Merge pull request #1456 from drwetter/changes_etc

Update attributions and changes for release

CHANGELOG.md

@@ -1,7 +1,7 @@
 
 ## Change Log
 
-### Features implemented in 3.0
+### Features implemented / improvements in 3.0
 
 * Full support of TLS 1.3, shows also drafts supported
 * Extended protocol downgrade checks
@@ -12,12 +12,11 @@
 * DNS over Proxy and other proxy improvements
 * Decoding of unencrypted BIG IP cookies
 * Initial client certificate support
+* Warning of 825 day limit for certificates issued after 2018/3/1
 * Socket timeouts (``--connect-timeout``)
-* IDN/IDN2 servername support
+* IDN/IDN2 servername/URI + emoji support, supposed libidn/idn2 is installed and DNS resolver is recent) support
-* pwnedkeys.com support
-* Initial client certificate support
 * Initial support for certificate compression
-* Better JSON output: renamed IDs and findings shorter/better parsable
+* Better JSON output: renamed IDs and findings shorter/better parsable, also includes certficate
 * JSON output now valid also for non-responding servers
 * Testing now per default 370 ciphers
 * Further improving the robustness of TLS sockets (sending and parsing)
@@ -26,34 +25,39 @@
 * LOGJAM: now checking also for DH  and FFDHE groups (TLS 1.2)
 * PFS: Display of elliptical curves supported, DH and FFDHE groups (TLS 1.2 + TLS 1.3)
 * Check for session resumption (Ticket, ID)
-* TLS Robustness check (GREASE)
+* TLS Robustness check GREASE and more
 * Server preference distinguishes between TLS 1.3 and lower protocols
 * Mark TLS 1.0 and TLS 1.1 as deprecated
 * Does a few startup checks which make later tests easier and faster (``determine_optimal_\*()``)
 * Expect-CT Header Detection
 * `--phone-out` does certificate revocation checks via OCSP (LDAP+HTTP) and with CRL
 * `--phone-out` checks whether the private key has been compromised via https://pwnedkeys.com/
-* Fully OpenBSD and LibreSSL support
 * Missing SAN warning
 * Added support for private CAs
-* Way better handling of connectivity problems
+* Way better handling of connectivity problems (counting those, if threshold exceeded -> bye)
 * Fixed TCP fragmentation
 * Added `--ids-friendly` switch
 * Exit codes better: 0 for running without error, 1+n for small errors, >240 for major errors.
 * Better error msg suppression (not fully installed OpenSSL)
 * Better parsing of HTTP headers & better output of longer HTTP headers
+* Display more HTTP security headers
+* HTTP Basic Auth support for HTTP header
+* experimental "eTLS" detection
 * Dockerfile and repo @ docker hub with that file (see above)
 * Java Root CA store added
 * Better support for XMPP via STARTTLS & faster
 * Certificate check for to-name in stream of XMPP
-* Support for NNTP via STARTTLS, fixes for MySQL and PostgresQL
+* Support for NNTP and LMTP via STARTTLS, fixes for MySQL and PostgresQL
 * Support for SNI and STARTTLS
-* More robustness for any STARTTLS protocol (fall back to plaintext while in TLS)
+* More robustness for any STARTTLS protocol (fall back to plaintext while in TLS caused problems)
-* Major update of client simulations with self-collected data
+* Renegotiation checks improved, also no false potive for Node.js anymore
-* IDN/IDN2 and emoji URI support (supposed libidn/idn2 is installed and DNS resolver is recent)
+* Major update of client simulations with self-collected up-to-date data
+* Update of CA certificate stores
+* Lots of bug fixes
+* More travis/CI checks -- still place for improvements
 * Man page reviewed
 
-### Features implemented in 2.9.5
+### Features implemented / improvements in 2.9.5
 
 * Way better coverage of ciphers as most checks are done via bash sockets where ever possible
 * Further tests via TLS sockets and improvements (handshake parsing, completeness, robustness)

