Merge branch '3.2' into bump_version

Author: drwetter

.github/workflows/docker-3.2.yml

@@ -23,7 +23,7 @@ jobs:
 
       - name: Setup QEMU
         id: qemu
-        uses: docker/setup-qemu-action@v3.2.0
+        uses: docker/setup-qemu-action@v3.3.0
 
       - name: Setup Buildx
         id: buildx
@@ -48,7 +48,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push
-        uses: docker/build-push-action@v6.7.0
+        uses: docker/build-push-action@v6.12.0
         with:
           push: ${{ github.event_name != 'pull_request' }}
           context: .

.github/workflows/test.yml .github/workflows/unit_tests.yml.github/workflows/test.yml renamed to .github/workflows/unit_tests.yml

@@ -137,7 +137,7 @@
 * Trust chain check against certificate stores from Apple (OS), Linux (OS),
   Microsoft (OS), Mozilla (Firefox Browser), works for openssl >=1.0.1
 * IPv6 (status: 80% working, details see
-  https://github.com/drwetter/testssl.sh/issues/11
+  https://github.com/testssl/testssl.sh/issues/11
 * works now on servers requiring a x509 certificate for authentication
 * extensive CN <--> hostname check
 * SSL Session ID check
@@ -183,7 +183,7 @@
   * quite some LibreSSL fixes, still not recommended to use though (see https://testssl.sh/)
   * lots of fixes, code improvements, even more robust
 
-Full log @ https://github.com/drwetter/testssl.sh/commits/2.6/testssl.sh
+Full log @ https://github.com/testssl/testssl.sh/commits/2.6/testssl.sh
 
 ### New in 2.4
   * "only one cmd line option at a time" is completely gone
@@ -198,7 +198,7 @@ Full log @ https://github.com/drwetter/testssl.sh/commits/2.6/testssl.sh
   * lots of cosmetic and maintainability code cleanups
   * bugfixing
 
-Full changelog: https://github.com/drwetter/testssl.sh/commits/2.4/testssl.sh
+Full changelog: https://github.com/testssl/testssl.sh/commits/2.4/testssl.sh
 
 ### 2.2. new features:
   * Works fully under FreeBSD (openssl >=1.0)
@@ -214,7 +214,7 @@ Full changelog: https://github.com/drwetter/testssl.sh/commits/2.4/testssl.sh
   * RFC <---> OpenSSL name space mapping of ciphers everywhere
   * includes a lot of fixes
 
-Full changelog @  https://github.com/drwetter/testssl.sh/commits/2.2/testssl.sh
+Full changelog @  https://github.com/testssl/testssl.sh/commits/2.2/testssl.sh
 
 ### 2.0 major release, new features:
   * SNI

CHANGELOG.md

@@ -1,21 +1,25 @@
 
-### Contributions / participation
+### Contributing / participating
 
-is always welcome, here @ github or via e-mail.
+Contributing / participating is always welcome!
 
-Note please the following
+Please note the following:
 
-* Please read at least the [coding convention](https://github.com/drwetter/testssl.sh/Coding_Convention.md).
-* One PR per feature or bug fix or improvement. Please do not mix issues.
-* Document your PR, both in the PR and/or commit message and in the code.
+* Please read the [coding convention](https://github.com/testssl/testssl.sh/blob/3.2/Coding_Convention.md).
+* If you have something new and/or bigger which you like to contribute, better open an issue first before you get frustrated.
+* Please one pull request per feature or bug fix or improvement. Please do not mix issues.
+* Documentation pays off in the long run. So please your document your code and the pull request and/or commit message.
 * Please test your changes thoroughly as reliability is important for this project. You may want to check different servers with different settings.
-* Travis runs automatically when anything is committed/PR'd. You should check any complains from Travis. Beforehand you can check with `prove -v`.
-* If it's a new feature please consider writing a unit test for it. You can use e.g. `t/20_baseline_ipv4_http.t` as a template. The general documentation for [Test::More](https://perldoc.perl.org/Test/More.html) is a good start.
-* If it's a new feature it would need to be documented in the appropriate section in `help()` and in `~/doc/testssl.1.md`
+* GitHub actions are running automatically when anything is committed. You should see any complains. Beforehand you can check with `prove -v` from the "root dir" of this project.
+* If it's a new feature, please consider writing a unit test for it. You can use e.g. `t/10_baseline_ipv4_http.t` or `t/61_diff_testsslsh.t` as a template. The general documentation for [Test::More](https://perldoc.perl.org/Test/More.html) is a good start.
+* If it's a new feature, it would need to be documented in the appropriate section in `help()` and in `~/doc/testssl.1.md`
 
