Merge pull request #2566 from testssl/bump_version

Bump version to 3.2rc4
2025-01-30 12:21:17 +01:00 · 2025-01-24 15:47:11 +01:00 · 2025-01-24 15:47:11 +01:00 · 5c1232b9dc
commit 5c1232b9dc
parent 5eeab6484f 76cdf3166a
9 changed files with 15 additions and 10 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -12,6 +12,7 @@
 * Improved compatibility with Open/LibreSSL versions not supporting TLS 1.0-1.1 anymore
 * Renamed PFS/perfect forward secrecy --> FS/forward secrecy
 * Cipher list straightening
+* Support RFC 9150 cipher suites
 * Improved mass testing
 * Better align colors of ciphers with standard cipherlists
 * Save a few cycles for ROBOT
@ -23,13 +24,16 @@
 * Test for STARTTLS injection vulnerabilities (SMTP, POP3, IMAP)
 * STARTTLS: XMPP server support, plus new set of OpenSSL-bad binaries
 * Several code improvements to STARTTLS, also better detection when no STARTTLS is offered
+* Renegotiation checks more reliable against different servers
 * STARTTLS on active directory service support
 * Security fixes: DNS and other input from servers
 * Don't penalize missing trust in rating when CA not in Java store
 * Added support for certificates with EdDSA signatures and public keys
 * Extract CA list shows supported certification authorities sent by the server
+* Wildcard certificates: detection and warning
 * TLS 1.2 and TLS 1.3 sig algs added
 * Check for ffdhe groups
+* Check for three KEMs in draft-kwiatkowski-tls-ecdhe-mlkem/draft-tls-westerbaan-xyber768d00
 * Show server supported signature algorithms
 * --add-ca can also now be a directory with \*.pem files
 * Warning of 398 day limit for certificates issued after 2020/9/1
@ -41,6 +45,7 @@
 * DNS via proxy improvements
 * Client simulation runs in wide mode which is even better readable
 * Added --reqheader to support custom headers in HTTP requests
+* Search for more HTTP security headers on the server
 * Test for support for RFC 8879 certificate compression
 * Deprecating --fast and --ssl-native (warning but still av)
 * Compatible to GNU grep 3.8
--- a/bin/Readme.md
+++ b/bin/Readme.md
@ -10,7 +10,7 @@ for some new / advanced cipher suites and/or features which are not in the
 official branch like (old version of the) CHACHA20+POLY1305 and CAMELLIA 256 bit ciphers.

 The (stripped) binaries this directory are all compiled from my openssl snapshot
-(https://github.com/drwetter/openssl-1.0.2.bad) which adds a few bits to Peter
+(https://github.com/testssl/openssl-1.0.2.bad) which adds a few bits to Peter
 Mosman's openssl fork (https://github.com/PeterMosmans/openssl). Thx a bunch, Peter!
 The few bits are IPv6 support (except IPV6 proxy) and some STARTTLS backports.

@ -71,11 +71,11 @@ Compilation instructions
 If you want to compile OpenSSL yourself, here are the instructions:

 1.)
-    git git clone https://github.com/drwetter/openssl-1.0.2-bad
+    git git clone https://github.com/testssl/openssl-1.0.2-bad
    cd openssl


-2.) configure the damned thing. Options I used (see https://github.com/drwetter/testssl.sh/blob/master/utils/make-openssl.sh)
+2.) configure the damned thing. Options I used (see https://github.com/testssl/testssl.sh/blob/master/utils/make-openssl.sh)

 **for 64Bit including Kerberos ciphers:**

--- a/doc/testssl.1
+++ b/doc/testssl.1
@ -607,4 +607,4 @@ All native Windows platforms emulating Linux are known to be slow\.
 .SH "BUGS"
 Probably\. Current known ones and interface for filing new ones: https://testssl\.sh/bugs/ \.
 .SH "SEE ALSO"
-\fBciphers\fR(1), \fBopenssl\fR(1), \fBs_client\fR(1), \fBx509\fR(1), \fBverify\fR(1), \fBocsp\fR(1), \fBcrl\fR(1), \fBbash\fR(1) and the websites https://testssl\.sh/ and https://github\.com/drwetter/testssl\.sh/ \.
+\fBciphers\fR(1), \fBopenssl\fR(1), \fBs_client\fR(1), \fBx509\fR(1), \fBverify\fR(1), \fBocsp\fR(1), \fBcrl\fR(1), \fBbash\fR(1) and the websites https://testssl\.sh/ and https://github\.com/testssl/testssl\.sh/ \.
--- a/doc/testssl.1.html
+++ b/doc/testssl.1.html
@ -681,7 +681,7 @@ from. That helps us to get bugfixes, other feedback and more contributions.</p>

