- update to 2.1.5:

* Various build improvements

OBS-URL: https://build.opensuse.org/package/show/security/sslscan?expand=0&rev=46

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -0,0 +1 @@
+.osc

fedora-sslscan-patents.patch

@@ -0,0 +1,21 @@
+diff --git a/sslscan.c b/sslscan.c
+index a7b0233..2698f90 100644
+--- a/sslscan.c
++++ b/sslscan.c
+@@ -2891,6 +2891,8 @@ int showCertificate(struct sslCheckOptions *options)
+                                                     printf("    DSA Public Key: NULL\n");
+                                                 }
+                                                 break;
++                                            /* Comment out patented technology not enabled in Fedora */
++                                            /*
+                                             case EVP_PKEY_EC:
+                                                 if (EVP_PKEY_get1_EC_KEY(publicKey)!=NULL)
+                                                 {
+@@ -2908,6 +2910,7 @@ int showCertificate(struct sslCheckOptions *options)
+                                                     printf("    EC Public Key: NULL\n");
+                                                 }
+                                                 break;
++                                            */
+                                             default:
+                                                 printf("    Public Key: Unknown\n");
+                                                 printf_xml("   <pk error=\"true\" type=\"unknown\" />\n");

sslscan-2.1.4.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3e2a5b1f53d1f132b4d999ff450d2cc40e9efb648cea89b74f5944b768a10e63
+size 114318

sslscan-2.1.5.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b36616b1d59f3276af6ff9495ab8178ec6812393582fb3c094c56cc873efe956
+size 114247

