Hello community, here is the log from the commit of package sslscan for openSUSE:Factory checked in at 2016-12-02 16:41:34 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sslscan (Old) and /work/SRC/openSUSE:Factory/.sslscan.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sslscan" Changes: -------- --- /work/SRC/openSUSE:Factory/sslscan/sslscan.changes 2016-11-18 22:02:06.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.sslscan.new/sslscan.changes 2016-12-02 16:41:35.000000000 +0100 @@ -1,0 +2,9 @@ +Mon Nov 28 23:49:30 UTC 2016 - jweberho...@weberhofer.at + +- Upgrade to version 1.11.8 + * Support alternate SNI hostnames (--sni=) + * Allow building with no support for TLS SCSV Fallback + +- Removed SSL_MODE_SEND_FALLBACK_SCSV (integrated upstream) + +------------------------------------------------------------------- Old: ---- SSL_MODE_SEND_FALLBACK_SCSV.patch sslscan-1.11.7-rbsec.tar.gz New: ---- sslscan-1.11.8-rbsec.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sslscan.spec ++++++ --- /var/tmp/diff_new_pack.8pEbDg/_old 2016-12-02 16:41:36.000000000 +0100 +++ /var/tmp/diff_new_pack.8pEbDg/_new 2016-12-02 16:41:36.000000000 +0100 @@ -17,7 +17,7 @@ Name: sslscan -Version: 1.11.7 +Version: 1.11.8 Release: 0 Summary: SSL cipher scanning tool License: SUSE-GPL-3.0+-with-openssl-exception @@ -26,7 +26,6 @@ Source: https://github.com/rbsec/sslscan/archive/%{version}-rbsec.tar.gz#/%{name}-%{version}-rbsec.tar.gz #Patches copied from Debian package Patch1: fedora-sslscan-patents.patch -Patch2: SSL_MODE_SEND_FALLBACK_SCSV.patch BuildRequires: openssl-devel BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -40,7 +39,6 @@ %if %{defined fedora} %patch1 -p1 %endif -%patch2 -p1 %build make CFLAGS="%{optflags}" %{?_smp_mflags} ++++++ sslscan-1.11.7-rbsec.tar.gz -> sslscan-1.11.8-rbsec.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sslscan-1.11.7-rbsec/Changelog new/sslscan-1.11.8-rbsec/Changelog --- old/sslscan-1.11.7-rbsec/Changelog 2016-06-13 14:42:11.000000000 +0200 +++ new/sslscan-1.11.8-rbsec/Changelog 2016-11-06 14:27:11.000000000 +0100 
@@ -1,6 +1,13 @@ Changelog ========= +Version: 1.11.8 +Date : 06/11/2016 +Author : rbsec <ro...@rbsec.net> +Changes: The following are a list of changes + > Support alternate SNI hostnames (--sni=) + > Allow building with no support for TLS SCSV Fallback + Version: 1.11.7 Date : 13/06/2016 Author : rbsec <ro...@rbsec.net> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sslscan-1.11.7-rbsec/Makefile new/sslscan-1.11.8-rbsec/Makefile --- old/sslscan-1.11.7-rbsec/Makefile 2016-06-13 14:42:11.000000000 +0200 +++ new/sslscan-1.11.8-rbsec/Makefile 2016-11-06 14:27:11.000000000 +0100 @@ -66,8 +66,10 @@ exit 1; \ fi ifeq ($(OS), Darwin) - install -d sslscan $(DESTDIR)$(BINDIR)/sslscan; - install -d sslscan.1 $(DESTDIR)$(MAN1DIR)/sslscan.1; + install -d $(DESTDIR)$(BINDIR)/; + install sslscan $(DESTDIR)$(BINDIR)/sslscan; + install -d $(DESTDIR)$(MAN1DIR)/; + install sslscan.1 $(DESTDIR)$(MAN1DIR)/sslscan.1; else install -D sslscan $(DESTDIR)$(BINDIR)/sslscan; install -D sslscan.1 $(DESTDIR)$(MAN1DIR)/sslscan.1; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sslscan-1.11.7-rbsec/README.md new/sslscan-1.11.8-rbsec/README.md --- old/sslscan-1.11.7-rbsec/README.md 2016-06-13 14:42:11.000000000 +0200 +++ new/sslscan-1.11.8-rbsec/README.md 2016-11-06 14:27:11.000000000 +0100 
@@ -5,38 +5,40 @@ This is a fork of ioerror's version of sslscan (the original readme of which is included below). Changes are as follows: * Highlight SSLv2 and SSLv3 ciphers in output. -* Highlight CBC ciphers on SSLv3 (POODLE) -* Highlight RC4 ciphers in output. +* Highlight CBC ciphers on SSLv3 (POODLE). +* Highlight 3DES and RC4 ciphers in output. * Highlight PFS+GCM ciphers as good in output. * Highlight NULL (0 bit), weak (<40 bit) and medium (40 < n <= 56) ciphers in output. * Highlight anonymous (ADH and AECDH) ciphers in output (purple). -* Hide certificate information by default (display with --get-certificate). -* Hide rejected ciphers by default (display with --failed). +* Hide certificate information by default (display with `--get-certificate`). +* Hide rejected ciphers by default (display with `--failed`). * Added TLSv1.1 and TLSv1.2 support (merged from twwbond/sslscan). * Compiles if OpenSSL does not support SSLv2 ciphers (merged from digineo/sslscan). -* Supports IPv6 hostnames (can be forced with --ipv6). -* Check for TLS compression (CRIME, disable with --no-compression). -* Disable cipher suite checking (--no-ciphersuites). -* Disable coloured output (--no-colour). +* Supports IPv6 hostnames (can be forced with `--ipv6`). +* Check for TLS compression (CRIME, disable with `--no-compression`). +* Disable cipher suite checking `--no-ciphersuites`. +* Disable coloured output `--no-colour`. * Removed undocumented -p output option. -* Added check for OpenSSL HeartBleed (CVE-2014-0160, disable with --no-heartbleed). +* Added check for OpenSSL HeartBleed (CVE-2014-0160, disable with `--no-heartbleed`). * Flag certificates signed with MD5 or SHA-1, or with short (<2048 bit) RSA keys. -* Support scanning RDP servers with --rdp (credit skettler). +* Support scanning RDP servers with `--rdp` (credit skettler). * Added option to specify socket timeout. * Added option for static compilation (credit dmke). -* Added --sleep option to pause between requests. 
-* Disable output for anything than specified checks (--no-preferred). -* Determine the list of CAs acceptable for client certificates (--show-client-cas). -* Experimental build support on OSX (credit MikeSchroll) +* Added `--sleep` option to pause between requests. +* Disable output for anything than specified checks `--no-preferred`. +* Determine the list of CAs acceptable for client certificates `--show-client-cas`. +* Experimental build support on OSX (credit MikeSchroll). * Flag some self-signed SSL certificates. * Experimental Windows support (credit jtesta). -* Display EC curve names and DHE key lengths with OpenSSL >= 1.0.2 (--no-cipher-details) -* Flag weak DHE keys with OpenSSL >= 1.0.2 (--cipher-details) -* Flag expired certificates +* Display EC curve names and DHE key lengths with OpenSSL >= 1.0.2 `--no-cipher-details`. +* Flag weak DHE keys with OpenSSL >= 1.0.2 `--cipher-details`. +* Flag expired certificates. * Flag TLSv1.0 ciphers in output as weak. -* Experimental OSX support (static building only) -* Support for scanning PostgreSQL servers (credit nuxi) -* Check for TLS Fallback SCSV support +* Experimental OSX support (static building only). +* Support for scanning PostgreSQL servers (credit nuxi). +* Check for TLS Fallback SCSV support. +* Added StartTLS support for LDAP `--starttls-ldap`. +* Added SNI support `--sni-name` (credit Ken). ### Building on Windows Thanks to a patch by jtesta, sslscan can now be compiled on Windows. This can diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sslscan-1.11.7-rbsec/TODO new/sslscan-1.11.8-rbsec/TODO --- old/sslscan-1.11.7-rbsec/TODO 2016-06-13 14:42:11.000000000 +0200 +++ new/sslscan-1.11.8-rbsec/TODO 2016-11-06 14:27:11.000000000 +0100 
@@ -5,8 +5,6 @@ Add support for SOCKS5 proxy (or audit for 'usewithtor') It seems to work fine with 'usewithtor' It still seems prudent to add proper proxy support -Add STARTTLS support for LDAP: - http://www.rfc-editor.org/rfc/rfc2830.txt Fix XMPP scans that do not support StartTLS: "<stream:error><invalid-namespace xmlns='urn:ietf:params:xml:ns:xmpp-streams'/></stream:error>" Add HTML report generation diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sslscan-1.11.7-rbsec/sslscan.1 new/sslscan-1.11.8-rbsec/sslscan.1 --- old/sslscan-1.11.7-rbsec/sslscan.1 2016-06-13 14:42:11.000000000 +0200 +++ new/sslscan-1.11.8-rbsec/sslscan.1 2016-11-06 14:27:11.000000000 +0100 @@ -38,6 +38,10 @@ check. Hosts can be supplied with ports (i.e. host:port). One target per line .TP +.B \-\-sni\-name=<name> +Use a different hostname for SNI +.br +.TP .B \-\-ipv4 .br Force IPv4 DNS resolution. @@ -136,6 +140,9 @@ .B \-\-starttls\-imap STARTTLS setup for IMAP .TP +.B \-\-starttls\-ldap +STARTTLS setup for LDAP +.TP .B \-\-starttls\-pop3 STARTTLS setup for POP3 .TP diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sslscan-1.11.7-rbsec/sslscan.c new/sslscan-1.11.8-rbsec/sslscan.c --- old/sslscan-1.11.7-rbsec/sslscan.c 2016-06-13 14:42:11.000000000 +0200 +++ new/sslscan-1.11.8-rbsec/sslscan.c 2016-11-06 14:27:11.000000000 +0100 @@ -34,6 +34,8 @@ * files in the program, then also delete it here. * ***************************************************************************/ +#define _GNU_SOURCE + // Includes... #ifdef _WIN32 #define WIN32_LEAN_AND_MEAN 
@@ -436,6 +438,36 @@ } } + // Setup a LDAP STARTTLS socket + if (options->starttls_ldap == true && tlsStarted == false) + { + tlsStarted = 1; + memset(buffer, 0, BUFFERSIZE); + char starttls[] = {'0', 0x1d, 0x02, 0x01, 0x01, 'w', 0x18, 0x80, 0x16, + '1', '.', '3', '.', '6', '.', '1', '.', '4', '.', '1', '.', + '1', '4', '6', '6', '.', '2', '0', '0', '3', '7'}; + char ok[] = "1.3.6.1.4.1.1466.20037"; + char unsupported[] = "unsupported extended operation"; + + // Send TLS + send(socketDescriptor, starttls, sizeof(starttls), 0); + if (!readOrLogAndClose(socketDescriptor, buffer, BUFFERSIZE, options)) + return 0; + + if (memmem(buffer, BUFFERSIZE, ok, sizeof(ok))) { + printf_verbose("STARTLS LDAP setup complete.\n"); + } + else if (memmem(buffer, BUFFERSIZE, unsupported, sizeof(unsupported))) { + printf_error("%sSTARTLS LDAP connection to %s:%d failed with '%s'.%s\n", + COL_RED, options->host, options->port, unsupported, RESET); + return 0; + } else { + printf_error("%sSTARTLS LDAP connection to %s:%d failed with unknown error.%s\n", + COL_RED, options->host, options->port, RESET); + return 0; + } + } + // Setup a FTP STARTTLS socket if (options->starttls_ftp == true && tlsStarted == false) { @@ -769,7 +801,7 @@ #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT) // This enables TLS SNI - SSL_set_tlsext_host_name(ssl, options->host); + SSL_set_tlsext_host_name(ssl, options->sniname); #endif // Connect SSL over socket @@ -842,6 +874,7 @@ return status; } +#ifdef SSL_MODE_SEND_FALLBACK_SCSV // Check for TLS_FALLBACK_SCSV int testFallback(struct sslCheckOptions *options, const SSL_METHOD *sslMethod) { @@ -908,7 +941,7 @@ #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT) // This enables TLS SNI - SSL_set_tlsext_host_name(ssl, options->host); + SSL_set_tlsext_host_name(ssl, options->sniname); #endif // Connect SSL over socket 
@@ -929,10 +962,12 @@ else if (sslversion == TLS1_VERSION) { printf("Server only supports TLSv1.0"); + status = false; } else { - printf("Server doesn't support TLS - skipping TLS Fallback SCSV check"); + printf("Server doesn't support TLS - skipping TLS Fallback SCSV check\n\n"); + status = false; } } else @@ -942,17 +977,23 @@ } else { - if (SSL_get_error(ssl, connStatus == 1)) + if (downgraded) { - ERR_get_error(); - if (SSL_get_error(ssl, connStatus == 6)) + if (SSL_get_error(ssl, connStatus == 1)) { - printf("Server %ssupports%s TLS Fallback SCSV\n\n", COL_GREEN, RESET); + ERR_get_error(); + if (SSL_get_error(ssl, connStatus == 6)) + { + printf("Server %ssupports%s TLS Fallback SCSV\n\n", COL_GREEN, RESET); + status = false; + } } } else { - printf("Connect failed: %d\n", SSL_get_error(ssl, connStatus)); + printf("%sConnection failed%s - unable to determine TLS Fallback SCSV support\n\n", + COL_YELLOW, RESET); + status = false; } } @@ -996,12 +1037,13 @@ } // Call function again with downgraded protocol - if (!downgraded) + if (status && !downgraded) { testFallback(options, secondMethod); } return status; } +#endif // Check if the server supports renegotiation @@ -1066,7 +1108,7 @@ // untested. Please report success or failure! However, this code change // has worked fine in other projects to which the contributor has added it, // or HTTP usage. - SSL_set_tlsext_host_name(ssl, options->host); + SSL_set_tlsext_host_name(ssl, options->sniname); #endif // Connect SSL over socket @@ -1443,7 +1485,7 @@ #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT) // This enables TLS SNI - SSL_set_tlsext_host_name (ssl, options->host); + SSL_set_tlsext_host_name (ssl, options->sniname); #endif // Connect SSL over socket 
@@ -1593,7 +1635,7 @@ { printf("%s%-29s%s", COL_RED, sslCipherPointer->name, RESET); } - else if (strstr(sslCipherPointer->name, "RC4")) + else if (strstr(sslCipherPointer->name, "RC4") || strstr(sslCipherPointer->name, "DES")) { printf("%s%-29s%s", COL_YELLOW, sslCipherPointer->name, RESET); } @@ -1743,7 +1785,7 @@ // untested. Please report success or failure! However, this code change // has worked fine in other projects to which the contributor has added it, // or HTTP usage. - SSL_set_tlsext_host_name (ssl, options->host); + SSL_set_tlsext_host_name (ssl, options->sniname); #endif // Connect SSL over socket @@ -2161,7 +2203,7 @@ // untested. Please report success or failure! However, this code change // has worked fine in other projects to which the contributor has added it, // or HTTP usage. - SSL_set_tlsext_host_name (ssl, options->host); + SSL_set_tlsext_host_name (ssl, options->sniname); #endif SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp); SSL_CTX_set_tlsext_status_cb(options->ctx, ocsp_resp_cb); @@ -2432,7 +2474,7 @@ // untested. Please report success or failure! However, this code change // has worked fine in other projects to which the contributor has added it, // or HTTP usage. - SSL_set_tlsext_host_name (ssl, options->host); + SSL_set_tlsext_host_name (ssl, options->sniname); #endif // Connect SSL over socket @@ -2875,7 +2917,7 @@ // untested. Please report success or failure! However, this code change // has worked fine in other projects to which the contributor has added it, // or HTTP usage. - SSL_set_tlsext_host_name (ssl, options->host); + SSL_set_tlsext_host_name (ssl, options->sniname); #endif // Connect SSL over socket 
@@ -3140,13 +3182,16 @@ } printf("\n"); } - if (status == true && options->fallback ) { printf(" %sTLS Fallback SCSV:%s\n", COL_BLUE, RESET); +#ifdef SSL_MODE_SEND_FALLBACK_SCSV testFallback(options, NULL); +#else + printf("%sOpenSSL version does not support SCSV fallback%s\n\n", COL_RED, RESET); + +#endif } - if (status == true && options->reneg ) { printf(" %sTLS renegotiation:%s\n", COL_BLUE, RESET); @@ -3335,6 +3380,7 @@ options.starttls_ftp = false; options.starttls_imap = false; options.starttls_irc = false; + options.starttls_ldap = false; options.starttls_pop3 = false; options.starttls_smtp = false; options.starttls_xmpp = false; @@ -3480,6 +3526,10 @@ else if (strcmp("--starttls-irc", argv[argLoop]) == 0) options.starttls_irc = true; + // StartTLS... LDAP + else if (strcmp("--starttls-ldap", argv[argLoop]) == 0) + options.starttls_ldap = true; + // StartTLS... POP3 else if (strcmp("--starttls-pop3", argv[argLoop]) == 0) options.starttls_pop3 = true; @@ -3562,6 +3612,13 @@ else if (strcmp("--ocsp", argv[argLoop]) == 0) options.ocspStatus = true; + // SNI name + else if (strncmp("--sni-name=", argv[argLoop], 11) == 0) + strncpy(options.sniname, argv[argLoop]+11, strlen(argv[argLoop])-11); + + else if (strcmp("--ocsp", argv[argLoop]) == 0) + options.ocspStatus = true; + // Host (maybe port too)... else if (argLoop + 1 == argc) 
@@ -3608,10 +3665,24 @@ strncpy(options.host, hostString, sizeof(options.host) -1); + // No SNI name passed on command line + if (strlen(options.sniname) == 0) + { + strncpy(options.sniname, options.host, sizeof(options.host)); + } + // Get port (if it exists)... tempInt++; - if (tempInt < maxSize - 1) - options.port = atoi(hostString + tempInt); + if (tempInt < maxSize) + { + errno = 0; + options.port = strtol((hostString + tempInt), NULL, 10); + if (options.port < 1 || options.port > 65535) + { + printf("\n%sInvalid port specified%s\n\n", COL_RED, RESET); + exit(1); + } + } else if (options.port == 0) { if (options.starttls_ftp) options.port = 21; @@ -3619,6 +3690,8 @@ options.port = 143; else if (options.starttls_irc) options.port = 6667; + else if (options.starttls_ldap) + options.port = 389; else if (options.starttls_pop3) options.port = 110; else if (options.starttls_smtp) @@ -3700,6 +3773,7 @@ printf("%sOptions:%s\n", COL_BLUE, RESET); printf(" %s--targets=<file>%s A file containing a list of hosts to check.\n", COL_GREEN, RESET); printf(" Hosts can be supplied with ports (host:port)\n"); + printf(" %s--sni-name=<name>%s Hostname for SNI\n", COL_GREEN, RESET); printf(" %s--ipv4%s Only use IPv4\n", COL_GREEN, RESET); printf(" %s--ipv6%s Only use IPv6\n", COL_GREEN, RESET); printf(" %s--show-certificate%s Show full certificate information\n", COL_GREEN, RESET); 
@@ -3726,13 +3800,16 @@ printf(" %s--pkpass=<password>%s The password for the private key or PKCS#12 file\n", COL_GREEN, RESET); printf(" %s--certs=<file>%s A file containing PEM/ASN1 formatted client certificates\n", COL_GREEN, RESET); printf(" %s--no-ciphersuites%s Do not check for supported ciphersuites\n", COL_GREEN, RESET); +#ifdef SSL_MODE_SEND_FALLBACK_SCSV printf(" %s--no-fallback%s Do not check for TLS Fallback SCSV\n", COL_GREEN, RESET); +#endif printf(" %s--no-renegotiation%s Do not check for TLS renegotiation\n", COL_GREEN, RESET); printf(" %s--no-compression%s Do not check for TLS compression (CRIME)\n", COL_GREEN, RESET); printf(" %s--no-heartbleed%s Do not check for OpenSSL Heartbleed (CVE-2014-0160)\n", COL_GREEN, RESET); printf(" %s--starttls-ftp%s STARTTLS setup for FTP\n", COL_GREEN, RESET); printf(" %s--starttls-imap%s STARTTLS setup for IMAP\n", COL_GREEN, RESET); printf(" %s--starttls-irc%s STARTTLS setup for IRC\n", COL_GREEN, RESET); + printf(" %s--starttls-ldap%s STARTTLS setup for LDAP\n", COL_GREEN, RESET); printf(" %s--starttls-pop3%s STARTTLS setup for POP3\n", COL_GREEN, RESET); printf(" %s--starttls-smtp%s STARTTLS setup for SMTP\n", COL_GREEN, RESET); printf(" %s--starttls-xmpp%s STARTTLS setup for XMPP\n", COL_GREEN, RESET); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sslscan-1.11.7-rbsec/sslscan.h new/sslscan-1.11.8-rbsec/sslscan.h --- old/sslscan-1.11.7-rbsec/sslscan.h 2016-06-13 14:42:11.000000000 +0200 +++ new/sslscan-1.11.8-rbsec/sslscan.h 2016-11-06 14:27:11.000000000 +0100 @@ -114,6 +114,7 @@ { // Program Options... char host[512]; + char sniname[512]; int port; int showCertificate; int checkCertificate; @@ -129,6 +130,7 @@ int starttls_ftp; int starttls_imap; int starttls_irc; + int starttls_ldap; int starttls_pop3; int starttls_smtp; int starttls_xmpp; 
@@ -203,7 +205,9 @@ int testCompression(struct sslCheckOptions *, const SSL_METHOD *); int testRenegotiation(struct sslCheckOptions *, const SSL_METHOD *); +#ifdef SSL_MODE_SEND_FALLBACK_SCSV int testfallback(struct sslCheckOptions *, const SSL_METHOD *); +#endif int testHeartbleed(struct sslCheckOptions *, const SSL_METHOD *); int testCipher(struct sslCheckOptions *, const SSL_METHOD *); int testProtocolCiphers(struct sslCheckOptions *, const SSL_METHOD *);
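Review bot: in the Changelog hunk (and the .changes entry copied from it), the new option is written as `--sni=`, but the man page hunk, the README hunk and the argument parser hunk in the same release all spell it `--sni-name=<name>`; the changelog line should read `Support alternate SNI hostnames (--sni-name=)` so the release notes do not advertise a flag the parser does not accept.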
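Review bot: in the sslscan.1 hunk at `@@ -38,6 +38,10 @@`, the new `.B \-\-sni\-name=<name>` entry places `.br` after the description text, while the neighbouring `\-\-ipv4` entry places `.br` directly after the `.B` line; move it for consistency with the rest of the option list.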
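Review bot: the `#define _GNU_SOURCE` added in the sslscan.c hunk at `@@ -34,6 +34,8 @@` is there to expose `memmem()`, which is a glibc/BSD extension rather than standard C and is not provided by the Windows C runtime; since this file carries an `#ifdef _WIN32` branch and the README hunk advertises experimental Windows support, the LDAP STARTTLS code that calls `memmem()` is likely to break that build unless a portable search is used or a fallback definition is supplied. Defining it before any include, as done here, is correct.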
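Review bot: in the LDAP STARTTLS hunk at `@@ -436,6 +438,36 @@`, `memmem(buffer, BUFFERSIZE, ok, sizeof(ok))` and `memmem(buffer, BUFFERSIZE, unsupported, sizeof(unsupported))` include the terminating NUL of the string literal in the needle length, so the OID match only succeeds when the response happens to end there and the zeroed buffer supplies a 0x00 byte after it, and the error-text match fails whenever another BER element follows the message; use `sizeof(ok) - 1` and `sizeof(unsupported) - 1` (or `strlen()`). The return value of `send(socketDescriptor, starttls, sizeof(starttls), 0)` is also not checked, the three user-visible messages spell "STARTLS" rather than "STARTTLS", and `tlsStarted = 1;` mixes an integer literal with the `true`/`false` comparisons used around it.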
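Review bot: in the testFallback hunk at `@@ -942,17 +977,23 @@`, the re-nested lines `SSL_get_error(ssl, connStatus == 1)` and `SSL_get_error(ssl, connStatus == 6)` pass the result of a comparison (0 or 1) as the return-code argument instead of `connStatus`, so they do not test what the numbers suggest; this is pre-existing, but moving the block under `if (downgraded)` is the right moment to rewrite it as `SSL_get_error(ssl, connStatus) == <intended SSL_ERROR_* code>`. In addition, when `downgraded` is true but neither inner check matches, nothing is printed and `status` is left as it was, so the downgraded pass can end without any result line for the user.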
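Review bot: in the hunk at `@@ -3140,13 +3182,16 @@`, as rendered here the lines `- if (status == true && options->fallback )` and `- if (status == true && options->reneg )` are removed with no `+` replacement, which would leave both brace blocks unconditional and run the Fallback SCSV and renegotiation checks even when `status` is false or the user disabled them; if these were only whitespace edits, the matching `+` lines are missing from this listing and the hunk should be confirmed against the 1.11.8 tarball before merging.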
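Review bot: in the option-parsing hunk at `@@ -3562,6 +3612,13 @@`, `strncpy(options.sniname, argv[argLoop]+11, strlen(argv[argLoop])-11)` bounds the copy by the length of the argument rather than by the 512-byte `sniname` buffer declared in the sslscan.h hunk, so an over-long `--sni-name=` value overflows `options.sniname`; bound it with `sizeof(options.sniname) - 1` and NUL-terminate explicitly. The hunk also adds a second `else if (strcmp("--ocsp", argv[argLoop]) == 0)` branch directly below the existing one, which is unreachable and should be dropped.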
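Review bot: in the hunk at `@@ -3608,10 +3665,24 @@`, `strncpy(options.sniname, options.host, sizeof(options.host))` uses the size of the source buffer as the bound and copies no terminator if `host` is full; use `sizeof(options.sniname) - 1` and terminate the string. In the port parsing, `errno = 0` is set before `strtol()` but never read, and the NULL `endptr` means a value such as `443abc` is accepted as 443; the 1..65535 range check is a welcome addition, and the change from `maxSize - 1` to `maxSize` correctly allows a single-digit port after the colon.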
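Review bot: in the cipher-colouring hunk at `@@ -1593,7 +1635,7 @@`, `strstr(sslCipherPointer->name, "DES")` matches any name containing DES, including single-DES suites and not only the 3DES suites the README hunk says are highlighted; this is harmless if the earlier weak-bit-length branches already catch single DES, but matching `"3DES"` or `"CBC3"` would state the intent more precisely.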
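Review bot: in the sslscan.h hunk at `@@ -203,7 +205,9 @@`, the prototype being wrapped is `int testfallback(struct sslCheckOptions *, const SSL_METHOD *);` while the definition in sslscan.c is `testFallback` (capital F), so the header declares a function that does not exist and the call site at `@@ -3140,13 +3182,16 @@` relies on an implicit declaration; rename the prototype to `testFallback` while touching these lines. The `#ifdef SSL_MODE_SEND_FALLBACK_SCSV` guard itself matches the one added around the definition and the help text.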