diff --git a/CHANGELOG.md b/CHANGELOG.md index e1243a7..289f81a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,7 +1,7 @@ ## Change Log -### Features implemented in 3.0 +### Features implemented / improvements in 3.0 * Full support of TLS 1.3, shows also drafts supported * Extended protocol downgrade checks @@ -12,12 +12,11 @@ * DNS over Proxy and other proxy improvements * Decoding of unencrypted BIG IP cookies * Initial client certificate support +* Warning of 825 day limit for certificates issued after 2018/3/1 * Socket timeouts (``--connect-timeout``) -* IDN/IDN2 servername support -* pwnedkeys.com support -* Initial client certificate support +* IDN/IDN2 servername/URI + emoji support, supposed libidn/idn2 is installed and DNS resolver is recent) support * Initial support for certificate compression -* Better JSON output: renamed IDs and findings shorter/better parsable +* Better JSON output: renamed IDs and findings shorter/better parsable, also includes certficate * JSON output now valid also for non-responding servers * Testing now per default 370 ciphers * Further improving the robustness of TLS sockets (sending and parsing) @@ -26,34 +25,39 @@ * LOGJAM: now checking also for DH and FFDHE groups (TLS 1.2) * PFS: Display of elliptical curves supported, DH and FFDHE groups (TLS 1.2 + TLS 1.3) * Check for session resumption (Ticket, ID) -* TLS Robustness check (GREASE) +* TLS Robustness check GREASE and more * Server preference distinguishes between TLS 1.3 and lower protocols * Mark TLS 1.0 and TLS 1.1 as deprecated * Does a few startup checks which make later tests easier and faster (``determine_optimal_\*()``) * Expect-CT Header Detection * `--phone-out` does certificate revocation checks via OCSP (LDAP+HTTP) and with CRL * `--phone-out` checks whether the private key has been compromised via https://pwnedkeys.com/ -* Fully OpenBSD and LibreSSL support * Missing SAN warning * Added support for private CAs -* Way better handling of connectivity problems +* Way better handling of connectivity problems (counting those, if threshold exceeded -> bye) * Fixed TCP fragmentation * Added `--ids-friendly` switch * Exit codes better: 0 for running without error, 1+n for small errors, >240 for major errors. * Better error msg suppression (not fully installed OpenSSL) * Better parsing of HTTP headers & better output of longer HTTP headers +* Display more HTTP security headers +* HTTP Basic Auth support for HTTP header +* experimental "eTLS" detection * Dockerfile and repo @ docker hub with that file (see above) * Java Root CA store added * Better support for XMPP via STARTTLS & faster * Certificate check for to-name in stream of XMPP -* Support for NNTP via STARTTLS, fixes for MySQL and PostgresQL +* Support for NNTP and LMTP via STARTTLS, fixes for MySQL and PostgresQL * Support for SNI and STARTTLS -* More robustness for any STARTTLS protocol (fall back to plaintext while in TLS) -* Major update of client simulations with self-collected data -* IDN/IDN2 and emoji URI support (supposed libidn/idn2 is installed and DNS resolver is recent) +* More robustness for any STARTTLS protocol (fall back to plaintext while in TLS caused problems) +* Renegotiation checks improved, also no false potive for Node.js anymore +* Major update of client simulations with self-collected up-to-date data +* Update of CA certificate stores +* Lots of bug fixes +* More travis/CI checks -- still place for improvements * Man page reviewed -### Features implemented in 2.9.5 +### Features implemented / improvements in 2.9.5 * Way better coverage of ciphers as most checks are done via bash sockets where ever possible * Further tests via TLS sockets and improvements (handshake parsing, completeness, robustness) diff --git a/CREDITS.md b/CREDITS.md index 2be09fc..38ccced 100644 --- a/CREDITS.md +++ b/CREDITS.md @@ -1,24 +1,40 @@ +Full contribution, see git log. + +* Dirk Wetter (creator, maintainer and main contributor) + - Everything what's not mentioned below and is included in testssl.sh's git log + minus what I probably forgot to mention + (too much other things to do at the moment and to list it would be a tough job) + * David Cooper (main contributor) - + - Major extensions to socket support for all protocols + - extended parsing of TLS ServerHello messages + - TLS 1.3 support (final and pre-final) + - add several TLS extensions - Detection + output of multiple certificates - several cleanups of server certificate related stuff - - extended parsing of TLS ServerHello messages - testssl.sh -e/-E: testing with a mixture of openssl + sockets - - more ciphers - - finding more TLS extensions via sockets + - add more ciphers + - coloring of ciphers - extensive CN+SAN <--> hostname check - separate check for curves - RFC 7919, key shares extension + - keyUsage extension in certificate + - experimental "eTLS" detection - parallel mass testing! - RFC <--> OpenSSL cipher name space switches for the command line - - numerous fixes - better error msg suppression (not fully installed openssl - GREASE support - - Bleichenbacher vulnerability test - - TLS 1.3 support + - Bleichenbacher / ROBOT vulnerability test + - several protocol preferences improvements + - pwnedkeys.com support + - CT support + - Lots of fixes and improvements -##### Credits also to +##### Further credits (in alphabetical order) + +* a666 + - Bugfix * Christoph Badura - NetBSD fixes @@ -32,7 +48,13 @@ * Steven Danneman - Postgres and MySQL STARTTLS support - * MongoDB support + - MongoDB support + +* Christian Dresen + - Dockerfile + +* csett86 + - some MacOSX and Java client handshake data * Mark Felder - lots of cleanups @@ -47,6 +69,21 @@ * Maciej Grela - colorless handling +* Jac2NL + - initial support for skipping offensive vulnerability tests + +* Scott Johnson + - Bugfix F5 + +* Hubert Kario + - helped with avoiding accidental TCP fragmentation + +* Jacco de Leeuw + - skip checks which might trigger an IDS ($OFFENSIVE / --ids-friendly) + +* Manuel + - HTTP basic auth + * Markus Manzke - Fix for HSTS + subdomains - LibreSSL patch @@ -90,19 +127,31 @@ * Jeroen Wiert Pluimers - Darwin binaries support +* Joao Poupino + - Minimize false positive detection for Renegotiation checks against Node.js etc. + * Rechi - initial MX stuff - fixes +* Gonçalo Ribeiro + - --connect-timeout + * Dmitri S - inspiration & help for Darwin port +* Marcin Szychowski + - Quick'n'dirty client certificate support + * Viktor Szépe - color function maker * Julien Vehent - supplied 1st Darwin binary +* Thomas Ward + - add initial IDN support + * @typingArtist - improved BEAST detection @@ -112,14 +161,14 @@ * @nvsofts (NV) - LibreSSL patch for GOST -Others I forgot to mention which did give me feedback, bug reports and helped one way or another. +Probably more I forgot to mention which did give me feedback, bug reports and helped one way or another. ##### Last but not least: * OpenSSL team for providing openssl. -* Ivan Ristic/Qualys for the liberal license which made it possible to use the client data +* Ivan Ristic/Qualys for the liberal license which made it possible to make partly use of the client data * My family for supporting me doing this work