Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package sslscan for openSUSE:Factory checked 
in at 2024-07-25 15:40:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sslscan (Old)
 and      /work/SRC/openSUSE:Factory/.sslscan.new.1882 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "sslscan"

Thu Jul 25 15:40:14 2024 rev:19 rq:1189590 version:2.1.4

Changes:
--------
--- /work/SRC/openSUSE:Factory/sslscan/sslscan.changes  2024-02-26 
19:50:57.325978730 +0100
+++ /work/SRC/openSUSE:Factory/.sslscan.new.1882/sslscan.changes        
2024-07-25 16:02:19.558967679 +0200
@@ -1,0 +2,6 @@
+Thu Jul 25 09:38:59 UTC 2024 - Dirk Müller <dmuel...@suse.com>
+
+- update to 2.1.4:
+  * Display the full cert chain --show-certificates
+
+-------------------------------------------------------------------

Old:
----
  sslscan-2.1.3.tar.gz

New:
----
  sslscan-2.1.4.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ sslscan.spec ++++++
--- /var/tmp/diff_new_pack.eq0ND9/_old  2024-07-25 16:02:20.042987173 +0200
+++ /var/tmp/diff_new_pack.eq0ND9/_new  2024-07-25 16:02:20.046987334 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           sslscan
-Version:        2.1.3
+Version:        2.1.4
 Release:        0
 Summary:        SSL cipher scanning tool
 License:        SUSE-GPL-3.0+-with-openssl-exception

++++++ sslscan-2.1.3.tar.gz -> sslscan-2.1.4.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sslscan-2.1.3/Changelog new/sslscan-2.1.4/Changelog
--- old/sslscan-2.1.3/Changelog 2024-01-21 14:41:31.000000000 +0100
+++ new/sslscan-2.1.4/Changelog 2024-06-16 19:49:50.000000000 +0200
@@ -1,5 +1,11 @@
 Changelog
 =========
+Version: 2.1.4
+Date   : 16/06/2024
+Author : rbsec <ro...@rbsec.net>
+Changes: The following are a list of changes
+                > Display the full cert chain --show-certificates (credit 
fhtino)
+
 Version: 2.1.3
 Date   : 21/01/2024
 Author : rbsec <ro...@rbsec.net>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sslscan-2.1.3/Makefile new/sslscan-2.1.4/Makefile
--- old/sslscan-2.1.3/Makefile  2024-01-21 14:41:31.000000000 +0100
+++ new/sslscan-2.1.4/Makefile  2024-06-16 19:49:50.000000000 +0200
@@ -35,7 +35,11 @@
 # for dynamic linking
 LIBS      = -lssl -lcrypto
 ifneq ($(OS), FreeBSD)
+ifneq ($(findstring MINGW64,$(OS)),MINGW64)
        LIBS += -ldl
+else
+       LIBS += -lwsock32 -lWs2_32
+endif
 endif
 ifeq ($(OS), SunOS)
        CFLAGS += -m64
@@ -50,7 +54,13 @@
 # Don't enable some hardening flags on OS X because it uses an old version of 
Clang
 ifneq ($(OS), Darwin)
 ifneq ($(OS), SunOS)
+ifneq ($(findstring CYGWIN,$(OS)),CYGWIN)
+ifneq ($(findstring MINGW64,$(OS)),MINGW64)
        LDFLAGS += -pie -z relro -z now
+else
+       LDFLAGS += -pie
+endif
+endif
 endif
 endif
 
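Review bot: The new CYGWIN and MINGW64 branches change which hardening flags are linked in, but the only comment above them still talks about OS X and old Clang. As written, MINGW64 keeps only `-pie` and CYGWIN gets no `LDFLAGS` hardening at all, and a reader cannot tell whether that is deliberate. A comment such as `# -z relro/-z now are ELF linker options; Cygwin and MinGW produce PE binaries` above the `ifneq ($(findstring CYGWIN,...` line would record the reason. If ASLR/DEP are wanted on those targets, the PE equivalents (for example `-Wl,--dynamicbase,--nxcompat`) would presumably have to be set explicitly; I have not verified which of these the toolchains enable by default.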
@@ -68,8 +78,10 @@
 LIBS         = -lssl -lcrypto -lz -lpthread
 endif
 ifneq ($(OS), FreeBSD)
+ifneq ($(findstring CYGWIN,$(OS)),CYGWIN)
        LIBS += -ldl
 endif
+endif
 ifeq ($(OS), SunOS)
        LIBS += -lsocket -lnsl
 endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sslscan-2.1.3/README.md new/sslscan-2.1.4/README.md
--- old/sslscan-2.1.3/README.md 2024-01-21 14:41:31.000000000 +0100
+++ new/sslscan-2.1.4/README.md 2024-06-16 19:49:50.000000000 +0200
@@ -30,7 +30,8 @@
 
 
[![ci](https://github.com/rbsec/sslscan/actions/workflows/ci.yml/badge.svg)](https://github.com/rbsec/sslscan/actions/workflows/ci.yml)
 
-This is a fork of ioerror's version of sslscan (the original readme of which 
is included below).
+This is a fork of ioerror's version of sslscan (the original readme of which 
is included below) by rbsec (ro...@rbsec.net).
+
 Key changes are as follows:
 
 * Highlight SSLv2 and SSLv3 ciphers in output.
@@ -71,6 +72,7 @@
 * Check for supported key exchange groups.
 * Check for supported server signature algorithms.
 * Display IANA/RFC cipher names `--iana-names`
+* Display the full certifiate chain `--show-certificates`
 
 ### Building on Linux
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sslscan-2.1.3/sslscan.1 new/sslscan-2.1.4/sslscan.1
--- old/sslscan-2.1.3/sslscan.1 2024-01-21 14:41:31.000000000 +0100
+++ new/sslscan-2.1.4/sslscan.1 2024-06-16 19:49:50.000000000 +0200
@@ -48,6 +48,10 @@
 .B \-\-show\-certificate
 Display certificate information.
 .TP
+.B \-\-show\-certificates
+Display the full certificate chain.
+.TP
+.B \-\-no\-check\-certificate
 .B \-\-no\-check\-certificate
 Don't flag certificates signed with weak algorithms (MD5 and SHA-1) or short 
(<2048 bit) RSA keys
 .TP
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sslscan-2.1.3/sslscan.c new/sslscan-2.1.4/sslscan.c
--- old/sslscan-2.1.3/sslscan.c 2024-01-21 14:41:31.000000000 +0100
+++ new/sslscan-2.1.4/sslscan.c 2024-06-16 19:49:50.000000000 +0200
@@ -2814,186 +2814,204 @@
                                 BIO_set_fp(fileBIO, options->xmlOutput, 
BIO_NOCLOSE);
                             }
 
-                            // Get Certificate...
-                            printf("\n  %sSSL Certificate:%s\n", COL_BLUE, 
RESET);
-                            printf_xml("  <certificate type=\"full\">\n");
-                            x509Cert = SSL_get_peer_certificate(ssl);
-                            if (x509Cert != NULL)
-                            {
+                            // Get certificate(s) chain
+                            STACK_OF(X509) *certificatesChain;
 
-                                // Print a base64 blob version of the cert
-                                printf("    Certificate blob:\n");
-                                PEM_write_bio_X509(stdoutBIO,x509Cert);
-                                if (options->xmlOutput)
-                                {
-                                    printf_xml("   <certificate-blob>\n");
-                                    PEM_write_bio_X509(fileBIO,x509Cert);
-                                    printf_xml("   </certificate-blob>\n");
-                                }
+                            if (options->showCertificates == true)
+                            {
+                                certificatesChain = 
SSL_get_peer_cert_chain(ssl);   
+                            }
+                            else
+                            {                                
+                                X509 *peerCertificate = 
SSL_get_peer_certificate(ssl);
+                                certificatesChain = sk_X509_new_null();
+                                sk_X509_push(certificatesChain, 
peerCertificate);
+                            }
 
-                                //SSL_set_verify(ssl, 
SSL_VERIFY_NONE|SSL_VERIFY_CLIENT_ONCE, NULL);
+                            for (int cert_index = 0; cert_index < 
sk_X509_num(certificatesChain); cert_index++)
+                            {
+                                // Get Certificate...
+                                printf("\n  %sSSL Certificate: %s\n", 
COL_BLUE, RESET);
+                                printf_xml("  <certificate type=\"full\">\n");
 
-                               //X509_print_ex(bp, x509Cert, 0, 0);
+                                x509Cert = sk_X509_value(certificatesChain, 
cert_index);
 
-                                // Cert Version
-                                if (!(X509_FLAG_COMPAT & X509_FLAG_NO_VERSION))
+                                if (x509Cert != NULL)
                                 {
-                                    tempLong = X509_get_version(x509Cert);
-                                    printf("    Version: %lu\n", tempLong);
-                                    printf_xml("   <version>%lu</version>\n", 
tempLong);
-                                }
 
-                                // Cert Serial No. - Code adapted from 
OpenSSL's crypto/asn1/t_x509.c
-                                if (!(X509_FLAG_COMPAT & X509_FLAG_NO_SERIAL))
-                                {
-                                    ASN1_INTEGER *bs;
-                                    BIO *bp;
-                                    BIO *xml_bp;
-                                    bp = BIO_new_fp(stdout, BIO_NOCLOSE);
+                                    // Print a base64 blob version of the cert
+                                    printf("    Certificate blob:\n");
+                                    PEM_write_bio_X509(stdoutBIO,x509Cert);
                                     if (options->xmlOutput)
-                                        xml_bp = 
BIO_new_fp(options->xmlOutput, BIO_NOCLOSE);
-                                    long l;
-                                    int i;
-                                    const char *neg;
-                                    bs=X509_get_serialNumber(x509Cert);
+                                    {
+                                        printf_xml("   <certificate-blob>\n");
+                                        PEM_write_bio_X509(fileBIO,x509Cert);
+                                        printf_xml("   </certificate-blob>\n");
+                                    }
 
-                                    if (BIO_write(bp,"    Serial Number:",18) 
<= 0)
-                                        return(1);
+                                    // SSL_set_verify(ssl, 
SSL_VERIFY_NONE|SSL_VERIFY_CLIENT_ONCE, NULL);
 
-                                    if (bs->length <= 4)
+                                    // X509_print_ex(bp, x509Cert, 0, 0);
+
+                                    // Cert Version
+                                    if (!(X509_FLAG_COMPAT & 
X509_FLAG_NO_VERSION))
                                     {
-                                        l=ASN1_INTEGER_get(bs);
-                                        if (l < 0)
-                                        {
-                                            l= -l;
-                                            neg="-";
-                                        }
-                                        else
-                                            neg="";
-                                        if (BIO_printf(bp," %s%lu 
(%s0x%lx)\n",neg,l,neg,l) <= 0)
-                                            return(1);
-                                        if (options->xmlOutput)
-                                            if (BIO_printf(xml_bp,"   
<serial>%s%lu (%s0x%lx)</serial>\n",neg,l,neg,l) <= 0)
-                                                return(1);
+                                        tempLong = X509_get_version(x509Cert);
+                                        printf("    Version: %lu\n", tempLong);
+                                        printf_xml("   
<version>%lu</version>\n", tempLong);
                                     }
-                                    else
+
+                                    // Cert Serial No. - Code adapted from 
OpenSSL's crypto/asn1/t_x509.c
+                                    if (!(X509_FLAG_COMPAT & 
X509_FLAG_NO_SERIAL))
                                     {
-                                        neg=(bs->type == V_ASN1_NEG_INTEGER)?" 
(Negative)":"";
-                                        if (BIO_printf(bp,"%1s%s","",neg) <= 0)
+                                        ASN1_INTEGER *bs;
+                                        BIO *bp;
+                                        BIO *xml_bp;
+                                        bp = BIO_new_fp(stdout, BIO_NOCLOSE);
+                                        if (options->xmlOutput)
+                                            xml_bp = 
BIO_new_fp(options->xmlOutput, BIO_NOCLOSE);
+                                        long l;
+                                        int i;
+                                        const char *neg;
+                                        bs=X509_get_serialNumber(x509Cert);
+
+                                        if (BIO_write(bp,"    Serial 
Number:",18) <= 0)
                                             return(1);
 
-                                        if (options->xmlOutput)
-                                            if (BIO_printf(xml_bp,"   
<serial>") <= 0)
+                                        if (bs->length <= 4)
+                                        {
+                                            l=ASN1_INTEGER_get(bs);
+                                            if (l < 0)
+                                            {
+                                                l= -l;
+                                                neg="-";
+                                            }
+                                            else
+                                                neg="";
+                                            if (BIO_printf(bp," %s%lu 
(%s0x%lx)\n",neg,l,neg,l) <= 0)
                                                 return(1);
-
-                                        for (i=0; i<bs->length; i++)
+                                            if (options->xmlOutput)
+                                                if (BIO_printf(xml_bp,"   
<serial>%s%lu (%s0x%lx)</serial>\n",neg,l,neg,l) <= 0)
+                                                    return(1);
+                                        }
+                                        else
                                         {
-                                            if 
(BIO_printf(bp,"%02x%c",bs->data[i],
-                                                        ((i+1 == 
bs->length)?'\n':':')) <= 0)
+                                            neg=(bs->type == 
V_ASN1_NEG_INTEGER)?" (Negative)":"";
+                                            if (BIO_printf(bp,"%1s%s","",neg) 
<= 0)
                                                 return(1);
-                                            if (options->xmlOutput) {
-                                                if (i+1 == bs->length)
-                                                {
-                                                    if 
(BIO_printf(xml_bp,"%02x",bs->data[i]) <= 0)
-                                                        return(1);
-                                                }
-                                                else
-                                                {
-                                                    if 
(BIO_printf(xml_bp,"%02x%c",bs->data[i], ':') <= 0)
-                                                        return(1);
+
+                                            if (options->xmlOutput)
+                                                if (BIO_printf(xml_bp,"   
<serial>") <= 0)
+                                                    return(1);
+
+                                            for (i=0; i<bs->length; i++)
+                                            {
+                                                if 
(BIO_printf(bp,"%02x%c",bs->data[i],
+                                                               ((i+1 == 
bs->length)?'\n':':')) <= 0)
+                                                    return(1);
+                                                if (options->xmlOutput) {
+                                                    if (i+1 == bs->length)
+                                                    {
+                                                        if 
(BIO_printf(xml_bp,"%02x",bs->data[i]) <= 0)
+                                                            return(1);
+                                                    }
+                                                    else
+                                                    {
+                                                        if 
(BIO_printf(xml_bp,"%02x%c",bs->data[i], ':') <= 0)
+                                                            return(1);
+                                                    }
                                                 }
                                             }
-                                        }
 
-                                        if (options->xmlOutput)
-                                            if 
(BIO_printf(xml_bp,"</serial>\n") <= 0)
-                                                return(1);
+                                            if (options->xmlOutput)
+                                                if 
(BIO_printf(xml_bp,"</serial>\n") <= 0)
+                                                    return(1);
 
+                                        }
+                                        if(NULL != bp)
+                                            BIO_free(bp);
+                                        // We don't free the xml_bp because it 
will be used in the future
                                     }
-                                    if(NULL != bp)
-                                        BIO_free(bp);
-                                    // We don't free the xml_bp because it 
will be used in the future
-                                }
 
-                                // Signature Algo...
-                                if (!(X509_FLAG_COMPAT & X509_FLAG_NO_SIGNAME))
-                                {
-                                   X509_signature_print(stdoutBIO, 
X509_get0_tbs_sigalg(x509Cert), NULL);
-/*                                    printf("    Signature Algorithm: ");
-                                    i2a_ASN1_OBJECT(stdoutBIO, 
X509_get0_tbs_sigalg(x509Cert));
-                                    printf("\n");
-*/
-                                    if (options->xmlOutput)
+                                    // Signature Algo...
+                                    if (!(X509_FLAG_COMPAT & 
X509_FLAG_NO_SIGNAME))
                                     {
-                                        printf_xml("   <signature-algorithm>");
-                                        X509_signature_print(fileBIO, 
X509_get0_tbs_sigalg(x509Cert), NULL);
-                                        printf_xml("</signature-algorithm>\n");
+                                        X509_signature_print(stdoutBIO, 
X509_get0_tbs_sigalg(x509Cert), NULL);
+                                        /*                                    
printf("    Signature Algorithm: ");
+                                                                            
i2a_ASN1_OBJECT(stdoutBIO, X509_get0_tbs_sigalg(x509Cert));
+                                                                            
printf("\n");
+                                        */
+                                        if (options->xmlOutput)
+                                        {
+                                            printf_xml("   
<signature-algorithm>");
+                                            X509_signature_print(fileBIO, 
X509_get0_tbs_sigalg(x509Cert), NULL);
+                                            
printf_xml("</signature-algorithm>\n");
+                                        }
                                     }
-                                }
 
-                                // SSL Certificate Issuer...
-                                if (!(X509_FLAG_COMPAT & X509_FLAG_NO_ISSUER))
-                                {
-                                    
X509_NAME_oneline(X509_get_issuer_name(x509Cert), buffer, sizeof(buffer) - 1);
-                                    printf("    Issuer: %s\n", buffer);
-                                    printf_xml("   
<issuer><![CDATA[%s]]></issuer>\n", buffer);
-                                }
-
-                                // Validity...
-                                if (!(X509_FLAG_COMPAT & 
X509_FLAG_NO_VALIDITY))
-                                {
-                                    printf("    Not valid before: ");
-                                    ASN1_TIME_print(stdoutBIO, 
X509_get_notBefore(x509Cert));
-                                    if (options->xmlOutput)
+                                    // SSL Certificate Issuer...
+                                    if (!(X509_FLAG_COMPAT & 
X509_FLAG_NO_ISSUER))
                                     {
-                                        printf_xml("   <not-valid-before>");
-                                        ASN1_TIME_print(fileBIO, 
X509_get_notBefore(x509Cert));
-                                        printf_xml("</not-valid-before>\n");
+                                        
X509_NAME_oneline(X509_get_issuer_name(x509Cert), buffer, sizeof(buffer) - 1);
+                                        printf("    Issuer: %s\n", buffer);
+                                        printf_xml("   
<issuer><![CDATA[%s]]></issuer>\n", buffer);
                                     }
-                                    printf("\n    Not valid after: ");
-                                    ASN1_TIME_print(stdoutBIO, 
X509_get_notAfter(x509Cert));
-                                    printf("\n");
-                                    if (options->xmlOutput)
-                                    {
-                                        printf_xml("   <not-valid-after>");
-                                        ASN1_TIME_print(fileBIO, 
X509_get_notAfter(x509Cert));
-                                        printf_xml("</not-valid-after>\n");
-                                    }
-                                }
-
-                                // SSL Certificate Subject...
-                                if (!(X509_FLAG_COMPAT & X509_FLAG_NO_SUBJECT))
-                                {
-                                    
X509_NAME_oneline(X509_get_subject_name(x509Cert), buffer, sizeof(buffer) - 1);
-                                    printf("    Subject: %s\n", buffer);
-                                    printf_xml("   
<subject><![CDATA[%s]]></subject>\n", buffer);
-                                }
 
-                                // Public Key Algo...
-                                if (!(X509_FLAG_COMPAT & X509_FLAG_NO_PUBKEY))
-                                {
-                                    printf("    Public Key Algorithm: ");
-                                   ASN1_OBJECT *xpoid = NULL;
-                                    i2a_ASN1_OBJECT(stdoutBIO, xpoid);
-                                    printf("\n");
-                                    if (options->xmlOutput)
+                                    // Validity...
+                                    if (!(X509_FLAG_COMPAT & 
X509_FLAG_NO_VALIDITY))
                                     {
-                                        printf_xml("   <pk-algorithm>");
-                                        i2a_ASN1_OBJECT(fileBIO, xpoid);
-                                        printf_xml("</pk-algorithm>\n");
+                                        printf("    Not valid before: ");
+                                        ASN1_TIME_print(stdoutBIO, 
X509_get_notBefore(x509Cert));
+                                        if (options->xmlOutput)
+                                        {
+                                            printf_xml("   
<not-valid-before>");
+                                            ASN1_TIME_print(fileBIO, 
X509_get_notBefore(x509Cert));
+                                            
printf_xml("</not-valid-before>\n");
+                                        }
+                                        printf("\n    Not valid after: ");
+                                        ASN1_TIME_print(stdoutBIO, 
X509_get_notAfter(x509Cert));
+                                        printf("\n");
+                                        if (options->xmlOutput)
+                                        {
+                                            printf_xml("   <not-valid-after>");
+                                            ASN1_TIME_print(fileBIO, 
X509_get_notAfter(x509Cert));
+                                            printf_xml("</not-valid-after>\n");
+                                        }
                                     }
 
-                                    // Public Key...
-                                    publicKey = X509_get_pubkey(x509Cert);
-                                    if (publicKey == NULL)
+                                    // SSL Certificate Subject...
+                                    if (!(X509_FLAG_COMPAT & 
X509_FLAG_NO_SUBJECT))
                                     {
-                                        printf("    Public Key: Could not 
load\n");
-                                        printf_xml("   <pk error=\"true\" 
/>\n");
+                                        
X509_NAME_oneline(X509_get_subject_name(x509Cert), buffer, sizeof(buffer) - 1);
+                                        printf("    Subject: %s\n", buffer);
+                                        printf_xml("   
<subject><![CDATA[%s]]></subject>\n", buffer);
                                     }
-                                    else
+
+                                    // Public Key Algo...
+                                    if (!(X509_FLAG_COMPAT & 
X509_FLAG_NO_PUBKEY))
                                     {
-                                        switch (EVP_PKEY_id(publicKey))
+                                        printf("    Public Key Algorithm: ");
+                                        ASN1_OBJECT *xpoid = NULL;
+                                        i2a_ASN1_OBJECT(stdoutBIO, xpoid);
+                                        printf("\n");
+                                        if (options->xmlOutput)
+                                        {
+                                            printf_xml("   <pk-algorithm>");
+                                            i2a_ASN1_OBJECT(fileBIO, xpoid);
+                                            printf_xml("</pk-algorithm>\n");
+                                        }
+
+                                        // Public Key...
+                                        publicKey = X509_get_pubkey(x509Cert);
+                                        if (publicKey == NULL)
                                         {
+                                            printf("    Public Key: Could not 
load\n");
+                                            printf_xml("   <pk error=\"true\" 
/>\n");
+                                        }
+                                        else
+                                        {
+                                            switch (EVP_PKEY_id(publicKey))
+                                            {
                                             case EVP_PKEY_RSA:
                                                 if 
(EVP_PKEY_get1_RSA(publicKey)!=NULL)
                                                 {
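Review bot: The two branches that fill `certificatesChain` leave it with different ownership, yet the loop treats both the same. Per the OpenSSL documentation, `SSL_get_peer_cert_chain()` returns a stack still owned by the session with no extra reference on its certificates, whereas `SSL_get_peer_certificate()` returns a counted reference; the `X509_free(x509Cert)` at the end of the loop body (next hunk) therefore drops references the session still holds when `--show-certificates` is set, which risks a double free or use-after-free once the SSL object is released, while handling a server-supplied chain. Taking a reference per element inside the `x509Cert != NULL` branch, `if (options->showCertificates == true) X509_up_ref(x509Cert);`, keeps the existing free balanced. The stack created with `sk_X509_new_null()` is not released in the visible lines; `if (options->showCertificates != true) sk_X509_free(certificatesChain);` after the loop would cover it. The enclosing function starts and ends outside this hunk, so a release further down cannot be ruled out from here.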
@@ -3049,77 +3067,79 @@
                                                 printf("    Public Key: 
Unknown\n");
                                                 printf_xml("   <pk 
error=\"true\" type=\"unknown\" />\n");
                                                 break;
-                                        }
+                                            }
 
-                                        EVP_PKEY_free(publicKey);
+                                            EVP_PKEY_free(publicKey);
+                                        }
                                     }
-                                }
 
-                                // X509 v3...
-                                if (!(X509_FLAG_COMPAT & 
X509_FLAG_NO_EXTENSIONS))
-                                {
-                                    if 
(sk_X509_EXTENSION_num(X509_get0_extensions(x509Cert)) > 0)
+                                    // X509 v3...
+                                    if (!(X509_FLAG_COMPAT & 
X509_FLAG_NO_EXTENSIONS))
                                     {
-                                        printf("    X509v3 Extensions:\n");
-                                        printf_xml("   <X509v3-Extensions>\n");
-                                        for (tempInt = 0; tempInt < 
sk_X509_EXTENSION_num(X509_get0_extensions(x509Cert)); tempInt++)
+                                        if 
(sk_X509_EXTENSION_num(X509_get0_extensions(x509Cert)) > 0)
                                         {
-                                            // Get Extension...
-                                            extension = 
sk_X509_EXTENSION_value(X509_get0_extensions(x509Cert), tempInt);
-
-                                            // Print Extension name...
-                                            printf("      ");
-                                            asn1Object = 
X509_EXTENSION_get_object(extension);
-                                            i2a_ASN1_OBJECT(stdoutBIO, 
asn1Object);
-                                            tempInt2 = 
X509_EXTENSION_get_critical(extension);
-                                            BIO_printf(stdoutBIO, ": %s\n", 
tempInt2 ? "critical" : "");
-                                            if (options->xmlOutput)
+                                            printf("    X509v3 Extensions:\n");
+                                            printf_xml("   
<X509v3-Extensions>\n");
+                                            for (tempInt = 0; tempInt < 
sk_X509_EXTENSION_num(X509_get0_extensions(x509Cert)); tempInt++)
                                             {
-                                                printf_xml("    <extension 
name=\"");
-                                                i2a_ASN1_OBJECT(fileBIO, 
asn1Object);
-                                                BIO_printf(fileBIO, 
"\"%s><![CDATA[", tempInt2 ? " level=\"critical\"" : "");
-                                            }
+                                                // Get Extension...
+                                                extension = 
sk_X509_EXTENSION_value(X509_get0_extensions(x509Cert), tempInt);
 
-                                            // Print Extension value...
-                                            if (!X509V3_EXT_print(stdoutBIO, 
extension, X509_FLAG_COMPAT, 8))
-                                            {
-                                                printf("        ");
-                                               ASN1_STRING_print(stdoutBIO, 
X509_EXTENSION_get_data(extension));
-                                            }
-                                            if (options->xmlOutput)
-                                            {
-                                                if (!X509V3_EXT_print(fileBIO, 
extension, X509_FLAG_COMPAT, 0))
-                                                   
ASN1_STRING_print(stdoutBIO, X509_EXTENSION_get_data(extension));
-                                                
printf_xml("]]></extension>\n");
+                                                // Print Extension name...
+                                                printf("      ");
+                                                asn1Object = 
X509_EXTENSION_get_object(extension);
+                                                i2a_ASN1_OBJECT(stdoutBIO, 
asn1Object);
+                                                tempInt2 = 
X509_EXTENSION_get_critical(extension);
+                                                BIO_printf(stdoutBIO, ": 
%s\n", tempInt2 ? "critical" : "");
+                                                if (options->xmlOutput)
+                                                {
+                                                    printf_xml("    <extension 
name=\"");
+                                                    i2a_ASN1_OBJECT(fileBIO, 
asn1Object);
+                                                    BIO_printf(fileBIO, 
"\"%s><![CDATA[", tempInt2 ? " level=\"critical\"" : "");
+                                                }
+
+                                                // Print Extension value...
+                                                if 
(!X509V3_EXT_print(stdoutBIO, extension, X509_FLAG_COMPAT, 8))
+                                                {
+                                                    printf("        ");
+                                                    
ASN1_STRING_print(stdoutBIO, X509_EXTENSION_get_data(extension));
+                                                }
+                                                if (options->xmlOutput)
+                                                {
+                                                    if 
(!X509V3_EXT_print(fileBIO, extension, X509_FLAG_COMPAT, 0))
+                                                        
ASN1_STRING_print(stdoutBIO, X509_EXTENSION_get_data(extension));
+                                                    
printf_xml("]]></extension>\n");
+                                                }
+                                                printf("\n");
                                             }
-                                            printf("\n");
+                                            printf_xml("   
</X509v3-Extensions>\n");
                                         }
-                                        printf_xml("   
</X509v3-Extensions>\n");
                                     }
-                                }
 
-                                // Verify Certificate...
-                                printf("  Verify Certificate:\n");
-                                verifyError = SSL_get_verify_result(ssl);
-                                if (verifyError == X509_V_OK)
-                                {
-                                    printf("    Certificate passed 
verification\n");
+                                    // Verify Certificate...
+                                    printf("  Verify m:\n");
+                                    verifyError = SSL_get_verify_result(ssl);
+                                    if (verifyError == X509_V_OK)
+                                    {
+                                        printf("    Certificate passed 
verification\n");
+                                    }
+                                    else
+                                    {
+                                        printf("    %s\n", 
X509_verify_cert_error_string(verifyError));
+                                    }
+
+                                    // Free X509 Certificate...
+                                    X509_free(x509Cert);
                                 }
+
                                 else
                                 {
-                                    printf("    %s\n", 
X509_verify_cert_error_string(verifyError));
+                                    printf("    Unable to parse 
certificate\n");
                                 }
 
-                                // Free X509 Certificate...
-                                X509_free(x509Cert);
-                            }
-
-                            else {
-                                printf("    Unable to parse certificate\n");
+                                printf_xml("  </certificate>\n");
                             }
 
-                            printf_xml("  </certificate>\n");
-
                             // Free BIO
                             BIO_free(stdoutBIO);
                             if (options->xmlOutput)
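Review bot: The heading printed before the verification result now reads `"  Verify m:\n"`, which looks like an accidental edit of the previous `"  Verify Certificate:\n"`; restoring the old string keeps the output stable for anyone parsing it. `SSL_get_verify_result(ssl)` reports a single result for the whole connection, so inside the per-certificate loop the same verdict is repeated under every chain entry and can be misread as a check of that intermediate or root. Printing it once after the loop, or adding a comment such as `// connection-wide result, not specific to this chain entry`, would make that clear. The loop and its function extend beyond this hunk.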
@@ -3710,8 +3730,9 @@
     if (status == true && (options->showCertificate == true || 
options->checkCertificate == true))
     {
         printf_xml(" <certificates>\n");
-        // Full certificate details (--show-certificates)
-        if (status == true && options->showCertificate == true)
+
+        // Full certificate details
+        if (status == true && (options->showCertificate == true || 
options->showCertificates == true))
         {
             status = showCertificate(options);
         }
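Review bot: The outer guard on the context line above still tests only `options->showCertificate` and `options->checkCertificate`, so the new `options->showCertificates` test nested inside it is never reached when `--show-certificates` is combined with `--no-check-certificate` and `--show-certificate` is omitted; the scan would then print no certificate data and give no message. The outer condition should include the new flag too: `if (status == true && (options->showCertificate == true || options->showCertificates == true || options->checkCertificate == true))`. The argument-parsing hunk sets the three fields independently, which is what makes this combination possible. The enclosing function starts and ends outside the hunk, so whether a later branch compensates cannot be seen here.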
@@ -3874,10 +3895,14 @@
             options->targets = argLoop;
         }
 
-        // Show certificate
+        // Show certificate (only one)
         else if (strcmp("--show-certificate", argv[argLoop]) == 0)
             options->showCertificate = true;
 
+        // Show certificates (all)
+        else if (strcmp("--show-certificates", argv[argLoop]) == 0)
+            options->showCertificates = true;
+
         // Don't check certificate strength
         else if (strcmp("--no-check-certificate", argv[argLoop]) == 0)
             options->checkCertificate = false;
@@ -4239,6 +4264,7 @@
             printf("  %s--ipv6, -6%s           Only use IPv6\n", COL_GREEN, 
RESET);
             printf("\n");
             printf("  %s--show-certificate%s   Show full certificate 
information\n", COL_GREEN, RESET);
+            printf("  %s--show-certificates%s  Show chain full certificates 
information\n", COL_GREEN, RESET);
             printf("  %s--show-client-cas%s    Show trusted CAs for TLS client 
auth\n", COL_GREEN, RESET);
             printf("  %s--no-check-certificate%s  Don't warn about weak 
certificate algorithm or keys\n", COL_GREEN, RESET);
             printf("  %s--ocsp%s               Request OCSP response from 
server\n", COL_GREEN, RESET);
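Review bot: The added help line reads `Show chain full certificates information`, which is ungrammatical and does not say how the option differs from `--show-certificate` on the line above it. A wording such as `printf("  %s--show-certificates%s  Show full certificate information for the whole chain\n", COL_GREEN, RESET);` would state the difference. The surrounding help function lies outside the hunk.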
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sslscan-2.1.3/sslscan.h new/sslscan-2.1.4/sslscan.h
--- old/sslscan-2.1.3/sslscan.h 2024-01-21 14:41:31.000000000 +0100
+++ new/sslscan-2.1.4/sslscan.h 2024-06-16 19:49:50.000000000 +0200
@@ -151,6 +151,7 @@
     char addrstr[INET6_ADDRSTRLEN];
     int port;
     int showCertificate;
+    int showCertificates;
     int checkCertificate;
     int showTrustedCAs;
     int showClientCiphers;
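Review bot: The new field `showCertificates` differs from the neighbouring `showCertificate` by one trailing letter and both are plain `int` members, so a mistyped name compiles cleanly and silently selects the other mode; the field is also added without a comment. A short comment would make the distinction visible at the declaration, for example `int showCertificates; // --show-certificates: print every certificate in the chain`, with a matching one on `showCertificate`, which the parser comment in sslscan.c describes as "only one". The struct definition begins and ends outside the hunk.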
