testssl.sh/testssl.sh.changes

-------------------------------------------------------------------
Wed Jul 24 06:52:48 UTC 2024 - Martin Hauke <mardnh@gmx.de>

- Update to version 3.0.9
  * Fix bash 5 issue when encountering a short server key extension
  * Fix HTML issue when using bash 5
  * CAA DNS records are now not being queried when nodns is set
  * MongoDB identification fix
  * Sanity check when user has broken umask to avoid runtime errors
  * Fix for newer grep versions
  * Address weird globbing in bash 3.0
  * Fix regexp in STARTTLS detection
  * Secure renegotiation fix: SNI
  * Ensure control chars from HTTP header don't end up in html,csv
    or json
  * Add sha1WithRSA to sha1WithRSAEncryption for certificates
  * Fix potential infinite loop in run_pfs()

-------------------------------------------------------------------
Mon Feb 26 12:52:24 UTC 2024 - pgajdos@suse.com

- Use %autosetup macro. Allows to eliminate the usage of deprecated
  %patchN

-------------------------------------------------------------------
Wed Sep 28 20:54:50 UTC 2022 - Jeff Kowalczyk <jkowalczyk@suse.com>

- Update to version 3.0.8
  * Fix grep 3.8 warnings on fgrep and unneeded escapes of hyphen, slash, space (Geert)
  * Fix alignment for cipher output (David)
  * News binaries (Darwin from Barry), carry now the appendix -bad and fixes a security problem.
  * Backport from higher OpenSSL version to support xmpp-server
  * Fix CT (David)
  * Fix decryption of TLS 1.3 response (David)
  * Upgrade Dockerfile to Alpine to 3.15
  * Fix pretty JSON formatting when warning is issued (David)
  * Update of certificate stores
  * Major update of client simulation (9 new simulations , >4 removed in default run)
  * Fix CRIME output on servers only supporting TLS 1.3 (Tomasz)
  * Fix censys link
  * Fix ome handshake problems w $OPENSSL ciphers, extend determine_optimal_sockets_params() to more
  * ciphers, fix PROTOS_OFFERED (David)
  * Relax STARTTLS FTP requirement so that it doesn't require TLS after AUTH
  * Fix run_server_preference() with no default protocol (David)
  * Fix getting CRL / NO_SESSION_ID under some circumstances (David)
  * Improve/fix OpenSSL 3.0 compatibility (David)
  * Fix formatting to documentation
  * Add FFDHE groups to supported_groups (David)
  * Include RSA-PSS in ClientHello (David)
- Requires: bind-utils for required tools dig, host and nslookup

-------------------------------------------------------------------
Sat Aug 13 21:43:23 UTC 2022 - Jeff Kowalczyk <jkowalczyk@suse.com>

- Update to version 3.0.7
  * Fix "ID resumption test failed" bug under Darwin
  * Fix "locale error message when en_US.UTF-8 isn't available" bug
  * Fix "Darwin / LibreSSL startup problem" which leads to a question upfront
  * Make upfront handshake tests more compatible by adding </dev/null
  * Take 'HTTP Age' HTTP header into account when determine HTTP time
  * Fix JSON header (structured JSON output) name
  * Robustness: Update reset_hostdepended_vars() for mass tests
  * Simplify determination of git stuff
  * Fix "newline to spaces" in JSON and CSV findings
  * Fix "Bad file descriptor with --connect-timeout option"
  * SSLv2 fixes, OpenSSL fixes 3.X
  * Improve cipher_pref_check() for detecting prioritization of ChaCha ciphers
  * Simplify + speed up pre-check
  * Addressing lame DNS responses on WSL
  * Fix big serial # issue in certs
  * Fix invalid JSON when certificate issuer containing non-ASCII chars

-------------------------------------------------------------------
Sun Oct  3 14:02:29 UTC 2021 - Martin Hauke <mardnh@gmx.de>

- Update to version 3.0.6
  * Bugfix: Remove DST x3 Root CA which lead to trust issues for
    servers using a Letsencrypt certificate (Miguel Jacq)
  * Bugfix: Newer openssl.cnf break detection of openssl binary
  * Documenation update to reflect renaming standard ciphers to
    cipher categories
  * Ignore usage of ~/.digrc where possible
  * Fixing host information in JSON output when using STARTTLS
    XMPP
  * TLS 1.3 improvements wrt server certificates
  * Bugfix: Order of -U --ids-friendly doesn't matter anymore
  * Disable ANSI codes when TERM=screen
  * Improved SSL/TLS port detection in nmap greppable files
    using as input to testssl.sh
  * Bugfix when nmap files had .txt extension
  * Display certficate time in UTC
  * Use _uname -n`` instead of hostname --> POSIX
  * Few output fixes

-------------------------------------------------------------------
Mon May 10 20:33:48 UTC 2021 - Martin Hauke <mardnh@gmx.de>

