Hello community,
here is the log from the commit of package sslscan for openSUSE:Factory checked in at 2016-12-02 16:41:34
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sslscan (Old)
and /work/SRC/openSUSE:Factory/.sslscan.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sslscan"
Changes:
--------
--- /work/SRC/openSUSE:Factory/sslscan/sslscan.changes 2016-11-18 22:02:06.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.sslscan.new/sslscan.changes 2016-12-02 16:41:35.000000000 +0100
@@ -1,0 +2,9 @@
+Mon Nov 28 23:49:30 UTC 2016 - jweberhofer@weberhofer.at
+
+- Upgrade to version 1.11.8
+ * Support alternate SNI hostnames (--sni=)
+ * Allow building with no support for TLS SCSV Fallback
+
+- Removed SSL_MODE_SEND_FALLBACK_SCSV (integrated upstream)
+
+-------------------------------------------------------------------
Old:
----
SSL_MODE_SEND_FALLBACK_SCSV.patch
sslscan-1.11.7-rbsec.tar.gz
New:
----
sslscan-1.11.8-rbsec.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ sslscan.spec ++++++
--- /var/tmp/diff_new_pack.8pEbDg/_old 2016-12-02 16:41:36.000000000 +0100
+++ /var/tmp/diff_new_pack.8pEbDg/_new 2016-12-02 16:41:36.000000000 +0100
@@ -17,7 +17,7 @@
Name: sslscan
-Version: 1.11.7
+Version: 1.11.8
Release: 0
Summary: SSL cipher scanning tool
License: SUSE-GPL-3.0+-with-openssl-exception
@@ -26,7 +26,6 @@
Source: https://github.com/rbsec/sslscan/archive/%{version}-rbsec.tar.gz#/%{name}-%{version}-rbsec.tar.gz
#Patches copied from Debian package
Patch1: fedora-sslscan-patents.patch
-Patch2: SSL_MODE_SEND_FALLBACK_SCSV.patch
BuildRequires: openssl-devel
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -40,7 +39,6 @@
%if %{defined fedora}
%patch1 -p1
%endif
-%patch2 -p1
%build
make CFLAGS="%{optflags}" %{?_smp_mflags}
++++++ sslscan-1.11.7-rbsec.tar.gz -> sslscan-1.11.8-rbsec.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sslscan-1.11.7-rbsec/Changelog new/sslscan-1.11.8-rbsec/Changelog
--- old/sslscan-1.11.7-rbsec/Changelog 2016-06-13 14:42:11.000000000 +0200
+++ new/sslscan-1.11.8-rbsec/Changelog 2016-11-06 14:27:11.000000000 +0100
@@ -1,6 +1,13 @@
Changelog
=========
+Version: 1.11.8
+Date : 06/11/2016
+Author : rbsec
+Changes: The following are a list of changes
+ > Support alternate SNI hostnames (--sni=)
+ > Allow building with no support for TLS SCSV Fallback
+
Version: 1.11.7
Date : 13/06/2016
Author : rbsec
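Review bot: the new 1.11.8 entry names the option `--sni=`, but the man page, README and argument parser in this same release all spell it `--sni-name=<name>`; the packaging `.changes` entry at the top of this request copies the same wrong name. Suggest `> Support alternate SNI hostnames (--sni-name=)` here and in the `.changes` file so users do not try an option that the parser rejects.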
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sslscan-1.11.7-rbsec/Makefile new/sslscan-1.11.8-rbsec/Makefile
--- old/sslscan-1.11.7-rbsec/Makefile 2016-06-13 14:42:11.000000000 +0200
+++ new/sslscan-1.11.8-rbsec/Makefile 2016-11-06 14:27:11.000000000 +0100
@@ -66,8 +66,10 @@
exit 1; \
fi
ifeq ($(OS), Darwin)
- install -d sslscan $(DESTDIR)$(BINDIR)/sslscan;
- install -d sslscan.1 $(DESTDIR)$(MAN1DIR)/sslscan.1;
+ install -d $(DESTDIR)$(BINDIR)/;
+ install sslscan $(DESTDIR)$(BINDIR)/sslscan;
+ install -d $(DESTDIR)$(MAN1DIR)/;
+ install sslscan.1 $(DESTDIR)$(MAN1DIR)/sslscan.1;
else
install -D sslscan $(DESTDIR)$(BINDIR)/sslscan;
install -D sslscan.1 $(DESTDIR)$(MAN1DIR)/sslscan.1;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sslscan-1.11.7-rbsec/README.md new/sslscan-1.11.8-rbsec/README.md
--- old/sslscan-1.11.7-rbsec/README.md 2016-06-13 14:42:11.000000000 +0200
+++ new/sslscan-1.11.8-rbsec/README.md 2016-11-06 14:27:11.000000000 +0100
@@ -5,38 +5,40 @@
This is a fork of ioerror's version of sslscan (the original readme of which is included below). Changes are as follows:
* Highlight SSLv2 and SSLv3 ciphers in output.
-* Highlight CBC ciphers on SSLv3 (POODLE)
-* Highlight RC4 ciphers in output.
+* Highlight CBC ciphers on SSLv3 (POODLE).
+* Highlight 3DES and RC4 ciphers in output.
* Highlight PFS+GCM ciphers as good in output.
* Highlight NULL (0 bit), weak (<40 bit) and medium (40 < n <= 56) ciphers in output.
* Highlight anonymous (ADH and AECDH) ciphers in output (purple).
-* Hide certificate information by default (display with --get-certificate).
-* Hide rejected ciphers by default (display with --failed).
+* Hide certificate information by default (display with `--get-certificate`).
+* Hide rejected ciphers by default (display with `--failed`).
* Added TLSv1.1 and TLSv1.2 support (merged from twwbond/sslscan).
* Compiles if OpenSSL does not support SSLv2 ciphers (merged from digineo/sslscan).
-* Supports IPv6 hostnames (can be forced with --ipv6).
-* Check for TLS compression (CRIME, disable with --no-compression).
-* Disable cipher suite checking (--no-ciphersuites).
-* Disable coloured output (--no-colour).
+* Supports IPv6 hostnames (can be forced with `--ipv6`).
+* Check for TLS compression (CRIME, disable with `--no-compression`).
+* Disable cipher suite checking `--no-ciphersuites`.
+* Disable coloured output `--no-colour`.
* Removed undocumented -p output option.
-* Added check for OpenSSL HeartBleed (CVE-2014-0160, disable with --no-heartbleed).
+* Added check for OpenSSL HeartBleed (CVE-2014-0160, disable with `--no-heartbleed`).
* Flag certificates signed with MD5 or SHA-1, or with short (<2048 bit) RSA keys.
-* Support scanning RDP servers with --rdp (credit skettler).
+* Support scanning RDP servers with `--rdp` (credit skettler).
* Added option to specify socket timeout.
* Added option for static compilation (credit dmke).
-* Added --sleep option to pause between requests.
-* Disable output for anything than specified checks (--no-preferred).
-* Determine the list of CAs acceptable for client certificates (--show-client-cas).
-* Experimental build support on OSX (credit MikeSchroll)
+* Added `--sleep` option to pause between requests.
+* Disable output for anything than specified checks `--no-preferred`.
+* Determine the list of CAs acceptable for client certificates `--show-client-cas`.
+* Experimental build support on OSX (credit MikeSchroll).
* Flag some self-signed SSL certificates.
* Experimental Windows support (credit jtesta).
-* Display EC curve names and DHE key lengths with OpenSSL >= 1.0.2 (--no-cipher-details)
-* Flag weak DHE keys with OpenSSL >= 1.0.2 (--cipher-details)
-* Flag expired certificates
+* Display EC curve names and DHE key lengths with OpenSSL >= 1.0.2 `--no-cipher-details`.
+* Flag weak DHE keys with OpenSSL >= 1.0.2 `--cipher-details`.
+* Flag expired certificates.
* Flag TLSv1.0 ciphers in output as weak.
-* Experimental OSX support (static building only)
-* Support for scanning PostgreSQL servers (credit nuxi)
-* Check for TLS Fallback SCSV support
+* Experimental OSX support (static building only).
+* Support for scanning PostgreSQL servers (credit nuxi).
+* Check for TLS Fallback SCSV support.
+* Added StartTLS support for LDAP `--starttls-ldap`.
+* Added SNI support `--sni-name` (credit Ken).
### Building on Windows
Thanks to a patch by jtesta, sslscan can now be compiled on Windows. This can
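Review bot: the option formatting in this README hunk is inconsistent: `--get-certificate`, `--ipv6`, `--rdp` and `--no-heartbleed` keep their parentheses while `--no-ciphersuites`, `--no-colour`, `--no-preferred`, `--show-client-cas`, `--no-cipher-details` and `--cipher-details` lose them, so lines such as `* Disable cipher suite checking `--no-ciphersuites`.` now read as if the option were part of the sentence; suggest `* Disable cipher suite checking (`--no-ciphersuites`).` throughout. The `--no-preferred` line also still says "anything than specified checks" (should be "anything other than"), and the new `--sni-name` line omits the `=<name>` form that the man page and parser use.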
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sslscan-1.11.7-rbsec/TODO new/sslscan-1.11.8-rbsec/TODO
--- old/sslscan-1.11.7-rbsec/TODO 2016-06-13 14:42:11.000000000 +0200
+++ new/sslscan-1.11.8-rbsec/TODO 2016-11-06 14:27:11.000000000 +0100
@@ -5,8 +5,6 @@
Add support for SOCKS5 proxy (or audit for 'usewithtor')
It seems to work fine with 'usewithtor'
It still seems prudent to add proper proxy support
-Add STARTTLS support for LDAP:
- http://www.rfc-editor.org/rfc/rfc2830.txt
Fix XMPP scans that do not support StartTLS:
"stream:error<invalid-namespace xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>"
Add HTML report generation
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sslscan-1.11.7-rbsec/sslscan.1 new/sslscan-1.11.8-rbsec/sslscan.1
--- old/sslscan-1.11.7-rbsec/sslscan.1 2016-06-13 14:42:11.000000000 +0200
+++ new/sslscan-1.11.8-rbsec/sslscan.1 2016-11-06 14:27:11.000000000 +0100
@@ -38,6 +38,10 @@
check. Hosts can be supplied with
ports (i.e. host:port). One target per line
.TP
+.B \-\-sni\-name=<name>
+Use a different hostname for SNI
+.br
+.TP
.B \-\-ipv4
.br
Force IPv4 DNS resolution.
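Review bot: the `.br` in the new `\-\-sni\-name` entry sits after the description, immediately before `.TP`, where it has no effect, whereas the neighbouring `\-\-ipv4` entry places `.br` between the `.B` line and its description. Suggest matching the existing layout (`.B \-\-sni\-name=<name>` / `.br` / `Use a different hostname for SNI.`) so the rendered man page is consistent.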
@@ -136,6 +140,9 @@
.B \-\-starttls\-imap
STARTTLS setup for IMAP
.TP
+.B \-\-starttls\-ldap
+STARTTLS setup for LDAP
+.TP
.B \-\-starttls\-pop3
STARTTLS setup for POP3
.TP
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sslscan-1.11.7-rbsec/sslscan.c new/sslscan-1.11.8-rbsec/sslscan.c
--- old/sslscan-1.11.7-rbsec/sslscan.c 2016-06-13 14:42:11.000000000 +0200
+++ new/sslscan-1.11.8-rbsec/sslscan.c 2016-11-06 14:27:11.000000000 +0100
@@ -34,6 +34,8 @@
* files in the program, then also delete it here. *
***************************************************************************/
+#define _GNU_SOURCE
+
// Includes...
#ifdef _WIN32
#define WIN32_LEAN_AND_MEAN
@@ -436,6 +438,36 @@
}
}
+ // Setup a LDAP STARTTLS socket
+ if (options->starttls_ldap == true && tlsStarted == false)
+ {
+ tlsStarted = 1;
+ memset(buffer, 0, BUFFERSIZE);
+ char starttls[] = {'0', 0x1d, 0x02, 0x01, 0x01, 'w', 0x18, 0x80, 0x16,
+ '1', '.', '3', '.', '6', '.', '1', '.', '4', '.', '1', '.',
+ '1', '4', '6', '6', '.', '2', '0', '0', '3', '7'};
+ char ok[] = "1.3.6.1.4.1.1466.20037";
+ char unsupported[] = "unsupported extended operation";
+
+ // Send TLS
+ send(socketDescriptor, starttls, sizeof(starttls), 0);
+ if (!readOrLogAndClose(socketDescriptor, buffer, BUFFERSIZE, options))
+ return 0;
+
+ if (memmem(buffer, BUFFERSIZE, ok, sizeof(ok))) {
+ printf_verbose("STARTLS LDAP setup complete.\n");
+ }
+ else if (memmem(buffer, BUFFERSIZE, unsupported, sizeof(unsupported))) {
+ printf_error("%sSTARTLS LDAP connection to %s:%d failed with '%s'.%s\n",
+ COL_RED, options->host, options->port, unsupported, RESET);
+ return 0;
+ } else {
+ printf_error("%sSTARTLS LDAP connection to %s:%d failed with unknown error.%s\n",
+ COL_RED, options->host, options->port, RESET);
+ return 0;
+ }
+ }
+
// Setup a FTP STARTTLS socket
if (options->starttls_ftp == true && tlsStarted == false)
{
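Review bot: the response matching in this LDAP STARTTLS block is fragile: `memmem(buffer, BUFFERSIZE, ok, sizeof(ok))` uses `sizeof` of a string literal array, which includes the NUL terminator, so the OID `1.3.6.1.4.1.1466.20037` only matches when a zero byte follows it in the received bytes; a response in which the responseName is followed by another BER element, or a read that fills the buffer, falls through to "unknown error". Use `sizeof(ok) - 1` (or `strlen(ok)`), and the same for `unsupported`. `memmem` is also a GNU extension (hence the new `#define _GNU_SOURCE` above); this file carries `#ifdef _WIN32` build paths and the README advertises Windows support, and that build has no `memmem`, so consider a small portable search helper or guarding the block. Two smaller points: the `0x80` element in `char starttls[]` is out of range for a signed `char` and draws a conversion warning, so declare the request as `unsigned char` and cast it for `send`; and the three messages read "STARTLS" where the rest of the file says "STARTTLS".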
@@ -769,7 +801,7 @@
#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
// This enables TLS SNI
- SSL_set_tlsext_host_name(ssl, options->host);
+ SSL_set_tlsext_host_name(ssl, options->sniname);
#endif
// Connect SSL over socket
@@ -842,6 +874,7 @@
return status;
}
+#ifdef SSL_MODE_SEND_FALLBACK_SCSV
// Check for TLS_FALLBACK_SCSV
int testFallback(struct sslCheckOptions *options, const SSL_METHOD *sslMethod)
{
@@ -908,7 +941,7 @@
#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
// This enables TLS SNI
- SSL_set_tlsext_host_name(ssl, options->host);
+ SSL_set_tlsext_host_name(ssl, options->sniname);
#endif
// Connect SSL over socket
@@ -929,10 +962,12 @@
else if (sslversion == TLS1_VERSION)
{
printf("Server only supports TLSv1.0");
+ status = false;
}
else
{
- printf("Server doesn't support TLS - skipping TLS Fallback SCSV check");
+ printf("Server doesn't support TLS - skipping TLS Fallback SCSV check\n\n");
+ status = false;
}
}
else
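Review bot: the `TLS1_VERSION` branch now sets `status = false` but its message `printf("Server only supports TLSv1.0");` still has no trailing newline, while the sibling branch below gained `\n\n` in this same hunk, so the next section header will be printed on the same line. Suggest `printf("Server only supports TLSv1.0\n\n");` for parity.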
@@ -942,17 +977,23 @@
}
else
{
- if (SSL_get_error(ssl, connStatus == 1))
+ if (downgraded)
{
- ERR_get_error();
- if (SSL_get_error(ssl, connStatus == 6))
+ if (SSL_get_error(ssl, connStatus == 1))
{
- printf("Server %ssupports%s TLS Fallback SCSV\n\n", COL_GREEN, RESET);
+ ERR_get_error();
+ if (SSL_get_error(ssl, connStatus == 6))
+ {
+ printf("Server %ssupports%s TLS Fallback SCSV\n\n", COL_GREEN, RESET);
+ status = false;
+ }
}
}
else
{
- printf("Connect failed: %d\n", SSL_get_error(ssl, connStatus));
+ printf("%sConnection failed%s - unable to determine TLS Fallback SCSV support\n\n",
+ COL_YELLOW, RESET);
+ status = false;
}
}
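Review bot: the code being moved under `if (downgraded)` keeps `SSL_get_error(ssl, connStatus == 1)` and `SSL_get_error(ssl, connStatus == 6)`, which pass the result of the comparison (0 or 1) as the `ret` argument instead of comparing the returned error code; since both lines are touched here anyway, they should become `SSL_get_error(ssl, connStatus) == SSL_ERROR_SSL` and `== SSL_ERROR_ZERO_RETURN`. In addition, when `downgraded` is true and neither inner condition holds, nothing is printed and `status` is left unchanged, whereas the non-downgraded path prints the yellow "Connection failed" line; an `else` with the same message would keep the two paths symmetric.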
@@ -996,12 +1037,13 @@
}
// Call function again with downgraded protocol
- if (!downgraded)
+ if (status && !downgraded)
{
testFallback(options, secondMethod);
}
return status;
}
+#endif
// Check if the server supports renegotiation
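Review bot: the recursive call `testFallback(options, secondMethod);` discards its return value, so the `status` returned to the caller reflects only the first, non-downgraded attempt even though this hunk now gates the recursion on `status`. If the caller is meant to see the downgraded result, use `status = testFallback(options, secondMethod);`.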
@@ -1066,7 +1108,7 @@
// untested. Please report success or failure! However, this code change
// has worked fine in other projects to which the contributor has added it,
// or HTTP usage.
- SSL_set_tlsext_host_name(ssl, options->host);
+ SSL_set_tlsext_host_name(ssl, options->sniname);
#endif
// Connect SSL over socket
@@ -1443,7 +1485,7 @@
#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
// This enables TLS SNI
- SSL_set_tlsext_host_name (ssl, options->host);
+ SSL_set_tlsext_host_name (ssl, options->sniname);
#endif
// Connect SSL over socket
@@ -1593,7 +1635,7 @@
{
printf("%s%-29s%s", COL_RED, sslCipherPointer->name, RESET);
}
- else if (strstr(sslCipherPointer->name, "RC4"))
+ else if (strstr(sslCipherPointer->name, "RC4") || strstr(sslCipherPointer->name, "DES"))
{
printf("%s%-29s%s", COL_YELLOW, sslCipherPointer->name, RESET);
}
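Review bot: `strstr(sslCipherPointer->name, "DES")` matches single-DES suite names (for example `DES-CBC-SHA`) as well as the 3DES `DES-CBC3-*` names the README line "Highlight 3DES and RC4 ciphers" refers to; please confirm the preceding `COL_RED` branch catches the 40/56-bit suites before this `else if` is reached, otherwise single DES is demoted from red to yellow. A short comment on the yellow branch naming 3DES and RC4 would make the intent clear.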
@@ -1743,7 +1785,7 @@
// untested. Please report success or failure! However, this code change
// has worked fine in other projects to which the contributor has added it,
// or HTTP usage.
- SSL_set_tlsext_host_name (ssl, options->host);
+ SSL_set_tlsext_host_name (ssl, options->sniname);
#endif
// Connect SSL over socket
@@ -2161,7 +2203,7 @@
// untested. Please report success or failure! However, this code change
// has worked fine in other projects to which the contributor has added it,
// or HTTP usage.
- SSL_set_tlsext_host_name (ssl, options->host);
+ SSL_set_tlsext_host_name (ssl, options->sniname);
#endif
SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp);
SSL_CTX_set_tlsext_status_cb(options->ctx, ocsp_resp_cb);
@@ -2432,7 +2474,7 @@
// untested. Please report success or failure! However, this code change
// has worked fine in other projects to which the contributor has added it,
// or HTTP usage.
- SSL_set_tlsext_host_name (ssl, options->host);
+ SSL_set_tlsext_host_name (ssl, options->sniname);
#endif
// Connect SSL over socket
@@ -2875,7 +2917,7 @@
// untested. Please report success or failure! However, this code change
// has worked fine in other projects to which the contributor has added it,
// or HTTP usage.
- SSL_set_tlsext_host_name (ssl, options->host);
+ SSL_set_tlsext_host_name (ssl, options->sniname);
#endif
// Connect SSL over socket
@@ -3140,13 +3182,16 @@
}
printf("\n");
}
-
if (status == true && options->fallback )
{
printf(" %sTLS Fallback SCSV:%s\n", COL_BLUE, RESET);
+#ifdef SSL_MODE_SEND_FALLBACK_SCSV
testFallback(options, NULL);
+#else
+ printf("%sOpenSSL version does not support SCSV fallback%s\n\n", COL_RED, RESET);
+
+#endif
}
-
if (status == true && options->reneg )
{
printf(" %sTLS renegotiation:%s\n", COL_BLUE, RESET);
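Review bot: the `#else` branch carries a stray blank line between the `printf` and `#endif`, and the two blank-line removals at the top and bottom of the hunk are unrelated whitespace churn. The "OpenSSL version does not support SCSV fallback" message is also printed in `COL_RED`, the colour used for server findings, although it describes a limitation of the local OpenSSL build; `COL_YELLOW`, as used for the "Connection failed" case in `testFallback`, would be less misleading.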
@@ -3335,6 +3380,7 @@
options.starttls_ftp = false;
options.starttls_imap = false;
options.starttls_irc = false;
+ options.starttls_ldap = false;
options.starttls_pop3 = false;
options.starttls_smtp = false;
options.starttls_xmpp = false;
@@ -3480,6 +3526,10 @@
else if (strcmp("--starttls-irc", argv[argLoop]) == 0)
options.starttls_irc = true;
+ // StartTLS... LDAP
+ else if (strcmp("--starttls-ldap", argv[argLoop]) == 0)
+ options.starttls_ldap = true;
+
// StartTLS... POP3
else if (strcmp("--starttls-pop3", argv[argLoop]) == 0)
options.starttls_pop3 = true;
@@ -3562,6 +3612,13 @@
else if (strcmp("--ocsp", argv[argLoop]) == 0)
options.ocspStatus = true;
+ // SNI name
+ else if (strncmp("--sni-name=", argv[argLoop], 11) == 0)
+ strncpy(options.sniname, argv[argLoop]+11, strlen(argv[argLoop])-11);
+
+ else if (strcmp("--ocsp", argv[argLoop]) == 0)
+ options.ocspStatus = true;
+
// Host (maybe port too)...
else if (argLoop + 1 == argc)
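Review bot: the `--sni-name=` copy `strncpy(options.sniname, argv[argLoop]+11, strlen(argv[argLoop])-11)` is bounded by the length of the argument, not by the 512-byte `sniname` array, so an argument longer than 511 characters overruns `options.sniname`; and because the copy length equals the source length, `strncpy` writes no terminator. Compare the host handling below, `strncpy(options.host, hostString, sizeof(options.host) -1)`, and use `strncpy(options.sniname, argv[argLoop]+11, sizeof(options.sniname)-1)` followed by `options.sniname[sizeof(options.sniname)-1] = 0`. The second `--ocsp` branch added in this hunk duplicates the one immediately above it and can never be reached; drop it.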
@@ -3608,10 +3665,24 @@
strncpy(options.host, hostString, sizeof(options.host) -1);
+ // No SNI name passed on command line
+ if (strlen(options.sniname) == 0)
+ {
+ strncpy(options.sniname, options.host, sizeof(options.host));
+ }
+
// Get port (if it exists)...
tempInt++;
- if (tempInt < maxSize - 1)
- options.port = atoi(hostString + tempInt);
+ if (tempInt < maxSize)
+ {
+ errno = 0;
+ options.port = strtol((hostString + tempInt), NULL, 10);
+ if (options.port < 1 || options.port > 65535)
+ {
+ printf("\n%sInvalid port specified%s\n\n", COL_RED, RESET);
+ exit(1);
+ }
+ }
else if (options.port == 0) {
if (options.starttls_ftp)
options.port = 21;
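Review bot: the SNI default `strncpy(options.sniname, options.host, sizeof(options.host))` should be sized by the destination, `sizeof(options.sniname) - 1`; the two arrays are both 512 bytes today, so it works, but it will silently break if either changes. The `strlen(options.sniname) == 0` test also relies on `sniname` being zeroed before argument parsing, and the option-defaults hunk above initialises `starttls_ldap` but shows no `options.sniname[0] = 0`; please confirm it is covered. In the port parsing, `errno = 0` is set before `strtol` but never examined, and with a `NULL` end pointer `host:443abc` is accepted as port 443; passing an `endptr` and rejecting trailing characters would tighten this, while the `1..65535` range check already rejects non-numeric input (which `strtol` returns as 0).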
@@ -3619,6 +3690,8 @@
options.port = 143;
else if (options.starttls_irc)
options.port = 6667;
+ else if (options.starttls_ldap)
+ options.port = 389;
else if (options.starttls_pop3)
options.port = 110;
else if (options.starttls_smtp)
@@ -3700,6 +3773,7 @@
printf("%sOptions:%s\n", COL_BLUE, RESET);
printf(" %s--targets=<file>%s A file containing a list of hosts to check.\n", COL_GREEN, RESET);
printf(" Hosts can be supplied with ports (host:port)\n");
+ printf(" %s--sni-name=<name>%s Hostname for SNI\n", COL_GREEN, RESET);
printf(" %s--ipv4%s Only use IPv4\n", COL_GREEN, RESET);
printf(" %s--ipv6%s Only use IPv6\n", COL_GREEN, RESET);
printf(" %s--show-certificate%s Show full certificate information\n", COL_GREEN, RESET);
@@ -3726,13 +3800,16 @@
printf(" %s--pkpass=<password>%s The password for the private key or PKCS#12 file\n", COL_GREEN, RESET);
printf(" %s--certs=<file>%s A file containing PEM/ASN1 formatted client certificates\n", COL_GREEN, RESET);
printf(" %s--no-ciphersuites%s Do not check for supported ciphersuites\n", COL_GREEN, RESET);
+#ifdef SSL_MODE_SEND_FALLBACK_SCSV
printf(" %s--no-fallback%s Do not check for TLS Fallback SCSV\n", COL_GREEN, RESET);
+#endif
printf(" %s--no-renegotiation%s Do not check for TLS renegotiation\n", COL_GREEN, RESET);
printf(" %s--no-compression%s Do not check for TLS compression (CRIME)\n", COL_GREEN, RESET);
printf(" %s--no-heartbleed%s Do not check for OpenSSL Heartbleed (CVE-2014-0160)\n", COL_GREEN, RESET);
printf(" %s--starttls-ftp%s STARTTLS setup for FTP\n", COL_GREEN, RESET);
printf(" %s--starttls-imap%s STARTTLS setup for IMAP\n", COL_GREEN, RESET);
printf(" %s--starttls-irc%s STARTTLS setup for IRC\n", COL_GREEN, RESET);
+ printf(" %s--starttls-ldap%s STARTTLS setup for LDAP\n", COL_GREEN, RESET);
printf(" %s--starttls-pop3%s STARTTLS setup for POP3\n", COL_GREEN, RESET);
printf(" %s--starttls-smtp%s STARTTLS setup for SMTP\n", COL_GREEN, RESET);
printf(" %s--starttls-xmpp%s STARTTLS setup for XMPP\n", COL_GREEN, RESET);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sslscan-1.11.7-rbsec/sslscan.h new/sslscan-1.11.8-rbsec/sslscan.h
--- old/sslscan-1.11.7-rbsec/sslscan.h 2016-06-13 14:42:11.000000000 +0200
+++ new/sslscan-1.11.8-rbsec/sslscan.h 2016-11-06 14:27:11.000000000 +0100
@@ -114,6 +114,7 @@
{
// Program Options...
char host[512];
+ char sniname[512];
int port;
int showCertificate;
int checkCertificate;
@@ -129,6 +130,7 @@
int starttls_ftp;
int starttls_imap;
int starttls_irc;
+ int starttls_ldap;
int starttls_pop3;
int starttls_smtp;
int starttls_xmpp;
@@ -203,7 +205,9 @@
int testCompression(struct sslCheckOptions *, const SSL_METHOD *);
int testRenegotiation(struct sslCheckOptions *, const SSL_METHOD *);
+#ifdef SSL_MODE_SEND_FALLBACK_SCSV
int testfallback(struct sslCheckOptions *, const SSL_METHOD *);
+#endif
int testHeartbleed(struct sslCheckOptions *, const SSL_METHOD *);
int testCipher(struct sslCheckOptions *, const SSL_METHOD *);
int testProtocolCiphers(struct sslCheckOptions *, const SSL_METHOD *);
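Review bot: the prototype wrapped in the new `#ifdef SSL_MODE_SEND_FALLBACK_SCSV` guard is `testfallback` (lower-case f), while the definition in sslscan.c is `testFallback`, so this declaration never matches the function and the definition is only visible to its caller because it precedes it in the file. Rename the prototype to `testFallback` so the guard actually covers the real declaration.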