ed448): sigalgo extension, check whether server offers EdDSA certificates, recognize EdDSA signatures
* --add-ca can also now be a directory with \*.pem files * --add-ca can also now be a directory with \*.pem files
* Warning of 398 day limit for certificates issued after 2020/9/1 * Warning of 398 day limit for certificates issued after 2020/9/1
* Added environment variable for amount of attempts for ssl renegotiation check * Added environment variable for amount of attempts for ssl renegotiation check
@ -46,16 +57,18 @@
* Headerflag X-XSS-Protection is now labeled as INFO * Headerflag X-XSS-Protection is now labeled as INFO
* Search for more HTTP security headers on the server * Search for more HTTP security headers on the server
* Strict parser for HSTS * Strict parser for HSTS
* DNS via proxy improvements * DNS via proxy improvements, also IPv6 support for proxy
* Client simulation runs in wide mode which is even better readable * Client simulation runs in wide mode which is even better readable
* Added --reqheader to support custom headers in HTTP requests * Added --reqheader to support custom headers in HTTP requests
* Test for support for RFC 8879 certificate compression
* Deprecating --fast and --ssl-native (warning only but still av) * Deprecating --fast and --ssl-native (warning only but still av)
* Compatible to GNU grep 3.8 * Compatible to GNU grep >=3.8, bash 5.x
* Don't use external pwd command anymore * Don't use external pwd command anymore
* Doesn't hang anymore when there's no local resolver * Doesn't hang anymore when there's no local resolver
* Display whether server requests/requires a Client Certificate
* Added --mtls feature to support client authentication * Added --mtls feature to support client authentication
* If a TLS 1.3 host is tested and e.g. /usr/bin/openssl supports it, it'll automagically will switch to it * CI run against a target with known configuration as a change canary
* Updated client handshakes as new browsers and OpenSSL 3.5.x show KEMs
* Start using client handshakes include ja3/ja4 so that similar handshakes will be recognized
### Features implemented / improvements in 3.0 ### Features implemented / improvements in 3.0

16
CREDITS.md

@ -4,7 +4,7 @@ Full contribution, see git log.
* Dirk Wetter (creator, maintainer and main contributor) * Dirk Wetter (creator, maintainer and main contributor)
- Everything what's not mentioned below and is included in testssl.sh's git log - Everything what's not mentioned below and is included in testssl.sh's git log
minus what I probably forgot to mention minus what I probably forgot to mention
(too much other things to do at the moment and to list it would be a tough job) (too much other things to do at the moment and to list it would be too time consuming)
* David Cooper (main contributor) * David Cooper (main contributor)
- Major extensions to socket support for all protocols - Major extensions to socket support for all protocols
@ -36,9 +36,9 @@ Full contribution, see git log.
- Check for ffdhe and ML-KEM groups - Check for ffdhe and ML-KEM groups
- TLS 1.2 and TLS 1.3 sig algs added - TLS 1.2 and TLS 1.3 sig algs added
- Show server supported signature algorithms - Show server supported signature algorithms
- Show supported certification authorities sent by the server when client auth is requested - Show supported certification authorities sent by the server when client auth is requested and whether certificate-based client authentication is not requested, optional, or required.
- Provide a better verdict wrt to server order: Now per protocol and ciphers are weighted for each protocol - Provide a better verdict wrt to server order: Now per protocol and ciphers are weighted for each protocol
- Provide compatibility to every LibreSSL/OpenSSL versions - Provide compatibility to every LibreSSL/OpenSSL versions, including OpenSSL 3.5.0
- Lots of fixes and improvements - Lots of fixes and improvements
##### Further credits (in alphabetical order) ##### Further credits (in alphabetical order)
@ -68,6 +68,9 @@ Full contribution, see git log.
* Christian Dresen * Christian Dresen
- Dockerfile - Dockerfile
* enxio
- support for TN3270/telnet STARTTLS
* csett86 * csett86
- some MacOSX and Java client handshake data - some MacOSX and Java client handshake data
@ -81,6 +84,10 @@ Full contribution, see git log.
- bugfixes - bugfixes
- former ARM binary support - former ARM binary support
* Jauder Ho
- GH Action to build new container images upon push
- dependabot actions
* Maciej Grela * Maciej Grela
- colorless handling - colorless handling
@ -128,6 +135,9 @@ Full contribution, see git log.
- non-flat JSON support (--json-pretty) - non-flat JSON support (--json-pretty)
- in file output (CSV, JSON flat, JSON non-flat) support of a minimum severity level - in file output (CSV, JSON flat, JSON non-flat) support of a minimum severity level
* Brett Randall
- Improved (experimental) Extended Validation (EV) certificate identification.
* Jonathan Roach * Jonathan Roach
- TLS_FALLBACK_SCSV checks - TLS_FALLBACK_SCSV checks