Merge branch 'fix_ci_runs' into https_rr

.github/workflows/docker-3.2.yml

@@ -23,7 +23,7 @@ jobs:
 
       - name: Setup QEMU
         id: qemu
-        uses: docker/setup-qemu-action@v3.2.0
+        uses: docker/setup-qemu-action@v3.3.0
 
       - name: Setup Buildx
         id: buildx
@@ -48,7 +48,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push
-        uses: docker/build-push-action@v6.7.0
+        uses: docker/build-push-action@v6.12.0
         with:
           push: ${{ github.event_name != 'pull_request' }}
           context: .

CHANGELOG.md

@@ -12,6 +12,7 @@
 * Improved compatibility with Open/LibreSSL versions not supporting TLS 1.0-1.1 anymore
 * Renamed PFS/perfect forward secrecy --> FS/forward secrecy
 * Cipher list straightening
+* Support RFC 9150 cipher suites
 * Improved mass testing
 * Better align colors of ciphers with standard cipherlists
 * Save a few cycles for ROBOT
@@ -23,13 +24,16 @@
 * Test for STARTTLS injection vulnerabilities (SMTP, POP3, IMAP)
 * STARTTLS: XMPP server support, plus new set of OpenSSL-bad binaries
 * Several code improvements to STARTTLS, also better detection when no STARTTLS is offered
+* Renegotiation checks more reliable against different servers
 * STARTTLS on active directory service support
 * Security fixes: DNS and other input from servers
 * Don't penalize missing trust in rating when CA not in Java store
 * Added support for certificates with EdDSA signatures and public keys
 * Extract CA list shows supported certification authorities sent by the server
+* Wildcard certificates: detection and warning
 * TLS 1.2 and TLS 1.3 sig algs added
 * Check for ffdhe groups
+* Check for three KEMs in draft-kwiatkowski-tls-ecdhe-mlkem/draft-tls-westerbaan-xyber768d00
 * Show server supported signature algorithms
 * --add-ca can also now be a directory with \*.pem files
 * Warning of 398 day limit for certificates issued after 2020/9/1
@@ -41,12 +45,14 @@
 * DNS via proxy improvements
 * Client simulation runs in wide mode which is even better readable
 * Added --reqheader to support custom headers in HTTP requests
+* Search for more HTTP security headers on the server
 * Test for support for RFC 8879 certificate compression
 * Deprecating --fast and --ssl-native (warning but still av)
 * Compatible to GNU grep 3.8
 * Don't use external pwd command anymore
 * Doesn't hang anymore when there's no local resolver
-* Added --mtls feature to support client authentication 
+* Added --mtls feature to support client authentication
+* If a TLS 1.3 host is tested and e.g. /usr/bin/openssl supports it, it'll automagically will switch to it
 
 
 ### Features implemented / improvements in 3.0
@@ -136,7 +142,7 @@
 * Trust chain check against certificate stores from Apple (OS), Linux (OS),
   Microsoft (OS), Mozilla (Firefox Browser), works for openssl >=1.0.1
 * IPv6 (status: 80% working, details see
-  https://github.com/drwetter/testssl.sh/issues/11
+  https://github.com/testssl/testssl.sh/issues/11
 * works now on servers requiring a x509 certificate for authentication
 * extensive CN <--> hostname check
 * SSL Session ID check
@@ -182,7 +188,7 @@
   * quite some LibreSSL fixes, still not recommended to use though (see https://testssl.sh/)
   * lots of fixes, code improvements, even more robust
 
-Full log @ https://github.com/drwetter/testssl.sh/commits/2.6/testssl.sh
+Full log @ https://github.com/testssl/testssl.sh/commits/2.6/testssl.sh
 
 ### New in 2.4
   * "only one cmd line option at a time" is completely gone
@@ -197,7 +203,7 @@ Full log @ https://github.com/drwetter/testssl.sh/commits/2.6/testssl.sh
   * lots of cosmetic and maintainability code cleanups
   * bugfixing
 
-Full changelog: https://github.com/drwetter/testssl.sh/commits/2.4/testssl.sh
+Full changelog: https://github.com/testssl/testssl.sh/commits/2.4/testssl.sh
 
 ### 2.2. new features:
   * Works fully under FreeBSD (openssl >=1.0)
@@ -213,7 +219,7 @@ Full changelog: https://github.com/drwetter/testssl.sh/commits/2.4/testssl.sh
   * RFC <---> OpenSSL name space mapping of ciphers everywhere
   * includes a lot of fixes
 
-Full changelog @  https://github.com/drwetter/testssl.sh/commits/2.2/testssl.sh
+Full changelog @  https://github.com/testssl/testssl.sh/commits/2.2/testssl.sh
 
 ### 2.0 major release, new features:
   * SNI

CONTRIBUTING.md

@@ -1,21 +1,25 @@
 
-### Contributions / participation
+### Contributing / participating
 
-is always welcome, here @ github or via e-mail.
+Contributing / participating is always welcome!
 
