From 2779045d1d2d2add5663ac1a422a9e0936bfab534cdd53fd279dd00042f0f007 Mon Sep 17 00:00:00 2001 From: Johannes Weberhofer Date: Wed, 22 Jul 2020 15:03:09 +0000 Subject: [PATCH 1/2] Accepting request 822258 from home:wfrisch:branches:security - Upgrade to version 2.0.0-beta6 * Various bugfixes * Added -4 and -6 options to force IPv4 and IPv6. * Added strength attribute to XML to reflect colouring in stdout * Checks for server signature algorithms. * Checks for server key exchange groups. * Support for SSLv2 and SSLv3 protocol detection regardless of OpenSSL * Support for TLSv1.3 * Support for additional cipher suites. * Print curve name and key strength for ECC certs * Fix a bug with servers that return incorrect cipher IDs. * Add a new "" element to the XML output. * Remove the "Signature Algorithm:" text and spacing from the XML. * Report servers that accept any signature algorithm in the XML - Rebased fedora-sslscan-patents.patch - OpenSSL dependency bumped to >= 1.1 OBS-URL: https://build.opensuse.org/request/show/822258 OBS-URL: https://build.opensuse.org/package/show/security/sslscan?expand=0&rev=18 --- fedora-sslscan-patents.patch | 19 +++++++------------ sslscan-1.11.10-rbsec.tar.gz | 3 --- sslscan-2.0.0~beta6.tar.gz | 3 +++ sslscan.changes | 20 ++++++++++++++++++++ sslscan.spec | 19 ++++++++++--------- 5 files changed, 40 insertions(+), 24 deletions(-) delete mode 100644 sslscan-1.11.10-rbsec.tar.gz create mode 100644 sslscan-2.0.0~beta6.tar.gz diff --git a/fedora-sslscan-patents.patch b/fedora-sslscan-patents.patch index 8ce87f1..84678e3 100644 --- a/fedora-sslscan-patents.patch +++ b/fedora-sslscan-patents.patch 
@@ -1,22 +1,17 @@ -diff -ur sslscan-1.11.0-rbsec-orig/sslscan.c sslscan-1.11.0-rbsec/sslscan.c ---- sslscan-1.11.0-rbsec-orig/sslscan.c 2015-09-24 16:18:55.000000000 +0200 -+++ sslscan-1.11.0-rbsec/sslscan.c 2016-10-27 11:10:40.634492563 +0200 -@@ -1613,18 +1613,21 @@ +diff --git a/sslscan.c b/sslscan.c +index a7b0233..2698f90 100644 +--- a/sslscan.c ++++ b/sslscan.c +@@ -2891,6 +2891,8 @@ int showCertificate(struct sslCheckOptions *options) printf(" DSA Public Key: NULL\n"); } break; + /* Comment out patented technology not enabled in Fedora */ + /* case EVP_PKEY_EC: - if (publicKey->pkey.ec) - { - // TODO - display key strength - printf_xml(" \n"); -- /* EC_KEY_print(stdoutBIO, publicKey->pkey.ec, 6); */ -+ // EC_KEY_print(stdoutBIO, publicKey->pkey.ec, 6); - } - else + if (EVP_PKEY_get1_EC_KEY(publicKey)!=NULL) { +@@ -2908,6 +2910,7 @@ int showCertificate(struct sslCheckOptions *options) printf(" EC Public Key: NULL\n"); } break; diff --git a/sslscan-1.11.10-rbsec.tar.gz b/sslscan-1.11.10-rbsec.tar.gz deleted file mode 100644 index 4282135..0000000 --- a/sslscan-1.11.10-rbsec.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:fbb26fdbf2cf5b2f3f8c88782721b7875f206552cf83201981411e0af9521204 -size 52108 diff --git a/sslscan-2.0.0~beta6.tar.gz b/sslscan-2.0.0~beta6.tar.gz new file mode 100644 index 0000000..ba7f6f1 --- /dev/null +++ b/sslscan-2.0.0~beta6.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9a37f8b922a3e8d66680d26f1f9399b03f531353503f2472bad2c319ef176aa8 +size 109783 diff --git a/sslscan.changes b/sslscan.changes index 61a7d7f..98b912f 100644 --- a/sslscan.changes +++ b/sslscan.changes 
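Review bot: The rebased patch still disables the EC branch of showCertificate() with a C block comment opened at `+    /* case EVP_PKEY_EC:`, which only compiles if no `*/` occurs before the closing delimiter; the previous version of this patch had to rewrite an `/* EC_KEY_print(...) */` line for exactly that reason, and this rebase drops that hunk without showing whether the 2.0.0 body (which now also prints curve name and key strength) is free of block comments. Wrapping the case in `#if 0 /* patented technology not enabled in Fedora */` ... `#endif` has no such hazard and is the conventional way to do this. The closing `*/` and the rest of showCertificate() lie outside this hunk. Note that the spec applies this patch only under `%if %{defined fedora}`, so nothing in this request actually exercises the rebase; at least a `patch -p1 --dry-run` against the 2.0.0~beta6 tarball should be recorded, or the patch dropped if it is never used on openSUSE.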
@@ -1,3 +1,23 @@ +------------------------------------------------------------------- +Wed Jul 22 14:11:33 UTC 2020 - Wolfgang Frisch + +- Upgrade to version 2.0.0-beta6 + * Various bugfixes + * Added -4 and -6 options to force IPv4 and IPv6. + * Added strength attribute to XML to reflect colouring in stdout + * Checks for server signature algorithms. + * Checks for server key exchange groups. + * Support for SSLv2 and SSLv3 protocol detection regardless of OpenSSL + * Support for TLSv1.3 + * Support for additional cipher suites. + * Print curve name and key strength for ECC certs + * Fix a bug with servers that return incorrect cipher IDs. + * Add a new "" element to the XML output. + * Remove the "Signature Algorithm:" text and spacing from the XML. + * Report servers that accept any signature algorithm in the XML +- Rebased fedora-sslscan-patents.patch +- OpenSSL dependency bumped to >= 1.1 + ------------------------------------------------------------------- Fri Feb 2 12:34:34 UTC 2018 - jweberhofer@weberhofer.at diff --git a/sslscan.spec b/sslscan.spec index 173b60b..fad447f 100644 --- a/sslscan.spec +++ b/sslscan.spec @@ -1,7 +1,7 @@ # # spec file for package sslscan # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -12,22 +12,22 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # Name: sslscan -Version: 1.11.10 +Version: 2.0.0~beta6 Release: 0 +%define UpstreamVersion 2.0.0-beta6 Summary: SSL cipher scanning tool License: SUSE-GPL-3.0+-with-openssl-exception Group: Productivity/Networking/Diagnostic -URL: https://github.com/rbsec/sslscan -Source: https://github.com/rbsec/sslscan/archive/%{version}-rbsec.tar.gz#/%{name}-%{version}-rbsec.tar.gz +Source: https://github.com/rbsec/sslscan/archive/%{UpstreamVersion}.tar.gz#/%{name}-%{version}.tar.gz #Patches copied from Debian package Patch1: fedora-sslscan-patents.patch BuildRequires: pkgconfig -BuildRequires: pkgconfig(libssl) < 1.1.0 +BuildRequires: pkgconfig(libssl) >= 1.1.0 %if 0%{?sle_version} %ifarch x86_64 BuildRequires: glibc-devel-32bit(x86-32) @@ -40,13 +40,13 @@ such as HTTPS. Furthermore, SSLScan will determine the preferred ciphers of the SSL service. %prep -%setup -q -n %{name}-%{version}-rbsec +%setup -q -n %{name}-%{UpstreamVersion} %if %{defined fedora} %patch1 -p1 %endif %build -make CFLAGS="%{optflags}" %{?_smp_mflags} +make CFLAGS="%{optflags} -fPIE" %{?_smp_mflags} %install install -d "%{buildroot}%{_bindir}" @@ -55,7 +55,8 @@ make install PREFIX="%{buildroot}%{_prefix}" %files %defattr(0644,root,root) -%doc LICENSE README.md +%doc README.md +%license LICENSE %attr(0755,root,root) %{_bindir}/sslscan %{_mandir}/man1/sslscan.1%{ext_man} From 6b7acac750fed06a7cfa61e0d6c7d3c732d780f1f94ce5bedb624c18623a221a Mon Sep 17 00:00:00 2001 
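Review bot: The `@@ -12,22 +12,22 @@` hunk deletes `-URL: https://github.com/rbsec/sslscan` together with the old Source line and nothing adds it back, so the package loses its URL tag (rpmlint's no-url-tag); keep `URL: https://github.com/rbsec/sslscan` above the new `Source:` line. In the `@@ -40,13 +40,13 @@` hunk, `-fPIE` in CFLAGS only makes the objects position-independent; the executable is a PIE only when the link step also gets `-pie` or the toolchain defaults to it, and the Makefile's link flags are not visible here. Check the result with `readelf -h %{buildroot}%{_bindir}/sslscan` (`Type: DYN` for a PIE) and, if it reports `EXEC`, pass `-pie` through whatever link variable the Makefile honours rather than relying on CFLAGS alone. On current openSUSE toolchains this is presumably redundant, but the fact the flag was added suggests it matters for some target, so it is worth confirming once.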
From: Johannes Weberhofer Date: Thu, 23 Jul 2020 12:28:14 +0000 Subject: [PATCH 2/2] Accepting request 822397 from home:weberho:branches:security - Upgrade to version 2.0.0 Version 2 of sslscan includes a major rewrite of the backend scanning code, which means that it is no longer reliant on the version of OpenSSL for many checks. This means that it is possible to support legacy protocols (SSLv2 and SSLv3), as well as supporting TLSv1.3 - regardless of the version of OpenSSL that it has been compiled against. It is still recommended to build statically where possible, but dynamically built version should be significantly more useful. Note that there are also some breaking changes to the XML output, which are documented in the readme file. This rewrite been made possible largely by the work of jtesta, who has been responsible for most of the backend rewrite. - Cleaned up spec file OBS-URL: https://build.opensuse.org/request/show/822397 OBS-URL: https://build.opensuse.org/package/show/security/sslscan?expand=0&rev=19 --- sslscan-2.0.0.tar.gz | 3 +++ sslscan-2.0.0~beta6.tar.gz | 3 --- sslscan.changes | 20 ++++++++++++++++++++ sslscan.spec | 18 ++++++------------ 4 files changed, 29 insertions(+), 15 deletions(-) create mode 100644 sslscan-2.0.0.tar.gz delete mode 100644 sslscan-2.0.0~beta6.tar.gz diff --git a/sslscan-2.0.0.tar.gz b/sslscan-2.0.0.tar.gz new file mode 100644 index 0000000..066f6f9 --- /dev/null +++ b/sslscan-2.0.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f582c4b1c9ff6cadde4a3130a3f721866faf6048f5b1cddd1f696dc5a6fb7921 +size 109677 diff --git a/sslscan-2.0.0~beta6.tar.gz b/sslscan-2.0.0~beta6.tar.gz deleted file mode 100644 index ba7f6f1..0000000 --- a/sslscan-2.0.0~beta6.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:9a37f8b922a3e8d66680d26f1f9399b03f531353503f2472bad2c319ef176aa8 -size 109783 diff --git a/sslscan.changes b/sslscan.changes index 98b912f..882cbe2 100644 
--- a/sslscan.changes +++ b/sslscan.changes @@ -1,3 +1,23 @@ +------------------------------------------------------------------- +Thu Jul 23 12:25:27 UTC 2020 - Johannes Weberhofer + +- Upgrade to version 2.0.0 + Version 2 of sslscan includes a major rewrite of the backend scanning code, + which means that it is no longer reliant on the version of OpenSSL for many + checks. This means that it is possible to support legacy protocols (SSLv2 and + SSLv3), as well as supporting TLSv1.3 - regardless of the version of OpenSSL + that it has been compiled against. It is still recommended to build statically + where possible, but dynamically built version should be significantly more + useful. + + Note that there are also some breaking changes to the XML output, which are + documented in the readme file. + + This rewrite been made possible largely by the work of jtesta, who has been + responsible for most of the backend rewrite. + +- Cleaned up spec file + ------------------------------------------------------------------- Wed Jul 22 14:11:33 UTC 2020 - Wolfgang Frisch diff --git a/sslscan.spec b/sslscan.spec index fad447f..93c4608 100644 --- a/sslscan.spec +++ b/sslscan.spec @@ -17,22 +17,16 @@ Name: sslscan -Version: 2.0.0~beta6 +Version: 2.0.0 Release: 0 -%define UpstreamVersion 2.0.0-beta6 Summary: SSL cipher scanning tool License: SUSE-GPL-3.0+-with-openssl-exception Group: Productivity/Networking/Diagnostic -Source: https://github.com/rbsec/sslscan/archive/%{UpstreamVersion}.tar.gz#/%{name}-%{version}.tar.gz +Source: https://github.com/rbsec/sslscan/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz #Patches copied from Debian package Patch1: fedora-sslscan-patents.patch BuildRequires: pkgconfig -BuildRequires: pkgconfig(libssl) >= 1.1.0 -%if 0%{?sle_version} -%ifarch x86_64 -BuildRequires: glibc-devel-32bit(x86-32) -%endif -%endif +BuildRequires: pkgconfig(libssl) >= 1.1.1 %description SSLScan determines what ciphers are supported on SSL-based services, 
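Review bot: The spec links sslscan dynamically against the distribution libssl (`BuildRequires: pkgconfig(libssl) >= 1.1.1`), while the changes entry in this same request quotes upstream's advice that a static build is still recommended. For a scanner the consequence is worth recording next to that line: whatever checks still go through libssl rather than sslscan 2's own handshake code can only negotiate what the distro's OpenSSL build enables, so a hardened system OpenSSL can make a target look cleaner than it is. I would add `# Dynamically linked against the distro OpenSSL: libssl-backed checks are limited to the protocol/cipher set that build supports (upstream recommends static builds for full coverage)` above the BuildRequires. Which checks go through libssl and which through the new backend is not visible here, so the comment should stay a caveat rather than a list.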
@@ -40,13 +34,13 @@ such as HTTPS. Furthermore, SSLScan will determine the preferred ciphers of the SSL service. %prep -%setup -q -n %{name}-%{UpstreamVersion} +%setup -q %if %{defined fedora} %patch1 -p1 %endif %build -make CFLAGS="%{optflags} -fPIE" %{?_smp_mflags} +%make_build CFLAGS="%{optflags} -fPIE" %install install -d "%{buildroot}%{_bindir}" @@ -58,6 +52,6 @@ make install PREFIX="%{buildroot}%{_prefix}" %doc README.md %license LICENSE %attr(0755,root,root) %{_bindir}/sslscan -%{_mandir}/man1/sslscan.1%{ext_man} +%{_mandir}/man1/sslscan.1%{?ext_man} %changelog
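Review bot: `%make_build CFLAGS="%{optflags} -fPIE"` passes CFLAGS on the make command line, which overrides every `CFLAGS =` or `CFLAGS +=` assignment inside upstream's Makefile, so any warning or hardening flags upstream sets there are dropped in favour of `%{optflags}` alone; the Makefile is not visible here, so whether it sets any is an inference. If it appends with `+=`, `export CFLAGS="%{optflags} -fPIE"` followed by a plain `%make_build` keeps both sets; if it assigns with `=`, the command-line form is the right one but upstream's flags should then be carried over explicitly. Either way a comment such as `# command-line CFLAGS replaces upstream's Makefile CFLAGS; keep in sync with upstream's hardening flags` above the line would record the decision for the next rebase.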