commit 3c74f1e12ee8e38ba6a71fbdacc1980bb443d08f34a9686cfda7c492d15540f5 Author: Dirk Mueller Date: Wed Oct 23 08:47:31 2024 +0000 - update to 2.1.5: * Various build improvements OBS-URL: https://build.opensuse.org/package/show/security/sslscan?expand=0&rev=46 diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/fedora-sslscan-patents.patch b/fedora-sslscan-patents.patch new file mode 100644 index 0000000..84678e3 --- /dev/null +++ b/fedora-sslscan-patents.patch @@ -0,0 +1,21 @@ +diff --git a/sslscan.c b/sslscan.c +index a7b0233..2698f90 100644 +--- a/sslscan.c ++++ b/sslscan.c +@@ -2891,6 +2891,8 @@ int showCertificate(struct sslCheckOptions *options) + printf(" DSA Public Key: NULL\n"); + } + break; ++ /* Comment out patented technology not enabled in Fedora */ ++ /* + case EVP_PKEY_EC: + if (EVP_PKEY_get1_EC_KEY(publicKey)!=NULL) + { +@@ -2908,6 +2910,7 @@ int showCertificate(struct sslCheckOptions *options) + printf(" EC Public Key: NULL\n"); + } + break; ++ */ + default: + printf(" Public Key: Unknown\n"); + printf_xml(" \n"); diff --git a/sslscan-2.1.4.tar.gz b/sslscan-2.1.4.tar.gz new file mode 100644 index 0000000..9fad228 --- /dev/null +++ b/sslscan-2.1.4.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3e2a5b1f53d1f132b4d999ff450d2cc40e9efb648cea89b74f5944b768a10e63 +size 114318 diff --git a/sslscan-2.1.5.tar.gz b/sslscan-2.1.5.tar.gz new file mode 100644 index 0000000..b1088c8 --- /dev/null +++ b/sslscan-2.1.5.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b36616b1d59f3276af6ff9495ab8178ec6812393582fb3c094c56cc873efe956 +size 114247 diff --git a/sslscan.changes b/sslscan.changes new file mode 100644 index 0000000..fe86ad6 --- /dev/null +++ b/sslscan.changes @@ -0,0 +1,396 @@ +------------------------------------------------------------------- +Wed Oct 23 08:47:22 UTC 2024 - Dirk Müller + +- update to 2.1.5: + * Various build improvements + +------------------------------------------------------------------- +Thu Jul 25 09:38:59 UTC 2024 - Dirk Müller + +- update to 2.1.4: + * Display the full cert chain --show-certificates + +------------------------------------------------------------------- +Mon Feb 26 13:40:59 UTC 2024 - Dominique Leuenberger + +- Use %patch -P N instead of deprecated %patchN. + +------------------------------------------------------------------- +Sat Jan 27 13:27:05 UTC 2024 - Dirk Müller + +- update to 2.1.3: + * Enable quiet shutdown for scanning + * Fix Docked build on non-x64 architectures + +------------------------------------------------------------------- +Sat Nov 25 16:47:33 UTC 2023 - Dirk Müller + +- update to 2.1.2: + * Fix certificate and cipher enumeration when unsafe + renegotiation is required + +------------------------------------------------------------------- +Fri Nov 10 15:21:49 UTC 2023 - Dirk Müller + +- update to 2.1.1: + * Work around several dodgy TLS implementations + +------------------------------------------------------------------- +Thu Sep 14 12:41:24 UTC 2023 - Andrea Manzini + +- update to 2.1.0: + * Build against OpenSSL 3.0 instead of 1.1.0 (credit jtesta) + +------------------------------------------------------------------- +Sun Apr 16 17:56:03 UTC 2023 - Dirk Müller + +- update to 2.0.16: + * Fix incorret detection of TLSv1.3 on Server 2019 + * Fix incorrect XML certificate output + +------------------------------------------------------------------- +Tue Aug 2 11:31:57 UTC 2022 - Dirk Müller + +- update to 2.0.15: + * Obtain certificate info even if we can't connect properly + * Strip out https:// from lines in a target file + * Fix TLSv1.3 detection against Server 2022 (credit jtesta) + +------------------------------------------------------------------- +Sun Mar 27 19:36:15 UTC 2022 - Dirk Müller + +- update to 2.0.12: + * Add XML element (credit lucacapacci) + +------------------------------------------------------------------- +Tue Jan 4 18:30:00 UTC 2022 - Dirk Müller + +- update to 2.0.11: + * Add --iana-names option to use IANA/RFC cipher names + * Improve signature algorithm detection + +------------------------------------------------------------------- +Tue May 11 21:50:32 UTC 2021 - Dirk Müller + +- update to 2.0.10: + * Add the --connect-timeout option (credit alkalim) + * Fix a typo in output + * Warn on TLSv1.1, as it's now deprecated by RFC 8996 + * Fix a bug with LDAP STARTTLS + * Fix