Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package sslscan for openSUSE:Factory checked in at 2023-11-13 22:18:33 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sslscan (Old) and /work/SRC/openSUSE:Factory/.sslscan.new.17445 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sslscan" Mon Nov 13 22:18:33 2023 rev:15 rq:1125005 version:2.1.1 Changes: -------- --- /work/SRC/openSUSE:Factory/sslscan/sslscan.changes 2023-09-20 13:27:10.250306004 +0200 +++ /work/SRC/openSUSE:Factory/.sslscan.new.17445/sslscan.changes 2023-11-13 22:21:05.491990223 +0100 @@ -1,0 +2,6 @@ +Fri Nov 10 15:21:49 UTC 2023 - Dirk Müller <dmuel...@suse.com> + +- update to 2.1.1: + * Work around several dodgy TLS implementations + +------------------------------------------------------------------- Old: ---- sslscan-2.1.0.tar.gz New: ---- sslscan-2.1.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sslscan.spec ++++++ --- /var/tmp/diff_new_pack.gQ0Ke5/_old 2023-11-13 22:21:06.240017765 +0100 +++ /var/tmp/diff_new_pack.gQ0Ke5/_new 2023-11-13 22:21:06.240017765 +0100 @@ -17,7 +17,7 @@ Name: sslscan -Version: 2.1.0 +Version: 2.1.1 Release: 0 Summary: SSL cipher scanning tool License: SUSE-GPL-3.0+-with-openssl-exception ++++++ sslscan-2.1.0.tar.gz -> sslscan-2.1.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sslscan-2.1.0/Changelog new/sslscan-2.1.1/Changelog --- old/sslscan-2.1.0/Changelog 2023-09-05 15:54:34.000000000 +0200 +++ new/sslscan-2.1.1/Changelog 2023-09-19 19:17:50.000000000 +0200 @@ -1,5 +1,11 @@ Changelog ========= +Version: 2.1.1 +Date : 19/09/2023 +Author : rbsec <ro...@rbsec.net> +Changes: The following are a list of changes + > Work around several dodgy TLS implementations (credit jtesta) + Version: 2.1.0 Date : 05/09/2023 Author : rbsec <ro...@rbsec.net> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sslscan-2.1.0/Makefile new/sslscan-2.1.1/Makefile --- old/sslscan-2.1.0/Makefile 2023-09-05 15:54:34.000000000 +0200 +++ new/sslscan-2.1.1/Makefile 2023-09-19 19:17:50.000000000 +0200 @@ -131,7 +131,7 @@ if [ -d openssl -a -d openssl/.git ]; then \ cd ./openssl && git checkout `git ls-remote https://github.com/openssl/openssl | grep -Eo '(openssl-3\.0\.[0-9]+)' | sort --version-sort | tail -n 1` && git pull | grep -q "Already up-to-date." && [ -e ../.openssl.is.fresh ] || touch ../.openssl.is.fresh ; \ else \ - git clone --depth 1 -b `git ls-remote https://github.com/openssl/openssl | grep -Eo '(openssl-3\.0\.[0-9]+)' | sort --version-sort | tail -n 1` https://github.com/openssl/openssl ./openssl && cd ./openssl && touch ../.openssl.is.fresh ; \ + git clone --depth 1 -b `git ls-remote https://github.com/openssl/openssl | grep -Eo '(openssl-3\.0\.[0-9]+)' | sort -V | tail -n 1` https://github.com/openssl/openssl ./openssl && cd ./openssl && touch ../.openssl.is.fresh ; \ fi # Need to build OpenSSL differently on OSX diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sslscan-2.1.0/sslscan.c new/sslscan-2.1.1/sslscan.c --- old/sslscan-2.1.0/sslscan.c 2023-09-05 15:54:34.000000000 +0200 +++ new/sslscan-2.1.1/sslscan.c 2023-09-19 19:17:50.000000000 +0200 @@ -1871,20 +1871,18 @@ // Connect SSL over socket cipherStatus = SSL_connect(ssl); + printf_verbose("SSL_connect() returned: %d\n", cipherStatus); sslCipherPointer = SSL_get_current_cipher(ssl); - cipherbits = SSL_CIPHER_get_bits(sslCipherPointer, NULL); - - if (cipherStatus == 0) - { - return false; - } - else if (cipherStatus != 1) - { - printf_verbose("SSL_get_error(ssl, cipherStatus) said: %d\n", SSL_get_error(ssl, cipherStatus)); - return false; + if (sslCipherPointer == NULL) { + printf_verbose("SSL_get_current_cipher() returned NULL; this indicates that the server did not choose a cipher from our list (%s)\n", options->cipherstring); + SSL_shutdown(ssl); + FREE_SSL(ssl); + CLOSE(socketDescriptor); + return false; } + cipherbits = SSL_CIPHER_get_bits(sslCipherPointer, NULL); cipherid = SSL_CIPHER_get_id(sslCipherPointer); cipherid = cipherid & 0x00ffffff; // remove first byte which is the version (0x03 for TLSv1/SSLv3) @@ -1907,24 +1905,18 @@ milliseconds_elapsed = tval_elapsed.tv_sec * 1000 + (int)tval_elapsed.tv_usec / 1000; } - outputCipher(options, ssl, cleanSslMethod, cipherid, ciphername, cipherbits, (cipherStatus == 1), milliseconds_elapsed); + outputCipher(options, ssl, cleanSslMethod, cipherid, ciphername, cipherbits, 1, milliseconds_elapsed); // Disconnect SSL over socket - if (cipherStatus == 1) - { - const char *usedcipher = SSL_get_cipher_name(ssl); - if(sslMethod==TLSv1_3_client_method()) - { // Remove cipher from TLSv1.3 list - cipherRemove(options->cipherstring, usedcipher); - } - else - { - // Using strcat rather than strncat to avoid a warning from GCC - strcat(options->cipherstring, ":!"); - strncat(options->cipherstring, usedcipher, strlen(usedcipher)); - } - SSL_shutdown(ssl); + const char *usedcipher = SSL_get_cipher_name(ssl); + if(sslMethod == TLSv1_3_client_method()) + cipherRemove(options->cipherstring, usedcipher); // Remove cipher from TLSv1.3 list + else { + // Using strcat rather than strncat to avoid a warning from GCC + strcat(options->cipherstring, ":!"); + strncat(options->cipherstring, usedcipher, strlen(usedcipher)); } + SSL_shutdown(ssl); // Free SSL object FREE_SSL(ssl); @@ -5372,8 +5364,14 @@ bs_append_uint32_t(client_hello, rand); } - /* Session ID Length: 0 */ - bs_append_bytes(client_hello, (unsigned char []) { 0x00 }, 1); + /* Session ID Length: 32 */ + bs_append_bytes(client_hello, (unsigned char []) { 32 }, 1); + + /* A "random" 32-byte session ID. */ + for (int i = 0; i < 8; i++) { + rand += (time_now ^ (uint32_t)((~(i + 0) << 24) | (~(i + 1) << 16) | (~(i + 2) << 8) | (~(i + 3) << 0))); + bs_append_uint32_t(client_hello, rand); + } /* Add the length (in bytes) of the ciphersuites list to the Client Hello. */ bs_append_ushort(client_hello, bs_get_len(ciphersuite_list));