-For questions just open an issue or feel free to send me an e-mail.
+If you're interested in contributing and wonder how you can help, you can search for different tags in the issues (somewhat increasing degree of difficulty):
+* [documentation](https://github.com/testssl/testssl.sh/issues?q=is:issue%20state:open%20label:documentation)
+* [good first issue](https://github.com/testssl/testssl.sh/issues?q=is:issue%20state:open%20label:%22good%20first%20issue%22)
+* [help wanted](https://github.com/testssl/testssl.sh/issues?q=is:issue%20state:open%20label:%22help%20wanted%22)
+* [for grabs](https://github.com/testssl/testssl.sh/issues?q=is:issue%20state:open%20label:%22good%20first%20issue%22)
+
+For questions just open an issue.  Thanks for reading this!
 
-#### Patches via e-mail
 
-Of course it is fine when you want to send in patches to use e-mail. For the address please grep for SWCONTACT in testssl.sh .
-Let me know how you like them to be attributed.

CONTRIBUTING.md

@@ -1,6 +1,6 @@
 # syntax=docker.io/docker/dockerfile:1
 
-ARG LEAP_VERSION=15.5
+ARG LEAP_VERSION=15.6
 ARG INSTALL_ROOT=/rootfs
 
 FROM opensuse/leap:${LEAP_VERSION} as builder
@@ -18,7 +18,7 @@ RUN source /etc/os-release \
   && zypper "${ZYPPER_OPTIONS[@]}" --gpg-auto-import-keys refresh \
   && rpm -e util-linux --nodeps \
   && zypper "${ZYPPER_OPTIONS[@]}" --non-interactive install --download-in-advance --no-recommends \
-       bash procps grep gawk sed coreutils busybox-util-linux busybox-vi ldns libidn2-0 socat openssl curl \
+       bash procps grep gawk sed coreutils busybox ldns libidn2-0 socat openssl curl \
   && zypper up -y \
   && zypper "${ZYPPER_OPTIONS[@]}" clean --all
 ## Cleanup (reclaim approx 13 MiB):
@@ -35,6 +35,7 @@ ARG INSTALL_ROOT
 COPY --link --from=builder ${INSTALL_ROOT} /
 # Link busybox to tar, see #2403. Create user + (home with SGID set):
 RUN  ln -s /usr/bin/busybox /usr/bin/tar \
+  && ln -s /usr/bin/busybox /usr/bin/hexdump \
   && echo 'testssl:x:1000:1000::/home/testssl:/bin/bash' >> /etc/passwd \
   && echo 'testssl:x:1000:' >> /etc/group \
   && echo 'testssl:!::0:::::' >> /etc/shadow \

Dockerfile

@@ -5,8 +5,8 @@ FROM alpine:3.20
 WORKDIR /home/testssl
 
 ARG BUILD_VERSION
-ARG ARCHIVE_URL=https://github.com/drwetter/testssl.sh/archive/
-ARG URL=https://github.com/drwetter/testssl.sh.git
+ARG ARCHIVE_URL=https://github.com/testssl/testssl.sh/archive/
+ARG URL=https://github.com/testssl/testssl.sh.git
 
 RUN test -n "${BUILD_VERSION}" \
     && apk update \

Dockerfile.git

@@ -1,11 +1,11 @@
 
 ## Intro
 
-<!-- [![Travis CI Status](https://img.shields.io/travis/drwetter/testssl.sh)](https://travis-ci.org/drwetter/testssl.sh)  -->
-[![Build Status](https://github.com/drwetter/testssl.sh/actions/workflows/test.yml/badge.svg)](https://github.com/drwetter/testssl.sh/actions/workflows/test.yml)
-[![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/drwetter/testssl.sh?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
-[![License](https://img.shields.io/github/license/drwetter/testssl.sh)](https://github.com/drwetter/testssl.sh/LICENSE)
-[![Docker](https://img.shields.io/docker/pulls/drwetter/testssl.sh)](https://github.com/drwetter/testssl.sh/blob/3.2/Dockerfile.md)
+[![CI tests](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests.yml/badge.svg)](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests.yml)
+[![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/testssl/testssl.sh?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
+[![License](https://img.shields.io/github/license/testssl/testssl.sh)](https://github.com/testssl/testssl.sh/LICENSE)
+[![Docker](https://img.shields.io/docker/pulls/testssl/testssl.sh)](https://github.com/testssl/testssl.sh/blob/3.2/Dockerfile.md)
+
 
 `testssl.sh` is a free command line tool which checks a server's service on
 any port for the support of TLS/SSL ciphers, protocols as well as some
@@ -45,16 +45,16 @@ due to bash-socket-based checks. As a result you can also use e.g. LibreSSL or O
 (silent) check for binaries is done when you start testssl.sh . System V needs probably
 to have GNU grep installed. MacOS X and Windows (using MSYS2, Cygwin or WSL) work too.
 
