- Update to version 3.0.9

* Fix bash 5 issue when encountering a short server key extension * Fix HTML issue when using bash 5 * CAA DNS records are now not being queried when nodns is set * MongoDB identification fix * Sanity check when user has broken umask to avoid runtime errors * Fix for newer grep versions * Address weird globbing in bash 3.0 * Fix regexp in STARTTLS detection * Secure renegotiation fix: SNI * Ensure control chars from HTTP header don't end up in html,csv or json * Add sha1WithRSA to sha1WithRSAEncryption for certificates * Fix potential infinite loop in run_pfs() OBS-URL: https://build.opensuse.org/package/show/network:utilities/testssl.sh?expand=0&rev=21
2024-07-25 11:46:35 +00:00 · 2024-07-25 11:46:35 +00:00 · e0c16f8f32
commit e0c16f8f32
8 changed files with 432 additions and 0 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+.osc
--- a/testssl.sh-2.9.95-set-install-dir.patch
+++ b/testssl.sh-2.9.95-set-install-dir.patch
@ -0,0 +1,11 @@
+--- a/testssl.sh	2019-04-25 09:21:23.000000000 +0200
+++ b/testssl.sh	2019-04-27 11:51:37.267236022 +0200
+@@ -136,7 +136,7 @@
+ declare -r SYSTEM="$(uname -s)"
+ declare -r SYSTEMREV="$(uname -r)"
+ SYSTEM2=""                                        # currently only being used for WSL = bash on windows
+-TESTSSL_INSTALL_DIR="${TESTSSL_INSTALL_DIR:-""}"  # If you run testssl.sh and it doesn't find it necessary file automagically set TESTSSL_INSTALL_DIR
+TESTSSL_INSTALL_DIR="${TESTSSL_INSTALL_DIR:-"/usr/share/testssl-sh"}"  # If you run testssl.sh and it doesn't find it necessary file automagically set TESTSSL_INSTALL_DIR
+ CA_BUNDLES_PATH="${CA_BUNDLES_PATH:-""}"          # You can have your stores some place else
+ ADDITIONAL_CA_FILES="${ADDITIONAL_CA_FILES:-""}"  # single file with a CA in PEM format or comma separated lists of them
+ CIPHERS_BY_STRENGTH_FILE=""
--- a/testssl.sh-3.0.8.tar.gz
+++ b/testssl.sh-3.0.8.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:22c5dc6dfc7500db94b6f8a48775f72b5149d0a372b8552ed7666016ee79edf0
+size 9372229
--- a/testssl.sh-3.0.9.tar.gz
+++ b/testssl.sh-3.0.9.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:75ecbe4470e74f9ad17f4c4ac733be123b0f67d676ed24cc2b30adb41561e05f
+size 9381651
--- a/testssl.sh-rpmlintrc
+++ b/testssl.sh-rpmlintrc
@ -0,0 +1 @@
+addFilter("W: pem-certificate /usr/share/testssl-sh/etc/.*pem")
--- a/testssl.sh.changes
+++ b/testssl.sh.changes
@ -0,0 +1,325 @@
+-------------------------------------------------------------------
+Wed Jul 24 06:52:48 UTC 2024 - Martin Hauke <mardnh@gmx.de>
+
+- Update to version 3.0.9
+  * Fix bash 5 issue when encountering a short server key extension
+  * Fix HTML issue when using bash 5
+  * CAA DNS records are now not being queried when nodns is set
+  * MongoDB identification fix
+  * Sanity check when user has broken umask to avoid runtime errors
+  * Fix for newer grep versions
+  * Address weird globbing in bash 3.0
+  * Fix regexp in STARTTLS detection
+  * Secure renegotiation fix: SNI
+  * Ensure control chars from HTTP header don't end up in html,csv
+    or json
+  * Add sha1WithRSA to sha1WithRSAEncryption for certificates
+  * Fix potential infinite loop in run_pfs()
+
+-------------------------------------------------------------------
+Mon Feb 26 12:52:24 UTC 2024 - pgajdos@suse.com
+
+- Use %autosetup macro. Allows to eliminate the usage of deprecated
+  %patchN
+
+-------------------------------------------------------------------
+Wed Sep 28 20:54:50 UTC 2022 - Jeff Kowalczyk <jkowalczyk@suse.com>
+
+- Update to version 3.0.8
+  * Fix grep 3.8 warnings on fgrep and unneeded escapes of hyphen, slash, space (Geert)
+  * Fix alignment for cipher output (David)
+  * News binaries (Darwin from Barry), carry now the appendix -bad and fixes a security problem.
