wip/testssl: Update to version 3.0rc5

Upstream recommends to switch to this, fixes are no longer backported to 2.9.x versions. Changelog: * Full support of TLS 1.3, shows also drafts supported * ROBOT check * Better TLS extension support * Better OpenSSL 1.1.1 support * DNS over Proxy and other proxy improvements * Decoding of unencrypted BIG IP cookies * Better JSON output: renamed IDs and findings shorter/better parsable * JSON output now valid also for non-responding servers * Testing now per default 370 ciphers * Further improving the robustness of TLS sockets (sending and parsing) * Support of supplying timeout value for `openssl connect` -- useful for batch/mass scanning * File input for serial or parallel mass testing can be also in nmap grep(p)able (-oG) format * LOGJAM: now checking also for DH and FFDHE groups (TLS 1.2) * PFS: Display of elliptical curves supported, DH and FFDHE groups (TLS 1.2 + TLS 1.3) * Check for session resumption (Ticket, ID) * TLS Robustness check (GREASE) * Expect-CT Header Detection * `--phone-out` does certificate revocation checks via OCSP (LDAP+HTTP) and with CRL * `--phone-out` checks whether the private key has been compromised via https://pwnedkeys.com/ * Fully OpenBSD and LibreSSL support * Missing SAN warning * Added support for private CAs * Man page reviewed * Better error msg suppression (not fully installed OpenSSL) * Way better handling of connectivity problems * Exit codes better: 0 for running without error, 1+n for small errors, >240 for major errors. * Dockerfile and repo @ docker hub with that file (see above) * Java Root CA store added * Better support for XMPP via STARTTLS & faster * Certificate check for to-name in stream of XMPP * Support for NNTP via STARTTLS * Support for SNI and STARTTLS * More robustness for any STARTTLS protocol (fall back to plaintext while in TLS) * Fixed TCP fragmentation * Added `--ids-friendly` switch * Major update of client simulations with self-collected data * Way better coverage of ciphers as most checks are done via bash sockets where ever possible * Further tests via TLS sockets and improvements (handshake parsing, completeness, robustness) * Testing 359 default ciphers (``testssl.sh -e/-E``) with a mixture of sockets and openssl. Same speed as with openssl only but addtional ciphers such as post-quantum ciphers, new CHAHA20/POLY1305, CamelliaGCM etc. * TLS 1.2 protocol check via sockets in production * Finding more TLS extensions via sockets * TLS Supported Groups Registry (RFC 7919), key shares extension * Non-flat JSON output support * File output (CSV, JSON flat, JSON non-flat) supports a minimum severity level (only above supplied level there will be output) * Native HTML support instead going through 'aha' * LUCKY13 and SWEET32 checks * Ticketbleed check * LOGJAM: now checking also for known DH parameters * Support of supplying timeout value for ``openssl connect`` -- useful for batch/mass scanning * Parallel mass testing * Check for CAA RR * Check for OCSP must staple * Check for Certificate Transparency * Check for session resumption (Ticket, ID) * Better formatting of output (indentation) * Choice showing the RFC naming scheme only * File input for mass testing can be also in nmap grep(p)able (-oG) format * Postgres und MySQL STARTTLS support * Man page
2019-09-30 10:52:55 +00:00 · 2019-09-30 10:52:55 +00:00 · 1abe8ce448
parent 27c5df7223
commit 1abe8ce448
5 changed files with 74 additions and 8 deletions
--- a/testssl/MESSAGE
+++ b/testssl/MESSAGE
@ -0,0 +1,12 @@
+===========================================================================
+$NetBSD$
+
+Some functions of testssl.sh require setting the variable
+
+  TESTSSL_INSTALL_DIR
+
+to
+
+  ${PREFIX}/etc/${PKGBASE}
+
+===========================================================================
--- a/testssl/Makefile
+++ b/testssl/Makefile
@ -1,21 +1,29 @@
 # $NetBSD$

 DISTNAME=	${GITHUB_PROJECT}-${PKGVERSION_NOREV}
-PKGNAME=	testssl-2.8
+PKGNAME=	testssl-3.0rc5
 CATEGORIES=	security
 MASTER_SITES=	${MASTER_SITE_GITHUB:=drwetter/}
 GITHUB_PROJECT=	testssl.sh
-GITHUB_TAG=	v${PKGVERSION_NOREV}
+GITHUB_TAG=	${PKGVERSION_NOREV}

 MAINTAINER=	khorben@defora.org
 HOMEPAGE=	https://testssl.sh/
 COMMENT=	Checks servers for TLS/SSL flaws
 LICENSE=	gnu-gpl-v2

+# Do we need more depends for runtime tools?
 DEPENDS+=	bash-[0-9]*:../../shells/bash

