Marcus Meissner
dd0777158f
- Update to version 3.0.7 * Fix "ID resumption test failed" bug under Darwin * Fix "locale error message when en_US.UTF-8 isn't available" bug * Fix "Darwin / LibreSSL startup problem" which leads to a question upfront * Make upfront handshake tests more compatible by adding </dev/null * Take 'HTTP Age' HTTP header into account when determine HTTP time * Fix JSON header (structured JSON output) name * Robustness: Update reset_hostdepended_vars() for mass tests * Simplify determination of git stuff * Fix "newline to spaces" in JSON and CSV findings * Fix "Bad file descriptor with --connect-timeout option" * SSLv2 fixes, OpenSSL fixes 3.X * Improve cipher_pref_check() for detecting prioritization of ChaCha ciphers * Simplify + speed up pre-check * Addressing lame DNS responses on WSL * Fix big serial # issue in certs * Fix invalid JSON when certificate issuer containing non-ASCII chars OBS-URL: https://build.opensuse.org/request/show/994910 OBS-URL: https://build.opensuse.org/package/show/network:utilities/testssl.sh?expand=0&rev=15
275 lines
11 KiB
Plaintext
275 lines
11 KiB
Plaintext
-------------------------------------------------------------------
|
|
Sat Aug 13 21:43:23 UTC 2022 - Jeff Kowalczyk <jkowalczyk@suse.com>
|
|
|
|
- Update to version 3.0.7
|
|
* Fix "ID resumption test failed" bug under Darwin
|
|
* Fix "locale error message when en_US.UTF-8 isn't available" bug
|
|
* Fix "Darwin / LibreSSL startup problem" which leads to a question upfront
|
|
* Make upfront handshake tests more compatible by adding </dev/null
|
|
* Take 'HTTP Age' HTTP header into account when determine HTTP time
|
|
* Fix JSON header (structured JSON output) name
|
|
* Robustness: Update reset_hostdepended_vars() for mass tests
|
|
* Simplify determination of git stuff
|
|
* Fix "newline to spaces" in JSON and CSV findings
|
|
* Fix "Bad file descriptor with --connect-timeout option"
|
|
* SSLv2 fixes, OpenSSL fixes 3.X
|
|
* Improve cipher_pref_check() for detecting prioritization of ChaCha ciphers
|
|
* Simplify + speed up pre-check
|
|
* Addressing lame DNS responses on WSL
|
|
* Fix big serial # issue in certs
|
|
* Fix invalid JSON when certificate issuer containing non-ASCII chars
|
|
|
|
-------------------------------------------------------------------
|
|
Sun Oct 3 14:02:29 UTC 2021 - Martin Hauke <mardnh@gmx.de>
|
|
|
|
- Update to version 3.0.6
|
|
* Bugfix: Remove DST x3 Root CA which lead to trust issues for
|
|
servers using a Letsencrypt certificate (Miguel Jacq)
|
|
* Bugfix: Newer openssl.cnf break detection of openssl binary
|
|
* Documenation update to reflect renaming standard ciphers to
|
|
cipher categories
|
|
* Ignore usage of ~/.digrc where possible
|
|
* Fixing host information in JSON output when using STARTTLS
|
|
XMPP
|
|
* TLS 1.3 improvements wrt server certificates
|
|
* Bugfix: Order of -U --ids-friendly doesn't matter anymore
|
|
* Disable ANSI codes when TERM=screen
|
|
* Improved SSL/TLS port detection in nmap greppable files
|
|
using as input to testssl.sh
|
|
* Bugfix when nmap files had .txt extension
|
|
* Display certficate time in UTC
|
|
* Use _uname -n`` instead of hostname --> POSIX
|
|
* Few output fixes
|
|
|
|
-------------------------------------------------------------------
|
|
Mon May 10 20:33:48 UTC 2021 - Martin Hauke <mardnh@gmx.de>
|
|
|
|
- Update to version 3.0.5
|
|
* Fix off by one error in HSTS (now: 180 instead of 179 days)
|
|
* Fix minor output inconsistency in JSON output (Chad)
|
|
* Improve compatibility for OpenSSL 3.0 (David Cooper)
|
|
* Fix localization issue for ciphers where e.g. in Swedish W is
|
|
being treated as a variant of V so that the W in
|
|
TLS_ECDHE_RSA_WITH* didn't match the bash pattern
|
|
* Fixes in file openssl-iana.mapping.html (Elfranne)
|
|
* Fix quoting for CVE+JSON output in run_heartbleed()
|
|
* Fix trailing dot issue in hostnames
|
|
* Fix improper proper halving of the dates for Let's Encrypt
|
|
certificates
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Nov 26 14:45:01 UTC 2020 - Matthias Fehring <buschmann23@opensuse.org>
|
|
|
|
- Update to version 3.0.4
|
|
* This version is a quick fix for a regression of detecting SSLv2
|
|
ciphers in a basic function.
