- Update to version 3.0.9

* Fix bash 5 issue when encountering a short server key extension
  * Fix HTML issue when using bash 5
  * CAA DNS records are now not being queried when nodns is set
  * MongoDB identification fix
  * Sanity check when user has broken umask to avoid runtime errors
  * Fix for newer grep versions
  * Address weird globbing in bash 3.0
  * Fix regexp in STARTTLS detection
  * Secure renegotiation fix: SNI
  * Ensure control chars from HTTP header don't end up in html,csv
    or json
  * Add sha1WithRSA to sha1WithRSAEncryption for certificates
  * Fix potential infinite loop in run_pfs()

OBS-URL: https://build.opensuse.org/package/show/network:utilities/testssl.sh?expand=0&rev=21
This commit is contained in:
Dirk Mueller 2024-07-25 11:46:35 +00:00 committed by Git OBS Bridge
commit e0c16f8f32
8 changed files with 432 additions and 0 deletions

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.osc

View File

@ -0,0 +1,11 @@
--- a/testssl.sh 2019-04-25 09:21:23.000000000 +0200
+++ b/testssl.sh 2019-04-27 11:51:37.267236022 +0200
@@ -136,7 +136,7 @@
declare -r SYSTEM="$(uname -s)"
declare -r SYSTEMREV="$(uname -r)"
SYSTEM2="" # currently only being used for WSL = bash on windows
-TESTSSL_INSTALL_DIR="${TESTSSL_INSTALL_DIR:-""}" # If you run testssl.sh and it doesn't find it necessary file automagically set TESTSSL_INSTALL_DIR
+TESTSSL_INSTALL_DIR="${TESTSSL_INSTALL_DIR:-"/usr/share/testssl-sh"}" # If you run testssl.sh and it doesn't find it necessary file automagically set TESTSSL_INSTALL_DIR
CA_BUNDLES_PATH="${CA_BUNDLES_PATH:-""}" # You can have your stores some place else
ADDITIONAL_CA_FILES="${ADDITIONAL_CA_FILES:-""}" # single file with a CA in PEM format or comma separated lists of them
CIPHERS_BY_STRENGTH_FILE=""

3
testssl.sh-3.0.8.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:22c5dc6dfc7500db94b6f8a48775f72b5149d0a372b8552ed7666016ee79edf0
size 9372229

3
testssl.sh-3.0.9.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:75ecbe4470e74f9ad17f4c4ac733be123b0f67d676ed24cc2b30adb41561e05f
size 9381651

1
testssl.sh-rpmlintrc Normal file
View File

@ -0,0 +1 @@
addFilter("W: pem-certificate /usr/share/testssl-sh/etc/.*pem")