certificate detection on some broken servers + * Fix missing SCSV Fallback in XML output + * Don't show server signature algorithms by default + * Use --show-sigs to display them + +------------------------------------------------------------------- +Fri Dec 18 10:01:53 UTC 2020 - Johannes Weberhofer + +- Upgrade to version 2.0.6 + + * Add element to XML output + + * Fix the extraneous padding of HTTP responses in XML + * Update the HTTP request to HTTP/1.1 + * More robust checking the HTTP response is valid + * Display "No response" when no HTTP response is returned + + * Remove the broken HTTP request scanning option (--http) + + * Fix --targets not working properly + + * Flag certificates in red if CN is the same as issuer + +------------------------------------------------------------------- +Mon Sep 28 10:16:55 UTC 2020 - Johannes Weberhofer + +- Upgrade to version 2.0.1 + + * Correctly set SNI name when using --targets. Fixes gh#rbsec/sslscan#215 + +------------------------------------------------------------------- +Thu Jul 23 12:25:27 UTC 2020 - Johannes Weberhofer + +- Upgrade to version 2.0.0 + Version 2 of sslscan includes a major rewrite of the backend scanning code, + which means that it is no longer reliant on the version of OpenSSL for many + checks. This means that it is possible to support legacy protocols (SSLv2 and + SSLv3), as well as supporting TLSv1.3 - regardless of the version of OpenSSL + that it has been compiled against. It is still recommended to build statically + where possible, but dynamically built version should be significantly more + useful. + + Note that there are also some breaking changes to the XML output, which are + documented in the readme file. + + This rewrite been made possible largely by the work of jtesta, who has been + responsible for most of the backend rewrite. + +- Cleaned up spec file + +------------------------------------------------------------------- +Wed Jul 22 14:11:33 UTC 2020 - Wolfgang Frisch + +- Upgrade to version 2.0.0-beta6 + * Various bugfixes + * Added -4 and -6 options to force IPv4 and IPv6. + * Added strength attribute to XML to reflect colouring in stdout + * Checks for server signature algorithms. + * Checks for server key exchange groups. + * Support for SSLv2 and SSLv3 protocol detection regardless of OpenSSL + * Support for TLSv1.3 + * Support for additional cipher suites. + * Print curve name and key strength for ECC certs + * Fix a bug with servers that return incorrect cipher IDs. + * Add a new "" element to the XML output. + * Remove the "Signature Algorithm:" text and spacing from the XML. + * Report servers that accept any signature algorithm in the XML +- Rebased fedora-sslscan-patents.patch +- OpenSSL dependency bumped to >= 1.1 + +------------------------------------------------------------------- +Fri Feb 2 12:34:34 UTC 2018 - jweberhofer@weberhofer.at + +- Simplified requirements + +------------------------------------------------------------------- +Thu Feb 1 16:46:03 UTC 2018 - jweberhofer@weberhofer.at + +- Use openssl<1.1 for suse_version >= 1500 + +------------------------------------------------------------------- +Mon Dec 25 06:30:34 UTC 2017 - jweberhofer@weberhofer.at + +- Fix building on factory (use openssl 1.0.0) + +- Upgrade to version 1.11.10 + * Support for ChaCha ciphers + * Add support for STARTTLS on mysql (--starttls-mysql) + * Display SNI information in XML output + * Mark SHA-1 certificates as weak + +------------------------------------------------------------------- +Mon Dec 18 06:03:17 UTC 2017 - jweberhofer@weberhofer.at + +- Fixed building on SLES systems + +------------------------------------------------------------------- +Mon Nov 28 23:49:30 UTC 2016 - jweberhofer@weberhofer.at + +- Upgrade to version 1.11.8 + * Support alternate SNI hostnames (--sni=) + * Allow building with no support for TLS SCSV Fallback + +- Removed SSL_MODE_SEND_FALLBACK_SCSV (integrated upstream) + +------------------------------------------------------------------- +Mon Oct 31 13:51:36 UTC 2016 - manfred.h@gmx.net + +- SSL_MODE_SEND_FALLBACK_SCSV.patch: Add patch to treat SSL_MODE_SEND_FALLBACK_SCSV conditionally. + +------------------------------------------------------------------- +Thu Oct 27 09:12:12 UTC 2016 - jweberhofer@weberhofer.at + +- Highlighted features: + * Support for + - STARTTLS: