pkgsrc-WIP-changes archive


wip/testssl: Update to version 3.0rc5



Module Name:	pkgsrc-wip
Committed By:	ng0 <ng0%NetBSD.org@localhost>
Pushed By:	ng0
Date:		Mon Sep 30 10:52:55 2019 +0000
Changeset:	1abe8ce448c4ce3a45291ff377e0a06ef431a70e

Modified Files:
	testssl/Makefile
	testssl/PLIST
	testssl/distinfo
Added Files:
	testssl/MESSAGE
	testssl/TODO

Log Message:
wip/testssl: Update to version 3.0rc5

Upstream recommends switching to this; fixes are no longer
backported to 2.9.x versions.

Changelog:

* Full support of TLS 1.3, shows also drafts supported
* ROBOT check
* Better TLS extension support
* Better OpenSSL 1.1.1 support
* DNS over Proxy and other proxy improvements
* Decoding of unencrypted BIG IP cookies
* Better JSON output: renamed IDs and findings shorter/better parsable
* JSON output now valid also for non-responding servers
* Testing now per default 370 ciphers
* Further improving the robustness of TLS sockets (sending and parsing)
* Support of supplying timeout value for `openssl connect` -- useful for batch/mass scanning
* File input for serial or parallel mass testing can be also in nmap grep(p)able (-oG) format
* LOGJAM: now checking also for DH and FFDHE groups (TLS 1.2)
* PFS: Display of elliptical curves supported, DH and FFDHE groups (TLS 1.2 + TLS 1.3)
* Check for session resumption (Ticket, ID)
* TLS Robustness check (GREASE)
* Expect-CT Header Detection
* `--phone-out` does certificate revocation checks via OCSP (LDAP+HTTP) and with CRL
* `--phone-out` checks whether the private key has been compromised via https://pwnedkeys.com/
* Full OpenBSD and LibreSSL support
* Missing SAN warning
* Added support for private CAs
* Man page reviewed
* Better error msg suppression (not fully installed OpenSSL)
* Way better handling of connectivity problems
* Exit codes better: 0 for running without error, 1+n for small errors, >240 for major errors.
* Dockerfile and repo @ docker hub with that file (see above)
* Java Root CA store added
* Better support for XMPP via STARTTLS & faster
* Certificate check for to-name in stream of XMPP
* Support for NNTP via STARTTLS
* Support for SNI and STARTTLS
* More robustness for any STARTTLS protocol (fall back to plaintext while in TLS)
* Fixed TCP fragmentation
* Added `--ids-friendly` switch
* Major update of client simulations with self-collected data

* Way better coverage of ciphers as most checks are done via bash sockets wherever possible
* Further tests via TLS sockets and improvements (handshake parsing, completeness, robustness)
* Testing 359 default ciphers (``testssl.sh -e/-E``) with a mixture of sockets and openssl. Same speed as with openssl only but additional ciphers such as post-quantum ciphers, new CHACHA20/POLY1305, CamelliaGCM etc.
* TLS 1.2 protocol check via sockets in production
* Finding more TLS extensions via sockets
* TLS Supported Groups Registry (RFC 7919), key shares extension
* Non-flat JSON output support
* File output (CSV, JSON flat, JSON non-flat) supports a minimum severity level (only findings above the supplied level are output)
* Native HTML support instead of going through 'aha'
* LUCKY13 and SWEET32 checks
* Ticketbleed check
* LOGJAM: now checking also for known DH parameters
* Support of supplying timeout value for ``openssl connect`` -- useful for batch/mass scanning
* Parallel mass testing
* Check for CAA RR
* Check for OCSP must staple
* Check for Certificate Transparency
* Check for session resumption (Ticket, ID)
* Better formatting of output (indentation)
* Choice showing the RFC naming scheme only
* File input for mass testing can be also in nmap grep(p)able (-oG) format
* Postgres and MySQL STARTTLS support
* Man page

To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=1abe8ce448c4ce3a45291ff377e0a06ef431a70e

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

diffstat:
 testssl/MESSAGE  | 12 ++++++++++++
 testssl/Makefile | 25 +++++++++++++++++++++----
 testssl/PLIST    |  7 +++++++
 testssl/TODO     | 30 ++++++++++++++++++++++++++++++
 testssl/distinfo |  8 ++++----
 5 files changed, 74 insertions(+), 8 deletions(-)

diffs:
diff --git a/testssl/MESSAGE b/testssl/MESSAGE
new file mode 100644
index 0000000000..dd700ee335
--- /dev/null
+++ b/testssl/MESSAGE
@@ -0,0 +1,12 @@
+===========================================================================
+$NetBSD$
+
+Some functions of testssl.sh require setting the variable
+
+  TESTSSL_INSTALL_DIR
+
+to
+
+  ${PREFIX}/etc/${PKGBASE}
+
+===========================================================================
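Review bot: the value this MESSAGE tells users to export does not match where the data files are installed. The Makefile copies them into ${PREFIX}/etc/${PKGBASE}, while testssl itself (see the warning captured in TODO) looks for them in "$TESTSSL_INSTALL_DIR/etc/", so with TESTSSL_INSTALL_DIR set to ${PREFIX}/etc/${PKGBASE} the script searches ${PREFIX}/etc/${PKGBASE}/etc/ and still reports "No TLS data file found". Either install the files one level deeper or have the package set the script's default path itself, in which case this MESSAGE is not needed at all.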
diff --git a/testssl/Makefile b/testssl/Makefile
index fca8044cba..f99aa1b6ff 100644
--- a/testssl/Makefile
+++ b/testssl/Makefile
@@ -1,21 +1,29 @@
 # $NetBSD$
 
 DISTNAME=	${GITHUB_PROJECT}-${PKGVERSION_NOREV}
-PKGNAME=	testssl-2.8
+PKGNAME=	testssl-3.0rc5
 CATEGORIES=	security
 MASTER_SITES=	${MASTER_SITE_GITHUB:=drwetter/}
 GITHUB_PROJECT=	testssl.sh
-GITHUB_TAG=	v${PKGVERSION_NOREV}
+GITHUB_TAG=	${PKGVERSION_NOREV}
 
 MAINTAINER=	khorben%defora.org@localhost
 HOMEPAGE=	https://testssl.sh/
 COMMENT=	Checks servers for TLS/SSL flaws
 LICENSE=	gnu-gpl-v2
 
+# Do we need more depends for runtime tools?
 DEPENDS+=	bash-[0-9]*:../../shells/bash
 
+# Tests are run with "prove" (which is provided with lang/perl5),
+# a number of tests fail right now + Test::More needs to be packaged.
+TEST_DEPENDS+=	perl5-[0-9]*:../../lang/perl5
+TEST_DEPENDS+=	p5-Data-Dumper-[0-9]*:../../devel/p5-Data-Dumper
+TEST_DEPENDS+=	p5-JSON-[0-9]*:../../converters/p5-JSON
+#TEST_DEPENDS+=	p5-Test-More-[0-9]*:../../devel/p5-Test-More
+
 NO_BUILD=		yes
-INSTALLATION_DIRS=	bin share/doc/${PKGBASE}
+INSTALLATION_DIRS=	bin share/doc/${PKGBASE} etc/${PKGBASE}
 
 REPLACE_INTERPRETER+=	envbash
 REPLACE.envbash.old=	'/usr/bin/env\ bash'
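Review bot: the comment above the TEST_DEPENDS block says Test::More still needs to be packaged, but Test::More is part of the perl core distribution (Test-Simple), so the TEST_DEPENDS on lang/perl5 already provides it and the commented-out p5-Test-More line can simply be dropped; Data::Dumper is a core module as well. The "Do we need more depends for runtime tools?" question is answered by the run recorded in TODO: the script picked up /usr/bin/openssl from the base system, so if the package is meant to test with pkgsrc's OpenSSL it needs a DEPENDS on it (or the openssl path set explicitly); otherwise the scan results depend on whatever openssl the host happens to ship.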
@@ -24,6 +32,15 @@ REPLACE_FILES.envbash=	testssl.sh
 
 do-install:
 	${INSTALL} -m 0755 ${WRKSRC}/testssl.sh ${DESTDIR}${PREFIX}/bin/testssl
-	${INSTALL} -m 0644 ${WRKSRC}/Readme.md ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}/README.md
+	${INSTALL_DATA} ${WRKSRC}/Readme.md ${DESTDIR}${PREFIX}/share/doc/${PKGBASE}/README.md
+
+# Maybe patch in the path to TESTSSL_INSTALL_DIR?
+post-install:
+.for f in ca_hashes.txt cipher-mapping.txt client-simulation.txt client-simulation.wiresharked.txt common-primes.txt curves.txt tls_data.txt
+	${INSTALL_DATA} ${WRKSRC}/etc/${f} ${DESTDIR}${PREFIX}/etc/${PKGBASE}
+.endfor
+
+do-test:
+	( cd ${WRKSRC} && ${PREFIX}/bin/prove -v )
 
 .include "../../mk/bsd.pkg.mk"
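Review bot: the post-install loop installs static data files (CA hashes, cipher mappings, curves, client simulations) into ${PREFIX}/etc/${PKGBASE}, but etc/ is for user-editable configuration in pkgsrc and none of these files are meant to be edited, so share/${PKGBASE} is the better location. That also answers the "Maybe patch in the path to TESTSSL_INSTALL_DIR?" comment: a SUBST_CLASSES entry that sets the script's default install directory to that path removes the need for users to export TESTSSL_INSTALL_DIR at all. The do-test target is fine as long as prove comes from the perl5 in TEST_DEPENDS, but the failing tests mentioned in the comment should be listed somewhere before the target is relied on.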
diff --git a/testssl/PLIST b/testssl/PLIST
index 22e8ef3c29..2597400f67 100644
--- a/testssl/PLIST
+++ b/testssl/PLIST
@@ -1,3 +1,10 @@
 @comment $NetBSD$
 bin/testssl
+etc/testssl/ca_hashes.txt
+etc/testssl/cipher-mapping.txt
+etc/testssl/client-simulation.txt
+etc/testssl/client-simulation.wiresharked.txt
+etc/testssl/common-primes.txt
+etc/testssl/curves.txt
+etc/testssl/tls_data.txt
 share/doc/testssl/README.md
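Review bot: these seven entries are listed directly under etc/testssl/, which makes pkg_delete remove them and pkg_add overwrite them like ordinary files; that is only acceptable because they are data rather than configuration, and it is one more reason to move them (and these PLIST lines) to share/testssl/. If they do stay under etc/, files there should normally be handled through CONF_FILES with the originals in share/examples instead of being listed here.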
diff --git a/testssl/TODO b/testssl/TODO
new file mode 100644
index 0000000000..008e41e768
--- /dev/null
+++ b/testssl/TODO
@@ -0,0 +1,30 @@
+Fix this:
+TESTSSL_INSTALL_DIR=/usr/pkg/etc/testssl testssl mta01.hs-bochum.de:587
+shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
+
+ATTENTION: No TLS data file found -- needed for socket-based handshakes
+Please note from 2.9 on testssl needs files in "$TESTSSL_INSTALL_DIR/etc/" to function correctly.
+
+Type "yes" to ignore this warning and proceed at your own risk --> yes
+
+No engine or GOST support via engine with your /usr/bin/openssl
+pwd: No such file or directory
+
+###########################################################
+    testssl       3.0rc5 from https://testssl.sh/dev/
+
+      This program is free software. Distribution and
+             modification under GPLv2 permitted.
+      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
+
+       Please file bugs @ https://testssl.sh/bugs/
+
+###########################################################
+
+ Using "OpenSSL 1.1.1c  28 May 2019" [~80 ciphers]
+ on localhost:$PWD/bin/openssl
+ (built: "", platform: "NetBSD-x86_64")
+
+
+
+Fatal error: No IPv4/IPv6 address(es) for "mta01.hs-bochum.de" available
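Review bot: this captured run mixes three unrelated problems, and only one of them is the package's to fix. "shell-init: error retrieving current directory" and "pwd: No such file or directory" come from invoking the command from a directory that no longer exists, not from testssl, and "Fatal error: No IPv4/IPv6 address(es) ... available" is the test host lacking name resolution or network access. The packaging bug is "No TLS data file found": the warning states the files are expected in "$TESTSSL_INSTALL_DIR/etc/", while the package installs them in ${PREFIX}/etc/${PKGBASE} without the trailing etc/, so the variable value suggested in MESSAGE cannot work. Suggest trimming the TODO to that one item so the next person does not chase the other two.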
diff --git a/testssl/distinfo b/testssl/distinfo
index 0704c4ec70..d47059a08f 100644
--- a/testssl/distinfo
+++ b/testssl/distinfo
@@ -1,6 +1,6 @@
 $NetBSD$
 
-SHA1 (testssl.sh-2.8.tar.gz) = c679e353b51a395a87aeab4609f863697a8ea138
-RMD160 (testssl.sh-2.8.tar.gz) = 7f7f9ddc1104445afab8a74e6dff7b82890596d6
-SHA512 (testssl.sh-2.8.tar.gz) = 6c4b5c01a77230ef03caa1f844fa2e72e72bf5d9a28ec143f6b5fbebc4ae7f74d214d4197f4681ebaf4e29f2754785ab329f1563f8c2a0e078311fc75988328a
-Size (testssl.sh-2.8.tar.gz) = 8529555 bytes
+SHA1 (testssl.sh-3.0rc5.tar.gz) = fec0e6303b94c46a6e579ca4c0a7740132ec5889
+RMD160 (testssl.sh-3.0rc5.tar.gz) = bd7911f2f8b57e99859d6731a6ac802fc0951533
+SHA512 (testssl.sh-3.0rc5.tar.gz) = 2ac175801e3242484d3b882ed49a3cdb7ea7613a4e3fe086b2cb94397decd8465e18db2e83a215b4a49d672d03c7b818ba689a40e7a4d69688e9a691a8722014
+Size (testssl.sh-3.0rc5.tar.gz) = 9181084 bytes