325
testssl.sh.changes Normal file
View File

@ -0,0 +1,325 @@
-------------------------------------------------------------------
Wed Jul 24 06:52:48 UTC 2024 - Martin Hauke <mardnh@gmx.de>
- Update to version 3.0.9
* Fix bash 5 issue when encountering a short server key extension
* Fix HTML issue when using bash 5
* CAA DNS records are now not being queried when nodns is set
* MongoDB identification fix
* Sanity check when user has broken umask to avoid runtime errors
* Fix for newer grep versions
* Address weird globbing in bash 3.0
* Fix regexp in STARTTLS detection
* Secure renegotiation fix: SNI
* Ensure control chars from HTTP header don't end up in html,csv
or json
* Add sha1WithRSA to sha1WithRSAEncryption for certificates
* Fix potential infinite loop in run_pfs()
-------------------------------------------------------------------
Mon Feb 26 12:52:24 UTC 2024 - pgajdos@suse.com
- Use %autosetup macro. Allows to eliminate the usage of deprecated
%patchN
-------------------------------------------------------------------
Wed Sep 28 20:54:50 UTC 2022 - Jeff Kowalczyk <jkowalczyk@suse.com>
- Update to version 3.0.8
* Fix grep 3.8 warnings on fgrep and unneeded escapes of hyphen, slash, space (Geert)
* Fix alignment for cipher output (David)
* News binaries (Darwin from Barry), carry now the appendix -bad and fixes a security problem.
* Backport from higher OpenSSL version to support xmpp-server
* Fix CT (David)
* Fix decryption of TLS 1.3 response (David)
* Upgrade Dockerfile to Alpine to 3.15
* Fix pretty JSON formatting when warning is issued (David)
* Update of certificate stores
* Major update of client simulation (9 new simulations , >4 removed in default run)
* Fix CRIME output on servers only supporting TLS 1.3 (Tomasz)
* Fix censys link
* Fix ome handshake problems w $OPENSSL ciphers, extend determine_optimal_sockets_params() to more
* ciphers, fix PROTOS_OFFERED (David)
* Relax STARTTLS FTP requirement so that it doesn't require TLS after AUTH
* Fix run_server_preference() with no default protocol (David)
* Fix getting CRL / NO_SESSION_ID under some circumstances (David)
* Improve/fix OpenSSL 3.0 compatibility (David)
* Fix formatting to documentation
* Add FFDHE groups to supported_groups (David)
* Include RSA-PSS in ClientHello (David)
- Requires: bind-utils for required tools dig, host and nslookup
-------------------------------------------------------------------
Sat Aug 13 21:43:23 UTC 2022 - Jeff Kowalczyk <jkowalczyk@suse.com>
- Update to version 3.0.7
* Fix "ID resumption test failed" bug under Darwin
* Fix "locale error message when en_US.UTF-8 isn't available" bug
* Fix "Darwin / LibreSSL startup problem" which leads to a question upfront
* Make upfront handshake tests more compatible by adding </dev/null
* Take 'HTTP Age' HTTP header into account when determine HTTP time
* Fix JSON header (structured JSON output) name
* Robustness: Update reset_hostdepended_vars() for mass tests
* Simplify determination of git stuff
* Fix "newline to spaces" in JSON and CSV findings
* Fix "Bad file descriptor with --connect-timeout option"
* SSLv2 fixes, OpenSSL fixes 3.X
* Improve cipher_pref_check() for detecting prioritization of ChaCha ciphers
* Simplify + speed up pre-check
* Addressing lame DNS responses on WSL
* Fix big serial # issue in certs
* Fix invalid JSON when certificate issuer containing non-ASCII chars
-------------------------------------------------------------------
Sun Oct 3 14:02:29 UTC 2021 - Martin Hauke <mardnh@gmx.de>
- Update to version 3.0.6
* Bugfix: Remove DST x3 Root CA which lead to trust issues for
servers using a Letsencrypt certificate (Miguel Jacq)
* Bugfix: Newer openssl.cnf break detection of openssl binary
* Documenation update to reflect renaming standard ciphers to
cipher categories
* Ignore usage of ~/.digrc where possible
* Fixing host information in JSON output when using STARTTLS
XMPP
* TLS 1.3 improvements wrt server certificates
* Bugfix: Order of -U --ids-friendly doesn't matter anymore
* Disable ANSI codes when TERM=screen
* Improved SSL/TLS port detection in nmap greppable files
using as input to testssl.sh
* Bugfix when nmap files had .txt extension
* Display certficate time in UTC
* Use _uname -n`` instead of hostname --> POSIX
* Few output fixes
-------------------------------------------------------------------
Mon May 10 20:33:48 UTC 2021 - Martin Hauke <mardnh@gmx.de>
- Update to version 3.0.5
* Fix off by one error in HSTS (now: 180 instead of 179 days)
* Fix minor output inconsistency in JSON output (Chad)
* Improve compatibility for OpenSSL 3.0 (David Cooper)
* Fix localization issue for ciphers where e.g. in Swedish W is
being treated as a variant of V so that the W in
TLS_ECDHE_RSA_WITH* didn't match the bash pattern
* Fixes in file openssl-iana.mapping.html (Elfranne)
* Fix quoting for CVE+JSON output in run_heartbleed()
* Fix trailing dot issue in hostnames
* Fix improper proper halving of the dates for Let's Encrypt
certificates
-------------------------------------------------------------------
Thu Nov 26 14:45:01 UTC 2020 - Matthias Fehring <buschmann23@opensuse.org>
- Update to version 3.0.4
* This version is a quick fix for a regression of detecting SSLv2
ciphers in a basic function.
-------------------------------------------------------------------
Thu Nov 19 09:50:48 UTC 2020 - Matthias Fehring <buschmann23@opensuse.org>
- Update to version 3.0.3
* Update certificate stores
* manpage fix (Karl)
* minor speedups for some vulnerability tests
* bash 5.1 fix
* Secure Client-Initiated Renegotiation false positive fix
* BREACH is now medium
* invalid JSON fix and other JSON improvements (David)
* Adding native Android 7 handshake instead of Chrome which has
TLS 1.3 (Christoph)
* Header flag X-XSS-Protection is now labled as INFO
* No cyan colors in HHHTP header flags anymore, colons added
-------------------------------------------------------------------
Fri Jul 24 08:04:11 UTC 2020 - Matthias Fehring <buschmann23@opensuse.org>
- Update to version 3.0.2
* Remove potential licensing conflicts
* Fix situations when TLS 1.3 is used for Ticketbleed check
* Improved compatibility with LibreSSL 3.0
* Add brotil compression to BREACH
* Faster and more robust XMPP STARTTLS handshakes
* More robust STARTTLS handshakes
* Fix outputs, sometimes misleading
-------------------------------------------------------------------
Wed Apr 15 09:23:34 UTC 2020 - Martin Hauke <mardnh@gmx.de>
- Update to version 3.0.1
* Fix hang in BEAST check when there are ciphers starting with
SSL_* but which are no SSLv2 cipher
* Fix bug in setting DISPLAY_CIPHERNAMES when
$CIPHERS_BY_STRENGTH_FILE is not a/v.
* Fix basic auth LF problem
* Fix printing percent chars
* Fix minor HTML generation bug