- Update to version 3.0.5
  * Fix off by one error in HSTS (now: 180 instead of 179 days)
  * Fix minor output inconsistency in JSON output (Chad)
  * Improve compatibility for OpenSSL 3.0 (David Cooper)
  * Fix localization issue for ciphers where e.g. in Swedish W is
    being treated as a variant of V so that the W in
    TLS_ECDHE_RSA_WITH* didn't match the bash pattern
  * Fixes in file openssl-iana.mapping.html (Elfranne)
  * Fix quoting for CVE+JSON output in run_heartbleed()
  * Fix trailing dot issue in hostnames
  * Fix improper proper halving of the dates for Let's Encrypt
    certificates

-------------------------------------------------------------------
Thu Nov 26 14:45:01 UTC 2020 - Matthias Fehring <buschmann23@opensuse.org>

- Update to version 3.0.4
  * This version is a quick fix for a regression of detecting SSLv2
    ciphers in a basic function.

-------------------------------------------------------------------
Thu Nov 19 09:50:48 UTC 2020 - Matthias Fehring <buschmann23@opensuse.org>

- Update to version 3.0.3
  * Update certificate stores
  * manpage fix (Karl)
  * minor speedups for some vulnerability tests
  * bash 5.1 fix
  * Secure Client-Initiated Renegotiation false positive fix
  * BREACH is now medium
  * invalid JSON fix and other JSON improvements (David)
  * Adding native Android 7 handshake instead of Chrome which has
    TLS 1.3 (Christoph)
  * Header flag X-XSS-Protection is now labled as INFO
  * No cyan colors in HHHTP header flags anymore, colons added

-------------------------------------------------------------------
Fri Jul 24 08:04:11 UTC 2020 - Matthias Fehring <buschmann23@opensuse.org>

- Update to version 3.0.2
  * Remove potential licensing conflicts
  * Fix situations when TLS 1.3 is used for Ticketbleed check
  * Improved compatibility with LibreSSL 3.0
  * Add brotil compression to BREACH
  * Faster and more robust XMPP STARTTLS handshakes
  * More robust STARTTLS handshakes
  * Fix outputs, sometimes misleading

-------------------------------------------------------------------
Wed Apr 15 09:23:34 UTC 2020 - Martin Hauke <mardnh@gmx.de>

- Update to version 3.0.1
  * Fix hang in BEAST check when there are ciphers starting with
    SSL_* but which are no SSLv2 cipher
  * Fix bug in setting DISPLAY_CIPHERNAMES when
    $CIPHERS_BY_STRENGTH_FILE is not a/v.
  * Fix basic auth LF problem
  * Fix printing percent chars
  * Fix minor HTML generation bug
  * Fix security bug: sanitizing DNS input
  * make --ids-friendly work again
  * Update sneaky user agent
  * Update links in code comments
  * Cosmetic code updates
  * Fix output bug when >1 PTR records returned
  * More output fixes

-------------------------------------------------------------------
Fri Apr  3 20:05:45 UTC 2020 - Christian Boltz <suse-beta@cboltz.de>

- fix bash path for Leap 15.x

-------------------------------------------------------------------
Thu Jan 23 20:42:34 UTC 2020 - Martin Hauke <mardnh@gmx.de>

- Update to version 3.0
  * Full support of TLS 1.3, shows also drafts supported
  * Extended protocol downgrade checks
  * ROBOT check
  * Better TLS extension support
  * Better OpenSSL 1.1.1 and higher versions support as well as
    LibreSSL >3
  * DNS over Proxy and other proxy improvements
  * Decoding of unencrypted BIG IP cookies
  * Initial client certificate support
  * Warning of 825 day limit for certificates issued after
    2018/3/1
  * Socket timeouts (--connect-timeout)
  * IDN/IDN2 servername/URI + emoji support, supposed
    libidn/idn2 is installed and DNS resolver is recent)support
  * Initial support for certificate compression
  * Better JSON output: renamed IDs and findings shorter/better
    parsable, also includes certficate
  * JSON output now valid also for non-responding servers
  * Testing now per default 370 ciphers
  * Further improving the robustness of TLS sockets (sending
    and parsing)
  * Support of supplying timeout value for openssl connect
    -- useful for batch/mass scanning
  * File input for serial or parallel mass testing can be also in
    nmap grep(p)able (-oG) format
  * LOGJAM: now checking also for DH and FFDHE groups (TLS 1.2)
  * PFS: Display of elliptical curves supported, DH and FFDHE
    groups (TLS 1.2 + TLS 1.3)
  * Check for session resumption (Ticket, ID)
  * TLS Robustness check GREASE and more
  * Server preference distinguishes between TLS 1.3 and lower
    protocols
  * Mark TLS 1.0 and TLS 1.1 as deprecated
  * Does a few startup checks which make later tests easier and
    faster (determine_optimal_\*())
  * Expect-CT header detection
  * --phone-out does certificate revocation checks via OCSP
    (LDAP+HTTP) and with CRL
  * --phone-out checks whether the private key has been
    compromised via https://pwnedkeys.com/
  * Missing SAN warning
  * Added support for private CAs
  * Way better handling of connectivity problems (counting those,
    if threshold exceeded -> bye)
  * Fixed TCP fragmentation
  * Added --ids-friendly switch
  * Exit codes better: 0 for running without error, 1+n for small
    errors, >240 for major errors.
  * Better error msg suppression (not fully installed OpenSSL)
  * Better parsing of HTTP headers & better output of longer HTTP
    headers
  * Display more HTTP security headers
  * HTTP Basic Auth support for HTTP header
  * experimental "eTLS" detection
  * Dockerfile and repo @ docker hub with that file (see above)
  * Java Root CA store added
  * Better support for XMPP via STARTTLS & faster
  * Certificate check for to-name in stream of XMPP
  * Support for NNTP and LMTP via STARTTLS, fixes for MySQL and
    PostgresQL
  * Support for SNI and STARTTLS
  * More robustness for any STARTTLS protocol (fall back to
    plaintext while in TLS caused problems)
  * Renegotiation checks improved, also no false potive for Node.js
    anymore
  * Major update of client simulations with self-collected
    up-to-date data
  * Update of CA certificate stores
  * Lots of bug fixes
  * More travis/CI checks -- still place for improvements
  * Bigger man page review
- specfile cleanup
- Add testssl.sh.rpmlintrc