 <h2 id="SEE-ALSO">SEE ALSO</h2>

-<p><span class="man-ref"><code>ciphers</code><span class="s">(1)</span></span>, <span class="man-ref"><code>openssl</code><span class="s">(1)</span></span>, <span class="man-ref"><code>s_client</code><span class="s">(1)</span></span>, <span class="man-ref"><code>x509</code><span class="s">(1)</span></span>, <span class="man-ref"><code>verify</code><span class="s">(1)</span></span>, <span class="man-ref"><code>ocsp</code><span class="s">(1)</span></span>, <span class="man-ref"><code>crl</code><span class="s">(1)</span></span>, <span class="man-ref"><code>bash</code><span class="s">(1)</span></span> and the websites https://testssl.sh/ and https://github.com/drwetter/testssl.sh/ .</p>
+<p><span class="man-ref"><code>ciphers</code><span class="s">(1)</span></span>, <span class="man-ref"><code>openssl</code><span class="s">(1)</span></span>, <span class="man-ref"><code>s_client</code><span class="s">(1)</span></span>, <span class="man-ref"><code>x509</code><span class="s">(1)</span></span>, <span class="man-ref"><code>verify</code><span class="s">(1)</span></span>, <span class="man-ref"><code>ocsp</code><span class="s">(1)</span></span>, <span class="man-ref"><code>crl</code><span class="s">(1)</span></span>, <span class="man-ref"><code>bash</code><span class="s">(1)</span></span> and the websites https://testssl.sh/ and https://github.com/testssl/testssl.sh/ .</p>

  <ol class='man-decor man-foot man foot'>
    <li class='tl'></li>
--- a/doc/testssl.1.md
+++ b/doc/testssl.1.md
@ -587,4 +587,4 @@ Probably. Current known ones and interface for filing new ones: https://testssl.

 ## SEE ALSO

-`ciphers`(1), `openssl`(1), `s_client`(1), `x509`(1), `verify`(1), `ocsp`(1), `crl`(1), `bash`(1) and the websites https://testssl.sh/ and https://github.com/drwetter/testssl.sh/ .
+`ciphers`(1), `openssl`(1), `s_client`(1), `x509`(1), `verify`(1), `ocsp`(1), `crl`(1), `bash`(1) and the websites https://testssl.sh/ and https://github.com/testssl/testssl.sh/ .
--- a/etc/tls_data.txt
+++ b/etc/tls_data.txt
@ -1,7 +1,7 @@

 # data we need for socket based handshakes
 # see #807 and #806 (especially
-# https://github.com/drwetter/testssl.sh/issues/806#issuecomment-318686374)
+# https://github.com/testssl/testssl.sh/issues/806#issuecomment-318686374)

 # 7 ciphers defined for TLS 1.3 in RFCs 8446 and 9150
 readonly TLS13_CIPHER="
--- a/t/11_baseline_ipv6_http.t.DISABLED
+++ b/t/11_baseline_ipv6_http.t.DISABLED
@ -1,6 +1,6 @@
 #!/usr/bin/env perl

-# disabled as IPv6 is not supported by Travis, see https://github.com/drwetter/testssl.sh/issues/1177
+# disabled as IPv6 wasn't supported by Travis CI and isn't by GH action, see https://github.com/testssl/testssl.sh/issues/1177

 # Just a functional test, whether there are any problems on the client side
 # Probably we could also inspect the JSON for any problems for
--- a/testssl.sh
+++ b/testssl.sh
@ -122,7 +122,7 @@ trap "child_error" USR1

 ########### Internal definitions
 #
-declare -r VERSION="3.2rc3"
+declare -r VERSION="3.2rc4"
 declare -r SWCONTACT="dirk aet testssl dot sh"
 [[ "$VERSION" =~ dev|rc|beta ]] && \
     SWURL="https://testssl.sh/dev/" ||
--- a/utils/make-openssl.sh
+++ b/utils/make-openssl.sh
@ -69,7 +69,7 @@ testv6_patch() {
     else
          echo
          echo "no IPv6 patch (Fedora) detected!!  -- Press ^C and dl & apply from"
-          echo "https://github.com/drwetter/testssl.sh/blob/master/bin/fedora-dirk-ipv6.diff"
+          echo "https://github.com/testssl/testssl.sh/blob/master/bin/fedora-dirk-ipv6.diff"
          echo "or press any key to ignore"
          echo
          read a