+  * Backport from higher OpenSSL version to support xmpp-server
+  * Fix CT (David)
+  * Fix decryption of TLS 1.3 response (David)
+  * Upgrade Dockerfile to Alpine to 3.15
+  * Fix pretty JSON formatting when warning is issued (David)
+  * Update of certificate stores
+  * Major update of client simulation (9 new simulations , >4 removed in default run)
+  * Fix CRIME output on servers only supporting TLS 1.3 (Tomasz)
+  * Fix censys link
+  * Fix ome handshake problems w $OPENSSL ciphers, extend determine_optimal_sockets_params() to more
+  * ciphers, fix PROTOS_OFFERED (David)
+  * Relax STARTTLS FTP requirement so that it doesn't require TLS after AUTH
+  * Fix run_server_preference() with no default protocol (David)
+  * Fix getting CRL / NO_SESSION_ID under some circumstances (David)
+  * Improve/fix OpenSSL 3.0 compatibility (David)
+  * Fix formatting to documentation
+  * Add FFDHE groups to supported_groups (David)
+  * Include RSA-PSS in ClientHello (David)
+- Requires: bind-utils for required tools dig, host and nslookup
+
+-------------------------------------------------------------------
+Sat Aug 13 21:43:23 UTC 2022 - Jeff Kowalczyk <jkowalczyk@suse.com>
+
+- Update to version 3.0.7
+  * Fix "ID resumption test failed" bug under Darwin
+  * Fix "locale error message when en_US.UTF-8 isn't available" bug
+  * Fix "Darwin / LibreSSL startup problem" which leads to a question upfront
+  * Make upfront handshake tests more compatible by adding </dev/null
+  * Take 'HTTP Age' HTTP header into account when determine HTTP time
+  * Fix JSON header (structured JSON output) name
+  * Robustness: Update reset_hostdepended_vars() for mass tests
+  * Simplify determination of git stuff
+  * Fix "newline to spaces" in JSON and CSV findings
+  * Fix "Bad file descriptor with --connect-timeout option"
+  * SSLv2 fixes, OpenSSL fixes 3.X
+  * Improve cipher_pref_check() for detecting prioritization of ChaCha ciphers
+  * Simplify + speed up pre-check
+  * Addressing lame DNS responses on WSL
+  * Fix big serial # issue in certs
+  * Fix invalid JSON when certificate issuer containing non-ASCII chars
+
+-------------------------------------------------------------------
+Sun Oct  3 14:02:29 UTC 2021 - Martin Hauke <mardnh@gmx.de>
+
+- Update to version 3.0.6
+  * Bugfix: Remove DST x3 Root CA which lead to trust issues for
+    servers using a Letsencrypt certificate (Miguel Jacq)
+  * Bugfix: Newer openssl.cnf break detection of openssl binary
+  * Documenation update to reflect renaming standard ciphers to
+    cipher categories
+  * Ignore usage of ~/.digrc where possible
+  * Fixing host information in JSON output when using STARTTLS
+    XMPP
+  * TLS 1.3 improvements wrt server certificates
+  * Bugfix: Order of -U --ids-friendly doesn't matter anymore
+  * Disable ANSI codes when TERM=screen
+  * Improved SSL/TLS port detection in nmap greppable files
+    using as input to testssl.sh
+  * Bugfix when nmap files had .txt extension
+  * Display certficate time in UTC
+  * Use _uname -n`` instead of hostname --> POSIX
+  * Few output fixes
+
+-------------------------------------------------------------------
+Mon May 10 20:33:48 UTC 2021 - Martin Hauke <mardnh@gmx.de>
+
+- Update to version 3.0.5
+  * Fix off by one error in HSTS (now: 180 instead of 179 days)
+  * Fix minor output inconsistency in JSON output (Chad)
+  * Improve compatibility for OpenSSL 3.0 (David Cooper)
+  * Fix localization issue for ciphers where e.g. in Swedish W is
+    being treated as a variant of V so that the W in
+    TLS_ECDHE_RSA_WITH* didn't match the bash pattern
+  * Fixes in file openssl-iana.mapping.html (Elfranne)
+  * Fix quoting for CVE+JSON output in run_heartbleed()
+  * Fix trailing dot issue in hostnames
+  * Fix improper proper halving of the dates for Let's Encrypt
+    certificates
+
+-------------------------------------------------------------------
+Thu Nov 26 14:45:01 UTC 2020 - Matthias Fehring <buschmann23@opensuse.org>
+
+- Update to version 3.0.4
+  * This version is a quick fix for a regression of detecting SSLv2
+    ciphers in a basic function.
