Merge branch '3.2' into changelog_3.2

Author: drwetter

.dockerignore

@@ -1,2 +1,11 @@
+# Exclude everything from the Docker build context:
+*
+
+# Except for this content:
+!bin/
+!etc/
+!testssl.sh
+
+# But additionally exclude this nested content:
 bin/openssl.Darwin.*
 bin/openssl.FreeBSD.*

.gitattributes

@@ -0,0 +1,11 @@
+*.sh    eol=lf
+*.bash  eol=lf
+*.md    eol=lf
+*.html  eol=lf
+*.txt   eol=lf
+*.txt   eol=lf
+*.1     eol=lf
+*.t     eol=lf
+*.yml   eol=lf
+Dockerfile*  eol=lf
+*.csvfile    eol=lf

.github/ISSUE_TEMPLATE/feature_request.md

@@ -11,7 +11,7 @@ Feel free to remove this line but please stick to the template. Not filling out
 -->
 
 **Which version are you referring to**
-3.0.x or 3.1dev? We might close this right away otherwise.
+3.0.x or 3.2?
 
 
 **Please check this repo whether this is a known feature request**

.github/ISSUE_TEMPLATE/other-issues---question.md

@@ -8,4 +8,4 @@ assignees: ''
 ---
 
 **Which version are you referring to**
-3.0.x or 3.1dev? (please check also how old your version is compare to the ones here)
+3.0.x or 3.2? (please check also how old your version is compare to the ones here)

.github/workflows/codespell.yml

@@ -9,8 +9,8 @@ jobs:
     name: Check for spelling errors
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: codespell-project/actions-codespell@master
         with:
-          skip: ca_hashes.txt,tls_data.txt,*.pem,OPENSSL-LICENSE.txt
-          ignore_words_list: borken,gost,ciph,ba,bloc,isnt,chello,fo,alle
+          skip: ca_hashes.txt,tls_data.txt,*.pem,OPENSSL-LICENSE.txt,CREDITS.md,openssl.cnf
+          ignore_words_list: borken,gost,ciph,ba,bloc,isnt,chello,fo,alle,anull

.github/workflows/docker-3.1dev.yml .github/workflows/docker-3.2.yml.github/workflows/docker-3.1dev.yml renamed to .github/workflows/docker-3.2.yml

@@ -1,37 +1,37 @@
-name: docker-3.1dev
+name: docker-3.2
 
 on:
   push:
     branches:
-      - 3.1dev
+      - 3.2
   workflow_dispatch:
   schedule:
     - cron: "0 8 * * 1"
 
 env:
-  BUILD_VERSION: "3.1dev"
+  BUILD_VERSION: "3.2"
   DOCKER_CLI_EXPERIMENTAL: enabled
 
 jobs:
 
   deploy:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
 
     steps:
       - name: Source checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup QEMU
         id: qemu
-        uses: docker/setup-qemu-action@v2.1.0
+        uses: docker/setup-qemu-action@v3.0.0
 
       - name: Setup Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Set Docker metadata
         id: docker_meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ${{ github.repository }}
           labels: |
@@ -41,14 +41,14 @@ jobs:
 
       - name: GitHub login
         if: ${{ github.event_name != 'pull_request' }}
-        uses: docker/login-action@v2.1.0
+        uses: docker/login-action@v3.0.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push
-        uses: docker/build-push-action@v3.3.0
+        uses: docker/build-push-action@v5.0.0
         with:
           push: ${{ github.event_name != 'pull_request' }}
           context: .