-Note please the following
+Please note the following:
 
-* Please read at least the [coding convention](https://github.com/drwetter/testssl.sh/Coding_Convention.md).
-* One PR per feature or bug fix or improvement. Please do not mix issues.
-* Document your PR, both in the PR and/or commit message and in the code.
+* Please read the [coding convention](https://github.com/testssl/testssl.sh/blob/3.2/Coding_Convention.md).
+* If you have something new and/or bigger which you like to contribute, better open an issue first before you get frustrated.
+* Please one pull request per feature or bug fix or improvement. Please do not mix issues.
+* Documentation pays off in the long run. So please your document your code and the pull request and/or commit message.
 * Please test your changes thoroughly as reliability is important for this project. You may want to check different servers with different settings.
-* Travis runs automatically when anything is committed/PR'd. You should check any complains from Travis. Beforehand you can check with `prove -v`.
-* If it's a new feature please consider writing a unit test for it. You can use e.g. `t/20_baseline_ipv4_http.t` as a template. The general documentation for [Test::More](https://perldoc.perl.org/Test/More.html) is a good start.
-* If it's a new feature it would need to be documented in the appropriate section in `help()` and in `~/doc/testssl.1.md`
+* GitHub actions are running automatically when anything is committed. You should see any complains. Beforehand you can check with `prove -v` from the "root dir" of this project.
+* If it's a new feature, please consider writing a unit test for it. You can use e.g. `t/10_baseline_ipv4_http.t` or `t/61_diff_testsslsh.t` as a template. The general documentation for [Test::More](https://perldoc.perl.org/Test/More.html) is a good start.
+* If it's a new feature, it would need to be documented in the appropriate section in `help()` and in `~/doc/testssl.1.md`
 
-For questions just open an issue or feel free to send me an e-mail.
+If you're interested in contributing and wonder how you can help, you can search for different tags in the issues (somewhat increasing degree of difficulty):
+* [documentation](https://github.com/testssl/testssl.sh/issues?q=is:issue%20state:open%20label:documentation)
+* [good first issue](https://github.com/testssl/testssl.sh/issues?q=is:issue%20state:open%20label:%22good%20first%20issue%22)
+* [help wanted](https://github.com/testssl/testssl.sh/issues?q=is:issue%20state:open%20label:%22help%20wanted%22)
+* [for grabs](https://github.com/testssl/testssl.sh/issues?q=is:issue%20state:open%20label:%22good%20first%20issue%22)
+
+For questions just open an issue.  Thanks for reading this!
 
-#### Patches via e-mail
 
-Of course it is fine when you want to send in patches to use e-mail. For the address please grep for SWCONTACT in testssl.sh .
-Let me know how you like them to be attributed.

Dockerfile

@@ -18,7 +18,7 @@ RUN source /etc/os-release \
   && zypper "${ZYPPER_OPTIONS[@]}" --gpg-auto-import-keys refresh \
   && rpm -e util-linux --nodeps \
   && zypper "${ZYPPER_OPTIONS[@]}" --non-interactive install --download-in-advance --no-recommends \
-       bash procps grep gawk sed coreutils busybox-util-linux busybox-vi ldns libidn2-0 socat openssl curl \
+       bash procps grep gawk sed coreutils busybox ldns libidn2-0 socat openssl curl \
   && zypper up -y \
   && zypper "${ZYPPER_OPTIONS[@]}" clean --all
 ## Cleanup (reclaim approx 13 MiB):
@@ -35,6 +35,7 @@ ARG INSTALL_ROOT
 COPY --link --from=builder ${INSTALL_ROOT} /
 # Link busybox to tar, see #2403. Create user + (home with SGID set):
 RUN  ln -s /usr/bin/busybox /usr/bin/tar \
+  && ln -s /usr/bin/busybox /usr/bin/hexdump \
   && echo 'testssl:x:1000:1000::/home/testssl:/bin/bash' >> /etc/passwd \
   && echo 'testssl:x:1000:' >> /etc/group \
   && echo 'testssl:!::0:::::' >> /etc/shadow \