sslscan.changes

@@ -0,0 +1,396 @@
+-------------------------------------------------------------------
+Wed Oct 23 08:47:22 UTC 2024 - Dirk Müller <dmueller@suse.com>
+
+- update to 2.1.5:
+  * Various build improvements
+
+-------------------------------------------------------------------
+Thu Jul 25 09:38:59 UTC 2024 - Dirk Müller <dmueller@suse.com>
+
+- update to 2.1.4:
+  * Display the full cert chain --show-certificates
+
+-------------------------------------------------------------------
+Mon Feb 26 13:40:59 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Use %patch -P N instead of deprecated %patchN.
+
+-------------------------------------------------------------------
+Sat Jan 27 13:27:05 UTC 2024 - Dirk Müller <dmueller@suse.com>
+
+- update to 2.1.3:
+  * Enable quiet shutdown for scanning
+  * Fix Docked build on non-x64 architectures
+
+-------------------------------------------------------------------
+Sat Nov 25 16:47:33 UTC 2023 - Dirk Müller <dmueller@suse.com>
+
+- update to 2.1.2:
+  * Fix certificate and cipher enumeration when unsafe
+    renegotiation is required
+
+-------------------------------------------------------------------
+Fri Nov 10 15:21:49 UTC 2023 - Dirk Müller <dmueller@suse.com>
+
+- update to 2.1.1:
+  * Work around several dodgy TLS implementations
+
+-------------------------------------------------------------------
+Thu Sep 14 12:41:24 UTC 2023 - Andrea Manzini <andrea.manzini@suse.com>
+
+- update to 2.1.0:
+  *  Build against OpenSSL 3.0 instead of 1.1.0 (credit jtesta)
+
+-------------------------------------------------------------------
+Sun Apr 16 17:56:03 UTC 2023 - Dirk Müller <dmueller@suse.com>
+
+- update to 2.0.16:
+  * Fix incorret detection of TLSv1.3 on Server 2019
+  * Fix incorrect XML certificate output
+
+-------------------------------------------------------------------
+Tue Aug  2 11:31:57 UTC 2022 - Dirk Müller <dmueller@suse.com>
+
+- update to 2.0.15:
+  * Obtain certificate info even if we can't connect properly
+  * Strip out https:// from lines in a target file
+  * Fix TLSv1.3 detection against Server 2022 (credit jtesta)
+
+-------------------------------------------------------------------
+Sun Mar 27 19:36:15 UTC 2022 - Dirk Müller <dmueller@suse.com>
+
+- update to 2.0.12:
+  * Add <not-yet-valid> XML element (credit lucacapacci)
+
+-------------------------------------------------------------------
+Tue Jan  4 18:30:00 UTC 2022 - Dirk Müller <dmueller@suse.com>
+
+- update to 2.0.11:
+  * Add --iana-names option to use IANA/RFC cipher names
+  * Improve signature algorithm detection
+
+-------------------------------------------------------------------
+Tue May 11 21:50:32 UTC 2021 - Dirk Müller <dmueller@suse.com>
+
+- update to 2.0.10:
+  * Add the --connect-timeout option (credit alkalim)
+  * Fix a typo in output
+  * Warn on TLSv1.1, as it's now deprecated by RFC 8996
+  * Fix a bug with LDAP STARTTLS
+  * Fix certificate detection on some broken servers
+  * Fix missing SCSV Fallback in XML output
+  * Don't show server signature algorithms by default
+  * Use --show-sigs to display them
+
+-------------------------------------------------------------------
+Fri Dec 18 10:01:53 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
+
+- Upgrade to version 2.0.6
+
+  * Add <error> element to XML output
+
+  * Fix the extraneous padding of HTTP responses in XML
+  * Update the HTTP request to HTTP/1.1
+  * More robust checking the HTTP response is valid
+  * Display "No response" when no HTTP response is returned
+
+  * Remove the broken HTTP request scanning option (--http)
+
+  * Fix --targets not working properly
+
+  * Flag certificates in red if CN is the same as issuer
+
+-------------------------------------------------------------------
+Mon Sep 28 10:16:55 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
+
+- Upgrade to version 2.0.1
+
+  * Correctly set SNI name when using --targets. Fixes gh#rbsec/sslscan#215
+
+-------------------------------------------------------------------
+Thu Jul 23 12:25:27 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
+
+- Upgrade to version 2.0.0
+  Version 2 of sslscan includes a major rewrite of the backend scanning code,
+  which means that it is no longer reliant on the version of OpenSSL for many
+  checks. This means that it is possible to support legacy protocols (SSLv2 and
+  SSLv3), as well as supporting TLSv1.3 - regardless of the version of OpenSSL
+  that it has been compiled against. It is still recommended to build statically
+  where possible, but dynamically built version should be significantly more
+  useful.
+
+  Note that there are also some breaking changes to the XML output, which are
+  documented in the readme file.
+
+  This rewrite been made possible largely by the work of jtesta, who has been
+  responsible for most of the backend rewrite.
+
+- Cleaned up spec file
+
+-------------------------------------------------------------------
+Wed Jul 22 14:11:33 UTC 2020 - Wolfgang Frisch <wolfgang.frisch@suse.com>
