On Jan 15, 2026, at 3:12 PM, Theo Buehler <[email protected]> wrote: > > On Thu, Jan 15, 2026 at 07:46:59PM +0000, Kurt Miller wrote: >> security/tls-attacker currently uses jdk-1.8.0. The Attacker.jar >> functionality there was moved to a separate project called tls-scanner >> in later releases. So I ported tls-scanner to keep this functionality >> and so I can remove tls-attacker with a hint to now use tls-scanner. > > Jasper added tls-attacker on my request. It was very useful for some > corner cases, but the py3-tlsfuzzer testsuite covers almost everything > already. > > I'm ok with removing tls-attacker with or without replacement. The > proper successor is tls-anvil, but I haven't looked at this at all > and won't have time for it anytime soon: > > https://github.com/tls-attacker/TLS-Anvil >
I did a quick port of TLS-Anvil but both client and server test modes fail if not run as root. Running as root it wants to do packet captures using https://www.pcap4j.org/ which crashes the jvm on aarch64 at least. So yea, I’m now just looking for okays to remove security/tls-attacker so I can push forward with jdk-1.8.0 removal. -Kurt >> >> security/tls-scanner: >> ----- >> >> COMMENT = TLS configuration and analysis tool based on TLS-Attacker >> >> pkg/DESCR: >> TLS-Scanner is a tool to assist pentesters and security researchers in the >> evaluation of TLS server and client configurations. >> >> I install two connivence scripts TLS-Server-Scanner and TLS-Client-Scanner >> to easily launch the two modes of this scanner. >> >> The README describes how to use both, however the TLS-Server-Scanner >> does not like the self signed certificate and errors out without printing >> a final report. If I point this at a real website (one of my own), it >> completes its tests and produces a final report. >> >> I think the error on self-signed certificate is an upstream bug. >> >> ok to import this and delete tls-attacker? >> > > >
