Same as #2528, only for the 3.0 branch.
- Mozilla: 2024-7-02
- Debian 12, ca-certificates from 20230311
- JDK 21.04
- Apple via https://github.com/apple-oss-distributions/security_certificates (according to git log latest change Fri Dec 15 00:44:35 2023)
- Microsoft via CertUtil (date of this PR)
Modified Readme to reflect that the Apple CA certificates are better to retrieve from GH and clarified minor things.
This also fixes#2525 (for 3.0), where >=2 certificates were missing.
see #2169, #2168
Added:
* Safari for macOS
* Java 17 LTS
* OpenSSL 3.0.3
* Android 11 and 12
* Go client (1.17)
* Firefox 100, Chrome and Edge 101 using Win10
* Thunderbird 91.9
* AppleMail
* LibreSSL from MacOS
* disabled Java 12 and Safari on OS X 10.12
* disabled Android < 6.0
* documention update how to add a client simulation
* add curves-mapping.txt file
* also ca_hashes.txt
* Used Java SDK 15 instead of JRE 8
* Used Windows 10 20H2
* Java Keystore has added 5 certificates (90 --> 95)
Updated Readme and make instructions more reproducible
Fixes#1772
Other than before teh Java store was extracted directly from a keystore
from a Java JRE from https://jdk.java.net/.
The Debian keystore used previously used the certificates from the Debian
machine itself (installation script in ``/etc/ca-certificates/update.d/``.
Check with ``keytool -list -rfc -keystore /etc/ssl/certs/java/cacerts | grep -i 'alias'``
As a consequence this store contains less certificates:
etc/Java.pem:90
etc/Linux.pem:128
and needs some testing whether it really should be still included.
While we are thankful that Ivan Ristic permitted to use the client
data from SSLlabs, it became of bit outdated now (see #1158). Also
as sslhaf [1] was used, the data comes from HTTP traffic only.
This is a start to address it. It provides data from Android 9
(connecting to the play store, so that it is sure we don't capture
a ClientHello from an application having an own TLS stack.
Also it provides documentation how to grab data yourself, and
provide it back to testssl.sh.
Aim is at least for testssl.sh 3.0 to add Android 8 and OpenSSL 1.1.1 (@drwetter).
My hope others can assist with Safari on OSX 11 and 12. Java 10 and 11,
and a recent Opera and Edge version. (Firefox and Chrome are out of
date too)
Mail clients to follow later.
[1] https://github.com/ssllabs/sslhaf
This is an update of the root certificate stores. Date from each store
is from yesterday.
Description update.
Also the Java certificate store was added. Previously Java was omitted
as it appeared not to be complete. I tested successfully this store.