-------------------------------------------------------------------
Wed Dec 11 21:11:28 UTC 2019 - Matthias Fehring <buschmann23@opensuse.org>

- Update to testssl.sh 2.9.96 (aka 3.0rc6)
  * Socket timeouts (--connect-timeout)
  * IDN/IDN2 servername support
  * pwnedkeys.com support
  * Initial support for certificate compression
  * Initial client certificate support
  * Better indentation for HTTP header outputs
  * Better parsing of HTTP headers
  * Penalize absence of TLS 1.2 anymore if server supports TLS 1.3 only
  * Several improvements related to protocol determination and downgrade responses
  * Some logic related using TLS 1.3 aware OpenSSL binaries more or less automagically
  * Internal improvements to server preference checks
  * Lots of internal and some speed improvements in "pre-flight checks" (comes before outputting any test)
  * Mark TLS 1.0 and TLS 1.1 as deprecated
  * Support newer OpenSSL/LibreSSL versions
  * Improved detection of wrong user input when file was supplied for --csv,--json and --html
  * Update client handshakes with newer client data and deprecate other clients
  * Regression in CAA RR fixed
  * Session resumption fixes
  * Session ticket fixes
  * Fixes for STARTTLS MySQL and PostgreSQL
  * Unit tests for (almost) every STARTTLS protocol supported
  * A lot of minor fixes

-------------------------------------------------------------------
Sat Apr 27 09:55:54 UTC 2019 - Matthias Fehring <buschmann23@opensuse.org>

- Update to testssl.sh 2.9.95 (aka 3.0rc5)
  * Modernized client handshakes
  * Further code sanitizing
  * Fixes in CSV files and JSON files creation and some ACE
    loadbalancer related improvements
  * Fix session tickets and resumption
  * OpenSSL 1.1.1 fixes
  * Darwin OpenSSL binary
  * Updated certificate store
  * Add SSLv2 to SWEET
- update testssl.sh-2.9.92-set-install-dir.patch to
  testssl.sh-2.9.95-set-install-dir.patch

-------------------------------------------------------------------
Tue Feb 19 10:43:36 UTC 2019 - Matthias Fehring <buschmann23@opensuse.org>

- Update to testssl.sh 2.9.94 (aka 3.0rc4)
  * Documentation fixes and additions
  * Add new openssl helper binaries
  * Bug fix: Scan continues if one of multiple IP addresses per
    hostname has a problem
  * "eTLS" detection ("visibility information")
  * Minimize initial warning "doesn't seem to be a TLS/SSL enabled
    server" by using sockets
  * Several improvement for SSLv2 only servers
  * Handle different cipher preference < TLS 1.3 vs. TLS 1.3
  * Clarify & improve Standard Cipher check (potentially breaking
    change)
  * Improve SWEET32 test
  * Finding certificates is faster and independent on openssl

-------------------------------------------------------------------
Sat Dec  1 15:58:11 UTC 2018 - Matthias Fehring <buschmann23@opensuse.org>

- Update to testssl.sh 2.9.93 (aka 3.0rc3)
  * add SSLv2 ciphers *total ciphers now being tested for: 370)
  * updated client simulation data
  * TLS 1.3 improvements
  * STARTTLS NNTP support
  * STARTTLS XMPP faster and more reliable
  * include DH groups (primes) in pfs section
  * Fix TCP fragmentation under remaining OS: FreeBSD / Mac OS X
  * further bugfixes and clarifications

-------------------------------------------------------------------
Wed Nov 28 09:52:06 UTC 2018 - Matthias Fehring <buschmann23@opensuse.org>

- initial package version 2.9.92 (aka 3.0rc2)