mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-10-30 21:35:26 +01:00
Amend changes and attributions
This commit is contained in:
Dirk
27
CHANGELOG.md
27
CHANGELOG.md
@@ -3,13 +3,16 @@
|
||||
|
||||
### Features implemented / improvements in 3.2
|
||||
|
||||
* Rating (SSL Labs, not complete)
|
||||
* Rating (SSL Labs)
|
||||
* Extend Server (cipher) preference: always now in wide mode instead of running all ciphers in the end (per default)
|
||||
* Remove "negotiated cipher / protocol"
|
||||
* Provide a better verdict wrt to server order: Now per protocol and ciphers are weighted for each protocol
|
||||
* Switched to multi-stage docker image with opensuse base to avoid musl libc issues, performance gain also
|
||||
* Improved compatibility with OpenSSL 3.0 and higher versions
|
||||
* Faster startup, other performance improvements
|
||||
* Switched to multi-stage docker image with opensuse base to avoid musl libc issues, benefit: also performance gain
|
||||
* Added GHCR.io docker image builds
|
||||
* Improved compatibility with OpenSSL 3.0 and higher versions like OpenSSL 3.5
|
||||
* Improved compatibility with Open/LibreSSL versions not supporting TLS 1.0-1.1 anymore
|
||||
* Reduced the set of openssl-bad binaries via github to Linux and FreeBSD, no kerberos binaries anymore, no Linux 32 Bit
|
||||
* Renamed PFS/perfect forward secrecy --> FS/forward secrecy
|
||||
* Cipher list straightening
|
||||
* Support RFC 9150 cipher suites
|
||||
@@ -17,6 +20,7 @@
|
||||
* Better align colors of ciphers with standard cipherlists
|
||||
* Save a few cycles for ROBOT
|
||||
* Several ciphers more colorized
|
||||
* Added support for way more ciphers like all AEAD ciphers known so far
|
||||
* Percent output char problem fixed
|
||||
* Several display/output fixes
|
||||
* BREACH check: list all compression methods and add brotli
|
||||
@@ -24,7 +28,9 @@
|
||||
* Test for STARTTLS injection vulnerabilities (SMTP, POP3, IMAP)
|
||||
* STARTTLS: XMPP server support, plus a new set of OpenSSL-bad binaries
|
||||
* STARTTLS sieve support, plus again a new set of OpenSSL-bad binaries
|
||||
* STARTTLS LDAP support, AD + STARTTLS logic is there but experimental
|
||||
* Several code improvements to STARTTLS, also better detection when no STARTTLS is offered
|
||||
* STARTTLS telnet (TN3270/telnet) support
|
||||
* Detect throtteling via STARTTLS smtp
|
||||
* Renegotiation checks more reliable against different servers
|
||||
* STARTTLS on active directory service support
|
||||
@@ -33,11 +39,16 @@
|
||||
* Added support for certificates with EdDSA signatures and public keys
|
||||
* Extract CA list shows supported certification authorities sent by the server
|
||||
* Wildcard certificates: detection and warning
|
||||
* Test for support for RFC 8879 certificate compression
|
||||
* Show intermediate cert validity / bad OCSP
|
||||
* If a TLS 1.3 host is tested and e.g. /usr/bin/openssl supports it, it'll automagically switch to it
|
||||
* TLS 1.2 and TLS 1.3 sig algs added
|
||||
* TLS 1.3: decrypting server response
|
||||
* Check for ffdhe groups
|
||||
* Check for six KEMs in draft-connolly-tls-mlkem-key-agreement/draft-kwiatkowski-tls-ecdhe-mlkem/draft-tls-westerbaan-xyber768d00
|
||||
* Check for ML-DSA signatures (draft-tls-westerbaan-mldsa)
|
||||
* Show server supported signature algorithms
|
||||
* Support for EdDSA (Ed25519/Ed448): sigalgo extension, check whether server offers EdDSA certificates, recognize EdDSA signatures
|
||||
* --add-ca can also now be a directory with \*.pem files
|
||||
* Warning of 398 day limit for certificates issued after 2020/9/1
|
||||
* Added environment variable for amount of attempts for ssl renegotiation check
|
||||