POP3, IMAP, FTP, XMPP + - PostgreSQL + - IPv6 addresses + - TLSv1.1 and TLSv1.2 + - XMPP server-to-server connections + * Added check for + - OpenSSL Heartbleed + - POODLE + * Highlight the following issues + - weak RSA and DHE keys in output + - SSLv2, SSLv3, RC4 ciphers + - anonymous ADH and AECDH ciphers + - weak (n <= 40 bit) and medium (40 < n <= 56 bit) + * Certificates + - Display certificate signing algorithm highlighting weak algorithms. + - Display certificate key strength highlighting weak keys. + - Flag expired certificates + * Most secure protocols are scanned first + * Display cipher details by default + +- rebased fedora-sslscan-patents.patch +- removed obsolete patches + +- Upgraded to version 1.11.7 + * Check for TLS Fallback SCSV + * Allow xml to be output on stdout (--xml=-) + +- Version 1.11.6 + * Re-eanble support for weak (<1024) DH keys in OpenSSL + +- Version 1.11.5 + * Fix bug in heartbleed check (credit nuxi) + * Makefile improvements and fixes for OSX and FreeBSD + * Optimize OpenSSL clone + * Implement --show-times to display handshake times in milliseconds + +- Version 1.11.4 + * Fix compression detection (credit nuxi) + * Added support for PostgreSQL (credit nuxi) + +- Version 1.11.3 + * Properly fix missing SSLv2 EXPORT ciphers by patching OpenSSL + +- Version 1.11.2 + * Makefile improvements + * Update OpenSSL from Git when statically building + * Use enable-ssl2 and enable-weak-ciphers when building statically + +- Version 1.11.1 + * Show cipher IDs with --show-cipher-ids (credit maurice2k) + * Warn when building agsinst system OpenSSL rather than statically + * Allow building statically on OSX (experimental) + +- Version 1.11.0 + * Rewrote ciphersuite scanning engine to be much faster + * Ciphers are now output in order of server preference + * Most secure protocols are scanned first (TLSv1.2 -> SSLv2) + * All protocols are tried when trying to obtain the certificate + * Obselete --failed and --no-preferred-ciphers options removed + * Flag TLSv1.0 ciphers in output + * Flag 56 bit ciphers as red, not yellow + * Fix building on OpenBSD (credit Stuart Henderson) + * Fix incorrect output when server prefers NULL ciphers + +- Version 1.10.6 + * Fix --sleep only working for whole seconds (credit dmke) + * Fix compiling against OpenSSL 0.9.8 (credit aclemons) + * Flag expired certificates (credit jacktrice) + +- Version 1.10.5 + * Added IRC STARTTLS support (--starttls-irc, credit jkent) + * Highlight weak RSA keys in output + * Added option to show OCSP status (--ocsp, credit kelbyludwig) + * Fix a segfault with certificate parsing + +- Version 1.10.4 + * Display cipher details by default (hide with --no-cipher-details) + * Fix scanning multiple targets if one fails (credit shellster) + * Fix bug with --no-color and --failed (credit yasulib) + * Minor bugfixes to output + +- Version 1.10.3 + * Flag weak DHE keys in --cipher-details + * Report DHE key bits in XML + * Change ECDHE key bits to "ecdhebits" rather than "dhebits" in XML + +- Version 1.10.2 + * Wrap TLS extensions in CDATA blocks in XML output. + * Fix incorrect TLS versions in heartbleed checks + +- Version 1.10.1 + * Fix XML output to use "TLSv1.0" in preferred ciphers, not "TLSv1" + * Added --cipher-details option to display EC curves and EDH keys + Note that this feature requires OpenSSL >= 1.0.2 + * Update static build options to compile against OpenSSL 1.0.2 + +- Version 1.10.0 + * Experimental build support (credit jtesta). + * Support XMPP server-to-server connections (--xmpp-server). + +- Version 1.9.11 + * Makefile updates to assist packaging in Kali. + * Fix missing static build number when compiling from tarball. + +- Version 1.9.10 + * Display certificate CN, Altnames and Issuer in default output. + * Flag certificates where CN == issuer, or CN = * + * Highlight GCM ciphersuites as good + +- Version 1.9.9 + * Added --show-client-cas option to determine trusted CAs + for client authentication + * Added --no-preferred option to disable any output except specified + +- Version 1.9.8 + * Added --sleep option to pause between request + * Only check for heartbleed against specified TLS version + * Added --sleep option to pause between request + * Fix issues compiling against OpenSSL 0.9.8 + * Highlight CBC ciphersuites on SSLv3 (POODLE) + * Experimental build support on OSX (credit