Dockerfile.git

@@ -5,8 +5,8 @@ FROM alpine:3.20
 WORKDIR /home/testssl
 
 ARG BUILD_VERSION
-ARG ARCHIVE_URL=https://github.com/drwetter/testssl.sh/archive/
-ARG URL=https://github.com/drwetter/testssl.sh.git
+ARG ARCHIVE_URL=https://github.com/testssl/testssl.sh/archive/
+ARG URL=https://github.com/testssl/testssl.sh.git
 
 RUN test -n "${BUILD_VERSION}" \
     && apk update \

Readme.md

@@ -1,11 +1,11 @@
 
 ## Intro
 
-<!-- [![Travis CI Status](https://img.shields.io/travis/drwetter/testssl.sh)](https://travis-ci.org/drwetter/testssl.sh)  -->
-[![Build Status](https://github.com/drwetter/testssl.sh/actions/workflows/test.yml/badge.svg)](https://github.com/drwetter/testssl.sh/actions/workflows/test.yml)
-[![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/drwetter/testssl.sh?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
-[![License](https://img.shields.io/github/license/drwetter/testssl.sh)](https://github.com/drwetter/testssl.sh/LICENSE)
-[![Docker](https://img.shields.io/docker/pulls/drwetter/testssl.sh)](https://github.com/drwetter/testssl.sh/blob/3.2/Dockerfile.md)
+[![CI tests](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests.yml/badge.svg)](https://github.com/testssl/testssl.sh/actions/workflows/unit_tests.yml)
+[![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/testssl/testssl.sh?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
+[![License](https://img.shields.io/github/license/testssl/testssl.sh)](https://github.com/testssl/testssl.sh/LICENSE)
+[![Docker](https://img.shields.io/docker/pulls/testssl/testssl.sh)](https://github.com/testssl/testssl.sh/blob/3.2/Dockerfile.md)
+
 
 `testssl.sh` is a free command line tool which checks a server's service on
 any port for the support of TLS/SSL ciphers, protocols as well as some
@@ -45,16 +45,16 @@ due to bash-socket-based checks. As a result you can also use e.g. LibreSSL or O
 (silent) check for binaries is done when you start testssl.sh . System V needs probably
 to have GNU grep installed. MacOS X and Windows (using MSYS2, Cygwin or WSL) work too.
 
-Update notification here or @ [mastodon](https://infosec.exchange/@testssl) (old: [twitter](https://twitter.com/drwetter))
+Update notification here or @ [mastodon](https://infosec.exchange/@testssl or [bluesky](https://bsky.app/profile/testssl.bsky.social). Please note the [twitter](https://twitter.com/drwetter) account is not being used anymore.
 
 ### Installation
 
 You can download testssl.sh branch 3.2 just by cloning this git repository:
 
-    git clone --depth 1 https://github.com/drwetter/testssl.sh.git
+    git clone --depth 1 https://github.com/testssl/testssl.sh.git
 
-3.2 is now the latest branch which evolved from 3.1dev. It's in the release candidate phase.
-For the former stable version help yourself by downloading the [ZIP](https://codeload.github.com/drwetter/testssl.sh/zip/v3.0.8) or [tar.gz](https://codeload.github.com/drwetter/testssl.sh/tar.gz/v3.0.8) archive. Just ``cd`` to the directory created (=INSTALLDIR) and run it off there.
+3.2 is now the latest branch which evolved from 3.1dev. It's in the release candidate phase and considered as stable.
+For the former stable version named oldstable please help yourself by downloading the [ZIP](https://codeload.github.com/testssl/testssl.sh/zip/v3.0.9) or [tar.gz](https://codeload.github.com/testssl/testssl.sh/tar.gz/v3.0.9) archive. Just ``cd`` to the directory created (=INSTALLDIR) and run it off there.
 
