From b5427e3006d0bdb39e3c25e681a90736241710d2 Mon Sep 17 00:00:00 2001
From: Dirk
Date: Sun, 8 Sep 2024 16:32:19 +0200
Subject: [PATCH 1/4] Bump version to 3.2rc4
---
 testssl.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/testssl.sh b/testssl.sh
index 4068440..cf02a8f 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -122,7 +122,7 @@ trap "child_error" USR1
 ########### Internal definitions
 #
-declare -r VERSION="3.2rc3"
+declare -r VERSION="3.2rc4"
 declare -r SWCONTACT="dirk aet testssl dot sh"
 [[ "$VERSION" =~ dev|rc|beta ]] && \
 SWURL="https://testssl.sh/dev/" ||
From 0042b6313efdeda7af9740a0994c2e9f70599dda Mon Sep 17 00:00:00 2001
From: Dirk Wetter
Date: Fri, 24 Jan 2025 11:15:55 +0100
Subject: [PATCH 2/4] s/drwetter/testssl
For the remaining occurences. Except dockerhub which needs to be solved.
---
 bin/Readme.md | 6 +++---
 doc/testssl.1 | 2 +-
 doc/testssl.1.html | 2 +-
 doc/testssl.1.md | 2 +-
 etc/tls_data.txt | 2 +-
 t/11_baseline_ipv6_http.t.DISABLED | 2 +-
 utils/make-openssl.sh | 2 +-
 7 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/bin/Readme.md b/bin/Readme.md
index 83d7094..2998804 100644
--- a/bin/Readme.md
+++ b/bin/Readme.md
@@ -10,7 +10,7 @@ for some new / advanced cipher suites and/or features which are not in the
 official branch like (old version of the) CHACHA20+POLY1305 and CAMELLIA 256 bit ciphers.
 The (stripped) binaries this directory are all compiled from my openssl snapshot
-(https://github.com/drwetter/openssl-1.0.2.bad) which adds a few bits to Peter
+(https://github.com/testssl/openssl-1.0.2.bad) which adds a few bits to Peter
 Mosman's openssl fork (https://github.com/PeterMosmans/openssl). Thx a bunch, Peter!
 The few bits are IPv6 support (except IPV6 proxy) and some STARTTLS backports.
@@ -71,11 +71,11 @@ Compilation instructions
 If you want to compile OpenSSL yourself, here are the instructions:
 1.)
- git git clone https://github.com/drwetter/openssl-1.0.2-bad
+ git git clone https://github.com/testssl/openssl-1.0.2-bad
 cd openssl
-2.) configure the damned thing. Options I used (see https://github.com/drwetter/testssl.sh/blob/master/utils/make-openssl.sh)
+2.) configure the damned thing. Options I used (see https://github.com/testssl/testssl.sh/blob/master/utils/make-openssl.sh)
 **for 64Bit including Kerberos ciphers:**
diff --git a/doc/testssl.1 b/doc/testssl.1
index e57bc0e..810d54a 100644
--- a/doc/testssl.1
+++ b/doc/testssl.1
@@ -607,4 +607,4 @@ All native Windows platforms emulating Linux are known to be slow\.
 .SH "BUGS"
 Probably\. Current known ones and interface for filing new ones: https://testssl\.sh/bugs/ \.
 .SH "SEE ALSO"
-\fBciphers\fR(1), \fBopenssl\fR(1), \fBs_client\fR(1), \fBx509\fR(1), \fBverify\fR(1), \fBocsp\fR(1), \fBcrl\fR(1), \fBbash\fR(1) and the websites https://testssl\.sh/ and https://github\.com/drwetter/testssl\.sh/ \.
+\fBciphers\fR(1), \fBopenssl\fR(1), \fBs_client\fR(1), \fBx509\fR(1), \fBverify\fR(1), \fBocsp\fR(1), \fBcrl\fR(1), \fBbash\fR(1) and the websites https://testssl\.sh/ and https://github\.com/testssl/testssl\.sh/ \.
diff --git a/doc/testssl.1.html b/doc/testssl.1.html
index dbcbba5..0336c4b 100644
--- a/doc/testssl.1.html
+++ b/doc/testssl.1.html
@@ -681,7 +681,7 @@ from. That helps us to get bugfixes, other feedback and more contributions.

SEE ALSO

-

ciphers(1), openssl(1), s_client(1), x509(1), verify(1), ocsp(1), crl(1), bash(1) and the websites https://testssl.sh/ and https://github.com/drwetter/testssl.sh/ .

+

ciphers(1), openssl(1), s_client(1), x509(1), verify(1), ocsp(1), crl(1), bash(1) and the websites https://testssl.sh/ and https://github.com/testssl/testssl.sh/ .

