Hello community, here is the log from the commit of package sslscan for openSUSE:Factory checked in at 2017-12-29 18:50:31 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sslscan (Old) and /work/SRC/openSUSE:Factory/.sslscan.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sslscan" Fri Dec 29 18:50:31 2017 rev:4 rq:559797 version:1.11.10 Changes: -------- --- /work/SRC/openSUSE:Factory/sslscan/sslscan.changes 2016-12-02 16:41:35.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.sslscan.new/sslscan.changes 2017-12-29 18:50:42.560346976 +0100 @@ -1,0 +2,16 @@ +Mon Dec 25 06:30:34 UTC 2017 - jweberho...@weberhofer.at + +- Fix building on factory (use openssl 1.0.0) + +- Upgrade to version 1.11.10 + * Support for ChaCha ciphers + * Add support for STARTTLS on mysql (--starttls-mysql) + * Display SNI information in XML output + * Mark SHA-1 certificates as weak + +------------------------------------------------------------------- +Mon Dec 18 06:03:17 UTC 2017 - jweberho...@weberhofer.at + +- Fixed building on SLES systems + +------------------------------------------------------------------- Old: ---- sslscan-1.11.8-rbsec.tar.gz New: ---- sslscan-1.11.10-rbsec.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sslscan.spec ++++++ --- /var/tmp/diff_new_pack.K4OrMG/_old 2017-12-29 18:50:43.328126465 +0100 +++ /var/tmp/diff_new_pack.K4OrMG/_new 2017-12-29 18:50:43.336124168 +0100 @@ -1,7 +1,7 @@ # # spec file for package sslscan # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,17 +17,25 @@ Name: sslscan -Version: 1.11.8 +Version: 1.11.10 Release: 0 Summary: SSL cipher scanning tool License: SUSE-GPL-3.0+-with-openssl-exception Group: Productivity/Networking/Diagnostic -Url: https://www.titania-security.com/labs/sslscan +URL: https://github.com/rbsec/sslscan Source: https://github.com/rbsec/sslscan/archive/%{version}-rbsec.tar.gz#/%{name}-%{version}-rbsec.tar.gz #Patches copied from Debian package Patch1: fedora-sslscan-patents.patch -BuildRequires: openssl-devel -BuildRoot: %{_tmppath}/%{name}-%{version}-build +%if 0%{?suse_version} > 1500 +BuildRequires: pkgconfig(libssl) < 1.1.0 +%else +BuildRequires: pkgconfig(libssl) +%endif +%if 0%{?sle_version} +%ifarch x86_64 +BuildRequires: glibc-devel-32bit(x86-32) +%endif +%endif %description SSLScan determines what ciphers are supported on SSL-based services, @@ -49,7 +57,7 @@ make install PREFIX="%{buildroot}%{_prefix}" %files -%defattr(0644,root,root,0755) +%defattr(0644,root,root) %doc LICENSE README.md %attr(0755,root,root) %{_bindir}/sslscan %{_mandir}/man1/sslscan.1%{ext_man} ++++++ sslscan-1.11.8-rbsec.tar.gz -> sslscan-1.11.10-rbsec.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sslscan-1.11.8-rbsec/Changelog new/sslscan-1.11.10-rbsec/Changelog --- old/sslscan-1.11.8-rbsec/Changelog 2016-11-06 14:27:11.000000000 +0100 +++ new/sslscan-1.11.10-rbsec/Changelog 2017-05-04 18:02:41.000000000 +0200 @@ -1,6 +1,24 @@ Changelog ========= +Version: 1.11.10 +Date : 04/05/2017 +Author : rbsec <ro...@rbsec.net> +Changes: The following are a list of changes + > Build against Peter Mosmans' branch of OpenSSL + > Support for ChaCha ciphers + > NOTE: you will need to run `make clean && make static`. + +Version: 1.11.9 +Date : 09/04/2017 +Author : rbsec <ro...@rbsec.net> +Changes: The following are a list of changes + > Add support for STARTTLS on mysql (--starttls-mysql) + > Display SNI information in XML output + > Fix some compiler warnings + > Mark SHA-1 certificates as weak + > Fix build on some platforms + Version: 1.11.8 Date : 06/11/2016 Author : rbsec <ro...