Full contribution, see git log.
* Dirk Wetter (creator, maintainer and main contributor)
  - Everything that's not mentioned below and is included in testssl.sh's git log,
    minus what I probably forgot to mention
    (too many other things to do at the moment, and listing it all would be too time consuming)
* David Cooper (main contributor)
  - Major extensions to socket support for all protocols
  - extended parsing of TLS ServerHello messages
  - TLS 1.3 support (final and pre-final) with needed en/decryption
  - add several TLS extensions
  - Detection + output of multiple certificates
  - several cleanups of server certificate related stuff
  - testssl.sh -e/-E: testing with a mixture of openssl + sockets
  - add more ciphers
  - coloring of ciphers
  - extensive CN+SAN <--> hostname check
  - separate check for curves
  - RFC 7919, key shares extension
  - keyUsage extension in certificate
  - experimental "eTLS" detection
  - parallel mass testing!
  - RFC <--> OpenSSL cipher name space switches for the command line
  - better error msg suppression (not fully installed openssl)
  - GREASE support
  - Bleichenbacher / ROBOT vulnerability test
  - several protocol preferences improvements
  - pwnedkeys.com support
  - CT support
  - Extract CA list when a CertificateRequest message is encountered
  - RFC 8879, certificate compression
  - 128 cipher limit, padding
  - compatibility for LibreSSL and different OpenSSL versions
  - Check for ffdhe and ML-KEM groups
  - TLS 1.2 and TLS 1.3 sig algs added
  - Show server supported signature algorithms
  - Show supported certification authorities sent by the server when client auth is requested, and whether certificate-based client authentication is not requested, optional, or required
  - Provide a better verdict w.r.t. server order: now per protocol, and ciphers are weighted for each protocol
  - Provide compatibility with every LibreSSL/OpenSSL version, including OpenSSL 3.5.0
  - Lots of fixes and improvements
##### Further credits (in alphabetical order)
* a666
  - Bugfix
* Christoph Badura
  - NetBSD fixes
* Jim Blankendaal
  - maximum certificate lifespan of 398 days
  - ssl renegotiation amount variable
  - custom http request headers
* Frank Breedijk
  - Detection of insecure redirects
  - JSON and CSV output
  - CA pinning
  - Client simulations
  - CI integration, some test cases for it
* Steven Danneman
  - Postgres and MySQL STARTTLS support
  - MongoDB support
* Christian Dresen
  - Dockerfile
* enxio
  - support for TN3270/telnet STARTTLS
* csett86
  - some MacOSX and Java client handshake data
* Mark Felder
  - lots of cleanups
  - Shellcheck static analysis
* Laine Gholson
  - avahi/mDNS support
  - HTTP2/ALPN
  - bugfixes
  - former ARM binary support
* Jauder Ho
  - GH Action to build new container images upon push
  - dependabot actions
* Maciej Grela
  - colorless handling
* Jac2NL
  - initial support for skipping offensive vulnerability tests
* Scott Johnson
  - Bugfix F5
* Hubert Kario
  - helped with avoiding accidental TCP fragmentation
* Brennan Kinney
  - refactored multistage Dockerfiles: performance gain+address bugs/inconsistencies
* Magnus Larsen
  - SSL Labs Rating
* Jacco de Leeuw
  - skip checks which might trigger an IDS ($OFFENSIVE / --ids-friendly)
* Manuel
  - HTTP basic auth
* Markus Manzke
  - Fix for HSTS + subdomains
  - LibreSSL patch
* Jean Marsault
  - client auth: ideas, code snippets
* Thomas Martens
  - adding colorblind option
  - no-rfc mapping
* Peter Mosmans
  - started way better cmd line parsing
  - cleanups, fixes
  - openssl sources support with the "missing" features
* John Newbigin
  - Proxy support (sockets and openssl)
* Oleksandr Nosenko
  - non-flat JSON support (--json-pretty)
  - in file output (CSV, JSON flat, JSON non-flat) support of a minimum severity level
* Brett Randall
  - Improved (experimental) Extended Validation (EV) certificate identification.
* Jonathan Roach
  - TLS_FALLBACK_SCSV checks
* Jonathon Rossi
  - fix for bash3 (Darwin)
  - and other Darwin fixes
* Дилян Палаузов
  - bug fix for 3des report
  - reported a tricky STARTTLS bug
* Thomas Patzke
  - Support of supplying timeout value for openssl connect
* Olivier Paroz
  - conversion xxd --> hexdump stuff
* Jeroen Wiert Pluimers
  - Darwin binaries support
* Joao Poupino
  - Minimize false positive detection for Renegotiation checks against Node.js etc.
* Rechi
  - initial MX stuff
  - fixes
* Gonçalo Ribeiro
  - --connect-timeout
* Dmitri S
  - inspiration & help for Darwin port
* Jonas Schäfer
  - XMPP server patch
* Maurizio Siddu
  - added --mTLS feature
* Marcin Szychowski
  - Quick'n'dirty client certificate support
* Viktor Szépe
  - color function maker
* Julien Vehent
  - supplied 1st Darwin binary
* Thomas Ward
  - add initial IDN support
* @typingArtist
  - improved BEAST detection
* @f-s
  - ARM binary support
* @nvsofts (NV)
  - LibreSSL patch for GOST
* @w4ntun
  - fixed DNS via proxy
Probably more whom I forgot to mention, who gave me feedback and bug reports and helped one way or another.
##### Last but not least:
* OpenSSL team for providing openssl.
* Ivan Ristic/Qualys for the liberal license which made it possible to partly make use of the client data
* My family for supporting me doing this work