  1.
diff --git a/doc/testssl.1.md b/doc/testssl.1.md
index 42ac9c6..edbc304 100644
--- a/doc/testssl.1.md
+++ b/doc/testssl.1.md
@@ -587,4 +587,4 @@ Probably. Current known ones and interface for filing new ones: https://testssl.
 ## SEE ALSO
-`ciphers`(1), `openssl`(1), `s_client`(1), `x509`(1), `verify`(1), `ocsp`(1), `crl`(1), `bash`(1) and the websites https://testssl.sh/ and https://github.com/drwetter/testssl.sh/ .
+`ciphers`(1), `openssl`(1), `s_client`(1), `x509`(1), `verify`(1), `ocsp`(1), `crl`(1), `bash`(1) and the websites https://testssl.sh/ and https://github.com/testssl/testssl.sh/ .
diff --git a/etc/tls_data.txt b/etc/tls_data.txt
index 42483d9..6b16b06 100644
--- a/etc/tls_data.txt
+++ b/etc/tls_data.txt
@@ -1,7 +1,7 @@
 # data we need for socket based handshakes
 # see #807 and #806 (especially
-# https://github.com/drwetter/testssl.sh/issues/806#issuecomment-318686374)
+# https://github.com/testssl/testssl.sh/issues/806#issuecomment-318686374)
 # 7 ciphers defined for TLS 1.3 in RFCs 8446 and 9150
 readonly TLS13_CIPHER="
diff --git a/t/11_baseline_ipv6_http.t.DISABLED b/t/11_baseline_ipv6_http.t.DISABLED
index affa18a..028cbea 100755
--- a/t/11_baseline_ipv6_http.t.DISABLED
+++ b/t/11_baseline_ipv6_http.t.DISABLED
@@ -1,6 +1,6 @@
 #!/usr/bin/env perl
-# disabled as IPv6 is not supported by Travis, see https://github.com/drwetter/testssl.sh/issues/1177
+# disabled as IPv6 wasn't supported by Travis CI and isn't by GH action, see https://github.com/testssl/testssl.sh/issues/1177
 # Just a functional test, whether there are any problems on the client side
 # Probably we could also inspect the JSON for any problems for
diff --git a/utils/make-openssl.sh b/utils/make-openssl.sh
index 931406a..f2a2bf3 100755
--- a/utils/make-openssl.sh
+++ b/utils/make-openssl.sh
@@ -69,7 +69,7 @@ testv6_patch() {
 else
 echo
 echo "no IPv6 patch (Fedora) detected!! -- Press ^C and dl & apply from"
- echo "https://github.com/drwetter/testssl.sh/blob/master/bin/fedora-dirk-ipv6.diff"
+ echo "https://github.com/testssl/testssl.sh/blob/master/bin/fedora-dirk-ipv6.diff"
 echo "or press any key to ignore"
 echo
 read a
From 163d744c1329ce5778313b3375aa143f35aeea9c Mon Sep 17 00:00:00 2001
From: Dirk Wetter
Date: Fri, 24 Jan 2025 11:32:41 +0100
Subject: [PATCH 3/4] Add recent and bigger changes
From today back to 1f37a8406f1144d62b4f803719a008c278d63b9a
---
 CHANGELOG.md | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2942f07..1e1b5c1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@
 * Improved compatibility with Open/LibreSSL versions not supporting TLS 1.0-1.1 anymore
 * Renamed PFS/perfect forward secrecy --> FS/forward secrecy
 * Cipher list straightening
+* Support RFC 9150 cipher suites
 * Improved mass testing
 * Better align colors of ciphers with standard cipherlists
 * Save a few cycles for ROBOT
@@ -23,13 +24,16 @@
 * Test for STARTTLS injection vulnerabilities (SMTP, POP3, IMAP)
 * STARTTLS: XMPP server support, plus new set of OpenSSL-bad binaries
 * Several code improvements to STARTTLS, also better detection when no STARTTLS is offered
+* Renegotiation checks more reliable against different servers
 * STARTTLS on active directory service support
 * Security fixes: DNS and other input from servers
 * Don't penalize missing trust in rating when CA not in Java store
 * Added support for certificates with EdDSA signatures and public keys
 * Extract CA list shows supported certification authorities sent by the server
+* Wildcard detction of certificate and warning
 * TLS 1.2 and TLS 1.3 sig algs added
 * Check for ffdhe groups
+* Check for three KEMs in draft-kwiatkowski-tls-ecdhe-mlkem/draft-tls-westerbaan-xyber768d00
 * Show server supported signature algorithms
 * --add-ca can also now be a directory with \*.pem files
 * Warning of 398 day limit for certificates issued after 2020/9/1
@@ -41,6 +45,7 @@
 * DNS via proxy improvements
 * Client simulation runs in wide mode which is even better readable
 * Added --reqheader to support custom headers in HTTP requests
+* Search for more HTTP security headers on the server
 * Test for support for RFC 8879 certificate compression
 * Deprecating --fast and --ssl-native (warning but still av)
 * Compatible to GNU grep 3.8
From 76cdf3166a8b9f4d24e28b1369b3e759bf0d48bc Mon Sep 17 00:00:00 2001
From: Dirk
Date: Fri, 24 Jan 2025 14:53:52 +0100
Subject: [PATCH 4/4] fix typo
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1e1b5c1..4084521 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -30,7 +30,7 @@
 * Don't penalize missing trust in rating when CA not in Java store
 * Added support for certificates with EdDSA signatures and public keys
 * Extract CA list shows supported certification authorities sent by the server
-* Wildcard detction of certificate and warning
+* Wildcard certificates: detection and warning
 * TLS 1.2 and TLS 1.3 sig algs added
 * Check for ffdhe groups
 * Check for three KEMs in draft-kwiatkowski-tls-ecdhe-mlkem/draft-tls-westerbaan-xyber768d00