Merged
17 changes: 12 additions & 5 deletions Changelog.md
@@ -1,10 +1,9 @@
# Change Log

## 1.11.0 (in progress)
## 1.11.0

_Compared to the latest 1.10 release._


### TLS updates for NCSC 2025 guidelines

All tests were updated to match the
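Review bot: the header becomes `## 1.11.0` with no release date, while the `article release-1.11 date` entry added elsewhere in this PR states April 21, 2026; adding the date to this header keeps Changelog.md usable as a standalone record of when the release went out.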
Expand Down Expand Up @@ -34,10 +33,18 @@ Most significant changes:

### Significant internal changes

- ...
### Possibly required changes to deployments
- Upgraded to Django 5, Python 3.13, and Debian Trixie base image.
- Switched TLS implementation to sslyze/nassl based reimplementation.
- Switched to pyproject/uv.lock for project dependencies, replacing requirements files.
- Added post-quantum hybrid ECDHE-MLKEM for TLS 1.3 in our web server.
- Outgoing traffic now uses the configured public IPv4/IPv6 addresses.
- Routinator can now be configured with an allowlist for shared instances.

### Bug fixes

...
- Fixed [simhash exception when both address families fail](https://github.com/internetstandards/Internet.nl/issues/1893).
- Fixed JSON serialization of sets in batch results.
- Fixed [report generation locking](https://github.com/internetstandards/Internet.nl/issues/1749) for results views.

### API changes

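Review bot: the `### Possibly required changes to deployments` heading is deleted and its content folded into `### Significant internal changes`, yet several of the new bullets may require operator action (the Django 5 / Python 3.13 / Debian Trixie base image upgrade, the switch from requirements files to `pyproject`/`uv.lock`, outgoing traffic now bound to the configured public IPv4/IPv6 addresses, the Routinator allowlist); consider keeping a deployment section or flagging those bullets so upgraders can find them. The three `### Bug fixes` entries replace a `...` placeholder, so check that no other fix merged since 1.10 is missing from the list.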
5 changes: 4 additions & 1 deletion docker/webserver.Dockerfile
@@ -1,6 +1,9 @@
FROM nginx:1.29.1-alpine3.22

RUN apk add --no-cache \
RUN apk upgrade --no-cache \
# upgrade libexpat to match python3's pyexpat native module
libexpat \
&& apk add --no-cache \
# for random quic host key
openssl \
# for htpasswd
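Review bot: `apk upgrade --no-cache libexpat` pulls whatever libexpat the Alpine 3.22 repository serves at build time, so the image is no longer reproducible from the pinned base `nginx:1.29.1-alpine3.22`, and the comment does not say which version the Python side expects; either pin the package version or record the expected version in the comment so the extra step can be dropped once the base image catches up. Unpinned in-place upgrades are also the kind of line that silently goes stale when the base tag is next bumped.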
877 changes: 548 additions & 329 deletions translations/en/main.po

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion translations/en/manual_hof.po
Expand Up @@ -17,7 +17,7 @@ msgstr ""
"\n"
"These hosters are allowed to use the 'Internet.nl compliant badge' that is shown on this page in their own communications.\n"
"\n"
"The scores of the listed hosters' own domains are automatically [checked and published](https://dashboard.internet.nl/#/published/103/). \n"
"The scores of the listed hosters' own domains are automatically [checked and published](https://dashboard.internet.nl/published/103/). \n"
"\n"
"---"

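Review bot: the link target drops the `#/` hash-router segment; confirm that the dashboard actually serves `/published/103/` as a plain server-side path, since this is a routing change on the dashboard side rather than a cosmetic URL edit, and check whether the other locale files carry the same old URL.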
107 changes: 101 additions & 6 deletions translations/en/news.po
Expand Up @@ -4,6 +4,7 @@ msgstr ""

msgid "article .index"
msgstr ""
"release-1.11\n"
"punktum-dk-contribution\n"
"release-1.10\n"
"release-1.9\n"
Expand All @@ -30,7 +31,7 @@ msgstr ""

msgid "article UA-day-2023 body"
msgstr ""
"UA regards new TLDs (for example, those with more than 2 or 3 characters such as .amsterdam), as well as domain names and email addresses with non-latin characters (such as `straße.de`, `example.ελ` or `überhaupt@example.nl`).\n"
"UA regards new TLDs (for example, those with more than 2 or 3 characters such as .amsterdam), as well as domain names and email addresses with non-latin characters (such as `straße.de`, `example.ελ` or `überhaupt@example.org`).\n"
"\n"
"On March 28 the Dutch Internet Standards Platform is organising an open dialogue meeting on UA with participants from ICANN, SIDN, and the Dutch National Office for Identity Data (RvIG), among others. The goal is to gain a better understanding of the issues, as well as possible solutions and actions.\n"
"\n"
Expand Down Expand Up @@ -306,7 +307,7 @@ msgstr ""
"* The detection of the internet provider is more precise and timeouts occur less frequent.\n"
"\n"
"## Website test\n"
"* The test checks whether a HSTS-policy is available. Through HSTS a web browser will 'know' after the first visit that a website can only be accessed through a secure connection (HTTPS, not HTTP). This can prevent so-called man-in-the-middle attacks, e.g. when using public Wi-Fi. In case of deviations, the message is no longer 'orange' but 'red'.\n"
"* The test checks whether a HSTS-policy is available. Through HSTS a web browser will 'know' after the first visit that a website can only be accessed through a secure connection (HTTPS, not HTTP). This can prevent so-called Machine-in-the-Middle (MitM) attacks, e.g. when using public Wi-Fi. In case of deviations, the message is no longer 'orange' but 'red'.\n"
"* The test now checks whether the website enforces HTTPS by using a server redirect (301 or 302) or by applying only HTTPS (and no HTTP). In case of deviations, the message is no longer 'orange' but 'red'.\n"
"* In the case of some websites, the TLS results incorrectly showed that 'client-initiated renegotiation' was allowed. This has been solved.\n"
"* In the test results of websites with a redirect from IPv6/IPv4 to IPv4-only, the HSTS-policy over IPv6 remained incorrectly undetected. This has been solved.\n"
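Review bot: the changed line still reads `whether a HSTS-policy is available`; since the sentence is being edited anyway for the MitM wording, `whether an HSTS policy is available` would fix the article, and the unchanged context line above it, `timeouts occur less frequent`, should read `less frequently`.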
Expand Down Expand Up @@ -451,7 +452,7 @@ msgstr ""
"* Non-receiving domain: In case you do not want to receive mail on your domain that has A/AAAA records, we advise you to use [Null MX](https://www.rfc-editor.org/rfc/rfc7505). In case your domain does *not* have A/AAAA records and you do not want to receive mail on it, we advise you to configure no MX record at all (i.e. even *not* an Null MX record). \n"
"\n"
"## Minimum max-age for HSTS extended\n"
"HTTP Strict Transport Security ([HSTS](https://www.rfc-editor.org/rfc/rfc6797)) forces a web browser to connect directly via HTTPS when revisiting your website. This helps preventing man-in-the-middle attacks. We have decided to extend the mimimum HSTS cache validity period from 6 months to 1 year (`max-age=31536000`). This is in conformance with the common good practice. \n"
"HTTP Strict Transport Security ([HSTS](https://www.rfc-editor.org/rfc/rfc6797)) forces a web browser to connect directly via HTTPS when revisiting your website. This helps preventing Machine-in-the-Middle (MitM) attacks. We have decided to extend the mimimum HSTS cache validity period from 6 months to 1 year (`max-age=31536000`). This is in conformance with the common good practice. \n"
"\n"
"Further details on the above improvements can be found in the test explanations of the relevant subtests of the [website test](/test-site/) and the [email test](/test-mail/). \n"
"\n"
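Review bot: `mimimum` in the changed line is a typo for `minimum`, and `This helps preventing` should be `This helps prevent`; both are worth fixing while the sentence is already being rewritten.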
Expand Down Expand Up @@ -526,10 +527,10 @@ msgstr ""
"Below we describe the major changes.\n"
"\n"
"* The previous version of Internet.nl did test the **security of the HTTPS configuration over either IPv6 or IPv4**. Through manual testing we regularly see websites that have unintended different HTTPS configurations over IPv6 and IPv4. Therefore in the new release the HTTPS configuration is tested over both IPv6 and IPv4. **From now on** the result of this test item is part of the overall score in the website test.\n"
"* The website tests checks whether a **HSTS policy** is published. Through HSTS a web browser gets informed after the first usage that a website only may be visited over HTTPS. This can prevent so-called man-in-the-middle attacks (for example when a public Wi-Fi hotspot is used). The result of this test item is displayed as an orange warning in case the HSTS policy is absent. As of **July 2016** the result will be part of the score in the website test.\n"
"* The website tests checks whether a **HSTS policy** is published. Through HSTS a web browser gets informed after the first usage that a website only may be visited over HTTPS. This can prevent so-called Machine-in-the-Middle (MitM) attacks (for example when a public Wi-Fi hotspot is used). The result of this test item is displayed as an orange warning in case the HSTS policy is absent. As of **July 2016** the result will be part of the score in the website test.\n"
"* The website test does test whether **HTTPS is enforced** for a website. There are two ways to enforce HTTPS that are described below.The result of this test item is displayed as an orange warning in case the HSTS policy is absent. As of **July 2016** the result will be part of the score in the website test.\n"
" 1. By redirecting HTTP to HTTPS. This can be done by redirecting `http://example.nl` to `https://example.nl`. It is important that both domain names are identical because a web browser does only accept a HSTS policy for a certain domain when a HTTPS connection is used. If `http://example.nl` redirects to `https://www.example.nl` then a HSTS policy normally will not be used by the browser, unless a user explicitly enters `https://example.nl` or clicks on a hyperlink with this URL.\n"
" 2. By only supporting HTTPS and no HTTP. Because a browser normally uses a HTTP-connection after a user enters a domain name, users should enter `https://example.nl` to reach the website or click on a hyperlink with this URL.\n"
" 1. By redirecting HTTP to HTTPS. This can be done by redirecting `http://example.org` to `https://example.org`. It is important that both domain names are identical because a web browser does only accept a HSTS policy for a certain domain when a HTTPS connection is used. If `http://example.org` redirects to `https://www.example.org` then a HSTS policy normally will not be used by the browser, unless a user explicitly enters `https://example.org` or clicks on a hyperlink with this URL.\n"
" 2. By only supporting HTTPS and no HTTP. Because a browser normally uses a HTTP-connection after a user enters a domain name, users should enter `https://example.org` to reach the website or click on a hyperlink with this URL.\n"
"* The website test does check whether **HTTP compression** is used. Enabling HTTP compression does make many websites vulnerable for BREACH when no other mitigating measures are in place. Switching off HTTP compression could negatively impact performance. In case HTTP compression is detected an **orange warning** is displayed.\n"
"* The website test of the previous version of Internet.nl already checked whether the **content of a website was similar over IPv6 and IPv4**. The test took into account legitimate differences for example caused by different add banners. The result of this test item **from now on** is part of the overall score in the website test. \n"
"* If a user does enter a **non-existing domain name** a red error message is displayed.\n"
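Review bot: the changed line still opens with `The website tests checks` (should be `The website test checks`), and the unchanged line below it, `described below.The result`, is missing a space after the period. The switch from `example.nl` to `example.org` is the right call: `example.nl` is a real, registrable domain, whereas `example.org` is reserved for documentation by RFC 2606.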
Expand Down Expand Up @@ -803,6 +804,100 @@ msgstr ""
msgid "article release-1.10 title"
msgstr "Internet.nl adds CAA test and announces TLS test changes"

msgid "article release-1.11 body"
msgstr ""
"## What is TLS?\n"
"\n"
"## Why is securely configured TLS important?\n"
"\n"
"## NCSC's latest TLS guidelines\n"
"\n"
"## Other improvements in this release\n"
"\n"
"## Roadmap next release\n"
"\n"
"## About Internet.nl\n"
"The test tool [Internet.nl](https://internet.nl) is an initiative of the Dutch Internet Standards Platform which is a collaboration of partners from the Internet community and the Dutch government. The aim of the platform is to jointly increase the use of modern Internet standards to make the Internet more accessible, safer and more reliable for everyone. The software code of Internet.nl is available under an open source license. \n"
"\n"
"---\n"
"\n"
"## Release notes 1.11\n"
"\n"
"### TLS updates for NCSC 2025 guidelines\n"
"\n"
"All tests were updated to match the\n"
"[2025-05 version of the NCSC TLS guidelines](https://www.ncsc.nl/en/transport-layer-security-tls/security-guidelines-for-transport-layer-security-2025-05).\n"
"Most significant changes:\n"
"\n"
"- The list of good/sufficient/phase out/insufficient TLS versions, TLS authentication, curves, hashes, \n"
" key exchange algorithms, FFDHE groups, RSA key lengths, and bulk encryption algorithms were updated\n"
" to match the new guidelines.\n"
"- A test for Extended Master Secret (RFC7627) was added.\n"
"- Client-initiated renegotiation is now acceptable, if limited to less than 10 renegotiations.\n"
"- All checks on certificates apply to all certificates sent by the server,\n"
" except root certificates (according to our trust store). In previous versions,\n"
" the certificate selection was different per test.\n"
"\n"
"### Other TLS updates\n"
"\n"
"- Certificates that do not have OCSP enabled, which means stapling is not possible,\n"
" [are now detected as such](https://github.com/internetstandards/Internet.nl/issues/1641).\n"
" Several issues with OCSP stapling reliability were also resolved.\n"
"- Issues were fixed where the cipher order failed to detect some bad scenarios,\n"
" including some where servers preferred RSA over ECDHE, or CBC over POLY1305.\n"
"- CCM_8 ciphers are now detected when enabled on a server.\n"
"- OLD ciphers are no longer detected.\n"
"- The cipher order test no longer separates between \"the server cipher order preference is wrong\" \n"
" and \"the server has no preference\".\n"
"\n"
"### Significant internal changes\n"
"\n"
"- Upgraded to Django 5, Python 3.13, and Debian Trixie base image.\n"
"- Switched TLS implementation to sslyze/nassl based reimplementation.\n"
"- Switched to pyproject/uv.lock for project dependencies, replacing requirements files.\n"
"- Added post-quantum hybrid ECDHE-MLKEM for TLS 1.3 in our web server.\n"
"- Outgoing traffic now uses the configured public IPv4/IPv6 addresses.\n"
"- Routinator can now be configured with an allowlist for shared instances.\n"
"\n"
"### Bug fixes\n"
"\n"
"- Fixed [simhash exception when both address families fail](https://github.com/internetstandards/Internet.nl/issues/1893).\n"
"- Fixed JSON serialization of sets in batch results.\n"
"- Fixed [report generation locking](https://github.com/internetstandards/Internet.nl/issues/1749) for results views.\n"
"\n"
"### API changes\n"
"\n"
"This release has API version 2.7.0.\n"
"\n"
"The changes noted above are reflected in the API as well, e.g. which ciphers\n"
"are considered bad, as listed in the API output, along with score impacts.\n"
"\n"
"Additionally, the API structure changes are:\n"
"- OCSP stapling has a new status `not_in_cert` (not_tested), for when a certificate does not have\n"
" OCSP enabled, therefore stapling is neither required nor possible.\n"
"- The cipher order status no longer returns `not_prescribed` or `not_seclevel` for new tests.\n"
" The insufficient status is now `bad` (failed) for preferring phase out over good and/or sufficient,\n"
" regardless of the reason (server not enforcing any preference or server enforcing wrong preference).\n"
"- `cert_signature_phase_out` was added to the TLS details, listing certificate signature algorithms\n"
" that are at phase-out level (warning). Analogous to the existing `cert_signature_bad`.\n"
"- `extended_master_secret` was added to the TLS details, with values: `supported` (good),\n"
" `not_supported` (failed), `na_no_tls_1_2` (good), `unknown` (not_tested).\n"
"- `client_reneg` in the TLS details was changed from a boolean to a string enum with values:\n"
" `not_allowed` (good), `allowed_with_low_limit` (info), `allowed_with_too_high_limit` (failed)."

msgid "article release-1.11 date"
msgstr "April 21, 2026"

msgid "article release-1.11 lead"
msgstr ""
"As of today, you can use Internet.nl to check whether the secure connection "
"for your website or email is compliant with the latest TLS guidelines from "
"NCSC-NL. This means that websites and email servers that previously passed "
"the test may now still have areas for improvement."

msgid "article release-1.11 title"
msgstr "Fully updated TLS test in new version of Internet.nl"

msgid "article release-1.7 body"
msgstr ""
"## Improved CSP test\n"
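Review bot: five of the new article sections (`## What is TLS?`, `## Why is securely configured TLS important?`, `## NCSC's latest TLS guidelines`, `## Other improvements in this release`, `## Roadmap next release`) have no body, so with `article release-1.11 date` set to April 21, 2026 the article would be published as a run of bare headings followed by the release notes; fill them in or remove them before merge. The `## Release notes 1.11` block repeats Changelog.md word for word, so any later correction to the Changelog has to be mirrored here by hand. Minor: the list under `Additionally, the API structure changes are:` follows the sentence without a blank line, which not every Markdown renderer treats as a list; inserting a `"\n"` line matches the style used before the other lists in this msgstr.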