Merge tag 'upstream/1.11.10-rbsec' into kali/master
Upstream version 1.11.10-rbsec
Sophie Brun
7 years ago
| 0 | 0 |
Changelog
|
| 1 | 1 |
=========
|
|
2 |
|
|
3 |
Version: 1.11.10
|
|
4 |
Date : 04/05/2017
|
|
5 |
Author : rbsec <[email protected]>
|
|
6 |
Changes: The following are a list of changes
|
|
7 |
> Build against Peter Mosmans' branch of OpenSSL
|
|
8 |
> Support for ChaCha ciphers
|
|
9 |
> NOTE: you will need to run `make clean && make static`.
|
| 2 | 10 |
|
| 3 | 11 |
Version: 1.11.9
|
| 4 | 12 |
Date : 09/04/2017
|
| 84 | 84 |
if [ -d openssl -a -d openssl/.git ]; then \
|
| 85 | 85 |
cd ./openssl && git checkout OpenSSL_1_0_2-stable && git pull | grep -q "Already up-to-date." && [ -e ../.openssl.is.fresh ] || touch ../.openssl.is.fresh ; \
|
| 86 | 86 |
else \
|
| 87 | |
git clone --depth 1 -b OpenSSL_1_0_2-stable https://github.com/openssl/openssl ./openssl && cd ./openssl && touch ../.openssl.is.fresh ; \
|
|
87 |
git clone --depth 1 -b OpenSSL_1_0_2-stable https://github.com/PeterMosmans/openssl ./openssl && cd ./openssl && touch ../.openssl.is.fresh ; \
|
| 88 | 88 |
fi
|
| 89 | |
# Re-enable SSLv2 EXPORT ciphers
|
| 90 | |
sed -i.bak -E 's/# if 0/# if 1/g' openssl/ssl/s2_lib.c
|
| 91 | |
rm openssl/ssl/s2_lib.c.bak
|
| 92 | |
# Re-enable weak (<1024 bit) DH keys
|
| 93 | |
sed -i.bak -E 's/dh_size < [0-9]\+/dh_size < 512/g' openssl/ssl/s3_clnt.c
|
| 94 | |
rm openssl/ssl/s3_clnt.c.bak
|
| 95 | |
# Break the weak DH key test so OpenSSL compiles
|
| 96 | |
sed -i.bak -E 's/dhe512/zzz/g' openssl/test/testssl
|
| 97 | |
rm openssl/test/testssl.bak
|
| 98 | 89 |
|
| 99 | 90 |
# Need to build OpenSSL differently on OSX
|
| 100 | 91 |
ifeq ($(OS), Darwin)
|
|
| 115 | 106 |
$(MAKE) sslscan STATIC_BUILD=TRUE
|
| 116 | 107 |
|
| 117 | 108 |
clean:
|
| 118 | |
if [ -d openssl -a -d openssl/.git ]; then ( cd ./openssl; git clean -fx ); fi;
|
|
109 |
if [ -d openssl ]; then ( rm -rf openssl ); fi;
|
| 119 | 110 |
rm -f sslscan
|
| 120 | 111 |
rm -f .openssl.is.fresh
|
| 66 | 66 |
the SSL ecosystem as a whole, it is a problem for sslscan, which relies on
|
| 67 | 67 |
these legacy features being available in order to detect them on client system.
|
| 68 | 68 |
|
| 69 | |
Keeping these features available while also adding support for the new features
|
| 70 | |
such as TLSv1.3 would either require maintaining a separate fork of OpenSSL
|
| 71 | |
with all the required features enabled, or a complete rewrite of sslscan to use
|
| 72 | |
a different library (or to handle the TLS handshake itself). As such, it is
|
| 73 | |
likely that sslscan **will never support OpenSSL 1.1.0.** It is recommended
|
| 74 | |
that you continue to build statically against OpenSSL 1.0.1, as describeed in
|
| 75 | |
the following section.
|
|
69 |
In order to work around this, sslscan builds against [Peter Mosmans'](https://github.com/PeterMosmans/openssl)
|
|
70 |
fork of OpenSSL, which backports the Chacha20 and Poly1305 ciphers to OpenSSL
|
|
71 |
1.0.2, while keeping the dangerous legacy features (such as SSLv2 and EXPORT
|
|
72 |
ciphers) enabled.
|
| 76 | 73 |
|
| 77 | 74 |
#### Statically linking a custom OpenSSL build
|
| 78 | 75 |
|
| 1667 | 1667 |
{
|
| 1668 | 1668 |
printf("%s%-29s%s", COL_YELLOW, sslCipherPointer->name, RESET);
|
| 1669 | 1669 |
}
|
| 1670 | |
else if (strstr(sslCipherPointer->name, "GCM") && strstr(sslCipherPointer->name, "DHE"))
|
|
1670 |
else if ((strstr(sslCipherPointer->name, "CHACHA20") || (strstr(sslCipherPointer->name, "GCM")))
|
|
1671 |
&& strstr(sslCipherPointer->name, "DHE"))
|
| 1671 | 1672 |
{
|
| 1672 | 1673 |
printf("%s%-29s%s", COL_GREEN, sslCipherPointer->name, RESET);
|
| 1673 | 1674 |
}
|