Merge pull request #1456 from drwetter/changes_etc

Update attributions and changes for release
This commit is contained in:
Dirk Wetter 2020-01-23 18:05:50 +01:00 committed by GitHub
commit a11a060acb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 77 additions and 24 deletions

View File

@ -1,7 +1,7 @@
## Change Log
### Features implemented in 3.0
### Features implemented / improvements in 3.0
* Full support of TLS 1.3, shows also drafts supported
* Extended protocol downgrade checks
@ -12,12 +12,11 @@
* DNS over Proxy and other proxy improvements
* Decoding of unencrypted BIG IP cookies
* Initial client certificate support
* Warning of 825 day limit for certificates issued after 2018/3/1
* Socket timeouts (``--connect-timeout``)
* IDN/IDN2 servername support
* pwnedkeys.com support
* Initial client certificate support
* IDN/IDN2 servername/URI + emoji support, supposed libidn/idn2 is installed and DNS resolver is recent) support
* Initial support for certificate compression
* Better JSON output: renamed IDs and findings shorter/better parsable
* Better JSON output: renamed IDs and findings shorter/better parsable, also includes certficate
* JSON output now valid also for non-responding servers
* Testing now per default 370 ciphers
* Further improving the robustness of TLS sockets (sending and parsing)
@ -26,34 +25,39 @@
* LOGJAM: now checking also for DH and FFDHE groups (TLS 1.2)
* PFS: Display of elliptical curves supported, DH and FFDHE groups (TLS 1.2 + TLS 1.3)
* Check for session resumption (Ticket, ID)
* TLS Robustness check (GREASE)
* TLS Robustness check GREASE and more
* Server preference distinguishes between TLS 1.3 and lower protocols
* Mark TLS 1.0 and TLS 1.1 as deprecated
* Does a few startup checks which make later tests easier and faster (``determine_optimal_\*()``)
* Expect-CT Header Detection
* `--phone-out` does certificate revocation checks via OCSP (LDAP+HTTP) and with CRL
* `--phone-out` checks whether the private key has been compromised via https://pwnedkeys.com/
* Fully OpenBSD and LibreSSL support
* Missing SAN warning
* Added support for private CAs
* Way better handling of connectivity problems
* Way better handling of connectivity problems (counting those, if threshold exceeded -> bye)
* Fixed TCP fragmentation
* Added `--ids-friendly` switch
* Exit codes better: 0 for running without error, 1+n for small errors, >240 for major errors.
* Better error msg suppression (not fully installed OpenSSL)
* Better parsing of HTTP headers & better output of longer HTTP headers
* Display more HTTP security headers
* HTTP Basic Auth support for HTTP header
* experimental "eTLS" detection
* Dockerfile and repo @ docker hub with that file (see above)
* Java Root CA store added
* Better support for XMPP via STARTTLS & faster
* Certificate check for to-name in stream of XMPP
* Support for NNTP via STARTTLS, fixes for MySQL and PostgresQL
* Support for NNTP and LMTP via STARTTLS, fixes for MySQL and PostgresQL
* Support for SNI and STARTTLS
* More robustness for any STARTTLS protocol (fall back to plaintext while in TLS)
* Major update of client simulations with self-collected data
* IDN/IDN2 and emoji URI support (supposed libidn/idn2 is installed and DNS resolver is recent)
* More robustness for any STARTTLS protocol (fall back to plaintext while in TLS caused problems)
* Renegotiation checks improved, also no false potive for Node.js anymore
* Major update of client simulations with self-collected up-to-date data
* Update of CA certificate stores
* Lots of bug fixes
* More travis/CI checks -- still place for improvements
* Man page reviewed
### Features implemented in 2.9.5
### Features implemented / improvements in 2.9.5
* Way better coverage of ciphers as most checks are done via bash sockets where ever possible
* Further tests via TLS sockets and improvements (handshake parsing, completeness, robustness)

View File

@ -1,24 +1,40 @@
Full contribution, see git log.
* Dirk Wetter (creator, maintainer and main contributor)
- Everything what's not mentioned below and is included in testssl.sh's git log
minus what I probably forgot to mention
(too much other things to do at the moment and to list it would be a tough job)
* David Cooper (main contributor)
- Major extensions to socket support for all protocols
- extended parsing of TLS ServerHello messages
- TLS 1.3 support (final and pre-final)
- add several TLS extensions
- Detection + output of multiple certificates
- several cleanups of server certificate related stuff
- extended parsing of TLS ServerHello messages
- testssl.sh -e/-E: testing with a mixture of openssl + sockets
- more ciphers
- finding more TLS extensions via sockets
- add more ciphers
- coloring of ciphers
- extensive CN+SAN <--> hostname check
- separate check for curves
- RFC 7919, key shares extension
- keyUsage extension in certificate
- experimental "eTLS" detection
- parallel mass testing!
- RFC <--> OpenSSL cipher name space switches for the command line
- numerous fixes
- better error msg suppression (not fully installed openssl
- GREASE support
- Bleichenbacher vulnerability test
- TLS 1.3 support
- Bleichenbacher / ROBOT vulnerability test
- several protocol preferences improvements
- pwnedkeys.com support
- CT support
- Lots of fixes and improvements
##### Credits also to
##### Further credits (in alphabetical order)
* a666
- Bugfix
* Christoph Badura
- NetBSD fixes
@ -32,7 +48,13 @@
* Steven Danneman
- Postgres and MySQL STARTTLS support
* MongoDB support
- MongoDB support
* Christian Dresen
- Dockerfile
* csett86
- some MacOSX and Java client handshake data
* Mark Felder
- lots of cleanups
@ -47,6 +69,21 @@
* Maciej Grela
- colorless handling
* Jac2NL
- initial support for skipping offensive vulnerability tests
* Scott Johnson
- Bugfix F5
* Hubert Kario
- helped with avoiding accidental TCP fragmentation
* Jacco de Leeuw
- skip checks which might trigger an IDS ($OFFENSIVE / --ids-friendly)
* Manuel
- HTTP basic auth
* Markus Manzke
- Fix for HSTS + subdomains
- LibreSSL patch
@ -90,19 +127,31 @@
* Jeroen Wiert Pluimers
- Darwin binaries support
* Joao Poupino
- Minimize false positive detection for Renegotiation checks against Node.js etc.
* Rechi
- initial MX stuff
- fixes
* Gonçalo Ribeiro
- --connect-timeout
* Dmitri S
- inspiration & help for Darwin port
* Marcin Szychowski
- Quick'n'dirty client certificate support
* Viktor Szépe
- color function maker
* Julien Vehent
- supplied 1st Darwin binary
* Thomas Ward
- add initial IDN support
* @typingArtist
- improved BEAST detection
@ -112,14 +161,14 @@
* @nvsofts (NV)
- LibreSSL patch for GOST
Others I forgot to mention which did give me feedback, bug reports and helped one way or another.
Probably more I forgot to mention which did give me feedback, bug reports and helped one way or another.
##### Last but not least:
* OpenSSL team for providing openssl.
* Ivan Ristic/Qualys for the liberal license which made it possible to use the client data
* Ivan Ristic/Qualys for the liberal license which made it possible to make partly use of the client data
* My family for supporting me doing this work