Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package sslscan for openSUSE:Factory checked in at 2026-03-27 16:51:23 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sslscan (Old) and /work/SRC/openSUSE:Factory/.sslscan.new.8177 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sslscan" Fri Mar 27 16:51:23 2026 rev:22 rq:1343149 version:2.2.1 Changes: -------- --- /work/SRC/openSUSE:Factory/sslscan/sslscan.changes 2025-11-13 17:31:13.200915881 +0100 +++ /work/SRC/openSUSE:Factory/.sslscan.new.8177/sslscan.changes 2026-03-27 16:54:07.419042631 +0100 @@ -1,0 +2,9 @@ +Wed Mar 25 14:23:56 UTC 2026 - Dirk Müller <[email protected]> + +- update to 2.2.1: + * Add the "strength" field to the XML output for groups + * Add support for PQ hybrid key exchange groups (credit + malhotrag) + * Show Show PQ groups in cipher output (credit nuxi) + +------------------------------------------------------------------- Old: ---- sslscan-2.2.0.tar.gz New: ---- sslscan-2.2.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sslscan.spec ++++++ --- /var/tmp/diff_new_pack.8QWd57/_old 2026-03-27 16:54:07.895062558 +0100 +++ /var/tmp/diff_new_pack.8QWd57/_new 2026-03-27 16:54:07.899062725 +0100 @@ -1,7 +1,7 @@ # # spec file for package sslscan # -# Copyright (c) 2025 SUSE LLC and contributors +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: sslscan -Version: 2.2.0 +Version: 2.2.1 Release: 0 Summary: SSL cipher scanning tool License: SUSE-GPL-3.0+-with-openssl-exception ++++++ sslscan-2.2.0.tar.gz -> sslscan-2.2.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sslscan-2.2.0/Changelog new/sslscan-2.2.1/Changelog --- old/sslscan-2.2.0/Changelog 2025-06-15 12:39:58.000000000 +0200 +++ new/sslscan-2.2.1/Changelog 2025-11-30 18:24:07.000000000 +0100 
@@ -1,6 +1,14 @@ Changelog ========= +Version: 2.2.1 +Date : 30/11/2025 +Author : rbsec <[email protected]> +Changes: The following are a list of changes + > Add the "strength" field to the XML output for groups + > Add support for PQ hybrid key exchange groups (credit malhotrag) + > Show Show PQ groups in cipher output (credit nuxi) + Version: 2.2.0 Date : 15/06/2025 Author : rbsec <[email protected]> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sslscan-2.2.0/docker_test/expected_output/test_9.txt new/sslscan-2.2.1/docker_test/expected_output/test_9.txt --- old/sslscan-2.2.0/docker_test/expected_output/test_9.txt 2025-06-15 12:39:58.000000000 +0200 +++ new/sslscan-2.2.1/docker_test/expected_output/test_9.txt 2025-11-30 18:24:07.000000000 +0100 @@ -24,9 +24,9 @@ TLSv1.3 [32mnot vulnerable[0m to heartbleed [1;34mSupported Server Cipher(s):[0m -[32mPreferred[0m [32mTLSv1.3[0m [32m128[0m bits [32mTLS_AES_128_GCM_SHA256 [0m -Accepted [32mTLSv1.3[0m [32m256[0m bits [32mTLS_AES_256_GCM_SHA384 [0m -Accepted [32mTLSv1.3[0m [32m256[0m bits [32mTLS_CHACHA20_POLY1305_SHA256 [0m +[32mPreferred[0m [32mTLSv1.3[0m [32m128[0m bits [32mTLS_AES_128_GCM_SHA256 [0m Group [32mX25519MLKEM768[0m +Accepted [32mTLSv1.3[0m [32m256[0m bits [32mTLS_AES_256_GCM_SHA384 [0m Group [32mX25519MLKEM768[0m +Accepted [32mTLSv1.3[0m [32m256[0m bits [32mTLS_CHACHA20_POLY1305_SHA256 [0m Group [32mX25519MLKEM768[0m [1;34mServer Key Exchange Group(s):[0m TLSv1.3 [32m128[0m bits secp256r1 (NIST P-256)[0m diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sslscan-2.2.0/sslscan.c new/sslscan-2.2.1/sslscan.c --- old/sslscan-2.2.0/sslscan.c 2025-06-15 12:39:58.000000000 +0200 +++ new/sslscan-2.2.1/sslscan.c 2025-11-30 18:24:07.000000000 +0100 
@@ -1494,10 +1494,22 @@ int ssl_print_tmp_key(struct sslCheckOptions *options, SSL *s) { + const char *groupname; #ifndef LIBRESSL_VERSION_NUMBER EVP_PKEY *key; if (!SSL_get_server_tmp_key(s, &key)) + { + if (SSL_version(s) == TLS1_3_VERSION) + { + groupname = SSL_group_to_name(s, SSL_get_negotiated_group(s)); + if (strstr(groupname, "25519")) { + printf(" Group %s%s%s", COL_GREEN, groupname, RESET); + } else { + printf(" Group %s", groupname); + } + } return 1; + } switch (EVP_PKEY_id(key)) { case EVP_PKEY_RSA: if (EVP_PKEY_bits(key) <= 1024) @@ -4143,8 +4155,7 @@ switch (mode) { case mode_version: - printf("%s\t\t%s\n\t\t%s\n%s", COL_BLUE, VERSION, - OpenSSL_version(OPENSSL_VERSION), RESET); + printf("%s\n%s", VERSION, OpenSSL_version(OPENSSL_VERSION)); break; case mode_help: @@ -4181,7 +4192,7 @@ printf(" %s--show-ciphers%s Show supported client ciphers\n", COL_GREEN, RESET); printf(" %s--show-cipher-ids%s Show cipher ids\n", COL_GREEN, RESET); printf(" %s--iana-names%s Use IANA/RFC cipher names rather than OpenSSL ones\n", COL_GREEN, RESET); - printf(" %s--show-times%s Show handhake times in milliseconds\n", COL_GREEN, RESET); + printf(" %s--show-times%s Show handshake times in milliseconds\n", COL_GREEN, RESET); printf("\n"); printf(" %s--no-cipher-details%s Disable EC curve names and EDH/RSA key lengths output\n", COL_GREEN, RESET); printf(" %s--no-ciphersuites%s Do not check for supported ciphersuites\n", COL_GREEN, RESET); @@ -5330,7 +5341,8 @@ 0x01, 0x03, // FFDHE6144 0x01, 0x04, // FFDHE8192 0x11, 0xec, // X25519MLKEM768 - }, 28); + 0x63, 0x99, // X25519Kyber768Draft00 + }, 30); } else { bs_append_bytes(tls_extensions, (unsigned char []) { 0x00, 0x0a, // Extension: supported_groups (10) 
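Review bot: In the new TLS 1.3 branch of ssl_print_tmp_key, `groupname` is passed to `strstr()` and to `printf("%s")` without a NULL check, and SSL_group_to_name() returns NULL when it does not know the group id. The id comes from whatever the scanned server negotiated, so an unrecognised group would make the scanner dereference NULL instead of reporting a result; adding `if (groupname == NULL) return 1;` directly after the assignment keeps the previous behaviour for that case. `groupname` is also declared above the `#ifndef LIBRESSL_VERSION_NUMBER` guard but only used inside it, so LibreSSL builds will likely get an unused-variable warning. The function body continues past the end of the hunk.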
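Review bot: The rewritten `mode_version` printf no longer ends its output with a newline: the old format string finished with `\n%s` and RESET as the last argument, while the new one is `"%s\n%s"` with the OpenSSL version string last. Unless something outside the hunk prints one, the version output now ends mid-line; `printf("%s\n%s\n", VERSION, OpenSSL_version(OPENSSL_VERSION));` would restore it. The enclosing switch starts and ends outside the hunk.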
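Review bot: The byte count passed to bs_append_bytes grows from 28 to 30 for the added `0x63, 0x99` entry, but the extension-length and group-list-length bytes at the head of this array lie above the hunk and no hunk in this diff touches them. If those fields are hard-coded literals in the array, they still describe the old list, and the TLS 1.3 ClientHello would declare a supported_groups extension two bytes shorter than what is sent, which a strict server may reject and the scan would then under-report. Worth confirming that both length fields were raised by 2; a comment beside the count such as `// 6 header bytes + 2 per group` would make the dependency visible. The array literal starts outside the hunk.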
@@ -5650,6 +5662,7 @@ #define NID_TYPE_SECP256R1MLKEM768 9 #define NID_TYPE_SECP384R1MLKEM1024 10 #define NID_TYPE_BRAINPOOL_TLS13 11 +#define NID_TYPE_X25519Kyber768Draft00 12 /* Bit strength of DHE 2048 and 3072-bit moduli is taken directly from NIST SP 800-57 pt.1, rev4., pg. 53; DHE 4096, 6144, and 8192 are estimated using that document. */ struct group_key_exchange group_key_exchanges[] = { @@ -5705,6 +5718,7 @@ {0x11eb, "SecP256r1MLKEM768", 192, COL_PLAIN, -1, NID_TYPE_SECP256R1MLKEM768, 1249}, {0x11ec, "X25519MLKEM768", 192, COL_GREEN, -1, NID_TYPE_X25519MLKEM768, 1216}, {0x11ed, "SecP384r1MLKEM1024", 256, COL_PLAIN, -1, NID_TYPE_SECP384R1MLKEM1024, 1665}, + {0x6399, "X25519Kyber768Draft00", 192, COL_GREEN, -1, NID_TYPE_X25519Kyber768Draft00, 1216}, }; @@ -5778,7 +5792,7 @@ bs_append_mlkem(1024, key_exchange); - } else if (nid_type == NID_TYPE_X25519MLKEM768) { + } else if ((nid_type == NID_TYPE_X25519MLKEM768) || ((nid_type == NID_TYPE_X25519Kyber768Draft00))) { /* Only defined for TLS v1.3. */ if (tls_version != TLSv1_3) continue; @@ -6044,16 +6058,23 @@ } char *bits_color = RESET; - if (group_bit_strength < 112) + char *strength; + if (group_bit_strength < 112) { bits_color = COL_RED; - else if (group_bit_strength < 128) + strength = "weak"; + } + else if (group_bit_strength < 128) { bits_color = COL_YELLOW; - else + strength = "medium"; + } + else { bits_color = COL_GREEN; + strength = "good"; + } char *printable_TLS_name = getPrintableTLSName(tls_version); printf("%s %s%d%s bits %s%s%s\n", printable_TLS_name, bits_color, group_bit_strength, RESET, color, group_name, RESET); - printf_xml(" <group sslversion=\"%s\" bits=\"%d\" name=\"%s\" id=\"0x%04x\" />\n", printable_TLS_name, group_bit_strength, group_name, group_id); + printf_xml(" <group sslversion=\"%s\" bits=\"%d\" name=\"%s\" id=\"0x%04x\" strength=\"%s\" />\n", printable_TLS_name, group_bit_strength, group_name, group_id, strength); } }
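Review bot: The new macro `NID_TYPE_X25519Kyber768Draft00` is mixed-case, while every other NID_TYPE_ constant visible in this hunk is upper snake case (`NID_TYPE_SECP256R1MLKEM768`, `NID_TYPE_BRAINPOOL_TLS13`). `#define NID_TYPE_X25519KYBER768DRAFT00 12` would match the existing convention, with the two uses in the group table row and the key-share branch renamed accordingly.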
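Review bot: The new table row reports `X25519Kyber768Draft00` in `COL_GREEN` with the same 192-bit strength as the standardised `X25519MLKEM768` row above it, although 0x6399 is a pre-standard draft codepoint built on round-3 Kyber rather than ML-KEM. For a scanner, a server that still offers the draft group is arguably worth distinguishing from one offering the final hybrid; consider `COL_PLAIN` here, or at least a comment such as `/* draft codepoint, superseded by X25519MLKEM768 (0x11ec) */`. The same applies to the `strstr(groupname, "25519")` colouring added in ssl_print_tmp_key, which will also print this group in green. The array definition starts and ends outside the hunk.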
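Review bot: Routing `NID_TYPE_X25519Kyber768Draft00` through the `NID_TYPE_X25519MLKEM768` branch assumes both groups share one key_share layout, but their specifications concatenate the two halves in opposite order: X25519MLKEM768 puts the ML-KEM-768 key first and the X25519 share second, while X25519Kyber768Draft00 puts X25519 first. The code that builds the share is outside the hunk, so this cannot be confirmed from here; if it emits one fixed order, servers that validate the share may refuse the draft group and it would be reported as unsupported. A comment at the branch, e.g. `/* NOTE: Draft00 share is X25519 || Kyber768, MLKEM768 is ML-KEM || X25519 */`, or a separate branch would settle it. The doubled parentheses around the second comparison can be dropped as well.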
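Review bot: `char *strength;` is only ever assigned string literals, so it should be declared `const char *strength;` so that a later write through it fails to compile. The label is derived from the same thresholds as `bits_color` and becomes a new attribute in the XML output, so a short comment above the chain stating the mapping, e.g. `/* <112 weak, <128 medium, otherwise good; emitted as strength="..." in the XML */`, would help anyone consuming that XML. The enclosing function starts outside the hunk.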