+# Tests are run with "prove" (which is provided with lang/perl5),
+# a number of tests fail right now + Test::More needs to be packaged.
+TEST_DEPENDS+=	perl5-[0-9]*:../../lang/perl5
+TEST_DEPENDS+=	p5-Data-Dumper-[0-9]*:../../devel/p5-Data-Dumper
+TEST_DEPENDS+=	p5-JSON-[0-9]*:../../converters/p5-JSON
+#TEST_DEPENDS+=	p5-Test-More-[0-9]*:../../devel/p5-Test-More
+
 NO_BUILD=		yes
-INSTALLATION_DIRS=	bin share/doc/${PKGBASE}
+INSTALLATION_DIRS=	bin share/doc/${PKGBASE} etc/${PKGBASE}

 REPLACE_INTERPRETER+=	envbash
 REPLACE.envbash.old=	'/usr/bin/env\ bash'
@ -24,6 +32,15 @@ REPLACE_FILES.envbash=	testssl.sh

 do-install:
 	${INSTALL} -m 0755 ${WRKSRC}/testssl.sh ${DESTDIR}${PREFIX}/bin/testssl
-	${INSTALL} -m 0644 ${WRKSRC}/Readme.md ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}/README.md
+	${INSTALL_DATA} ${WRKSRC}/Readme.md ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}/README.md
+
+# Maybe patch in the path to TESTSSL_INSTALL_DIR?
+post-install:
+.for f in ca_hashes.txt cipher-mapping.txt client-simulation.txt client-simulation.wiresharked.txt common-primes.txt curves.txt tls_data.txt
+	${INSTALL_DATA} ${WRKSRC}/etc/${f} ${DESTDIR}${PREFIX}/etc/${PKGBASE}
+.endfor
+
+do-test:
+	( cd ${WRKSRC} && ${PREFIX}/bin/prove -v )

 .include "../../mk/bsd.pkg.mk"
--- a/testssl/PLIST
+++ b/testssl/PLIST
@ -1,3 +1,10 @@
@comment $NetBSD$
 bin/testssl
+etc/testssl/ca_hashes.txt
+etc/testssl/cipher-mapping.txt
+etc/testssl/client-simulation.txt
+etc/testssl/client-simulation.wiresharked.txt
+etc/testssl/common-primes.txt
+etc/testssl/curves.txt
+etc/testssl/tls_data.txt
 share/doc/testssl/README.md
--- a/testssl/TODO
+++ b/testssl/TODO
@ -0,0 +1,30 @@
+Fix this:
+TESTSSL_INSTALL_DIR=/usr/pkg/etc/testssl testssl mta01.hs-bochum.de:587
+shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
+
+ATTENTION: No TLS data file found -- needed for socket-based handshakes
+Please note from 2.9 on testssl needs files in "$TESTSSL_INSTALL_DIR/etc/" to function correctly.
+
+Type "yes" to ignore this warning and proceed at your own risk --> yes
+
+No engine or GOST support via engine with your /usr/bin/openssl
+pwd: No such file or directory
+
+###########################################################
+    testssl       3.0rc5 from https://testssl.sh/dev/
+
+      This program is free software. Distribution and
+             modification under GPLv2 permitted.
+      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
+
+       Please file bugs @ https://testssl.sh/bugs/
+
+###########################################################
+
+ Using "OpenSSL 1.1.1c  28 May 2019" [~80 ciphers]
+ on localhost:$PWD/bin/openssl
+ (built: "", platform: "NetBSD-x86_64")
+
+
+
+Fatal error: No IPv4/IPv6 address(es) for "mta01.hs-bochum.de" available
--- a/testssl/distinfo
+++ b/testssl/distinfo
@ -1,6 +1,6 @@
 $NetBSD$

-SHA1 (testssl.sh-2.8.tar.gz) = c679e353b51a395a87aeab4609f863697a8ea138
-RMD160 (testssl.sh-2.8.tar.gz) = 7f7f9ddc1104445afab8a74e6dff7b82890596d6
-SHA512 (testssl.sh-2.8.tar.gz) = 6c4b5c01a77230ef03caa1f844fa2e72e72bf5d9a28ec143f6b5fbebc4ae7f74d214d4197f4681ebaf4e29f2754785ab329f1563f8c2a0e078311fc75988328a
-Size (testssl.sh-2.8.tar.gz) = 8529555 bytes
+SHA1 (testssl.sh-3.0rc5.tar.gz) = fec0e6303b94c46a6e579ca4c0a7740132ec5889
+RMD160 (testssl.sh-3.0rc5.tar.gz) = bd7911f2f8b57e99859d6731a6ac802fc0951533
+SHA512 (testssl.sh-3.0rc5.tar.gz) = 2ac175801e3242484d3b882ed49a3cdb7ea7613a4e3fe086b2cb94397decd8465e18db2e83a215b4a49d672d03c7b818ba689a40e7a4d69688e9a691a8722014
+Size (testssl.sh-3.0rc5.tar.gz) = 9181084 bytes