 #### Docker
 
@@ -69,19 +69,19 @@ Or if you have cloned this repo you also can just ``cd`` to the INSTALLDIR and r
 docker build . -t imagefoo && docker run --rm -t imagefoo example.com
 ```
 
-For more please consult [Dockerfile.md](https://github.com/drwetter/testssl.sh/blob/3.2/Dockerfile.md).
+For more please consult [Dockerfile.md](https://github.com/testssl/testssl.sh/blob/3.2/Dockerfile.md).
 
 ### No Warranty
 
-Usage of the program is without any warranty. Use it at yor own risk. 
+Usage of the program is without any warranty. Use it at your own risk.
 
 Testssl.sh is intended to be used as a standalone CLI tool. While we tried to apply best practise security measures, we can't guarantee that the program is without any vulnerabilities. Running as a service may pose security risks and you're recommended to apply additional security measures.
 
 ### Status
 
-We're currently in the release candidate phase for version 3.2. Bigger features will be developed in a separate branch before merged into a 3.3dev to avoid hiccups or inconsistencies.
+We're currently in the release candidate phase for version 3.2. You should use it despite the label "RC". Bigger features will be developed in a separate branch before merged into a 3.3dev to avoid hiccups or inconsistencies.
 
-Version 3.0.X receives bugfixes, labeled as 3.0.1, 3.0.2 and so on. This will happen until 3.2 is released.
+Version 3.0.X receives bugfixes, labeled as 3.0.1, 3.0.2 and so on. This will happen until 3.2 is finally released.
 
 Support for 2.9.5 has been dropped. Supported is >= 3.0.x only.
 
@@ -93,16 +93,19 @@ Support for 2.9.5 has been dropped. Supported is >= 3.0.x only.
 
 ### Contributing
 
-Contributions are welcome! See [CONTRIBUTING.md](https://github.com/drwetter/testssl.sh/blob/3.2/CONTRIBUTING.md) for details. Please also have a look at the [Coding Convention](https://github.com/drwetter/testssl.sh/blob/3.2/Coding_Convention.md).
+Contributions are welcome! See [CONTRIBUTING.md](https://github.com/testssl/testssl.sh/blob/3.2/CONTRIBUTING.md) for details. Please also have a look at the [Coding Convention](https://github.com/testssl/testssl.sh/blob/3.2/Coding_Convention.md). A lot of contributors already helped to push the project where it currently is, see [CREDITS.md](https://github.com/testssl/testssl.sh/blob/3.2/CREDITS.md). We still you use your help now. A start would be look for issues which are labeled as [good first issue](https://github.com/testssl/testssl.sh/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22), [for grabs](https://github.com/testssl/testssl.sh/issues?q=is%3Aissue+is%3Aopen+label%3A%22for+grabs%22) or [help wanted](https://github.com/testssl/testssl.sh/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22). The latter is more advanced.
+
+In general there's some maintenance burden, like maintaining handshakes and CA stores, writing unit tests, improving github actions. If you believe you can contribute, speak up.
+
 
 ### Bug reports
 
 Bug reports are important. It makes this project more robust.
 
 Please file bugs in the issue tracker @ GitHub. Do not forget to provide detailed information, see template for issue, and further details @
-https://github.com/drwetter/testssl.sh/wiki/Bug-reporting. Nobody can read your thoughts -- yet. And only agencies your screen ;-)
+https://github.com/testssl/testssl.sh/wiki/Bug-reporting. Nobody can read your thoughts -- yet. And only agencies your screen ;-)
 
-You can also debug yourself, see [here](https://github.com/drwetter/testssl.sh/wiki/Findings-and-HowTo-Fix-them).
+You can also debug yourself, see [here](https://github.com/testssl/testssl.sh/wiki/Findings-and-HowTo-Fix-them).
 
 ----
 
@@ -129,7 +132,7 @@ Please address questions not specifically to the code of testssl.sh to the respe
 
 #### Brew package
 
-* see [#233](https://github.com/drwetter/testssl.sh/issues/233) and
+* see [#233](https://github.com/testssl/testssl.sh/issues/233) and
   [https://github.com/Homebrew/homebrew](https://github.com/Homebrew/homebrew)
 
 #### Daemon for batch execution of testssl.sh command files

bin/Readme.md

@@ -10,7 +10,7 @@ for some new / advanced cipher suites and/or features which are not in the
 official branch like (old version of the) CHACHA20+POLY1305 and CAMELLIA 256 bit ciphers.
 
 The (stripped) binaries this directory are all compiled from my openssl snapshot
-(https://github.com/drwetter/openssl-1.0.2.bad) which adds a few bits to Peter
+(https://github.com/testssl/openssl-1.0.2.bad) which adds a few bits to Peter
 Mosman's openssl fork (https://github.com/PeterMosmans/openssl). Thx a bunch, Peter!
 The few bits are IPv6 support (except IPV6 proxy) and some STARTTLS backports.
 
@@ -71,11 +71,11 @@ Compilation instructions
 If you want to compile OpenSSL yourself, here are the instructions:
 
 1.)
-    git git clone https://github.com/drwetter/openssl-1.0.2-bad
+    git git clone https://github.com/testssl/openssl-1.0.2-bad
     cd openssl
 
 
-2.) configure the damned thing. Options I used (see https://github.com/drwetter/testssl.sh/blob/master/utils/make-openssl.sh)
+2.) configure the damned thing. Options I used (see https://github.com/testssl/testssl.sh/blob/master/utils/make-openssl.sh)
 
 **for 64Bit including Kerberos ciphers:**