@rbsec.net> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sslscan-1.11.8-rbsec/Makefile new/sslscan-1.11.10-rbsec/Makefile --- old/sslscan-1.11.8-rbsec/Makefile 2016-11-06 14:27:11.000000000 +0100 +++ new/sslscan-1.11.10-rbsec/Makefile 2017-05-04 18:02:41.000000000 +0200 @@ -85,17 +85,8 @@ if [ -d openssl -a -d openssl/.git ]; then \ cd ./openssl && git checkout OpenSSL_1_0_2-stable && git pull | grep -q "Already up-to-date." && [ -e ../.openssl.is.fresh ] || touch ../.openssl.is.fresh ; \ else \ - git clone --depth 1 -b OpenSSL_1_0_2-stable https://github.com/openssl/openssl ./openssl && cd ./openssl && touch ../.openssl.is.fresh ; \ + git clone --depth 1 -b OpenSSL_1_0_2-stable https://github.com/PeterMosmans/openssl ./openssl && cd ./openssl && touch ../.openssl.is.fresh ; \ fi - # Re-enable SSLv2 EXPORT ciphers - sed -i.bak 's/# if 0/# if 1/g' openssl/ssl/s2_lib.c - rm openssl/ssl/s2_lib.c.bak - # Re-enable weak (<1024 bit) DH keys - sed -i.bak 's/dh_size < [0-9]\+/dh_size < 512/g' openssl/ssl/s3_clnt.c - rm openssl/ssl/s3_clnt.c.bak - # Break the weak DH key test so OpenSSL compiles - sed -i.bak 's/dhe512/zzz/g' openssl/test/testssl - rm openssl/test/testssl.bak # Need to build OpenSSL differently on OSX ifeq ($(OS), Darwin) @@ -116,6 +107,6 @@ $(MAKE) sslscan STATIC_BUILD=TRUE clean: - if [ -d openssl -a -d openssl/.git ]; then ( cd ./openssl; git clean -fx ); fi; + if [ -d openssl ]; then ( rm -rf openssl ); fi; rm -f sslscan rm -f .openssl.is.fresh diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sslscan-1.11.8-rbsec/README.md new/sslscan-1.11.10-rbsec/README.md --- old/sslscan-1.11.8-rbsec/README.md 2016-11-06 14:27:11.000000000 +0100 +++ new/sslscan-1.11.10-rbsec/README.md 2017-05-04 18:02:41.000000000 +0200 @@ -39,6 +39,7 @@ * Check for TLS Fallback SCSV support. * Added StartTLS support for LDAP `--starttls-ldap`. * Added SNI support `--sni-name` (credit Ken). +* Support STARTTLS for MySQL (credit bk2017). ### Building on Windows Thanks to a patch by jtesta, sslscan can now be compiled on Windows. This can @@ -60,6 +61,17 @@ ### OpenSSL issues +#### OpenSSL 1.1.0 Support +OpenSSL 1.1.0 introduced a number of significant changes, including the removal +of old and insecure features such as SSLv2. While this is a very good thing for +the SSL ecosystem as a whole, it is a problem for sslscan, which relies on +these legacy features being available in order to detect them on client system. + +In order to work around this, sslscan builds against [Peter Mosmans'](https://github.com/PeterMosmans/openssl) +fork of OpenSSL, which backports the Chacha20 and Poly1305 ciphers to OpenSSL +1.0.2, while keeping the dangerous legacy features (such as SSLv2 and EXPORT +ciphers) enabled. + #### Statically linking a custom OpenSSL build It is possible to ignore the OpenSSL system installation and ship your own diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sslscan-1.11.8-rbsec/sslscan.1 new/sslscan-1.11.10-rbsec/sslscan.1 --- old/sslscan-1.11.8-rbsec/sslscan.1 2016-11-06 14:27:11.000000000 +0100 +++ new/sslscan-1.11.10-rbsec/sslscan.1 2017-05-04 18:02:41.000000000 +0200 @@ -154,6 +154,9 @@ .B \-\-starttls\-psql STARTTLS setup for PostgreSQL .TP +.B \-\-starttls\-mysql +STARTTLS setup for MySQL +.TP .B \-\-starttls\-xmpp STARTTLS setup for XMPP .TP diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sslscan-1.11.8-rbsec/sslscan.c new/sslscan-1.11.10-rbsec/sslscan.c --- old/sslscan-1.11.8-rbsec/sslscan.c 2016-11-06 14:27:11.000000000 +0100 +++ new/sslscan-1.11.10-rbsec/sslscan.c 2017-05-04 18:02:41.000000000 +0200 @@ -107,6 +107,10 @@ /** Does output xml to stdout? */ static int xml_to_stdout = 0; +#if OPENSSL_VERSION_NUMBER < 0x1000100L +unsigned long SSL_CIPHER_get_id(const SSL_CIPHER* cipher) { return cipher->id; } +#endif + // Adds Ciphers to the Cipher List structure int populateCipherList(struct sslCheckOptions *options, const SSL_METHOD *sslMethod) { @@ -305,10 +309,25 @@ } } + if (options->starttls_mysql == true && tlsStarted == false) + { + tlsStarted = 1; + // Taken from https://github.com/tetlowgm/sslscan/blob/master/sslscan.c + + const char mysqlssl[] = { 0x20, 0x00, 0x00, 0x01, 0x85, 0xae, 0x7f, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x21, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00}; + + if (!readOrLogAndClose(socketDescriptor, buffer, BUFFERSIZE, options)) + return 0; + send(socketDescriptor, mysqlssl, sizeof(mysqlssl), 0); + } + // We could use an XML parser but frankly it seems like a security disaster if (options->starttls_xmpp == true && tlsStarted == false) { - /* This is so ghetto, you cannot release it! */ char xmpp_setup[1024]; // options->host is 512 bytes long /* XXX: TODO - options->host isn't always the host you want to test @@ -454,10 +473,18 @@ if (!readOrLogAndClose(socketDescriptor, buffer, BUFFERSIZE, options)) return 0; +#ifdef __USE_GNU if (memmem(buffer, BUFFERSIZE, ok, sizeof(ok))) { +#else + if (strnstr(buffer, ok, BUFFERSIZE)) { +#endif printf_verbose("STARTLS LDAP setup complete.\n"); } +#ifdef __USE_GNU else if (memmem(buffer, BUFFERSIZE, unsupported, sizeof(unsupported))) { +#else + else if (strnstr(buffer, unsupported, BUFFERSIZE)) { +#endif printf_error("%sSTARTLS LDAP connection to %s:%d failed with '%s'.%s\n", COL_RED, options->host, options->port, unsupported, RESET); return 0; @@ -951,11 +978,13 @@ if (!downgraded) { sslversion = SSL_version(ssl); +#if OPENSSL_VERSION_NUMBER >= 0x10001000L if (sslversion == TLS1_2_VERSION) { secondMethod = TLSv1_1_client_method(); - } - else if (sslversion == TLS1_VERSION) + } else +#endif + if (sslversion == TLS1_VERSION) { secondMethod = TLSv1_client_method(); } @@ -1155,14 +1184,14 @@ printf_verbose("Attempting SSL_do_handshake(ssl)\n"); SSL_do_handshake(ssl); // Send renegotiation request to server //TODO :: XXX hanging here - if (ssl->state == SSL_ST_OK) + if (SSL_get_state(ssl) == SSL_ST_OK) { res = SSL_do_handshake(ssl); // Send renegotiation request to server if( res != 1 ) { printf_error("\n\nSSL_do_handshake() call failed\n"); } - if (ssl->state == SSL_ST_OK) + if (SSL_get_state(ssl) == SSL_ST_OK) { /* our renegotiation is complete */ renOut->supported = true; @@ -1504,8 +1533,8 @@ return false; } - cipherid = SSL_CIPHER_get_id(sslCipherPointer); - cipherid = cipherid & 0x00ffffff; // remove first byte which is the version (0x03 for TLSv1/SSLv3) + cipherid = SSL_CIPHER_get_id(sslCipherPointer); + cipherid = cipherid & 0x00ffffff; // remove first byte which is the version (0x03 for TLSv1/SSLv3) // Show Cipher Status printf_xml(" <cipher status=\""); @@ -1639,7 +1668,8 @@ { printf("%s%-29s%s", COL_YELLOW, sslCipherPointer->name, RESET); } - else if (strstr(sslCipherPointer->name, "GCM") && strstr(sslCipherPointer->name, "DHE")) + else if ((strstr(sslCipherPointer->name, "CHACHA20") || (strstr(sslCipherPointer->name, "GCM"))) + && strstr(sslCipherPointer->name, "DHE")) { printf("%s%-29s%s", COL_GREEN, sslCipherPointer->name, RESET); } @@ -1827,14 +1857,10 @@ printf("Signature Algorithm: "); i2t_ASN1_OBJECT(certAlgorithm, sizeof(certAlgorithm), x509Cert->cert_info->signature->algorithm); strtok(certAlgorithm, "\n"); - if (strstr(certAlgorithm, "md5")) + if (strstr(certAlgorithm, "md5") || strstr(certAlgorithm, "sha1")) { printf("%s%s%s\n", COL_RED, certAlgorithm, RESET); } - else if (strstr(certAlgorithm, "sha1")) - { - printf("%s%s%s\n", COL_YELLOW, certAlgorithm, RESET); - } else if (strstr(certAlgorithm, "sha512") || strstr(certAlgorithm, "sha256")) { printf("%s%s%s\n", COL_GREEN, certAlgorithm, RESET); @@ -3113,7 +3139,7 @@ int status = true; // XML Output... - printf_xml(" <ssltest host=\"%s\" port=\"%d\">\n", options->host, options->port); + printf_xml(" <ssltest