Merge tag 'upstream/1.11.10-rbsec' into kali/master
Upstream version 1.11.10-rbsec
Sophie Brun
7 years ago
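--- a/Changelog
+++ b/Changelog
 Changelog
 =========
+
+Version: 1.11.10
+Date : 04/05/2017
+Author : rbsec <[email protected]>
+Changes: The following are a list of changes
+> Build against Peter Mosmans' branch of OpenSSL
+> Support for ChaCha ciphers
+> NOTE: you will need to run `make clean && make static`.
 
 Version: 1.11.9
 Date : 09/04/2017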
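--- a/[MAKEFILE_PATH]
+++ b/[MAKEFILE_PATH]
@@ -84,17 +84,8 @@
 if [ -d openssl -a -d openssl/.git ]; then \
 cd ./openssl && git checkout OpenSSL_1_0_2-stable && git pull | grep -q "Already up-to-date." && [ -e ../.openssl.is.fresh ] || touch ../.openssl.is.fresh ; \
 else \
-git clone --depth 1 -b OpenSSL_1_0_2-stable https://github.com/openssl/openssl ./openssl && cd ./openssl && touch ../.openssl.is.fresh ; \
+git clone --depth 1 -b OpenSSL_1_0_2-stable https://github.com/PeterMosmans/openssl ./openssl && cd ./openssl && touch ../.openssl.is.fresh ; \
 fi
-# Re-enable SSLv2 EXPORT ciphers
-sed -i.bak -E 's/# if 0/# if 1/g' openssl/ssl/s2_lib.c
-rm openssl/ssl/s2_lib.c.bak
-# Re-enable weak (<1024 bit) DH keys
-sed -i.bak -E 's/dh_size < [0-9]\+/dh_size < 512/g' openssl/ssl/s3_clnt.c
-rm openssl/ssl/s3_clnt.c.bak
-# Break the weak DH key test so OpenSSL compiles
-sed -i.bak -E 's/dhe512/zzz/g' openssl/test/testssl
-rm openssl/test/testssl.bak
 
 # Need to build OpenSSL differently on OSX
 ifeq ($(OS), Darwin)
@@ -115,6 +106,6 @@
 $(MAKE) sslscan STATIC_BUILD=TRUE
 
 clean:
-if [ -d openssl -a -d openssl/.git ]; then ( cd ./openssl; git clean -fx ); fi;
+if [ -d openssl ]; then ( rm -rf openssl ); fi;
 rm -f sslscan
 rm -f .openssl.is.fresh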
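Review bot: The clone on new line 87 tracks the fork's moving `OpenSSL_1_0_2-stable` branch with no pinned revision and no integrity check, so each fresh build links sslscan against whatever that branch holds at clone time; for a build whose stated purpose is to keep SSLv2 and EXPORT ciphers available, pinning to a reviewed tag is the cheap defence, e.g. `git clone --depth 1 -b <PINNED_TAG_OR_RELEASE> https://github.com/PeterMosmans/openssl ./openssl && cd ./openssl && touch ../.openssl.is.fresh ; \`. The update path on line 85 is unchanged and never re-points `origin`, so a working tree cloned from github.com/openssl/openssl by the previous Makefile keeps pulling upstream rather than the fork; the Changelog's instruction to run `make clean` first appears to be the only thing covering that, and a remote-URL check before `git pull` would make the requirement explicit and fail loudly. The recipe this `if` belongs to starts above the hunk, so the target it builds is not visible here.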
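--- a/[README_PATH]
+++ b/[README_PATH]
 the SSL ecosystem as a whole, it is a problem for sslscan, which relies on
 these legacy features being available in order to detect them on client system.
 
-Keeping these features available while also adding support for the new features
-such as TLSv1.3 would either require maintaining a separate fork of OpenSSL
-with all the required features enabled, or a complete rewrite of sslscan to use
-a different library (or to handle the TLS handshake itself). As such, it is
-likely that sslscan **will never support OpenSSL 1.1.0.** It is recommended
-that you continue to build statically against OpenSSL 1.0.1, as describeed in
-the following section.
+In order to work around this, sslscan builds against [Peter Mosmans'](https://github.com/PeterMosmans/openssl)
+fork of OpenSSL, which backports the Chacha20 and Poly1305 ciphers to OpenSSL
+1.0.2, while keeping the dangerous legacy features (such as SSLv2 and EXPORT
+ciphers) enabled.
 
 #### Statically linking a custom OpenSSL build
 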
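--- a/[SSLSCAN_C_PATH]
+++ b/[SSLSCAN_C_PATH]
 {
 printf("%s%-29s%s", COL_YELLOW, sslCipherPointer->name, RESET);
 }
-else if (strstr(sslCipherPointer->name, "GCM") && strstr(sslCipherPointer->name, "DHE"))
+else if ((strstr(sslCipherPointer->name, "CHACHA20") || (strstr(sslCipherPointer->name, "GCM")))
+&& strstr(sslCipherPointer->name, "DHE"))
 {
 printf("%s%-29s%s", COL_GREEN, sslCipherPointer->name, RESET);
 }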
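Review bot: The new condition on lines 1670-1671 wraps the `GCM` test in a redundant extra pair of parentheses while the `CHACHA20` test beside it has none, which makes the precedence look more involved than it is; `else if ((strstr(sslCipherPointer->name, "CHACHA20") || strstr(sslCipherPointer->name, "GCM")) && strstr(sslCipherPointer->name, "DHE"))` expresses the same test symmetrically. As before, the `"DHE"` substring also matches `ECDHE`-named suites, so the green rating presumably covers both key-exchange families — a short comment saying so would save the next reader from checking. The enclosing function begins and ends outside the hunk.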