From 2ea57f0701b2c28a182c3a4d981149f864318343 Mon Sep 17 00:00:00 2001 From: Dirk Date: Fri, 17 Jan 2020 10:59:47 +0100 Subject: [PATCH 1/3] Update attributions and Changes for release If anything is missing or wrong please let us know or do a PR. (This is until from earlier time to ~2018. >2019 need to follow) --- CHANGELOG.md | 22 ++++++++++++---------- CREDITS.md | 53 ++++++++++++++++++++++++++++++++++++++++++---------- 2 files changed, 55 insertions(+), 20 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e1243a7..b5ca05b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,12 +12,11 @@ * DNS over Proxy and other proxy improvements * Decoding of unencrypted BIG IP cookies * Initial client certificate support +* Warning of 825 day limit for certificates issued after 2018/3/1 * Socket timeouts (``--connect-timeout``) -* IDN/IDN2 servername support -* pwnedkeys.com support -* Initial client certificate support +* IDN/IDN2 servername/URI + emoji support, supposed libidn/idn2 is installed and DNS resolver is recent) support * Initial support for certificate compression -* Better JSON output: renamed IDs and findings shorter/better parsable +* Better JSON output: renamed IDs and findings shorter/better parsable, also includes certficate * JSON output now valid also for non-responding servers * Testing now per default 370 ciphers * Further improving the robustness of TLS sockets (sending and parsing) 
@@ -26,31 +25,34 @@ * LOGJAM: now checking also for DH and FFDHE groups (TLS 1.2) * PFS: Display of elliptical curves supported, DH and FFDHE groups (TLS 1.2 + TLS 1.3) * Check for session resumption (Ticket, ID) -* TLS Robustness check (GREASE) +* TLS Robustness check GREASE and more * Server preference distinguishes between TLS 1.3 and lower protocols * Mark TLS 1.0 and TLS 1.1 as deprecated * Does a few startup checks which make later tests easier and faster (``determine_optimal_\*()``) * Expect-CT Header Detection * `--phone-out` does certificate revocation checks via OCSP (LDAP+HTTP) and with CRL * `--phone-out` checks whether the private key has been compromised via https://pwnedkeys.com/ -* Fully OpenBSD and LibreSSL support * Missing SAN warning * Added support for private CAs -* Way better handling of connectivity problems +* Way better handling of connectivity problems (counting those, if threshold exceeded -> bye) * Fixed TCP fragmentation * Added `--ids-friendly` switch * Exit codes better: 0 for running without error, 1+n for small errors, >240 for major errors. 
* Better error msg suppression (not fully installed OpenSSL) * Better parsing of HTTP headers & better output of longer HTTP headers +* HTTP Basic Auth support for HTTP header +* "eTLS" detection * Dockerfile and repo @ docker hub with that file (see above) * Java Root CA store added * Better support for XMPP via STARTTLS & faster * Certificate check for to-name in stream of XMPP -* Support for NNTP via STARTTLS, fixes for MySQL and PostgresQL +* Support for NNTP and LMTP via STARTTLS, fixes for MySQL and PostgresQL * Support for SNI and STARTTLS * More robustness for any STARTTLS protocol (fall back to plaintext while in TLS) -* Major update of client simulations with self-collected data -* IDN/IDN2 and emoji URI support (supposed libidn/idn2 is installed and DNS resolver is recent) +* Major update of client simulations with self-collected up-to-date data +* Update of CA certificate stores +* Lots of bug fixes +* More travis/CI checks -- still place for improvements * Man page reviewed ### Features implemented in 2.9.5 diff --git a/CREDITS.md b/CREDITS.md index 2be09fc..cf459db 100644 --- a/CREDITS.md +++ b/CREDITS.md 
@@ -1,24 +1,39 @@ +Full contribution, see git log. + + +* Dirk Wetter (founder, maintainer and main contributor) + - Everything what's not mentioned below and is included in testssl.sh's git log + minus what I probably forgot to mention + (too much other things to do at the moment and to list it would be a tough job) + * David Cooper (main contributor) + - Major extensions to socket support for all protocols + - extended parsing of TLS ServerHello messages + - TLS 1.3 support (final and pre-final) + - add several TLS extensions - Detection + output of multiple certificates - several cleanups of server certificate related stuff - - extended parsing of TLS ServerHello messages - testssl.sh -e/-E: testing with a mixture of openssl + sockets - - more ciphers - - finding more TLS extensions via sockets + - add more ciphers + - coloring of ciphers - extensive CN+SAN <--> hostname check - separate check for curves - RFC 7919, key shares extension + - keyUsage extension in certificate + - experimental "eTLS" detection - parallel mass testing! - RFC <--> OpenSSL cipher name space switches for the command line - - numerous fixes - better error msg suppression (not fully installed openssl - GREASE support - - Bleichenbacher vulnerability test - - TLS 1.3 support + - Bleichenbacher / ROBOT vulnerability test + - several protocol preferences improvements + - pwnedkeys.com support + - CT support + - Lots of fixes and improvements -##### Credits also to +##### Further credits (in alphabetical order) * Christoph Badura - NetBSD fixes @@ -32,7 +47,10 @@ * Steven Danneman - Postgres and MySQL STARTTLS support - * MongoDB support + - MongoDB support + +* Christian Dresen + - Dockerfile * Mark Felder - lots of cleanups 
@@ -47,6 +65,15 @@ * Maciej Grela - colorless handling +* Hubert Kario + - helped with avoiding accidental TCP fragmentation + +* Jacco de Leeuw + - skip checks which might trigger an IDS ($OFFENSIVE / --ids-friendly) + +* Manuel + - HTTP basic auth + * Markus Manzke - Fix for HSTS + subdomains - LibreSSL patch @@ -94,9 +121,15 @@ - initial MX stuff - fixes +* Gonçalo Ribeiro + - --connect-timeout + * Dmitri S - inspiration & help for Darwin port +* Marcin Szychowski + - Quick'n'dirty client certificate support + * Viktor Szépe - color function maker @@ -112,14 +145,14 @@ * @nvsofts (NV) - LibreSSL patch for GOST -Others I forgot to mention which did give me feedback, bug reports and helped one way or another. +Probably more I forgot to mention which did give me feedback, bug reports and helped one way or another. ##### Last but not least: * OpenSSL team for providing openssl. -* Ivan Ristic/Qualys for the liberal license which made it possible to use the client data +* Ivan Ristic/Qualys for the liberal license which made it possible to make partly use of the client data * My family for supporting me doing this work From 3e8d1983b35662a45c6c5d887a6afd7a282bffe6 Mon Sep 17 00:00:00 2001 From: Dirk Date: Mon, 20 Jan 2020 12:49:49 +0100 Subject: [PATCH 2/3] reorder / rephrase some points --- CHANGELOG.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b5ca05b..289f81a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,7 +1,7 @@ ## Change Log -### Features implemented in 3.0 +### Features implemented / improvements in 3.0 * Full support of TLS 1.3, shows also drafts supported * Extended protocol downgrade checks 
@@ -40,22 +40,24 @@ * Exit codes better: 0 for running without error, 1+n for small errors, >240 for major errors. * Better error msg suppression (not fully installed OpenSSL) * Better parsing of HTTP headers & better output of longer HTTP headers +* Display more HTTP security headers * HTTP Basic Auth support for HTTP header -* "eTLS" detection +* experimental "eTLS" detection * Dockerfile and repo @ docker hub with that file (see above) * Java Root CA store added * Better support for XMPP via STARTTLS & faster * Certificate check for to-name in stream of XMPP * Support for NNTP and LMTP via STARTTLS, fixes for MySQL and PostgresQL * Support for SNI and STARTTLS -* More robustness for any STARTTLS protocol (fall back to plaintext while in TLS) +* More robustness for any STARTTLS protocol (fall back to plaintext while in TLS caused problems) +* Renegotiation checks improved, also no false potive for Node.js anymore * Major update of client simulations with self-collected up-to-date data * Update of CA certificate stores * Lots of bug fixes * More travis/CI checks -- still place for improvements * Man page reviewed -### Features implemented in 2.9.5 +### Features implemented / improvements in 2.9.5 * Way better coverage of ciphers as most checks are done via bash sockets where ever possible * Further tests via TLS sockets and improvements (handshake parsing, completeness, robustness) From 431f4fbe5f3accae9c52d8f29aafcda52a0ecbff Mon Sep 17 00:00:00 2001 From: Dirk Date: Mon, 20 Jan 2020 12:50:31 +0100 Subject: [PATCH 3/3] last walk through the changelog --- CREDITS.md | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/CREDITS.md b/CREDITS.md index cf459db..38ccced 100644 --- a/CREDITS.md +++ b/CREDITS.md 
@@ -1,14 +1,12 @@ Full contribution, see git log. - -* Dirk Wetter (founder, maintainer and main contributor) +* Dirk Wetter (creator, maintainer and main contributor) - Everything what's not mentioned below and is included in testssl.sh's git log minus what I probably forgot to mention (too much other things to do at the moment and to list it would be a tough job) * David Cooper (main contributor) - - Major extensions to socket support for all protocols - extended parsing of TLS ServerHello messages - TLS 1.3 support (final and pre-final) @@ -35,6 +33,9 @@ Full contribution, see git log. ##### Further credits (in alphabetical order) +* a666 + - Bugfix + * Christoph Badura - NetBSD fixes @@ -52,6 +53,9 @@ Full contribution, see git log. * Christian Dresen - Dockerfile +* csett86 + - some MacOSX and Java client handshake data + * Mark Felder - lots of cleanups - Shellcheck static analysis @@ -65,6 +69,12 @@ Full contribution, see git log. * Maciej Grela - colorless handling +* Jac2NL + - initial support for skipping offensive vulnerability tests + +* Scott Johnson + - Bugfix F5 + * Hubert Kario - helped with avoiding accidental TCP fragmentation @@ -117,6 +127,9 @@ Full contribution, see git log. * Jeroen Wiert Pluimers - Darwin binaries support +* Joao Poupino + - Minimize false positive detection for Renegotiation checks against Node.js etc. + * Rechi - initial MX stuff - fixes @@ -136,6 +149,9 @@ Full contribution, see git log. * Julien Vehent - supplied 1st Darwin binary +* Thomas Ward + - add initial IDN support + * @typingArtist - improved BEAST detection
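Review bot: In PATCH 1/3, CHANGELOG.md hunk `@@ -12,12 +12,11 @@`, the new IDN bullet has an unbalanced closing parenthesis and a doubled "support" ("... DNS resolver is recent) support"); since the old "(supposed libidn/idn2 is installed and DNS resolver is recent)" line is being folded into it, suggest `* IDN/IDN2 servername/URI + emoji support (provided libidn/idn2 is installed and the DNS resolver is recent)`. Same hunk, "also includes certficate" should read "certificate".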
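Review bot: In PATCH 1/3, CHANGELOG.md hunk `@@ -26,31 +25,34 @@`, "* Fully OpenBSD and LibreSSL support" is removed without a replacement line, while CREDITS.md still lists LibreSSL patches; if that support still holds in 3.0 the bullet should stay (perhaps reworded to "Full OpenBSD and LibreSSL support"). While touching the NNTP/LMTP line, "PostgresQL" should be "PostgreSQL", and "(counting those, if threshold exceeded -> bye)" would read more clearly as "(connectivity problems are counted; above a threshold the scan is aborted)".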
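Review bot: In PATCH 1/3, CREDITS.md hunk `@@ -1,24 +1,39 @@`, the new opening line "Full contribution, see git log." is not a sentence; suggest "For the full list of contributions, see the git log." In the same hunk "Everything what's not mentioned below" should be "Everything that's not mentioned below", and the unchanged context line "- better error msg suppression (not fully installed openssl" is missing its closing parenthesis, which this pass over the file is a good moment to fix.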
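Review bot: In PATCH 1/3, CREDITS.md hunk `@@ -47,6 +65,15 @@`, the entry "* Manuel" is the only one in the list without a surname or an @handle, so it cannot be matched to a git author; suggest adding the handle used in the git log or the PR that added HTTP basic auth.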
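Review bot: In PATCH 1/3, CREDITS.md hunk `@@ -112,14 +145,14 @@`, both rewritten lines have grammar slips: "Probably more I forgot to mention which did give me feedback" should be "Probably more I forgot to mention who gave me feedback", and "made it possible to make partly use of the client data" should be "made it possible to make partial use of the client data".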
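Review bot: In PATCH 2/3, CHANGELOG.md hunk `@@ -40,22 +40,24 @@`, "no false potive for Node.js anymore" should be "no false positive for Node.js anymore". The reworded STARTTLS bullet "(fall back to plaintext while in TLS caused problems)" now reads as if the fallback is the feature; suggest "(no longer falls back to plaintext once TLS is established, which caused problems)". Also `* experimental "eTLS" detection` is the only bullet in the list starting lowercase.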
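Review bot: In PATCH 3/3, CREDITS.md hunk `@@ -1,14 +1,12 @@`, the line "- Major extensions to socket support for all protocols" is dropped from David Cooper's entry; if that was intentional it deserves a word in the commit message, since the CHANGELOG still lists the socket work as a headline feature. The subject "last walk through the changelog" also does not match the diffstat, which touches only CREDITS.md.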
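Review bot: In PATCH 3/3, CREDITS.md hunks `@@ -35,6 +33,9 @@` and `@@ -65,6 +69,12 @@`, the descriptions "Bugfix" (a666) and "Bugfix F5" (Scott Johnson) are too terse to be useful later; every other entry names the feature or area, so suggest a short phrase such as what was fixed, or the PR number, in the same style.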
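Review bot: In PATCH 3/3, CREDITS.md hunk `@@ -65,6 +69,12 @@`, the new entry "* Jac2NL - initial support for skipping offensive vulnerability tests" describes the same feature as the entry "* Jacco de Leeuw - skip checks which might trigger an IDS ($OFFENSIVE / --ids-friendly)" added in PATCH 1/3; please confirm whether this is one contributor listed under two names and, if so, merge the two entries.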
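Review bot: In PATCH 3/3, CREDITS.md hunk `@@ -52,6 +53,9 @@`, "* csett86" is inserted between Christian Dresen and Mark Felder, but the section header promises alphabetical order; a handle starting with "c" belongs before Steven Danneman (or, if handles sort separately, grouped with the other @handles at the end as @nvsofts and @typingArtist are).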