+
+- Upgrade to version 2.0.0-beta6
+  * Various bugfixes
+  * Added -4 and -6 options to force IPv4 and IPv6.
+  * Added strength attribute to XML to reflect colouring in stdout
+  * Checks for server signature algorithms.
+  * Checks for server key exchange groups.
+  * Support for SSLv2 and SSLv3 protocol detection regardless of OpenSSL
+  * Support for TLSv1.3
+  * Support for additional cipher suites.
+  * Print curve name and key strength for ECC certs
+  * Fix a bug with servers that return incorrect cipher IDs.
+  * Add a new "<certificates>" element to the XML output.
+  * Remove the "Signature Algorithm:" text and spacing from the XML.
+  * Report servers that accept any signature algorithm in the XML
+- Rebased fedora-sslscan-patents.patch
+- OpenSSL dependency bumped to >= 1.1
+
+-------------------------------------------------------------------
+Fri Feb  2 12:34:34 UTC 2018 - jweberhofer@weberhofer.at
+
+- Simplified requirements
+
+-------------------------------------------------------------------
+Thu Feb  1 16:46:03 UTC 2018 - jweberhofer@weberhofer.at
+
+- Use openssl<1.1 for suse_version >= 1500
+
+-------------------------------------------------------------------
+Mon Dec 25 06:30:34 UTC 2017 - jweberhofer@weberhofer.at
+
+- Fix building on factory (use openssl 1.0.0)
+
+- Upgrade to version 1.11.10
+  * Support for ChaCha ciphers
+  * Add support for STARTTLS on mysql (--starttls-mysql)
+  * Display SNI information in XML output
+  * Mark SHA-1 certificates as weak
+
+-------------------------------------------------------------------
+Mon Dec 18 06:03:17 UTC 2017 - jweberhofer@weberhofer.at
+
+- Fixed building on SLES systems
+
+-------------------------------------------------------------------
+Mon Nov 28 23:49:30 UTC 2016 - jweberhofer@weberhofer.at
+
+- Upgrade to version 1.11.8
+  * Support alternate SNI hostnames (--sni=)
+  * Allow building with no support for TLS SCSV Fallback
+
+- Removed SSL_MODE_SEND_FALLBACK_SCSV (integrated upstream)
+
+-------------------------------------------------------------------
+Mon Oct 31 13:51:36 UTC 2016 - manfred.h@gmx.net
+
+- SSL_MODE_SEND_FALLBACK_SCSV.patch: Add patch to treat SSL_MODE_SEND_FALLBACK_SCSV conditionally.
+
+-------------------------------------------------------------------
+Thu Oct 27 09:12:12 UTC 2016 - jweberhofer@weberhofer.at
+
+- Highlighted features:
+  * Support for
+    - STARTTLS: POP3, IMAP, FTP, XMPP
+    - PostgreSQL
+    - IPv6 addresses
+    - TLSv1.1 and TLSv1.2
+    - XMPP server-to-server connections
+  * Added check for
+    - OpenSSL Heartbleed
+    - POODLE
+  * Highlight the following issues
+    - weak RSA and DHE keys in output
+    - SSLv2, SSLv3, RC4 ciphers
+    - anonymous ADH and AECDH ciphers
+    - weak (n <= 40 bit) and medium (40 < n <= 56 bit)
+  * Certificates
+    - Display certificate signing algorithm highlighting weak algorithms.
+    - Display certificate key strength highlighting weak keys.
+    - Flag expired certificates
+  * Most secure protocols are scanned first
+  * Display cipher details by default
+
+- rebased fedora-sslscan-patents.patch
+- removed obsolete patches
+
+- Upgraded to version 1.11.7
+   * Check for TLS Fallback SCSV
+   * Allow xml to be output on stdout (--xml=-)
+
+- Version 1.11.6
+   * Re-eanble support for weak (<1024) DH keys in OpenSSL
+
+- Version 1.11.5
+   * Fix bug in heartbleed check (credit nuxi)
+   * Makefile improvements and fixes for OSX and FreeBSD
+   * Optimize OpenSSL clone
+   * Implement --show-times to display handshake times in milliseconds
+
+- Version 1.11.4
+   * Fix compression detection (credit nuxi)
+   * Added support for PostgreSQL (credit nuxi)
+
+- Version 1.11.3
+   * Properly fix missing SSLv2 EXPORT ciphers by patching OpenSSL
+
+- Version 1.11.2
+   * Makefile improvements
+   * Update OpenSSL from Git when statically building
+   * Use enable-ssl2 and enable-weak-ciphers when building statically
+
+- Version 1.11.1
+   * Show cipher IDs with --show-cipher-ids (credit maurice2k)
+   * Warn when building agsinst system OpenSSL rather than statically
+   * Allow building statically on OSX (experimental)
+
+- Version 1.11.0
+   * Rewrote ciphersuite scanning engine to be much faster
+   * Ciphers are now output in order of server preference
+   * Most secure protocols are scanned first (TLSv1.2 -> SSLv2)
+   * All protocols are tried when trying to obtain the certificate
+   * Obselete --failed and --no-preferred-ciphers options removed
+   * Flag TLSv1.0 ciphers in output
+   * Flag 56 bit ciphers as red, not yellow
+   * Fix building on OpenBSD (credit Stuart Henderson)
+   * Fix incorrect output when server prefers NULL ciphers
+
+- Version 1.10.6
+   * Fix --sleep only working for whole seconds (credit dmke)
+   * Fix compiling against OpenSSL 0.9.8 (credit aclemons)
+   * Flag expired certificates (credit jacktrice)
+
+- Version 1.10.5
+   * Added IRC STARTTLS support (--starttls-irc, credit jkent)
+   * Highlight weak RSA keys in output