+
+-------------------------------------------------------------------
+Thu Nov 19 09:50:48 UTC 2020 - Matthias Fehring <buschmann23@opensuse.org>
+
+- Update to version 3.0.3
+  * Update certificate stores
+  * manpage fix (Karl)
+  * minor speedups for some vulnerability tests
+  * bash 5.1 fix
+  * Secure Client-Initiated Renegotiation false positive fix
+  * BREACH is now medium
+  * invalid JSON fix and other JSON improvements (David)
+  * Adding native Android 7 handshake instead of Chrome which has
+    TLS 1.3 (Christoph)
+  * Header flag X-XSS-Protection is now labled as INFO
+  * No cyan colors in HHHTP header flags anymore, colons added
+
+-------------------------------------------------------------------
+Fri Jul 24 08:04:11 UTC 2020 - Matthias Fehring <buschmann23@opensuse.org>
+
+- Update to version 3.0.2
+  * Remove potential licensing conflicts
+  * Fix situations when TLS 1.3 is used for Ticketbleed check
+  * Improved compatibility with LibreSSL 3.0
+  * Add brotil compression to BREACH
+  * Faster and more robust XMPP STARTTLS handshakes
+  * More robust STARTTLS handshakes
+  * Fix outputs, sometimes misleading
+
+-------------------------------------------------------------------
+Wed Apr 15 09:23:34 UTC 2020 - Martin Hauke <mardnh@gmx.de>
+
+- Update to version 3.0.1
+  * Fix hang in BEAST check when there are ciphers starting with
+    SSL_* but which are no SSLv2 cipher
+  * Fix bug in setting DISPLAY_CIPHERNAMES when
+    $CIPHERS_BY_STRENGTH_FILE is not a/v.
+  * Fix basic auth LF problem
+  * Fix printing percent chars
+  * Fix minor HTML generation bug
+  * Fix security bug: sanitizing DNS input
+  * make --ids-friendly work again
+  * Update sneaky user agent
+  * Update links in code comments
+  * Cosmetic code updates
+  * Fix output bug when >1 PTR records returned
+  * More output fixes
+
+-------------------------------------------------------------------
+Fri Apr  3 20:05:45 UTC 2020 - Christian Boltz <suse-beta@cboltz.de>
+
+- fix bash path for Leap 15.x
+
+-------------------------------------------------------------------
+Thu Jan 23 20:42:34 UTC 2020 - Martin Hauke <mardnh@gmx.de>
+
+- Update to version 3.0
+  * Full support of TLS 1.3, shows also drafts supported
+  * Extended protocol downgrade checks
+  * ROBOT check
+  * Better TLS extension support
+  * Better OpenSSL 1.1.1 and higher versions support as well as
+    LibreSSL >3
+  * DNS over Proxy and other proxy improvements
+  * Decoding of unencrypted BIG IP cookies
+  * Initial client certificate support
+  * Warning of 825 day limit for certificates issued after
+    2018/3/1
+  * Socket timeouts (--connect-timeout)
+  * IDN/IDN2 servername/URI + emoji support, supposed
+    libidn/idn2 is installed and DNS resolver is recent)support
+  * Initial support for certificate compression
+  * Better JSON output: renamed IDs and findings shorter/better
+    parsable, also includes certficate
+  * JSON output now valid also for non-responding servers
+  * Testing now per default 370 ciphers
+  * Further improving the robustness of TLS sockets (sending
+    and parsing)
+  * Support of supplying timeout value for openssl connect
+    -- useful for batch/mass scanning
+  * File input for serial or parallel mass testing can be also in
+    nmap grep(p)able (-oG) format
+  * LOGJAM: now checking also for DH and FFDHE groups (TLS 1.2)
+  * PFS: Display of elliptical curves supported, DH and FFDHE
+    groups (TLS 1.2 + TLS 1.3)
+  * Check for session resumption (Ticket, ID)