.github/workflows/test.yml

@@ -1,17 +1,6 @@
 name: testssl.sh CI
 
 on:
-  push:
-    paths-ignore:
-      - 'utils/**'
-      - 'doc/**'
-      - 'bin/**'
-      - '**.md'
-      - '**.pem'
-      - '**.pdf'
-      - '**.html'
-      - 'LICENSE'
-      - 'Dockerfile'
   pull_request:
     paths-ignore:
       - 'utils/**'
@@ -32,11 +21,11 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        os: ['ubuntu-20.04']
+        os: ['ubuntu-22.04']
         perl: ['5.26']
     name: Perl ${{ matrix.perl }} on ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Set up perl
         uses: shogo82148/actions-setup-perl@v1
         with:

.gitignore

@@ -9,6 +9,7 @@ tmp.html
 *.log
 *.xml
 *.iml
+*.script
 *.swp
 *.swo
 *~

CHANGELOG.md

@@ -1,24 +1,27 @@
 
 ## Change Log
 
-### Features implemented / improvements in 3.2rcX
+### Features implemented / improvements in 3.2
 
 * Rating (SSL Labs, not complete)
 * Extend Server (cipher) preference: always now in wide mode instead of running all ciphers in the end (per default)
+* Remove "negotiated cipher / protocol"
+* Provide a better verdict wrt to server order: Now per protocol and ciphers are weighted for each protocol
+* Switched to multi-stage docker image with opensuse base to avoid musl libc issues, performance gain also
 * Improved compatibility with OpenSSL 3.0
-* Improved compatibility with Open/LibreSSL versions not suppoting TLS 1.0-1.1 anymore
+* Improved compatibility with Open/LibreSSL versions not supporting TLS 1.0-1.1 anymore
 * Renamed PFS/perfect forward secrecy --> FS/forward secrecy
 * Cipher list straightening
 * Improved mass testing
-* switched to multi-stage image with opensuse base to avoid musl libc issues
-* Btter align colors of ciphers with standard cipherlists
+* Better align colors of ciphers with standard cipherlists
+* Save a few cycles for ROBOT
 * Several ciphers more colorized
 * Percent output char problem fixed
 * Several display/output fixes
 * BREACH check: list all compression methods and add brotli
 * Test for old winshock vulnerability
 * Test for STARTTLS injection vulnerabilities (SMTP, POP3, IMAP)
-* STARTTLS: XMPP server support
+* STARTTLS: XMPP server support, plus new set of OpenSSL-bad binaries
 * Several code improvements to STARTTLS, also better detection when no STARTTLS is offered
 * STARTTLS on active directory service support
 * Security fixes: DNS and other input from servers
@@ -39,14 +42,10 @@
 * Client simulation runs in wide mode which is even better readable
 * Added --reqheader to support custom headers in HTTP requests
 * Test for support for RFC 8879 certificate compression
-* New set of OpenSSL-bad binaries with STARTTLS xmpp-server
-* Save a few cycles for ROBOT
-* Provide a better verdict wrt to server order: Now per protocol and ciphers are
-  weighted for each protocol
-* Remove "negotiated cipher / protocol"
 * Deprecating --fast and --ssl-native (warning but still av)
 * Compatible to GNU grep 3.8
 * Don't use external pwd command anymore
+* Doesn't hang anymore when there's no local resolver
 
 
 ### Features implemented / improvements in 3.0

CREDITS.md

@@ -9,7 +9,7 @@ Full contribution, see git log.
 * David Cooper (main contributor)
   - Major extensions to socket support for all protocols
   - extended parsing of TLS ServerHello messages
-  - TLS 1.3 support (final and pre-final) with needed encrption/decryptions
+  - TLS 1.3 support (final and pre-final) with needed en/decryption
   - add several TLS extensions
   - Detection + output of multiple certificates
   - several cleanups of server certificate related stuff
@@ -94,7 +94,7 @@ Full contribution, see git log.
   - helped with avoiding accidental TCP fragmentation
 
 * Brennan Kinney
-  - refactor dockerfile: Change base Alpine (3.17) => openSUSE Leap (15.4)
+  - refactored multistage Dockerfiles: performance gain+address bugs/inconsistencies
 
 * Magnus Larsen
   - SSL Labs Rating
@@ -185,6 +185,9 @@ Full contribution, see git log.
 * @nvsofts (NV)
   - LibreSSL patch for GOST
 
+* @w4ntun
+  - fixed DNS via proxy
+
 Probably more I forgot to mention which did give me feedback, bug reports and helped one way or another.