CREDITS.md

@@ -1,24 +1,40 @@
 
+Full contribution, see git log.
+
+* Dirk Wetter (creator, maintainer and main contributor)
+  - Everything what's not mentioned below and is included in testssl.sh's git log
+    minus what I probably forgot to mention
+  (too much other things to do at the moment and to list it would be a tough job)
+
 * David Cooper (main contributor)
-
+  - Major extensions to socket support for all protocols
+  - extended parsing of TLS ServerHello messages
+  - TLS 1.3 support (final and pre-final)
+  - add several TLS extensions
   - Detection + output of multiple certificates
   - several cleanups of server certificate related stuff
-  - extended parsing of TLS ServerHello messages
   - testssl.sh -e/-E: testing with a mixture of openssl + sockets
-  - more ciphers
+  - add more ciphers
-  - finding more TLS extensions via sockets
+  - coloring of ciphers
   - extensive CN+SAN <--> hostname check
   - separate check for curves
   - RFC 7919, key shares extension
+  - keyUsage extension in certificate
+  - experimental "eTLS" detection
   - parallel mass testing!
   - RFC <--> OpenSSL cipher name space switches for the command line
-  - numerous fixes
   - better error msg suppression (not fully installed openssl
   - GREASE support
-  - Bleichenbacher vulnerability test
+  - Bleichenbacher / ROBOT vulnerability test
-  - TLS 1.3 support
+  - several protocol preferences improvements
+  - pwnedkeys.com support
+  - CT support
+  - Lots of fixes and improvements
 
-##### Credits also to
+##### Further credits (in alphabetical order)
+
+* a666
+  - Bugfix
 
 * Christoph Badura
   - NetBSD fixes
@@ -32,7 +48,13 @@
 
  * Steven Danneman
    - Postgres and MySQL STARTTLS support
-   * MongoDB support
+   - MongoDB support
+
+* Christian Dresen
+   - Dockerfile
+
+* csett86
+   - some MacOSX and Java client handshake data
 
 * Mark Felder
   - lots of cleanups
@@ -47,6 +69,21 @@
 * Maciej Grela
   - colorless handling
 
+* Jac2NL
+  - initial support for skipping offensive vulnerability tests
+
+* Scott Johnson
+  - Bugfix F5
+
+* Hubert Kario
+  - helped with avoiding accidental TCP fragmentation
+
+* Jacco de Leeuw
+  - skip checks which might trigger an IDS ($OFFENSIVE / --ids-friendly)
+
+* Manuel
+  - HTTP basic auth
+
 * Markus Manzke
   - Fix for HSTS + subdomains
   - LibreSSL patch
@@ -90,19 +127,31 @@
 * Jeroen Wiert Pluimers
   - Darwin binaries support
 
+* Joao Poupino
+  - Minimize false positive detection for Renegotiation checks against Node.js etc.
+
 * Rechi
   - initial MX stuff
   - fixes
 
+* Gonçalo Ribeiro
+  - --connect-timeout
+
 * Dmitri S
   - inspiration & help for Darwin port
 
+* Marcin Szychowski
+  - Quick'n'dirty client certificate support
+
 * Viktor Szépe
   - color function maker
 
 * Julien Vehent
   - supplied 1st Darwin binary
 
+* Thomas Ward
+  - add initial IDN support
+
 * @typingArtist
   - improved BEAST detection
 
@@ -112,14 +161,14 @@
 * @nvsofts (NV)
   - LibreSSL patch for GOST
 
-Others I forgot to mention which did give me feedback, bug reports and helped one way or another.
+Probably more I forgot to mention which did give me feedback, bug reports and helped one way or another.
 
 
 ##### Last but not least:
 
 * OpenSSL team for providing openssl.
 
-* Ivan Ristic/Qualys for the liberal license which made it possible to use the client data
+* Ivan Ristic/Qualys for the liberal license which made it possible to make partly use of the client data
 
 * My family for supporting me doing this work