+  * TLS Robustness check GREASE and more
+  * Server preference distinguishes between TLS 1.3 and lower
+    protocols
+  * Mark TLS 1.0 and TLS 1.1 as deprecated
+  * Does a few startup checks which make later tests easier and
+    faster (determine_optimal_\*())
+  * Expect-CT header detection
+  * --phone-out does certificate revocation checks via OCSP
+    (LDAP+HTTP) and with CRL
+  * --phone-out checks whether the private key has been
+    compromised via https://pwnedkeys.com/
+  * Missing SAN warning
+  * Added support for private CAs
+  * Way better handling of connectivity problems (counting those,
+    if threshold exceeded -> bye)
+  * Fixed TCP fragmentation
+  * Added --ids-friendly switch
+  * Exit codes better: 0 for running without error, 1+n for small
+    errors, >240 for major errors.
+  * Better error msg suppression (not fully installed OpenSSL)
+  * Better parsing of HTTP headers & better output of longer HTTP
+    headers
+  * Display more HTTP security headers
+  * HTTP Basic Auth support for HTTP header
+  * experimental "eTLS" detection
+  * Dockerfile and repo @ docker hub with that file (see above)
+  * Java Root CA store added
+  * Better support for XMPP via STARTTLS & faster
+  * Certificate check for to-name in stream of XMPP
+  * Support for NNTP and LMTP via STARTTLS, fixes for MySQL and
+    PostgresQL
+  * Support for SNI and STARTTLS
+  * More robustness for any STARTTLS protocol (fall back to
+    plaintext while in TLS caused problems)
+  * Renegotiation checks improved, also no false potive for Node.js
+    anymore
+  * Major update of client simulations with self-collected
+    up-to-date data
+  * Update of CA certificate stores
+  * Lots of bug fixes
+  * More travis/CI checks -- still place for improvements
+  * Bigger man page review
+- specfile cleanup
+- Add testssl.sh.rpmlintrc
+
+-------------------------------------------------------------------
+Wed Dec 11 21:11:28 UTC 2019 - Matthias Fehring <buschmann23@opensuse.org>
+
+- Update to testssl.sh 2.9.96 (aka 3.0rc6)
+  * Socket timeouts (--connect-timeout)
+  * IDN/IDN2 servername support
+  * pwnedkeys.com support
+  * Initial support for certificate compression
+  * Initial client certificate support
+  * Better indentation for HTTP header outputs
+  * Better parsing of HTTP headers
+  * Penalize absence of TLS 1.2 anymore if server supports TLS 1.3 only
+  * Several improvements related to protocol determination and downgrade responses
+  * Some logic related using TLS 1.3 aware OpenSSL binaries more or less automagically
+  * Internal improvements to server preference checks
+  * Lots of internal and some speed improvements in "pre-flight checks" (comes before outputting any test)
+  * Mark TLS 1.0 and TLS 1.1 as deprecated
+  * Support newer OpenSSL/LibreSSL versions
+  * Improved detection of wrong user input when file was supplied for --csv,--json and --html
+  * Update client handshakes with newer client data and deprecate other clients
+  * Regression in CAA RR fixed
+  * Session resumption fixes
+  * Session ticket fixes
+  * Fixes for STARTTLS MySQL and PostgreSQL
+  * Unit tests for (almost) every STARTTLS protocol supported
+  * A lot of minor fixes
+
+-------------------------------------------------------------------
+Sat Apr 27 09:55:54 UTC 2019 - Matthias Fehring <buschmann23@opensuse.org>
+
+- Update to testssl.sh 2.9.95 (aka 3.0rc5)
+  * Modernized client handshakes
+  * Further code sanitizing
+  * Fixes in CSV files and JSON files creation and some ACE