-Update notification here or @ [mastodon](https://infosec.exchange/@testssl) (old: [twitter](https://twitter.com/drwetter))
+Update notification here or @ [mastodon](https://infosec.exchange/@testssl or [bluesky](https://bsky.app/profile/testssl.bsky.social). Please note the [twitter](https://twitter.com/drwetter) account is not being used anymore.
 
 ### Installation
 
 You can download testssl.sh branch 3.2 just by cloning this git repository:
 
-    git clone --depth 1 https://github.com/drwetter/testssl.sh.git
+    git clone --depth 1 https://github.com/testssl/testssl.sh.git
 
-3.2 is now the latest branch which evolved from 3.1dev. It's in the release candidate phase.
-For the former stable version help yourself by downloading the [ZIP](https://codeload.github.com/drwetter/testssl.sh/zip/v3.0.8) or [tar.gz](https://codeload.github.com/drwetter/testssl.sh/tar.gz/v3.0.8) archive. Just ``cd`` to the directory created (=INSTALLDIR) and run it off there.
+3.2 is now the latest branch which evolved from 3.1dev. It's in the release candidate phase and considered as stable.
+For the former stable version named oldstable please help yourself by downloading the [ZIP](https://codeload.github.com/testssl/testssl.sh/zip/v3.0.9) or [tar.gz](https://codeload.github.com/testssl/testssl.sh/tar.gz/v3.0.9) archive. Just ``cd`` to the directory created (=INSTALLDIR) and run it off there.
 