host=\"%s\" sniname=\"%s\" port=\"%d\">\n", options->host, options->sniname, options->port); // Verbose warning about STARTTLS and SSLv3 if (options->sslVersion == ssl_v3 || options->sslVersion == ssl_all) @@ -3121,8 +3147,8 @@ printf_verbose("Some servers will fail to response to SSLv3 ciphers over STARTTLS\nIf your scan hangs, try using the --tlsall option\n\n"); } - // Test renegotiation - printf("Testing SSL server %s%s%s on port %s%d%s\n\n", COL_GREEN, options->host, RESET, COL_GREEN, options->port, RESET); + printf("Testing SSL server %s%s%s on port %s%d%s using SNI name %s%s%s\n\n", COL_GREEN, options->host, RESET, + COL_GREEN, options->port, RESET, COL_GREEN, options->sniname, RESET); if (options->showClientCiphers == true) { @@ -3383,6 +3409,7 @@ options.starttls_ldap = false; options.starttls_pop3 = false; options.starttls_smtp = false; + options.starttls_mysql = false; options.starttls_xmpp = false; options.starttls_psql = false; options.xmpp_server = false; @@ -3538,6 +3565,10 @@ else if (strcmp("--starttls-smtp", argv[argLoop]) == 0) options.starttls_smtp = true; + // StartTLS... MYSQL + else if (strcmp("--starttls-mysql", argv[argLoop]) == 0) + options.starttls_mysql = true; + // StartTLS... XMPP else if (strcmp("--starttls-xmpp", argv[argLoop]) == 0) options.starttls_xmpp = true; @@ -3648,21 +3679,25 @@ hostString++; } - while ((hostString[tempInt] != 0) && ((squareBrackets == true && hostString[tempInt] != ']') || (squareBrackets == false && hostString[tempInt] != ':'))) + while ((hostString[tempInt] != 0) && ((squareBrackets == true && hostString[tempInt] != ']') + || (squareBrackets == false && hostString[tempInt] != ':'))) + { tempInt++; + } - if (squareBrackets == true && hostString[tempInt] == ']') + if (squareBrackets == true && hostString[tempInt] == ']') + { + hostString[tempInt] = 0; + if (tempInt < maxSize && hostString[tempInt + 1] == ':') { + tempInt++; hostString[tempInt] = 0; - if (tempInt < maxSize && hostString[tempInt + 1] == ':') - { - tempInt++; - hostString[tempInt] = 0; - } } - else - hostString[tempInt] = 0; - + } + else + { + hostString[tempInt] = 0; + } strncpy(options.host, hostString, sizeof(options.host) -1); // No SNI name passed on command line @@ -3696,6 +3731,8 @@ options.port = 110; else if (options.starttls_smtp) options.port = 25; + else if (options.starttls_mysql) + options.port = 3306; else if (options.starttls_xmpp) options.port = 5222; else if (options.starttls_psql) @@ -3812,6 +3849,7 @@ printf(" %s--starttls-ldap%s STARTTLS setup for LDAP\n", COL_GREEN, RESET); printf(" %s--starttls-pop3%s STARTTLS setup for POP3\n", COL_GREEN, RESET); printf(" %s--starttls-smtp%s STARTTLS setup for SMTP\n", COL_GREEN, RESET); + printf(" %s--starttls-mysql%s STARTTLS setup for MYSQL\n", COL_GREEN, RESET); printf(" %s--starttls-xmpp%s STARTTLS setup for XMPP\n", COL_GREEN, RESET); printf(" %s--starttls-psql%s STARTTLS setup for PostgreSQL\n", COL_GREEN, RESET); printf(" %s--xmpp-server%s Use a server-to-server XMPP handshake\n", COL_GREEN, RESET); @@ -3891,7 +3929,18 @@ tempInt++; if (strlen(line + tempInt) > 0) { - options.port = atoi(line + tempInt); + int port; + port = atoi(line + tempInt); + // Invalid port + if (port == 0) + { + printf_error("%sERROR: Invalid port specified.%s", COL_RED, RESET); + exit(1); + } + else + { + options.port = port; + } } // Otherwise assume 443 else diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sslscan-1.11.8-rbsec/sslscan.h new/sslscan-1.11.10-rbsec/sslscan.h --- old/sslscan-1.11.8-rbsec/sslscan.h 2016-11-06 14:27:11.000000000 +0100 +++ new/sslscan-1.11.10-rbsec/sslscan.h 2017-05-04 18:02:41.000000000 +0200 @@ -133,6 +133,7 @@ int starttls_ldap; int starttls_pop3; int starttls_smtp; + int starttls_mysql; int starttls_xmpp; int starttls_psql; int xmpp_server;