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Nov 19 09:50:48 UTC 2020 - Matthias Fehring <buschmann23@opensuse.org>
|
|
|
|
- Update to version 3.0.3
|
|
* Update certificate stores
|
|
* manpage fix (Karl)
|
|
* minor speedups for some vulnerability tests
|
|
* bash 5.1 fix
|
|
* Secure Client-Initiated Renegotiation false positive fix
|
|
* BREACH is now medium
|
|
* invalid JSON fix and other JSON improvements (David)
|
|
* Adding native Android 7 handshake instead of Chrome which has
|
|
TLS 1.3 (Christoph)
|
|
* Header flag X-XSS-Protection is now labled as INFO
|
|
* No cyan colors in HHHTP header flags anymore, colons added
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Jul 24 08:04:11 UTC 2020 - Matthias Fehring <buschmann23@opensuse.org>
|
|
|
|
- Update to version 3.0.2
|
|
* Remove potential licensing conflicts
|
|
* Fix situations when TLS 1.3 is used for Ticketbleed check
|
|
* Improved compatibility with LibreSSL 3.0
|
|
* Add brotil compression to BREACH
|
|
* Faster and more robust XMPP STARTTLS handshakes
|
|
* More robust STARTTLS handshakes
|
|
* Fix outputs, sometimes misleading
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Apr 15 09:23:34 UTC 2020 - Martin Hauke <mardnh@gmx.de>
|
|
|
|
- Update to version 3.0.1
|
|
* Fix hang in BEAST check when there are ciphers starting with
|
|
SSL_* but which are no SSLv2 cipher
|
|
* Fix bug in setting DISPLAY_CIPHERNAMES when
|
|
$CIPHERS_BY_STRENGTH_FILE is not a/v.
|
|
* Fix basic auth LF problem
|
|
* Fix printing percent chars
|
|
* Fix minor HTML generation bug
|
|
* Fix security bug: sanitizing DNS input
|
|
* make --ids-friendly work again
|
|
* Update sneaky user agent
|
|
* Update links in code comments
|
|
* Cosmetic code updates
|
|
* Fix output bug when >1 PTR records returned
|
|
* More output fixes
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Apr 3 20:05:45 UTC 2020 - Christian Boltz <suse-beta@cboltz.de>
|
|
|
|
- fix bash path for Leap 15.x
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jan 23 20:42:34 UTC 2020 - Martin Hauke <mardnh@gmx.de>
|
|
|
|
- Update to version 3.0
|
|
* Full support of TLS 1.3, shows also drafts supported
|
|
* Extended protocol downgrade checks
|
|
* ROBOT check
|
|
* Better TLS extension support
|
|
* Better OpenSSL 1.1.1 and higher versions support as well as
|
|
LibreSSL >3
|
|
* DNS over Proxy and other proxy improvements
|
|
* Decoding of unencrypted BIG IP cookies
|
|
* Initial client certificate support
|
|
* Warning of 825 day limit for certificates issued after
|
|
2018/3/1
|
|
* Socket timeouts (--connect-timeout)
|
|
* IDN/IDN2 servername/URI + emoji support, supposed
|
|
libidn/idn2 is installed and DNS resolver is recent)support
|
|
* Initial support for certificate compression
|
|
* Better JSON output: renamed IDs and findings shorter/better
|
|
parsable, also includes certficate
|
|
* JSON output now valid also for non-responding servers
|
|
* Testing now per default 370 ciphers
|
|
* Further improving the robustness of TLS sockets (sending
|
|
and parsing)
|
|
* Support of supplying timeout value for openssl connect
|
|
-- useful for batch/mass scanning
|
|
* File input for serial or parallel mass testing can be also in
|
|
nmap grep(p)able (-oG) format
|
|
* LOGJAM: now checking also for DH and FFDHE groups (TLS 1.2)
|
|
* PFS: Display of elliptical curves supported, DH and FFDHE
|
|
groups (TLS 1.2 + TLS 1.3)
|
|
* Check for session resumption (Ticket, ID)
|
|
* TLS Robustness check GREASE and more
|
|
* Server preference distinguishes between TLS 1.3 and lower
|
|
protocols
|
|
* Mark TLS 1.0 and TLS 1.1 as deprecated
|
|
* Does a few startup checks which make later tests easier and
|
|
faster (determine_optimal_\*())
|
|
* Expect-CT header detection
|
|
* --phone-out does certificate revocation checks via OCSP
|
|
(LDAP+HTTP) and with CRL
|
|
* --phone-out checks whether the private key has been
|
|
compromised via https://pwnedkeys.com/
|
|
* Missing SAN warning
|
|
* Added support for private CAs
|
|
* Way better handling of connectivity problems (counting those,
|
|
if threshold exceeded -> bye)
|
|
* Fixed TCP fragmentation
|
|
* Added --ids-friendly switch
|
|
* Exit codes better: 0 for running without error, 1+n for small
|
|
errors, >240 for major errors.
