Skip to content

Commit

Permalink
Merge pull request #2298 from drwetter/changelog_3.2
Browse files Browse the repository at this point in the history
Start listing changes and contributions for 3.2
  • Loading branch information
drwetter authored Oct 10, 2023
2 parents 4e574d6 + 2b2e363 commit 30e0c84
Show file tree
Hide file tree
Showing 2 changed files with 33 additions and 10 deletions.
32 changes: 23 additions & 9 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,36 +3,50 @@

### Features implemented / improvements in 3.2

* Rating (SSL Labs, not complete)
* Extend Server (cipher) preference: always now in wide mode instead of running all ciphers in the end (per default)
* Remove "negotiated cipher / protocol"
* Provide a better verdict wrt to server order: Now per protocol and ciphers are weighted for each protocol
* Switched to multi-stage docker image with opensuse base to avoid musl libc issues, performance gain also
* Improved compatibility with OpenSSL 3.0
* Improved compatibility with Open/LibreSSL versions not supporting TLS 1.0-1.1 anymore
* Renamed PFS/perfect forward secrecy --> FS/forward secrecy
* Cipher list straightening
* Improved mass testing
* Align better colors of ciphers with standard cipherlists
* Added several ciphers to colored ciphers
* Better align colors of ciphers with standard cipherlists
* Save a few cycles for ROBOT
* Several ciphers more colorized
* Percent output char problem fixed
* Several display/output fixes
* BREACH check: list all compression methods and add brotli
* Test for old winshock vulnerability
* Test for STARTTLS injection vulnerabilities (SMTP, POP3, IMAP)
* Security fix: DNS input
* Don't use external pwd anymore
* STARTTLS: XMPP server support
* Code improvements to STARTTLS
* Detect better when no STARTTLS is offered
* Rating (SSL Labs, not complete)
* STARTTLS: XMPP server support, plus new set of OpenSSL-bad binaries
* Several code improvements to STARTTLS, also better detection when no STARTTLS is offered
* STARTTLS on active directory service support
* Security fixes: DNS and other input from servers
* Don't penalize missing trust in rating when CA not in Java store
* Added support for certificates with EdDSA signatures and public keys
* Extract CA list shows supported certification authorities sent by the server
* TLS 1.2 and TLS 1.3 sig algs added
* Check for ffdhe groups
* Show server supported signature algorithms
* --add-ca can also now be a directory with \*.pem files
* Warning of 398 day limit for certificates issued after 2020/9/1
* Added environment variable for amount of attempts for ssl renegotiation check
* Added --user-agent argument to support using a custom User Agent
* Added --overwrite argument to support overwriting output files without warning
* Headerflag X-XSS-Protection is now labeled as INFO
* Strict parser for HSTS
* DNS via proxy improvements
* Client simulation runs in wide mode which is even better readable
* Added --reqheader to support custom headers in HTTP requests
* Test for support for RFC 8879 certificate compression
* Deprecating --fast and --ssl-native (warning but still av)
* Compatible to GNU grep 3.8
* Don't use external pwd command anymore
* Doesn't hang anymore when there's no local resolver
* Dockerfiles refactored to be multistaged: performance gain+address bugs/inconsistencies


### Features implemented / improvements in 3.0

Expand Down
11 changes: 10 additions & 1 deletion CREDITS.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ Full contribution, see git log.
* David Cooper (main contributor)
- Major extensions to socket support for all protocols
- extended parsing of TLS ServerHello messages
- TLS 1.3 support (final and pre-final)
- TLS 1.3 support (final and pre-final) with needed en/decryption
- add several TLS extensions
- Detection + output of multiple certificates
- several cleanups of server certificate related stuff
Expand All @@ -29,7 +29,16 @@ Full contribution, see git log.
- several protocol preferences improvements
- pwnedkeys.com support
- CT support
- Extract CA list CertificateRequest message is encountered
- RFC 8879, certificate compression
- 128 cipher limit, padding
- compatibility for LibreSSL and different OpenSSL versions
- Check for ffdhe groups
- TLS 1.2 and TLS 1.3 sig algs added
- Show server supported signature algorithms
- Show supported certification authorities sent by the server when client auth is requested
- Provide a better verdict wrt to server order: Now per protocol and ciphers are weighted for each protocol
- Provide compatibility to every LibreSSL/OpenSSL versions
- Lots of fixes and improvements

##### Further credits (in alphabetical order)
Expand Down

0 comments on commit 30e0c84

Please sign in to comment.