@@ -46,16 +57,18 @@
|
||||
* Headerflag X-XSS-Protection is now labeled as INFO
|
||||
* Search for more HTTP security headers on the server
|
||||
* Strict parser for HSTS
|
||||
* DNS via proxy improvements
|
||||
* DNS via proxy improvements, also IPv6 support for proxy
|
||||
* Client simulation runs in wide mode which is even better readable
|
||||
* Added --reqheader to support custom headers in HTTP requests
|
||||
* Test for support for RFC 8879 certificate compression
|
||||
* Deprecating --fast and --ssl-native (warning only but still av)
|
||||
* Compatible to GNU grep 3.8
|
||||
* Compatible to GNU grep >=3.8, bash 5.x
|
||||
* Don't use external pwd command anymore
|
||||
* Doesn't hang anymore when there's no local resolver
|
||||
* Display whether server requests/requires a Client Certificate
|
||||
* Added --mtls feature to support client authentication
|
||||
* If a TLS 1.3 host is tested and e.g. /usr/bin/openssl supports it, it'll automagically will switch to it
|
||||
* CI run against a target with known configuration as a change canary
|
||||
* Updated client handshakes as new browsers and OpenSSL 3.5.x show KEMs
|
||||
* Start using client handshakes include ja3/ja4 so that similar handshakes will be recognized
|
||||
|
||||
|
||||
### Features implemented / improvements in 3.0
|
||||
|
||||
16
CREDITS.md
16
CREDITS.md
@@ -4,7 +4,7 @@ Full contribution, see git log.
|
||||
* Dirk Wetter (creator, maintainer and main contributor)
|
||||
- Everything what's not mentioned below and is included in testssl.sh's git log
|
||||
minus what I probably forgot to mention
|
||||
(too much other things to do at the moment and to list it would be a tough job)
|
||||
(too much other things to do at the moment and to list it would be too time consuming)
|
||||
|
||||
* David Cooper (main contributor)
|
||||
- Major extensions to socket support for all protocols
|
||||
@@ -36,9 +36,9 @@ Full contribution, see git log.
|
||||
- Check for ffdhe and ML-KEM groups
|
||||
- TLS 1.2 and TLS 1.3 sig algs added
|
||||
- Show server supported signature algorithms
|
||||
- Show supported certification authorities sent by the server when client auth is requested
|
||||
- Show supported certification authorities sent by the server when client auth is requested and whether certificate-based client authentication is not requested, optional, or required.
|
||||
- Provide a better verdict wrt to server order: Now per protocol and ciphers are weighted for each protocol
|
||||
- Provide compatibility to every LibreSSL/OpenSSL versions
|
||||
- Provide compatibility to every LibreSSL/OpenSSL versions, including OpenSSL 3.5.0
|
||||
- Lots of fixes and improvements
|
||||
|
||||
##### Further credits (in alphabetical order)
|
||||
@@ -68,6 +68,9 @@ Full contribution, see git log.
|
||||
* Christian Dresen
|
||||
- Dockerfile
|
||||
|
||||
* enxio
|
||||
- support for TN3270/telnet STARTTLS
|
||||
|
||||
* csett86
|
||||
- some MacOSX and Java client handshake data
|
||||
|
||||
@@ -81,6 +84,10 @@ Full contribution, see git log.
|
||||
- bugfixes
|
||||
- former ARM binary support
|
||||
|
||||
* Jauder Ho
|
||||
- GH Action to build new container images upon push
|
||||
- dependabot actions
|
||||
|
||||
* Maciej Grela
|
||||
- colorless handling
|
||||
|
||||
@@ -128,6 +135,9 @@ Full contribution, see git log.
|
||||
- non-flat JSON support (--json-pretty)
|
||||
- in file output (CSV, JSON flat, JSON non-flat) support of a minimum severity level
|
||||
|
||||
* Brett Randall
|
||||
- Improved (experimental) Extended Validation (EV) certificate identification.
|
||||
|
||||
* Jonathan Roach
|
||||
- TLS_FALLBACK_SCSV checks
|
||||
|
||||
|
||||
Reference in New Issue
Block a user