+    loadbalancer related improvements
+  * Fix session tickets and resumption
+  * OpenSSL 1.1.1 fixes
+  * Darwin OpenSSL binary
+  * Updated certificate store
+  * Add SSLv2 to SWEET
+- update testssl.sh-2.9.92-set-install-dir.patch to
+  testssl.sh-2.9.95-set-install-dir.patch
+
+-------------------------------------------------------------------
+Tue Feb 19 10:43:36 UTC 2019 - Matthias Fehring <buschmann23@opensuse.org>
+
+- Update to testssl.sh 2.9.94 (aka 3.0rc4)
+  * Documentation fixes and additions
+  * Add new openssl helper binaries
+  * Bug fix: Scan continues if one of multiple IP addresses per
+    hostname has a problem
+  * "eTLS" detection ("visibility information")
+  * Minimize initial warning "doesn't seem to be a TLS/SSL enabled
+    server" by using sockets
+  * Several improvement for SSLv2 only servers
+  * Handle different cipher preference < TLS 1.3 vs. TLS 1.3
+  * Clarify & improve Standard Cipher check (potentially breaking
+    change)
+  * Improve SWEET32 test
+  * Finding certificates is faster and independent on openssl
+
+-------------------------------------------------------------------
+Sat Dec  1 15:58:11 UTC 2018 - Matthias Fehring <buschmann23@opensuse.org>
+
+- Update to testssl.sh 2.9.93 (aka 3.0rc3)
+  * add SSLv2 ciphers *total ciphers now being tested for: 370)
+  * updated client simulation data
+  * TLS 1.3 improvements
+  * STARTTLS NNTP support
+  * STARTTLS XMPP faster and more reliable
+  * include DH groups (primes) in pfs section
+  * Fix TCP fragmentation under remaining OS: FreeBSD / Mac OS X
+  * further bugfixes and clarifications
+
+-------------------------------------------------------------------
+Wed Nov 28 09:52:06 UTC 2018 - Matthias Fehring <buschmann23@opensuse.org>
+
+- initial package version 2.9.92 (aka 3.0rc2)
--- a/testssl.sh.spec
+++ b/testssl.sh.spec
@ -0,0 +1,65 @@
+#
+# spec file for package testssl.sh
+#
+# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2018 Matthias Fehring <buschmann23@opensuse.org>
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define _data_dir_name testssl-sh
+
+Name:           testssl.sh
+Version:        3.0.9
+Release:        0
+Summary:        Testing TLS/SSL Encryption Anywhere On Any Port
+License:        GPL-2.0-or-later
+Group:          Productivity/Networking/Security
+URL:            https://testssl.sh
+Source0:        https://github.com/drwetter/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Source1:        %{name}-rpmlintrc
+Patch0:         testssl.sh-2.9.95-set-install-dir.patch
+Requires:       bash >= 3.2
+Requires:       bind-utils
+Requires:       openssl
+BuildArch:      noarch
+
+%description
+testssl.sh is a free command line tool which checks a server's service on
+any port for the support of TLS/SSL ciphers, protocols as well as some
+cryptographic flaws.
+
+%prep
+%autosetup -p1
+%if 0%{?suse_version} > 1500
+sed -i 's|#!/usr/bin/env bash|#!/usr/bin/bash|g' testssl.sh
+%else
+# in Leap 15.x, it's still /bin/bash
+sed -i 's|#!/usr/bin/env bash|#!/bin/bash|g' testssl.sh
+%endif
+
+%build
+
+%install
+install -D -m 0644 -t %{buildroot}/%{_datadir}/%{_data_dir_name}/etc etc/*
+install -D -m 0755 -t %{buildroot}/%{_bindir} %{name}
+install -D -m 0644 -T doc/testssl.1 %{buildroot}/%{_mandir}/man1/%{name}.1
+
+%files
+%license LICENSE
+%doc CHANGELOG.md CREDITS.md Readme.md
+%{_bindir}/%{name}
+%{_datadir}/%{_data_dir_name}
+%{_mandir}/man1/%{name}.1%{ext_man}
+
+%changelog
				`@ -0,0 +1 @@`
				`addFilter("W: pem-certificate /usr/share/testssl-sh/etc/.*pem")`