+   * Added option to show OCSP status (--ocsp, credit kelbyludwig)
+   * Fix a segfault with certificate parsing
+
+- Version 1.10.4
+   * Display cipher details by default (hide with --no-cipher-details)
+   * Fix scanning multiple targets if one fails (credit shellster)
+   * Fix bug with --no-color and --failed (credit yasulib)
+   * Minor bugfixes to output
+
+- Version 1.10.3
+   * Flag weak DHE keys in --cipher-details
+   * Report DHE key bits in XML
+   * Change ECDHE key bits to "ecdhebits" rather than "dhebits" in XML
+
+- Version 1.10.2
+   * Wrap TLS extensions in CDATA blocks in XML output.
+   * Fix incorrect TLS versions in heartbleed checks
+
+- Version 1.10.1
+   * Fix XML output to use "TLSv1.0" in preferred ciphers, not "TLSv1"
+   * Added --cipher-details option to display EC curves and EDH keys
+ Note that this feature requires OpenSSL >= 1.0.2
+   * Update static build options to compile against OpenSSL 1.0.2
+
+- Version 1.10.0
+   * Experimental build support (credit jtesta).
+   * Support XMPP server-to-server connections (--xmpp-server).
+
+- Version 1.9.11
+   * Makefile updates to assist packaging in Kali.
+   * Fix missing static build number when compiling from tarball.
+
+- Version 1.9.10
+   * Display certificate CN, Altnames and Issuer in default output.
+   * Flag certificates where CN == issuer, or CN = *
+   * Highlight GCM ciphersuites as good
+
+- Version 1.9.9
+   * Added --show-client-cas option to determine trusted CAs
+ for client authentication
+   * Added --no-preferred option to disable any output except specified
+
+- Version 1.9.8
+   * Added --sleep option to pause between request
+   * Only check for heartbleed against specified TLS version
+   * Added --sleep option to pause between request
+   * Fix issues compiling against OpenSSL 0.9.8
+   * Highlight CBC ciphersuites on SSLv3 (POODLE)
+   * Experimental build support on OSX (credit MikeSchroll)
+
+- Version 1.9.7
+   * Added option for static compilation with OpenSSL (credit dmke)
+   * Added "sslmethod" attribute to Heartbleed XML output (credit dmke)
+   * Split headers into sslscan.h (credit dmke)
+
+- Version 1.9.6
+   * Highlight NULL ciphers in output.
+   * Highlight SSLv3 ciphers.
+   * Added --rdp option to support RDP servers (credit skettler).
+   * Added --timeout option to set socket timeout (default 3s).
+
+- Version 1.9.5
+   * Renamed --get-certificate option to --show-certficate.
+   * Display certificate signing algorithm highlighting weak algorithms.
+   * Display certificate key strength highlighting weak keys.
+   * Bumped XML version to 1.9.5 due to minor changes.
+
+- Version 1.9.4
+   * Check for SSLv2 and SSLv3 ciphers over STARTTLS.
+
+- Version 1.9.3
+   * Fixed broken STARTTLS SMTP check.
+
+- Version 1.9.2
+   * Added check for OpenSSL Heartbleed (CVE-2014-0160).
+
+- Version 1.9.1
+   * Added --tlsall option to only scan TLS ciphersuites.
+   * Scan all TLS versions by default for STARTTLS services.
+   * Added support for IPv6 addresses using square bracket notation [:1].
+   * Highlight anonymous (ADH and AECDH) ciphers in output.
+   * Added option to disable colour in output (--no-colour).
+   * Removed undocumented -p output option.
+   * Removed old references to titania.co.uk domain.
+
+- Version 1.9
+   * Highlight SSLv2 ciphers
+   * Highlight weak (n <= 40 bit) and medium (40 < n <= 56 bit) ciphers
+   * Highlight RC4 ciphers
+   * Highlight anonymous (ADH) ciphers
+   * Hide certificate information by default
+   * Hide rejected ciphers by default (display with --failed).
+   * Added TLSv1.1 and TLSv1.2 support (merged from twwbond/sslscan).
+   * Compiles if OpenSSL does not support SSLv2 ciphers (merged from digineo/sslscan).
+   * Supports IPv6 hostnames (can be forced with --ipv6).
+   * Check for TLS compression (CRIME, disable with --no-compression)
+
+- Version 1.8.4
+   * Add demo targets in Makefile
+   * Refactoring of code by Adam Langley
+   * Add SNI patch from Tim Brown
+   * Bug fixes from craSH and Cygwin build improvements
+
+- Version 1.8.3
+
+   * Improve new protocol setup support for STARTTLS: POP3, IMAP, FTP, and
+     XMPP This modeled after the support found in OpenSSL's s_client
+   * Add verbose option to print more info
+   * Add default ports when a STARTTLS setup flag is called without any port at all
+-------------------------------------------------------------------
+Sun Apr 27 17:35:29 UTC 2014 - lars@linux-schulserver.de
+
+- enable parallel build
+
+-------------------------------------------------------------------
+Tue Sep 11 14:16:02 UTC 2012 - frank.lichtenheld@sophos.com
+
+- add TLSv1.1 and TLSv1.2 support for OpenSSL >= 1.0.1
+
+-------------------------------------------------------------------
+Fri Aug 10 21:09:50 UTC 2012 - frank.lichtenheld@sophos.com
+
+- import patch from fedora to allow building on fedora
+
+-------------------------------------------------------------------
+Thu Aug  9 20:01:09 UTC 2012 - frank.lichtenheld@sophos.com
+
+- initial packaging
+* patches taken from Debian packaging
+