MikeSchroll) + +- Version 1.9.7 + * Added option for static compilation with OpenSSL (credit dmke) + * Added "sslmethod" attribute to Heartbleed XML output (credit dmke) + * Split headers into sslscan.h (credit dmke) + +- Version 1.9.6 + * Highlight NULL ciphers in output. + * Highlight SSLv3 ciphers. + * Added --rdp option to support RDP servers (credit skettler). + * Added --timeout option to set socket timeout (default 3s). + +- Version 1.9.5 + * Renamed --get-certificate option to --show-certficate. + * Display certificate signing algorithm highlighting weak algorithms. + * Display certificate key strength highlighting weak keys. + * Bumped XML version to 1.9.5 due to minor changes. + +- Version 1.9.4 + * Check for SSLv2 and SSLv3 ciphers over STARTTLS. + +- Version 1.9.3 + * Fixed broken STARTTLS SMTP check. + +- Version 1.9.2 + * Added check for OpenSSL Heartbleed (CVE-2014-0160). + +- Version 1.9.1 + * Added --tlsall option to only scan TLS ciphersuites. + * Scan all TLS versions by default for STARTTLS services. + * Added support for IPv6 addresses using square bracket notation [:1]. + * Highlight anonymous (ADH and AECDH) ciphers in output. + * Added option to disable colour in output (--no-colour). + * Removed undocumented -p output option. + * Removed old references to titania.co.uk domain. + +- Version 1.9 + * Highlight SSLv2 ciphers + * Highlight weak (n <= 40 bit) and medium (40 < n <= 56 bit) ciphers + * Highlight RC4 ciphers + * Highlight anonymous (ADH) ciphers + * Hide certificate information by default + * Hide rejected ciphers by default (display with --failed). + * Added TLSv1.1 and TLSv1.2 support (merged from twwbond/sslscan). + * Compiles if OpenSSL does not support SSLv2 ciphers (merged from digineo/sslscan). + * Supports IPv6 hostnames (can be forced with --ipv6). + * Check for TLS compression (CRIME, disable with --no-compression) + +- Version 1.8.4 + * Add demo targets in Makefile + * Refactoring of code by Adam Langley + * Add SNI patch from Tim Brown + * Bug fixes from craSH and Cygwin build improvements + +- Version 1.8.3 + + * Improve new protocol setup support for STARTTLS: POP3, IMAP, FTP, and + XMPP This modeled after the support found in OpenSSL's s_client + * Add verbose option to print more info + * Add default ports when a STARTTLS setup flag is called without any port at all +------------------------------------------------------------------- +Sun Apr 27 17:35:29 UTC 2014 - lars@linux-schulserver.de + +- enable parallel build + +------------------------------------------------------------------- +Tue Sep 11 14:16:02 UTC 2012 - frank.lichtenheld@sophos.com + +- add TLSv1.1 and TLSv1.2 support for OpenSSL >= 1.0.1 + +------------------------------------------------------------------- +Fri Aug 10 21:09:50 UTC 2012 - frank.lichtenheld@sophos.com + +- import patch from fedora to allow building on fedora + +------------------------------------------------------------------- +Thu Aug 9 20:01:09 UTC 2012 - frank.lichtenheld@sophos.com + +- initial packaging +* patches taken from Debian packaging + diff --git a/sslscan.spec b/sslscan.spec new file mode 100644 index 0000000..934d761 --- /dev/null +++ b/sslscan.spec @@ -0,0 +1,58 @@ +# +# spec file for package sslscan +# +# Copyright (c) 2024 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +Name: sslscan +Version: 2.1.5 +Release: 0 +Summary: SSL cipher scanning tool +License: SUSE-GPL-3.0+-with-openssl-exception +Group: Productivity/Networking/Diagnostic +URL: https://github.com/rbsec/sslscan +Source: https://github.com/rbsec/sslscan/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz +#Patches copied from Debian package +Patch1: fedora-sslscan-patents.patch +BuildRequires: pkgconfig +BuildRequires: pkgconfig(libssl) >= 3.0 + +%description +SSLScan determines what ciphers are supported on SSL-based services, +such as HTTPS. Furthermore, SSLScan will determine the preferred +ciphers of the SSL service. + +%prep +%setup -q +%if %{defined fedora} +%patch -P 1 -p1 +%endif + +%build +%make_build CFLAGS="%{optflags} -fPIE" + +%install +install -d "%{buildroot}%{_bindir}" +install -d "%{buildroot}%{_mandir}/man1" +make install PREFIX="%{buildroot}%{_prefix}" + +%files +%defattr(0644,root,root) +%doc README.md +%license LICENSE +%attr(0755,root,root) %{_bindir}/sslscan +%{_mandir}/man1/sslscan.1%{?ext_man} + +%changelog