 #### Docker
 
@@ -69,19 +69,19 @@ Or if you have cloned this repo you also can just ``cd`` to the INSTALLDIR and r
 docker build . -t imagefoo && docker run --rm -t imagefoo example.com
 ```
 
-For more please consult [Dockerfile.md](https://github.com/drwetter/testssl.sh/blob/3.2/Dockerfile.md).
+For more please consult [Dockerfile.md](https://github.com/testssl/testssl.sh/blob/3.2/Dockerfile.md).
 
 ### No Warranty
 
-Usage of the program is without any warranty. Use it at yor own risk. 
+Usage of the program is without any warranty. Use it at your own risk.
 
 Testssl.sh is intended to be used as a standalone CLI tool. While we tried to apply best practise security measures, we can't guarantee that the program is without any vulnerabilities. Running as a service may pose security risks and you're recommended to apply additional security measures.
 
 ### Status
 
-We're currently in the release candidate phase for version 3.2. Bigger features will be developed in a separate branch before merged into a 3.3dev to avoid hiccups or inconsistencies.
+We're currently in the release candidate phase for version 3.2. You should use it despite the label "RC". Bigger features will be developed in a separate branch before merged into a 3.3dev to avoid hiccups or inconsistencies.
 
-Version 3.0.X receives bugfixes, labeled as 3.0.1, 3.0.2 and so on. This will happen until 3.2 is released.
+Version 3.0.X receives bugfixes, labeled as 3.0.1, 3.0.2 and so on. This will happen until 3.2 is finally released.
 
 Support for 2.9.5 has been dropped. Supported is >= 3.0.x only.
 
@@ -93,16 +93,19 @@ Support for 2.9.5 has been dropped. Supported is >= 3.0.x only.
 
 ### Contributing
 
-Contributions are welcome! See [CONTRIBUTING.md](https://github.com/drwetter/testssl.sh/blob/3.2/CONTRIBUTING.md) for details. Please also have a look at the [Coding Convention](https://github.com/drwetter/testssl.sh/blob/3.2/Coding_Convention.md).
+Contributions are welcome! See [CONTRIBUTING.md](https://github.com/testssl/testssl.sh/blob/3.2/CONTRIBUTING.md) for details. Please also have a look at the [Coding Convention](https://github.com/testssl/testssl.sh/blob/3.2/Coding_Convention.md). A lot of contributors already helped to push the project where it currently is, see [CREDITS.md](https://github.com/testssl/testssl.sh/blob/3.2/CREDITS.md). We still you use your help now. A start would be look for issues which are labeled as [good first issue](https://github.com/testssl/testssl.sh/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22), [for grabs](https://github.com/testssl/testssl.sh/issues?q=is%3Aissue+is%3Aopen+label%3A%22for+grabs%22) or [help wanted](https://github.com/testssl/testssl.sh/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22). The latter is more advanced.
+
+In general there's some maintenance burden, like maintaining handshakes and CA stores, writing unit tests, improving github actions. If you believe you can contribute, speak up.
+
 
 ### Bug reports
 
 Bug reports are important. It makes this project more robust.
 
 Please file bugs in the issue tracker @ GitHub. Do not forget to provide detailed information, see template for issue, and further details @
-https://github.com/drwetter/testssl.sh/wiki/Bug-reporting. Nobody can read your thoughts -- yet. And only agencies your screen ;-)
+https://github.com/testssl/testssl.sh/wiki/Bug-reporting. Nobody can read your thoughts -- yet. And only agencies your screen ;-)
 
-You can also debug yourself, see [here](https://github.com/drwetter/testssl.sh/wiki/Findings-and-HowTo-Fix-them).
+You can also debug yourself, see [here](https://github.com/testssl/testssl.sh/wiki/Findings-and-HowTo-Fix-them).
 
 ----
 
@@ -129,7 +132,7 @@ Please address questions not specifically to the code of testssl.sh to the respe
 
 #### Brew package
 
-* see [#233](https://github.com/drwetter/testssl.sh/issues/233) and
+* see [#233](https://github.com/testssl/testssl.sh/issues/233) and
   [https://github.com/Homebrew/homebrew](https://github.com/Homebrew/homebrew)
 
 #### Daemon for batch execution of testssl.sh command files

Readme.md

@@ -342,6 +342,8 @@
  0x02,0x00,0x80 - EXP-RC4-MD5                    SSL_CK_RC4_128_EXPORT40_WITH_MD5                   SSLv2      Kx=RSA(512)    Au=RSA     Enc=RC4(40)                    Mac=MD5      export    
       0x00,0x28 - EXP-KRB5-RC4-SHA               TLS_KRB5_EXPORT_WITH_RC4_40_SHA                    SSLv3      Kx=KRB5        Au=KRB5    Enc=RC4(40)                    Mac=SHA1     export    
       0x00,0x2B - EXP-KRB5-RC4-MD5               TLS_KRB5_EXPORT_WITH_RC4_40_MD5                    SSLv3      Kx=KRB5        Au=KRB5    Enc=RC4(40)                    Mac=MD5      export    
+      0xC0,0xB4 - TLS_SHA256_SHA256              TLS_SHA256_SHA256                                  TLSv1.3    Kx=any         Au=any     Enc=None                       Mac=SHA256             
+      0xC0,0xB5 - TLS_SHA384_SHA384              TLS_SHA384_SHA384                                  TLSv1.3    Kx=any         Au=any     Enc=None                       Mac=SHA384             
       0xC0,0x10 - ECDHE-RSA-NULL-SHA             TLS_ECDHE_RSA_WITH_NULL_SHA                        SSLv3      Kx=ECDH        Au=RSA     Enc=None                       Mac=SHA1               
       0xC0,0x06 - ECDHE-ECDSA-NULL-SHA           TLS_ECDHE_ECDSA_WITH_NULL_SHA                      SSLv3      Kx=ECDH        Au=ECDSA   Enc=None                       Mac=SHA1               
       0xC0,0x15 - AECDH-NULL-SHA                 TLS_ECDH_anon_WITH_NULL_SHA                        SSLv3      Kx=ECDH        Au=None    Enc=None                       Mac=SHA1               

etc/cipher-mapping.txt

@@ -45,3 +45,7 @@
       0x01,0x02 -   ffdhe4096   ffdhe4096
       0x01,0x03 -   ffdhe6144   ffdhe6144
       0x01,0x04 -   ffdhe8192   ffdhe8192
+      0x11,0xeb -   SecP256r1MLKEM768  SecP256r1MLKEM768
+      0x11,0xec -   X25519MLKEM768  X25519MLKEM768
+      0x11,0xed -   SecP384r1MLKEM1024  SecP384r1MLKEM1024
+      0x63,0x99 -   X25519Kyber768Draft00  X25519Kyber768Draft00