wip/testssl: Update to version 3.0rc5
Upstream recommends switching to this; fixes are no longer backported to 2.9.x versions.

Changelog:
* Full support of TLS 1.3, shows also drafts supported
* ROBOT check
* Better TLS extension support
* Better OpenSSL 1.1.1 support
* DNS over Proxy and other proxy improvements
* Decoding of unencrypted BIG IP cookies
* Better JSON output: renamed IDs and findings shorter/better parsable
* JSON output now valid also for non-responding servers
* Testing now per default 370 ciphers
* Further improving the robustness of TLS sockets (sending and parsing)
* Support of supplying timeout value for `openssl connect` -- useful for batch/mass scanning
* File input for serial or parallel mass testing can be also in nmap grep(p)able (-oG) format
* LOGJAM: now checking also for DH and FFDHE groups (TLS 1.2)
* PFS: Display of elliptical curves supported, DH and FFDHE groups (TLS 1.2 + TLS 1.3)
* Check for session resumption (Ticket, ID)
* TLS Robustness check (GREASE)
* Expect-CT Header Detection
* `--phone-out` does certificate revocation checks via OCSP (LDAP+HTTP) and with CRL
* `--phone-out` checks whether the private key has been compromised via https://pwnedkeys.com/
* Full OpenBSD and LibreSSL support
* Missing SAN warning
* Added support for private CAs
* Man page reviewed
* Better error msg suppression (not fully installed OpenSSL)
* Way better handling of connectivity problems
* Exit codes better: 0 for running without error, 1+n for small errors, >240 for major errors.
* Dockerfile and repo @ docker hub with that file (see above)
* Java Root CA store added
* Better support for XMPP via STARTTLS & faster
* Certificate check for to-name in stream of XMPP
* Support for NNTP via STARTTLS
* Support for SNI and STARTTLS
* More robustness for any STARTTLS protocol (fall back to plaintext while in TLS)
* Fixed TCP fragmentation
* Added `--ids-friendly` switch
* Major update of client simulations with self-collected data
* Way better coverage of ciphers as most checks are done via bash sockets wherever possible
* Further tests via TLS sockets and improvements (handshake parsing, completeness, robustness)
* Testing 359 default ciphers (`testssl.sh -e/-E`) with a mixture of sockets and openssl. Same speed as with openssl only but additional ciphers such as post-quantum ciphers, new CHACHA20/POLY1305, CamelliaGCM etc.
* TLS 1.2 protocol check via sockets in production
* Finding more TLS extensions via sockets
* TLS Supported Groups Registry (RFC 7919), key shares extension
* Non-flat JSON output support
* File output (CSV, JSON flat, JSON non-flat) supports a minimum severity level (only above supplied level there will be output)
* Native HTML support instead of going through 'aha'
* LUCKY13 and SWEET32 checks
* Ticketbleed check
* LOGJAM: now checking also for known DH parameters
* Support of supplying timeout value for `openssl connect` -- useful for batch/mass scanning
* Parallel mass testing
* Check for CAA RR
* Check for OCSP must staple
* Check for Certificate Transparency
* Check for session resumption (Ticket, ID)
* Better formatting of output (indentation)
* Choice showing the RFC naming scheme only
* File input for mass testing can be also in nmap grep(p)able (-oG) format
* Postgres and MySQL STARTTLS support
* Man page
parent 27c5df7223
commit 1abe8ce448
@ -0,0 +1,12 @@
===========================================================================
$NetBSD$

Some functions of testssl.sh require setting the variable

TESTSSL_INSTALL_DIR

to

${PREFIX}/etc/${PKGBASE}

===========================================================================
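Review bot: the path this MESSAGE tells users to put in TESTSSL_INSTALL_DIR (`${PREFIX}/etc/${PKGBASE}`) does not match what the script looks for, so following the MESSAGE reproduces the failure recorded in this commit's TODO file. The transcript there has testssl print `Please note from 2.9 on testssl needs files in "$TESTSSL_INSTALL_DIR/etc/" to function correctly.`, i.e. the script appends `etc/` itself; with the suggested value it searches `${PREFIX}/etc/${PKGBASE}/etc/`, which the package never creates, and the user gets `ATTENTION: No TLS data file found`. Either install the data files one level deeper (e.g. `${PREFIX}/share/${PKGBASE}/etc/`) and tell users to set `TESTSSL_INSTALL_DIR=${PREFIX}/share/${PKGBASE}`, or, better, patch the script's default so no environment variable is needed and drop this MESSAGE. "Some functions" also understates the impact: the same warning says the files are needed for socket-based handshakes, which per the commit message is how most checks are now done.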
@ -1,21 +1,29 @@
# $NetBSD$

DISTNAME= ${GITHUB_PROJECT}-${PKGVERSION_NOREV}
PKGNAME= testssl-2.8
PKGNAME= testssl-3.0rc5
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_GITHUB:=drwetter/}
GITHUB_PROJECT= testssl.sh
GITHUB_TAG= v${PKGVERSION_NOREV}
GITHUB_TAG= ${PKGVERSION_NOREV}

MAINTAINER= khorben@defora.org
HOMEPAGE= https://testssl.sh/
COMMENT= Checks servers for TLS/SSL flaws
LICENSE= gnu-gpl-v2

# Do we need more depends for runtime tools?
DEPENDS+= bash-[0-9]*:../../shells/bash

# Tests are run with "prove" (which is provided with lang/perl5),
# a number of tests fail right now + Test::More needs to be packaged.
TEST_DEPENDS+= perl5-[0-9]*:../../lang/perl5
TEST_DEPENDS+= p5-Data-Dumper-[0-9]*:../../devel/p5-Data-Dumper
TEST_DEPENDS+= p5-JSON-[0-9]*:../../converters/p5-JSON
#TEST_DEPENDS+= p5-Test-More-[0-9]*:../../devel/p5-Test-More

NO_BUILD= yes
INSTALLATION_DIRS= bin share/doc/${PKGBASE}
INSTALLATION_DIRS= bin share/doc/${PKGBASE} etc/${PKGBASE}

REPLACE_INTERPRETER+= envbash
REPLACE.envbash.old= '/usr/bin/env\ bash'
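Review bot: the new `# Do we need more depends for runtime tools?` comment records an open question instead of answering it, and the TODO transcript in this commit already gives part of the answer: the script picks up the base system's `/usr/bin/openssl` and warns `No engine or GOST support via engine`. Decide whether the package should depend on `security/openssl` (or point the script's `OPENSSL` at it) or document that base OpenSSL is intended, and replace the question with that decision. In the `TEST_DEPENDS` block, the comment admits `a number of tests fail right now` while the `do-test` target later in this file still runs `prove -v` unconditionally, so `make test` is known to fail; either skip the failing tests or move that note into the TODO file. Minor: the `GITHUB_TAG` change only drops the `v` prefix, and a one-line comment that the 3.0rc5 tag carries none would keep the next updater from re-adding it.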
@ -24,6 +32,15 @@ REPLACE_FILES.envbash= testssl.sh

do-install:
${INSTALL} -m 0755 ${WRKSRC}/testssl.sh ${DESTDIR}${PREFIX}/bin/testssl
${INSTALL} -m 0644 ${WRKSRC}/Readme.md ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}/README.md
${INSTALL_DATA} ${WRKSRC}/Readme.md ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}/README.md

# Maybe patch in the path to TESTSSL_INSTALL_DIR?
post-install:
.for f in ca_hashes.txt cipher-mapping.txt client-simulation.txt client-simulation.wiresharked.txt common-primes.txt curves.txt tls_data.txt
${INSTALL_DATA} ${WRKSRC}/etc/${f} ${DESTDIR}${PREFIX}/etc/${PKGBASE}
.endfor

do-test:
( cd ${WRKSRC} && ${PREFIX}/bin/prove -v )

.include "../../mk/bsd.pkg.mk"
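Review bot: the `# Maybe patch in the path to TESTSSL_INSTALL_DIR?` question above `post-install` should be answered yes, and the target directory should change with it. The seven files the `.for` loop installs are static lookup data (cipher mapping, client simulations, curves, TLS records) that the script reads, not user-editable configuration, so `${PREFIX}/etc/${PKGBASE}` is the wrong place in pkgsrc terms (that is PKG_SYSCONFDIR/CONF_FILES territory); `${PREFIX}/share/${PKGBASE}/etc/` matches the `$TESTSSL_INSTALL_DIR/etc/` layout the script expects per the TODO transcript, and a SUBST or patch setting the script's default TESTSSL_INSTALL_DIR to `${PREFIX}/share/${PKGBASE}` would make the package work with no MESSAGE at all. The hardcoded file list is also fragile: the commit message advertises `Java Root CA store added` and `Added support for private CAs`, yet nothing beyond these `.txt` files is installed from `${WRKSRC}/etc`, so check that directory for the CA bundles those features read and install everything in it (regenerating the PLIST) rather than enumerating names. Lastly, `do-install` now uses `${INSTALL_DATA}` for the README but keeps `${INSTALL} -m 0755` for the script; `${INSTALL_SCRIPT}` is the matching idiom.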
@ -1,3 +1,10 @@
@comment $NetBSD$
bin/testssl
etc/testssl/ca_hashes.txt
etc/testssl/cipher-mapping.txt
etc/testssl/client-simulation.txt
etc/testssl/client-simulation.wiresharked.txt
etc/testssl/common-primes.txt
etc/testssl/curves.txt
etc/testssl/tls_data.txt
share/doc/testssl/README.md
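Review bot: the seven `etc/testssl/*.txt` entries register data files under `etc/`, which pkgsrc reserves for configuration managed through PKG_SYSCONFDIR and CONF_FILES, and pkglint warns about configuration files listed directly in a PLIST; since these files are lookup tables the script reads rather than anything a user edits, moving them to `share/testssl/...` (together with the Makefile's `post-install` target) avoids both the warning and the mismatch with the `$TESTSSL_INSTALL_DIR/etc/` layout shown in the TODO file. When that move happens, regenerate the PLIST with `make print-PLIST` instead of editing it by hand so it cannot drift from the `.for` loop in the Makefile. Cosmetic: the Makefile uses `${PKGBASE}` while this PLIST spells `testssl` literally; both work, but be consistent.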
@ -0,0 +1,30 @@
Fix this:
TESTSSL_INSTALL_DIR=/usr/pkg/etc/testssl testssl mta01.hs-bochum.de:587
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory

ATTENTION: No TLS data file found -- needed for socket-based handshakes
Please note from 2.9 on testssl needs files in "$TESTSSL_INSTALL_DIR/etc/" to function correctly.

Type "yes" to ignore this warning and proceed at your own risk --> yes

No engine or GOST support via engine with your /usr/bin/openssl
pwd: No such file or directory

###########################################################
testssl 3.0rc5 from https://testssl.sh/dev/

This program is free software. Distribution and
modification under GPLv2 permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

Please file bugs @ https://testssl.sh/bugs/

###########################################################

Using "OpenSSL 1.1.1c 28 May 2019" [~80 ciphers]
on localhost:$PWD/bin/openssl
(built: "", platform: "NetBSD-x86_64")



Fatal error: No IPv4/IPv6 address(es) for "mta01.hs-bochum.de" available
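Review bot: this TODO conflates three unrelated failures and should say which one is the package's; only the middle one is. The line `Please note from 2.9 on testssl needs files in "$TESTSSL_INSTALL_DIR/etc/" to function correctly.` explains why `TESTSSL_INSTALL_DIR=/usr/pkg/etc/testssl` does not work: the script looks in `/usr/pkg/etc/testssl/etc/`, while the package installs the files one level up (`etc/testssl/*.txt` in the PLIST), so the fix is to make the install layout match that `etc/` subdirectory or patch the script's default. The `shell-init: error retrieving current directory` and `pwd: No such file or directory` lines come from running the command inside a directory that no longer exists, and the closing `Fatal error: No IPv4/IPv6 address(es) for "mta01.hs-bochum.de" available` is a name resolution failure on the test host; neither is a testssl or packaging bug, and the run should be repeated from a valid working directory against a resolvable target before the rest of the output is trusted (the `on localhost:$PWD/bin/openssl` and `(built: "")` banner lines look like a symptom of the missing `$PWD`, not of the package).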
@ -1,6 +1,6 @@
$NetBSD$
SHA1 (testssl.sh-2.8.tar.gz) = c679e353b51a395a87aeab4609f863697a8ea138
RMD160 (testssl.sh-2.8.tar.gz) = 7f7f9ddc1104445afab8a74e6dff7b82890596d6
SHA512 (testssl.sh-2.8.tar.gz) = 6c4b5c01a77230ef03caa1f844fa2e72e72bf5d9a28ec143f6b5fbebc4ae7f74d214d4197f4681ebaf4e29f2754785ab329f1563f8c2a0e078311fc75988328a
Size (testssl.sh-2.8.tar.gz) = 8529555 bytes
SHA1 (testssl.sh-3.0rc5.tar.gz) = fec0e6303b94c46a6e579ca4c0a7740132ec5889
RMD160 (testssl.sh-3.0rc5.tar.gz) = bd7911f2f8b57e99859d6731a6ac802fc0951533
SHA512 (testssl.sh-3.0rc5.tar.gz) = 2ac175801e3242484d3b882ed49a3cdb7ea7613a4e3fe086b2cb94397decd8465e18db2e83a215b4a49d672d03c7b818ba689a40e7a4d69688e9a691a8722014
Size (testssl.sh-3.0rc5.tar.gz) = 9181084 bytes
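Review bot: the 2.8 checksums are replaced by the 3.0rc5 set cleanly, but since the Makefile hunk in this commit also changes `GITHUB_TAG` from `v${PKGVERSION_NOREV}` to the bare version, these four lines are now the only thing pinning the package to the intended source tree; state in the commit message that the tarball was fetched from the 3.0rc5 tag (not a branch snapshot) and verify the recorded SHA512 against a fresh `make fetch` / `make distinfo` before import, so that a later mismatch can be read as a changed tag rather than a download error.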