* Fix security bug: sanitizing DNS input
* make --ids-friendly work again
* Update sneaky user agent
* Update links in code comments
* Cosmetic code updates
* Fix output bug when >1 PTR records returned
* More output fixes
-------------------------------------------------------------------
Fri Apr 3 20:05:45 UTC 2020 - Christian Boltz <suse-beta@cboltz.de>
- fix bash path for Leap 15.x
-------------------------------------------------------------------
Thu Jan 23 20:42:34 UTC 2020 - Martin Hauke <mardnh@gmx.de>
- Update to version 3.0
* Full support of TLS 1.3, shows also drafts supported
* Extended protocol downgrade checks
* ROBOT check
* Better TLS extension support
* Better OpenSSL 1.1.1 and higher versions support as well as
LibreSSL >3
* DNS over Proxy and other proxy improvements
* Decoding of unencrypted BIG IP cookies
* Initial client certificate support
* Warning of 825 day limit for certificates issued after
2018/3/1
* Socket timeouts (--connect-timeout)
* IDN/IDN2 servername/URI + emoji support, supposed
libidn/idn2 is installed and DNS resolver is recent)support
* Initial support for certificate compression
* Better JSON output: renamed IDs and findings shorter/better
parsable, also includes certficate
* JSON output now valid also for non-responding servers
* Testing now per default 370 ciphers
* Further improving the robustness of TLS sockets (sending
and parsing)
* Support of supplying timeout value for openssl connect
-- useful for batch/mass scanning
* File input for serial or parallel mass testing can be also in
nmap grep(p)able (-oG) format
* LOGJAM: now checking also for DH and FFDHE groups (TLS 1.2)
* PFS: Display of elliptical curves supported, DH and FFDHE
groups (TLS 1.2 + TLS 1.3)
* Check for session resumption (Ticket, ID)
* TLS Robustness check GREASE and more
* Server preference distinguishes between TLS 1.3 and lower
protocols
* Mark TLS 1.0 and TLS 1.1 as deprecated
* Does a few startup checks which make later tests easier and
faster (determine_optimal_\*())
* Expect-CT header detection
* --phone-out does certificate revocation checks via OCSP
(LDAP+HTTP) and with CRL
* --phone-out checks whether the private key has been
compromised via https://pwnedkeys.com/
* Missing SAN warning
* Added support for private CAs
* Way better handling of connectivity problems (counting those,
if threshold exceeded -> bye)
* Fixed TCP fragmentation
* Added --ids-friendly switch
* Exit codes better: 0 for running without error, 1+n for small
errors, >240 for major errors.
* Better error msg suppression (not fully installed OpenSSL)
* Better parsing of HTTP headers & better output of longer HTTP
headers
* Display more HTTP security headers
* HTTP Basic Auth support for HTTP header
* experimental "eTLS" detection
* Dockerfile and repo @ docker hub with that file (see above)
* Java Root CA store added
* Better support for XMPP via STARTTLS & faster
* Certificate check for to-name in stream of XMPP
* Support for NNTP and LMTP via STARTTLS, fixes for MySQL and
PostgresQL
* Support for SNI and STARTTLS
* More robustness for any STARTTLS protocol (fall back to
plaintext while in TLS caused problems)
* Renegotiation checks improved, also no false potive for Node.js
anymore
* Major update of client simulations with self-collected
up-to-date data
* Update of CA certificate stores
* Lots of bug fixes
* More travis/CI checks -- still place for improvements
* Bigger man page review
- specfile cleanup
- Add testssl.sh.rpmlintrc
-------------------------------------------------------------------
Wed Dec 11 21:11:28 UTC 2019 - Matthias Fehring <buschmann23@opensuse.org>
- Update to testssl.sh 2.9.96 (aka 3.0rc6)
* Socket timeouts (--connect-timeout)
* IDN/IDN2 servername support
* pwnedkeys.com support
* Initial support for certificate compression
* Initial client certificate support
* Better indentation for HTTP header outputs
* Better parsing of HTTP headers
* Penalize absence of TLS 1.2 anymore if server supports TLS 1.3 only
* Several improvements related to protocol determination and downgrade responses
* Some logic related using TLS 1.3 aware OpenSSL binaries more or less automagically
* Internal improvements to server preference checks
* Lots of internal and some speed improvements in "pre-flight checks" (comes before outputting any test)
* Mark TLS 1.0 and TLS 1.1 as deprecated
* Support newer OpenSSL/LibreSSL versions
* Improved detection of wrong user input when file was supplied for --csv,--json and --html
* Update client handshakes with newer client data and deprecate other clients
* Regression in CAA RR fixed
* Session resumption fixes
* Session ticket fixes
* Fixes for STARTTLS MySQL and PostgreSQL
* Unit tests for (almost) every STARTTLS protocol supported
* A lot of minor fixes
-------------------------------------------------------------------
Sat Apr 27 09:55:54 UTC 2019 - Matthias Fehring <buschmann23@opensuse.org>
- Update to testssl.sh 2.9.95 (aka 3.0rc5)
* Modernized client handshakes
* Further code sanitizing
* Fixes in CSV files and JSON files creation and some ACE
loadbalancer related improvements
* Fix session tickets and resumption
* OpenSSL 1.1.1 fixes
* Darwin OpenSSL binary
* Updated certificate store
* Add SSLv2 to SWEET
- update testssl.sh-2.9.92-set-install-dir.patch to
testssl.sh-2.9.95-set-install-dir.patch
-------------------------------------------------------------------
Tue Feb 19 10:43:36 UTC 2019 - Matthias Fehring <buschmann23@opensuse.org>
- Update to testssl.sh 2.9.94 (aka 3.0rc4)
* Documentation fixes and additions
* Add new openssl helper binaries
* Bug fix: Scan continues if one of multiple IP addresses per
hostname has a problem
* "eTLS" detection ("visibility information")
* Minimize initial warning "doesn't seem to be a TLS/SSL enabled
server" by using sockets
* Several improvement for SSLv2 only servers
* Handle different cipher preference < TLS 1.3 vs. TLS 1.3
* Clarify & improve Standard Cipher check (potentially breaking
change)
* Improve SWEET32 test
* Finding certificates is faster and independent on openssl
-------------------------------------------------------------------
Sat Dec 1 15:58:11 UTC 2018 - Matthias Fehring <buschmann23@opensuse.org>
- Update to testssl.sh 2.9.93 (aka 3.0rc3)
* add SSLv2 ciphers *total ciphers now being tested for: 370)
* updated client simulation data
* TLS 1.3 improvements
* STARTTLS NNTP support
* STARTTLS XMPP faster and more reliable
* include DH groups (primes) in pfs section
* Fix TCP fragmentation under remaining OS: FreeBSD / Mac OS X
* further bugfixes and clarifications
-------------------------------------------------------------------
Wed Nov 28 09:52:06 UTC 2018 - Matthias Fehring <buschmann23@opensuse.org>
- initial package version 2.9.92 (aka 3.0rc2)