sslscan.spec

@@ -0,0 +1,58 @@
+#
+# spec file for package sslscan
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name:           sslscan
+Version:        2.1.5
+Release:        0
+Summary:        SSL cipher scanning tool
+License:        SUSE-GPL-3.0+-with-openssl-exception
+Group:          Productivity/Networking/Diagnostic
+URL:            https://github.com/rbsec/sslscan
+Source:         https://github.com/rbsec/sslscan/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
+#Patches copied from Debian package
+Patch1:         fedora-sslscan-patents.patch
+BuildRequires:  pkgconfig
+BuildRequires:  pkgconfig(libssl) >= 3.0
+
+%description
+SSLScan determines what ciphers are supported on SSL-based services,
+such as HTTPS. Furthermore, SSLScan will determine the preferred
+ciphers of the SSL service.
+
+%prep
+%setup -q
+%if %{defined fedora}
+%patch -P 1 -p1
+%endif
+
+%build
+%make_build CFLAGS="%{optflags} -fPIE"
+
+%install
+install -d "%{buildroot}%{_bindir}"
+install -d "%{buildroot}%{_mandir}/man1"
+make install PREFIX="%{buildroot}%{_prefix}"
+
+%files
+%defattr(0644,root,root)
+%doc README.md
+%license LICENSE
+%attr(0755,root,root) %{_bindir}/sslscan
+%{_mandir}/man1/sslscan.1%{?ext_man}
+
+%changelog