|
|
* Better error msg suppression (not fully installed OpenSSL)
|
|
* Better parsing of HTTP headers & better output of longer HTTP
|
|
headers
|
|
* Display more HTTP security headers
|
|
* HTTP Basic Auth support for HTTP header
|
|
* experimental "eTLS" detection
|
|
* Dockerfile and repo @ docker hub with that file (see above)
|
|
* Java Root CA store added
|
|
* Better support for XMPP via STARTTLS & faster
|
|
* Certificate check for to-name in stream of XMPP
|
|
* Support for NNTP and LMTP via STARTTLS, fixes for MySQL and
|
|
PostgresQL
|
|
* Support for SNI and STARTTLS
|
|
* More robustness for any STARTTLS protocol (fall back to
|
|
plaintext while in TLS caused problems)
|
|
* Renegotiation checks improved, also no false potive for Node.js
|
|
anymore
|
|
* Major update of client simulations with self-collected
|
|
up-to-date data
|
|
* Update of CA certificate stores
|
|
* Lots of bug fixes
|
|
* More travis/CI checks -- still place for improvements
|
|
* Bigger man page review
|
|
- specfile cleanup
|
|
- Add testssl.sh.rpmlintrc
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Dec 11 21:11:28 UTC 2019 - Matthias Fehring <buschmann23@opensuse.org>
|
|
|
|
- Update to testssl.sh 2.9.96 (aka 3.0rc6)
|
|
* Socket timeouts (--connect-timeout)
|
|
* IDN/IDN2 servername support
|
|
* pwnedkeys.com support
|
|
* Initial support for certificate compression
|
|
* Initial client certificate support
|
|
* Better indentation for HTTP header outputs
|
|
* Better parsing of HTTP headers
|
|
* Penalize absence of TLS 1.2 anymore if server supports TLS 1.3 only
|
|
* Several improvements related to protocol determination and downgrade responses
|
|
* Some logic related using TLS 1.3 aware OpenSSL binaries more or less automagically
|
|
* Internal improvements to server preference checks
|
|
* Lots of internal and some speed improvements in "pre-flight checks" (comes before outputting any test)
|
|
* Mark TLS 1.0 and TLS 1.1 as deprecated
|
|
* Support newer OpenSSL/LibreSSL versions
|
|
* Improved detection of wrong user input when file was supplied for --csv,--json and --html
|
|
* Update client handshakes with newer client data and deprecate other clients
|
|
* Regression in CAA RR fixed
|
|
* Session resumption fixes
|
|
* Session ticket fixes
|
|
* Fixes for STARTTLS MySQL and PostgreSQL
|
|
* Unit tests for (almost) every STARTTLS protocol supported
|
|
* A lot of minor fixes
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Apr 27 09:55:54 UTC 2019 - Matthias Fehring <buschmann23@opensuse.org>
|
|
|
|
- Update to testssl.sh 2.9.95 (aka 3.0rc5)
|
|
* Modernized client handshakes
|
|
* Further code sanitizing
|
|
* Fixes in CSV files and JSON files creation and some ACE
|
|
loadbalancer related improvements
|
|
* Fix session tickets and resumption
|
|
* OpenSSL 1.1.1 fixes
|
|
* Darwin OpenSSL binary
|
|
* Updated certificate store
|
|
* Add SSLv2 to SWEET
|
|
- update testssl.sh-2.9.92-set-install-dir.patch to
|
|
testssl.sh-2.9.95-set-install-dir.patch
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Feb 19 10:43:36 UTC 2019 - Matthias Fehring <buschmann23@opensuse.org>
|
|
|
|
- Update to testssl.sh 2.9.94 (aka 3.0rc4)
|
|
* Documentation fixes and additions
|
|
* Add new openssl helper binaries
|
|
* Bug fix: Scan continues if one of multiple IP addresses per
|
|
hostname has a problem
|
|
* "eTLS" detection ("visibility information")
|
|
* Minimize initial warning "doesn't seem to be a TLS/SSL enabled
|
|
server" by using sockets
|
|
* Several improvement for SSLv2 only servers
|
|
* Handle different cipher preference < TLS 1.3 vs. TLS 1.3
|
|
* Clarify & improve Standard Cipher check (potentially breaking
|
|
change)
|
|
* Improve SWEET32 test
|
|
* Finding certificates is faster and independent on openssl
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Dec 1 15:58:11 UTC 2018 - Matthias Fehring <buschmann23@opensuse.org>
|
|
|
|
- Update to testssl.sh 2.9.93 (aka 3.0rc3)
|
|
* add SSLv2 ciphers *total ciphers now being tested for: 370)
|
|
* updated client simulation data
|
|
* TLS 1.3 improvements
|
|
* STARTTLS NNTP support
|
|
* STARTTLS XMPP faster and more reliable
|
|
* include DH groups (primes) in pfs section
|
|
* Fix TCP fragmentation under remaining OS: FreeBSD / Mac OS X
|
|
* further bugfixes and clarifications
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Nov 28 09:52:06 UTC 2018 - Matthias Fehring <buschmann23@opensuse.org>
|
|
|
|
- initial package version 2.9.92 (aka 3.0rc2)
|