65
testssl.sh.spec Normal file
View File

@ -0,0 +1,65 @@
#
# spec file for package testssl.sh
#
# Copyright (c) 2024 SUSE LLC
# Copyright (c) 2018 Matthias Fehring <buschmann23@opensuse.org>
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define _data_dir_name testssl-sh
Name: testssl.sh
Version: 3.0.9
Release: 0
Summary: Testing TLS/SSL Encryption Anywhere On Any Port
License: GPL-2.0-or-later
Group: Productivity/Networking/Security
URL: https://testssl.sh
Source0: https://github.com/drwetter/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
Source1: %{name}-rpmlintrc
Patch0: testssl.sh-2.9.95-set-install-dir.patch
Requires: bash >= 3.2
Requires: bind-utils
Requires: openssl
BuildArch: noarch
%description
testssl.sh is a free command line tool which checks a server's service on
any port for the support of TLS/SSL ciphers, protocols as well as some
cryptographic flaws.
%prep
%autosetup -p1
%if 0%{?suse_version} > 1500
sed -i 's|#!/usr/bin/env bash|#!/usr/bin/bash|g' testssl.sh
%else
# in Leap 15.x, it's still /bin/bash
sed -i 's|#!/usr/bin/env bash|#!/bin/bash|g' testssl.sh
%endif
%build
%install
install -D -m 0644 -t %{buildroot}/%{_datadir}/%{_data_dir_name}/etc etc/*
install -D -m 0755 -t %{buildroot}/%{_bindir} %{name}
install -D -m 0644 -T doc/testssl.1 %{buildroot}/%{_mandir}/man1/%{name}.1
%files
%license LICENSE
%doc CHANGELOG.md CREDITS.md Readme.md
%{_bindir}/%{name}
%{_datadir}/%{_data_dir_name}
%{_mandir}/man1/%{name}.1%{ext_man}
%changelog