After looking into testssl.sh again, I noticed on the release page[0] it states
that 2.9.5 won't be supported once 3.0 lands, and encourages distributors to
pick up 3.0rc5. I did some packaging work[1] to import the new version, refresh
patches, and other minor things and it'd be cool if you could pull the changes.
This version is specifically interesting as it has support for TLS 1.3.
I really appreciate your work, but version 3.0 of testssl has a licensing issue
that needs to be resolved before packaging it for Debian: upstream decided to add
a clause to their GPL license stating that any public use of it must mention where they've
I *think* this is ok (didn't thought enough about it) but I feel like a discussion on debian-legal
would be better and I don't feel confident uploading this without it.
Did you notice that as well? What are you thoughts on it?
On a sidenote, if I remember correctly, testsssl suffers from the same issue as o-saft,
another ssl vuln detector, as it needs to have an old version of openssl to check for legacy
stuff, otherwise it won't support them.
Regards,