Merge pull request #2745 from testssl/amend_changelog_and_credits

Amend changes and attributions

Author: drwetter

CHANGELOG.md

@@ -3,28 +3,34 @@
 
 ### Features implemented / improvements in 3.2
 
-* Rating (SSL Labs, not complete)
+* Rating (SSL Labs)
 * Extend Server (cipher) preference: always now in wide mode instead of running all ciphers in the end (per default)
 * Remove "negotiated cipher / protocol"
 * Provide a better verdict wrt to server order: Now per protocol and ciphers are weighted for each protocol
-* Switched to multi-stage docker image with opensuse base to avoid musl libc issues, performance gain also
-* Improved compatibility with OpenSSL 3.0 and higher versions
+* Faster startup, other performance improvements
+* Switched to multi-stage docker image with opensuse base to avoid musl libc issues, benefit: also performance gain
+* Added GHCR.io docker image builds
+* Improved compatibility with OpenSSL 3.0 and higher versions like OpenSSL 3.5
 * Improved compatibility with Open/LibreSSL versions not supporting TLS 1.0-1.1 anymore
+* Reduced the set of openssl-bad binaries via github to Linux and FreeBSD, no kerberos binaries anymore, no Linux 32 Bit
 * Renamed PFS/perfect forward secrecy --> FS/forward secrecy
 * Cipher list straightening
 * Support RFC 9150 cipher suites
 * Improved mass testing
 * Better align colors of ciphers with standard cipherlists
 * Save a few cycles for ROBOT
 * Several ciphers more colorized
+* Added support for way more ciphers like all AEAD ciphers known so far
 * Percent output char problem fixed
 * Several display/output fixes
 * BREACH check: list all compression methods and add brotli
 * Test for old winshock vulnerability
 * Test for STARTTLS injection vulnerabilities (SMTP, POP3, IMAP)
 * STARTTLS: XMPP server support, plus a new set of OpenSSL-bad binaries
 * STARTTLS sieve support, plus again a new set of OpenSSL-bad binaries
+* STARTTLS LDAP support, AD + STARTTLS logic is there but experimental
 * Several code improvements to STARTTLS, also better detection when no STARTTLS is offered
+* STARTTLS telnet (TN3270/telnet) support
 * Detect throtteling via STARTTLS smtp
 * Renegotiation checks more reliable against different servers
 * STARTTLS on active directory service support
@@ -33,11 +39,16 @@
 * Added support for certificates with EdDSA signatures and public keys
 * Extract CA list shows supported certification authorities sent by the server
 * Wildcard certificates: detection and warning
+* Test for support for RFC 8879 certificate compression
+* Show intermediate cert validity / bad OCSP
+* If a TLS 1.3 host is tested and e.g. /usr/bin/openssl supports it, it'll automagically switch to it
 * TLS 1.2 and TLS 1.3 sig algs added
+* TLS 1.3: decrypting server response
 * Check for ffdhe groups
 * Check for six KEMs in draft-connolly-tls-mlkem-key-agreement/draft-kwiatkowski-tls-ecdhe-mlkem/draft-tls-westerbaan-xyber768d00
 * Check for ML-DSA signatures (draft-tls-westerbaan-mldsa)
 * Show server supported signature algorithms
+* Support for EdDSA (Ed25519/Ed448): sigalgo extension, check whether server offers EdDSA certificates, recognize EdDSA signatures
 * --add-ca can also now be a directory with \*.pem files
 * Warning of 398 day limit for certificates issued after 2020/9/1
 * Added environment variable for amount of attempts for ssl renegotiation check
@@ -46,16 +57,18 @@
 * Headerflag X-XSS-Protection is now labeled as INFO
 * Search for more HTTP security headers on the server
 * Strict parser for HSTS
-* DNS via proxy improvements
+* DNS via proxy improvements, also IPv6 support for proxy
 * Client simulation runs in wide mode which is even better readable
 * Added --reqheader to support custom headers in HTTP requests
-* Test for support for RFC 8879 certificate compression
 * Deprecating --fast and --ssl-native (warning only but still av)
-* Compatible to GNU grep 3.8
+* Compatible to GNU grep >=3.8, bash 5.x
 * Don't use external pwd command anymore
 * Doesn't hang anymore when there's no local resolver
+* Display whether server requests/requires a Client Certificate
 * Added --mtls feature to support client authentication
-* If a TLS 1.3 host is tested and e.g. /usr/bin/openssl supports it, it'll automagically will switch to it
+* CI run against a target with known configuration as a change canary
+* Updated client handshakes as new browsers and OpenSSL 3.5.x show KEMs
+* Start using client handshakes include ja3/ja4 so that similar handshakes will be recognized
 
 
 ### Features implemented / improvements in 3.0

CREDITS.md

@@ -4,7 +4,7 @@ Full contribution, see git log.
 * Dirk Wetter (creator, maintainer and main contributor)
   - Everything what's not mentioned below and is included in testssl.sh's git log
     minus what I probably forgot to mention
-  (too much other things to do at the moment and to list it would be a tough job)
+  (too much other things to do at the moment and to list it would be too time consuming)
 
 * David Cooper (main contributor)
   - Major extensions to socket support for all protocols
@@ -36,9 +36,9 @@ Full contribution, see git log.
   - Check for ffdhe and ML-KEM groups
   - TLS 1.2 and TLS 1.3 sig algs added
   - Show server supported signature algorithms
-  - Show supported certification authorities sent by the server when client auth is requested
+  - Show supported certification authorities sent by the server when client auth is requested and whether certificate-based client authentication is not requested, optional, or required.
   - Provide a better verdict wrt to server order: Now per protocol and ciphers are weighted for each protocol
- -  Provide compatibility to every LibreSSL/OpenSSL versions
+ -  Provide compatibility to every LibreSSL/OpenSSL versions, including OpenSSL 3.5.0
   - Lots of fixes and improvements
 
 ##### Further credits (in alphabetical order)
@@ -68,6 +68,9 @@ Full contribution, see git log.
 * Christian Dresen
    - Dockerfile
 
+* enxio
+   - support for TN3270/telnet STARTTLS
+
 * csett86
    - some MacOSX and Java client handshake data
 
@@ -81,6 +84,10 @@ Full contribution, see git log.
   - bugfixes
   - former ARM binary support
 
+* Jauder Ho
+  - GH Action to build new container images upon push
+  - dependabot actions
+
 * Maciej Grela
   - colorless handling
 
@@ -128,6 +135,9 @@ Full contribution, see git log.
   - non-flat JSON support (--json-pretty)
   - in file output (CSV, JSON flat, JSON non-flat) support of a minimum severity level
 
+* Brett Randall
+  - Improved (experimental) Extended Validation (EV) certificate identification.
+
 * Jonathan Roach
   - TLS_FALLBACK_SCSV checks