commit e0c16f8f32c838f973843869f3d28b94a3fd1e922f3cf53356d87708ea5c274e
Author: Dirk Mueller
Date: Thu Jul 25 11:46:35 2024 +0000
- Update to version 3.0.9
* Fix bash 5 issue when encountering a short server key extension
* Fix HTML issue when using bash 5
* CAA DNS records are now not being queried when nodns is set
* MongoDB identification fix
* Sanity check when user has broken umask to avoid runtime errors
* Fix for newer grep versions
* Address weird globbing in bash 3.0
* Fix regexp in STARTTLS detection
* Secure renegotiation fix: SNI
* Ensure control chars from HTTP header don't end up in html,csv or json
* Add sha1WithRSA to sha1WithRSAEncryption for certificates
* Fix potential infinite loop in run_pfs()
OBS-URL: https://build.opensuse.org/package/show/network:utilities/testssl.sh?expand=0&rev=21
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/testssl.sh-2.9.95-set-install-dir.patch b/testssl.sh-2.9.95-set-install-dir.patch
new file mode 100644
index 0000000..6d02188
--- /dev/null
+++ b/testssl.sh-2.9.95-set-install-dir.patch
@@ -0,0 +1,11 @@
+--- a/testssl.sh 2019-04-25 09:21:23.000000000 +0200
++++ b/testssl.sh 2019-04-27 11:51:37.267236022 +0200
+@@ -136,7 +136,7 @@
+ declare -r SYSTEM="$(uname -s)"
+ declare -r SYSTEMREV="$(uname -r)"
+ SYSTEM2="" # currently only being used for WSL = bash on windows
+-TESTSSL_INSTALL_DIR="${TESTSSL_INSTALL_DIR:-""}" # If you run testssl.sh and it doesn't find it necessary file automagically set TESTSSL_INSTALL_DIR
++TESTSSL_INSTALL_DIR="${TESTSSL_INSTALL_DIR:-"/usr/share/testssl-sh"}" # If you run testssl.sh and it doesn't find it necessary file automagically set TESTSSL_INSTALL_DIR
+ CA_BUNDLES_PATH="${CA_BUNDLES_PATH:-""}" # You can have your stores some place else
+ ADDITIONAL_CA_FILES="${ADDITIONAL_CA_FILES:-""}" # single file with a CA in PEM format or comma separated lists of them
+ CIPHERS_BY_STRENGTH_FILE=""
diff --git a/testssl.sh-3.0.8.tar.gz b/testssl.sh-3.0.8.tar.gz
new file mode 100644
index 0000000..29d8112
--- /dev/null
+++ b/testssl.sh-3.0.8.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:22c5dc6dfc7500db94b6f8a48775f72b5149d0a372b8552ed7666016ee79edf0
+size 9372229
diff --git a/testssl.sh-3.0.9.tar.gz b/testssl.sh-3.0.9.tar.gz
new file mode 100644
index 0000000..22d412d
--- /dev/null
+++ b/testssl.sh-3.0.9.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:75ecbe4470e74f9ad17f4c4ac733be123b0f67d676ed24cc2b30adb41561e05f
+size 9381651
diff --git a/testssl.sh-rpmlintrc b/testssl.sh-rpmlintrc
new file mode 100644
index 0000000..6f098d9
--- /dev/null
+++ b/testssl.sh-rpmlintrc
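Review bot: The new default `"/usr/share/testssl-sh"` in the TESTSSL_INSTALL_DIR line of the embedded patch is a literal copy of the directory the spec builds from `%define _data_dir_name testssl-sh`, and the rpmlintrc added in this commit repeats the same literal a third time, so renaming one of them leaves the installed script unable to locate its etc/ stores until that is noticed at runtime; a comment in the patch such as `# keep in sync with _data_dir_name in testssl.sh.spec and the rpmlintrc filter`, or a sed substitution in %prep driven by the macro instead of a static patch, would remove the drift. The hunk header `@@ -136,7 +136,7 @@` still describes the 2.9.95 layout the patch was written against, so on the 3.0.9 tarball it presumably applies only with an offset or fuzz; refreshing it would keep %autosetup from depending on fuzz. Because the assignment keeps the `${TESTSSL_INSTALL_DIR:-...}` form, an explicit environment value still overrides the packaged path, which is worth stating in the patch header.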
@@ -0,0 +1 @@
+addFilter("W: pem-certificate /usr/share/testssl-sh/etc/.*pem")
diff --git a/testssl.sh.changes b/testssl.sh.changes
new file mode 100644
index 0000000..fc3b828
--- /dev/null
+++ b/testssl.sh.changes
@@ -0,0 +1,325 @@
+-------------------------------------------------------------------
+Wed Jul 24 06:52:48 UTC 2024 - Martin Hauke
+
+- Update to version 3.0.9
+ * Fix bash 5 issue when encountering a short server key extension
+ * Fix HTML issue when using bash 5
+ * CAA DNS records are now not being queried when nodns is set
+ * MongoDB identification fix
+ * Sanity check when user has broken umask to avoid runtime errors
+ * Fix for newer grep versions
+ * Address weird globbing in bash 3.0
+ * Fix regexp in STARTTLS detection
+ * Secure renegotiation fix: SNI
+ * Ensure control chars from HTTP header don't end up in html,csv
+ or json
+ * Add sha1WithRSA to sha1WithRSAEncryption for certificates
+ * Fix potential infinite loop in run_pfs()
+
+-------------------------------------------------------------------
+Mon Feb 26 12:52:24 UTC 2024 - pgajdos@suse.com
+
+- Use %autosetup macro. Allows to eliminate the usage of deprecated
+ %patchN
+
+-------------------------------------------------------------------
+Wed Sep 28 20:54:50 UTC 2022 - Jeff Kowalczyk
+
+- Update to version 3.0.8
+ * Fix grep 3.8 warnings on fgrep and unneeded escapes of hyphen, slash, space (Geert)
+ * Fix alignment for cipher output (David)
+ * News binaries (Darwin from Barry), carry now the appendix -bad and fixes a security problem.
+ * Backport from higher OpenSSL version to support xmpp-server
+ * Fix CT (David)
+ * Fix decryption of TLS 1.3 response (David)
+ * Upgrade Dockerfile to Alpine to 3.15
+ * Fix pretty JSON formatting when warning is issued (David)
+ * Update of certificate stores
+ * Major update of client simulation (9 new simulations , >4 removed in default run)
+ * Fix CRIME output on servers only supporting TLS 1.3 (Tomasz)
+ * Fix censys link
+ * Fix ome handshake problems w $OPENSSL ciphers, extend determine_optimal_sockets_params() to more
+ * ciphers, fix PROTOS_OFFERED (David)
+ * Relax STARTTLS FTP requirement so that it doesn't require TLS after AUTH
+ * Fix run_server_preference() with no default protocol (David)
+ * Fix getting CRL / NO_SESSION_ID under some circumstances (David)
+ * Improve/fix OpenSSL 3.0 compatibility (David)
+ * Fix formatting to documentation
+ * Add FFDHE groups to supported_groups (David)
+ * Include RSA-PSS in ClientHello (David)
+- Requires: bind-utils for required tools dig, host and nslookup
+
+-------------------------------------------------------------------
+Sat Aug 13 21:43:23 UTC 2022 - Jeff Kowalczyk
+
+- Update to version 3.0.7
+ * Fix "ID resumption test failed" bug under Darwin
+ * Fix "locale error message when en_US.UTF-8 isn't available" bug
+ * Fix "Darwin / LibreSSL startup problem" which leads to a question upfront
+ * Make upfront handshake tests more compatible by adding
+
+- Update to version 3.0.6
+ * Bugfix: Remove DST x3 Root CA which lead to trust issues for
+ servers using a Letsencrypt certificate (Miguel Jacq)
+ * Bugfix: Newer openssl.cnf break detection of openssl binary
+ * Documenation update to reflect renaming standard ciphers to
+ cipher categories
+ * Ignore usage of ~/.digrc where possible
+ * Fixing host information in JSON output when using STARTTLS
+ XMPP
+ * TLS 1.3 improvements wrt server certificates
+ * Bugfix: Order of -U --ids-friendly doesn't matter anymore
+ * Disable ANSI codes when
TERM=screen
+ * Improved SSL/TLS port detection in nmap greppable files
+ using as input to testssl.sh
+ * Bugfix when nmap files had .txt extension
+ * Display certficate time in UTC
+ * Use _uname -n`` instead of hostname --> POSIX
+ * Few output fixes
+
+-------------------------------------------------------------------
+Mon May 10 20:33:48 UTC 2021 - Martin Hauke
+
+- Update to version 3.0.5
+ * Fix off by one error in HSTS (now: 180 instead of 179 days)
+ * Fix minor output inconsistency in JSON output (Chad)
+ * Improve compatibility for OpenSSL 3.0 (David Cooper)
+ * Fix localization issue for ciphers where e.g. in Swedish W is
+ being treated as a variant of V so that the W in
+ TLS_ECDHE_RSA_WITH* didn't match the bash pattern
+ * Fixes in file openssl-iana.mapping.html (Elfranne)
+ * Fix quoting for CVE+JSON output in run_heartbleed()
+ * Fix trailing dot issue in hostnames
+ * Fix improper proper halving of the dates for Let's Encrypt
+ certificates
+
+-------------------------------------------------------------------
+Thu Nov 26 14:45:01 UTC 2020 - Matthias Fehring
+
+- Update to version 3.0.4
+ * This version is a quick fix for a regression of detecting SSLv2
+ ciphers in a basic function.
+
+-------------------------------------------------------------------
+Thu Nov 19 09:50:48 UTC 2020 - Matthias Fehring
+
+- Update to version 3.0.3
+ * Update certificate stores
+ * manpage fix (Karl)
+ * minor speedups for some vulnerability tests
+ * bash 5.1 fix
+ * Secure Client-Initiated Renegotiation false positive fix
+ * BREACH is now medium
+ * invalid JSON fix and other JSON improvements (David)
+ * Adding native Android 7 handshake instead of Chrome which has
+ TLS 1.3 (Christoph)
+ * Header flag X-XSS-Protection is now labled as INFO
+ * No cyan colors in HHHTP header flags anymore, colons added
+
+-------------------------------------------------------------------
+Fri Jul 24 08:04:11 UTC 2020 - Matthias Fehring
+
+- Update to version 3.0.2
+ * Remove potential licensing conflicts
+ * Fix situations when TLS 1.3 is used for Ticketbleed check
+ * Improved compatibility with LibreSSL 3.0
+ * Add brotil compression to BREACH
+ * Faster and more robust XMPP STARTTLS handshakes
+ * More robust STARTTLS handshakes
+ * Fix outputs, sometimes misleading
+
+-------------------------------------------------------------------
+Wed Apr 15 09:23:34 UTC 2020 - Martin Hauke
+
+- Update to version 3.0.1
+ * Fix hang in BEAST check when there are ciphers starting with
+ SSL_* but which are no SSLv2 cipher
+ * Fix bug in setting DISPLAY_CIPHERNAMES when
+ $CIPHERS_BY_STRENGTH_FILE is not a/v.
+ * Fix basic auth LF problem
+ * Fix printing percent chars
+ * Fix minor HTML generation bug
+ * Fix security bug: sanitizing DNS input
+ * make --ids-friendly work again
+ * Update sneaky user agent
+ * Update links in code comments
+ * Cosmetic code updates
+ * Fix output bug when >1 PTR records returned
+ * More output fixes
+
+-------------------------------------------------------------------
+Fri Apr 3 20:05:45 UTC 2020 - Christian Boltz
+
+- fix bash path for Leap 15.x
+
+-------------------------------------------------------------------
+Thu Jan 23 20:42:34 UTC 2020 - Martin Hauke
+
+- Update to version 3.0
+ * Full support of TLS 1.3, shows also drafts supported
+ * Extended protocol downgrade checks
+ * ROBOT check
+ * Better TLS extension support
+ * Better OpenSSL 1.1.1 and higher versions support as well as
+ LibreSSL >3
+ * DNS over Proxy and other proxy improvements
+ * Decoding of unencrypted BIG IP cookies
+ * Initial client certificate support
+ * Warning of 825 day limit for certificates issued after
+ 2018/3/1
+ * Socket timeouts (--connect-timeout)
+ * IDN/IDN2 servername/URI + emoji support, supposed
+ libidn/idn2 is installed and DNS resolver is recent)support
+ * Initial support for certificate compression
+ * Better JSON output: renamed IDs and findings shorter/better
+ parsable, also includes certficate
+ * JSON output now valid also for non-responding servers
+ * Testing now per default 370 ciphers
+ * Further improving the robustness of TLS sockets (sending
+ and parsing)
+ * Support of supplying timeout value for openssl connect
+ -- useful for batch/mass scanning
+ * File input for serial or parallel mass testing can be also in
+ nmap grep(p)able (-oG) format
+ * LOGJAM: now checking also for DH and FFDHE groups (TLS 1.2)
+ * PFS: Display of elliptical curves supported, DH and FFDHE
+ groups (TLS 1.2 + TLS 1.3)
+ * Check for session resumption (Ticket, ID)
+ * TLS Robustness check GREASE and more
+ * Server preference distinguishes
between TLS 1.3 and lower
+ protocols
+ * Mark TLS 1.0 and TLS 1.1 as deprecated
+ * Does a few startup checks which make later tests easier and
+ faster (determine_optimal_\*())
+ * Expect-CT header detection
+ * --phone-out does certificate revocation checks via OCSP
+ (LDAP+HTTP) and with CRL
+ * --phone-out checks whether the private key has been
+ compromised via https://pwnedkeys.com/
+ * Missing SAN warning
+ * Added support for private CAs
+ * Way better handling of connectivity problems (counting those,
+ if threshold exceeded -> bye)
+ * Fixed TCP fragmentation
+ * Added --ids-friendly switch
+ * Exit codes better: 0 for running without error, 1+n for small
+ errors, >240 for major errors.
+ * Better error msg suppression (not fully installed OpenSSL)
+ * Better parsing of HTTP headers & better output of longer HTTP
+ headers
+ * Display more HTTP security headers
+ * HTTP Basic Auth support for HTTP header
+ * experimental "eTLS" detection
+ * Dockerfile and repo @ docker hub with that file (see above)
+ * Java Root CA store added
+ * Better support for XMPP via STARTTLS & faster
+ * Certificate check for to-name in stream of XMPP
+ * Support for NNTP and LMTP via STARTTLS, fixes for MySQL and
+ PostgresQL
+ * Support for SNI and STARTTLS
+ * More robustness for any STARTTLS protocol (fall back to
+ plaintext while in TLS caused problems)
+ * Renegotiation checks improved, also no false potive for Node.js
+ anymore
+ * Major update of client simulations with self-collected
+ up-to-date data
+ * Update of CA certificate stores
+ * Lots of bug fixes
+ * More travis/CI checks -- still place for improvements
+ * Bigger man page review
+- specfile cleanup
+- Add testssl.sh.rpmlintrc
+
+-------------------------------------------------------------------
+Wed Dec 11 21:11:28 UTC 2019 - Matthias Fehring
+
+- Update to testssl.sh 2.9.96 (aka 3.0rc6)
+ * Socket timeouts (--connect-timeout)
+ * IDN/IDN2 servername support
+ * pwnedkeys.com support
+ * Initial
support for certificate compression
+ * Initial client certificate support
+ * Better indentation for HTTP header outputs
+ * Better parsing of HTTP headers
+ * Penalize absence of TLS 1.2 anymore if server supports TLS 1.3 only
+ * Several improvements related to protocol determination and downgrade responses
+ * Some logic related using TLS 1.3 aware OpenSSL binaries more or less automagically
+ * Internal improvements to server preference checks
+ * Lots of internal and some speed improvements in "pre-flight checks" (comes before outputting any test)
+ * Mark TLS 1.0 and TLS 1.1 as deprecated
+ * Support newer OpenSSL/LibreSSL versions
+ * Improved detection of wrong user input when file was supplied for --csv,--json and --html
+ * Update client handshakes with newer client data and deprecate other clients
+ * Regression in CAA RR fixed
+ * Session resumption fixes
+ * Session ticket fixes
+ * Fixes for STARTTLS MySQL and PostgreSQL
+ * Unit tests for (almost) every STARTTLS protocol supported
+ * A lot of minor fixes
+
+-------------------------------------------------------------------
+Sat Apr 27 09:55:54 UTC 2019 - Matthias Fehring
+
+- Update to testssl.sh 2.9.95 (aka 3.0rc5)
+ * Modernized client handshakes
+ * Further code sanitizing
+ * Fixes in CSV files and JSON files creation and some ACE
+ loadbalancer related improvements
+ * Fix session tickets and resumption
+ * OpenSSL 1.1.1 fixes
+ * Darwin OpenSSL binary
+ * Updated certificate store
+ * Add SSLv2 to SWEET
+- update testssl.sh-2.9.92-set-install-dir.patch to
+ testssl.sh-2.9.95-set-install-dir.patch
+
+-------------------------------------------------------------------
+Tue Feb 19 10:43:36 UTC 2019 - Matthias Fehring
+
+- Update to testssl.sh 2.9.94 (aka 3.0rc4)
+ * Documentation fixes and additions
+ * Add new openssl helper binaries
+ * Bug fix: Scan continues if one of multiple IP addresses per
+ hostname has a problem
+ * "eTLS" detection ("visibility information")
+ * Minimize initial
warning "doesn't seem to be a TLS/SSL enabled
+ server" by using sockets
+ * Several improvement for SSLv2 only servers
+ * Handle different cipher preference < TLS 1.3 vs. TLS 1.3
+ * Clarify & improve Standard Cipher check (potentially breaking
+ change)
+ * Improve SWEET32 test
+ * Finding certificates is faster and independent on openssl
+
+-------------------------------------------------------------------
+Sat Dec 1 15:58:11 UTC 2018 - Matthias Fehring
+
+- Update to testssl.sh 2.9.93 (aka 3.0rc3)
+ * add SSLv2 ciphers *total ciphers now being tested for: 370)
+ * updated client simulation data
+ * TLS 1.3 improvements
+ * STARTTLS NNTP support
+ * STARTTLS XMPP faster and more reliable
+ * include DH groups (primes) in pfs section
+ * Fix TCP fragmentation under remaining OS: FreeBSD / Mac OS X
+ * further bugfixes and clarifications
+
+-------------------------------------------------------------------
+Wed Nov 28 09:52:06 UTC 2018 - Matthias Fehring
+
+- initial package version 2.9.92 (aka 3.0rc2)
diff --git a/testssl.sh.spec b/testssl.sh.spec
new file mode 100644
index 0000000..6e62278
--- /dev/null
+++ b/testssl.sh.spec
@@ -0,0 +1,65 @@
+#
+# spec file for package testssl.sh
+#
+# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2018 Matthias Fehring
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define _data_dir_name testssl-sh
+
+Name: testssl.sh
+Version: 3.0.9
+Release: 0
+Summary: Testing TLS/SSL Encryption Anywhere On Any Port
+License: GPL-2.0-or-later
+Group: Productivity/Networking/Security
+URL: https://testssl.sh
+Source0: https://github.com/drwetter/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Source1: %{name}-rpmlintrc
+Patch0: testssl.sh-2.9.95-set-install-dir.patch
+Requires: bash >= 3.2
+Requires: bind-utils
+Requires: openssl
+BuildArch: noarch
+
+%description
+testssl.sh is a free command line tool which checks a server's service on
+any port for the support of TLS/SSL ciphers, protocols as well as some
+cryptographic flaws.
+
+%prep
+%autosetup -p1
+%if 0%{?suse_version} > 1500
+sed -i 's|#!/usr/bin/env bash|#!/usr/bin/bash|g' testssl.sh
+%else
+# in Leap 15.x, it's still /bin/bash
+sed -i 's|#!/usr/bin/env bash|#!/bin/bash|g' testssl.sh
+%endif
+
+%build
+
+%install
+install -D -m 0644 -t %{buildroot}/%{_datadir}/%{_data_dir_name}/etc etc/*
+install -D -m 0755 -t %{buildroot}/%{_bindir} %{name}
+install -D -m 0644 -T doc/testssl.1 %{buildroot}/%{_mandir}/man1/%{name}.1
+
+%files
+%license LICENSE
+%doc CHANGELOG.md CREDITS.md Readme.md
+%{_bindir}/%{name}
+%{_datadir}/%{_data_dir_name}
+%{_mandir}/man1/%{name}.1%{ext_man}
+
+%changelog
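Review bot: The shebang rewrite in %prep, `sed -i 's|#!/usr/bin/env bash|#!/usr/bin/bash|g' testssl.sh`, substitutes every occurrence in the script rather than only the interpreter line, and it succeeds silently if upstream ever changes that text, so the package would then ship a script that still resolves bash through `env` instead of the fixed path the spec intends. Anchoring it to line 1, `sed -i '1s|^#!/usr/bin/env bash$|#!/usr/bin/bash|' testssl.sh`, and following it with `head -n1 testssl.sh | grep -q '^#!/usr/bin/bash$'` turns a missed rewrite into a build failure; the %else branch has the same pattern. The comment `# in Leap 15.x, it's still /bin/bash` explains the %else branch, but nothing says what the `> 1500` threshold selects, so a one-line comment above the %if naming the distribution versions it is meant to separate would help the next maintainer.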