The bundled openssl is a crucial part of SSL testing. It is important to compile this tool against a very specific (old and vulnerable) openssl library. The manual (/bin/Readme.md) suggests using one of the following repositories:
- https://github.com/drwetter/openssl
- https://github.com/PeterMosmans/openssl

First of all, bundled-openssl is not even enabled by default, but I believe it should not be optional at all. Secondly, I have enabled it but the tool still uses a system library:

Using "OpenSSL 1.0.2o 27 Mar 2018" [~125 ciphers]

This version produces false positive results for the "Secure Client-Initiated Renegotiation" vulnerability. See the following link for more details: https://securingtomorrow.mcafee.com/technical-how-to/tips-securing-ssl-renegotiation/
The quick workaround is to specify an env variable:

    OPENSSL=/opt/testssl/openssl.Linux.x86_64 testssl.sh

However, it is platform dependent and it might be easier to compile the required openssl library statically. We have fixed a similar bug in sslscan: https://bugs.gentoo.org/603828
Please fix asap
I have created a new ebuild for the forked openssl (openssl-bad) and patched testssl:

    sed -i ${PN}.sh \
        -e 's|OPENSSL="$1/openssl"|OPENSSL="$1/openssl-bad"|' || die

Feel free to use it: https://github.com/pentoo/pentoo-overlay/commit/bd6396c83e0f9fc2dc1d45104a7b5950d596fe0f
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b9e4b6ccb7e424d708f67be1512cdb3df88ebccf

commit b9e4b6ccb7e424d708f67be1512cdb3df88ebccf
Author:     Michael Palimaka <kensington@gentoo.org>
AuthorDate: 2018-10-06 10:52:53 +0000
Commit:     Michael Palimaka <kensington@gentoo.org>
CommitDate: 2018-10-06 10:54:39 +0000

    net-analyzer/testssl: use bundled openssl by default when enabled

    Closes: https://bugs.gentoo.org/664084
    Signed-off-by: Michael Palimaka <kensington@gentoo.org>
    Package-Manager: Portage-2.3.49, Repoman-2.3.11

 net-analyzer/testssl/testssl-2.9.5_p5-r1.ebuild | 60 +++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
Thanks for the feedback. There was previously a postinst message when USE="bundled-openssl" was enabled; however, I've improved the ebuild to use the bundled binary by default when enabled. I agree that an even better solution would be to use a dedicated openssl build like your openssl-bad; unfortunately, I don't have the bandwidth to take on maintaining any new packages right now.
I have looked at the fix and feel it is not complete. The flag is still disabled by default and you have only applied it for the amd64 platform. There are 3 Linux openssl binaries provided with this package, so you can apply the same for x86 and add a kerberos flag for amd64.
I'm afraid I'm not comfortable with enabling a USE flag that installs a binary blob by default. If we did have the custom openssl build in the tree to depend on instead, that would be a different story. Handling of the x86 binary isn't in place since the ebuild isn't keyworded for x86 yet (nobody has requested it). I'm not familiar with what the difference with openssl.Linux.x86_64.krb5 is, do you have any idea?
I'm a bit confused, isn't it keyworded and even stable on x86?
https://github.com/gentoo/gentoo/blob/master/net-analyzer/testssl/testssl-2.9.5_p5.ebuild#L15

As for the kerberos, see the following:
https://github.com/drwetter/testssl.sh/blob/2.9dev/bin/Readme.md

The documentation says "Kerberos ciphers":
- 193(+4 GOST) ciphers including kerberos
- 179(+4 GOST) ciphers without kerberos

Unfortunately, upstream didn't provide it for x86 so I decided to fork openssl-bad at this point. It solved all problems at once.
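An added sketch (not part of the bug report, the ebuild, or testssl.sh) of the OPENSSL workaround and the cipher counts discussed above: it picks the bundled binary for a machine type and classifies a cipher count against the figures quoted in this thread. The /opt/testssl path and the x86_64 file names come from the thread; the openssl.Linux.i686 name and the use of `openssl ciphers` output as the count are assumptions.

```shell
#!/bin/sh
# Added example: choose a bundled openssl for testssl.sh and sanity-check it.

# Print the bundled binary for a machine type (as printed by `uname -m`).
# $1 = directory holding the binaries, $2 = machine type,
# $3 = "krb5" to prefer the Kerberos-enabled build when it exists.
bundled_openssl_for() {
    dir=$1 machine=$2 want_krb5=${3:-}
    case "$machine" in
        x86_64) name=openssl.Linux.x86_64 ;;
        i?86)   name=openssl.Linux.i686 ;;   # assumed file name
        *)      return 1 ;;                  # no bundled build known
    esac
    if [ "$want_krb5" = krb5 ] && [ -x "$dir/$name.krb5" ]; then
        name=$name.krb5
    fi
    [ -x "$dir/$name" ] || return 1
    printf '%s\n' "$dir/$name"
}

# Count entries in a colon-separated list such as `openssl ciphers` prints.
count_ciphers() {
    printf '%s\n' "$1" | awk -F: '{ n += NF } END { print n + 0 }'
}

# Classify a cipher count against the figures quoted in the thread:
# 193 with Kerberos, 179 without, about 125 for the system OpenSSL 1.0.2o.
coverage_verdict() {
    if [ "$1" -ge 193 ]; then echo legacy-krb5
    elif [ "$1" -ge 179 ]; then echo legacy
    else echo reduced
    fi
}

# Demo: report what would be exported, without running testssl.sh itself.
if bin=$(bundled_openssl_for /opt/testssl "$(uname -m)" krb5); then
    n=$(count_ciphers "$("$bin" ciphers 'ALL:COMPLEMENTOFALL')")
    echo "OPENSSL=$bin ($n ciphers: $(coverage_verdict "$n"))"
else
    echo "no bundled openssl under /opt/testssl; testssl.sh would use the system one"
fi
```

A "reduced" verdict means the binary offers fewer ciphers than either bundled build, so scan results from it should be read with that gap in mind.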
(In reply to Anton Bolshakov from comment #8)
> I'm a bit confused, isn't it keyworded and even stable on x86?
>
> https://github.com/gentoo/gentoo/blob/master/net-analyzer/testssl/testssl-2.9.5_p5.ebuild#L15

I'm not sure how I missed that! Fix incoming.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=51bd4d9ca1d701bc651d904425a043226beab092

commit 51bd4d9ca1d701bc651d904425a043226beab092
Author:     Michael Palimaka <kensington@gentoo.org>
AuthorDate: 2018-10-11 13:22:13 +0000
Commit:     Michael Palimaka <kensington@gentoo.org>
CommitDate: 2018-10-11 13:23:02 +0000

    net-analyzer/testssl: revbump fixes improves bundled-openssl support

    Bug: https://bugs.gentoo.org/664084
    Signed-off-by: Michael Palimaka <kensington@gentoo.org>
    Package-Manager: Portage-2.3.49, Repoman-2.3.11

 net-analyzer/testssl/testssl-2.9.5_p5-r2.ebuild | 74 +++++++++++++++++++++++++
 1 file changed, 74 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=90c11d51417b23f50168756ce89a603375486331

commit 90c11d51417b23f50168756ce89a603375486331
Author:     Michael Palimaka <kensington@gentoo.org>
AuthorDate: 2018-10-11 13:20:17 +0000
Commit:     Michael Palimaka <kensington@gentoo.org>
CommitDate: 2018-10-11 13:23:01 +0000

    profiles: handle net-analyzer/testssl arch-specific USE flags

    Bug: https://bugs.gentoo.org/664084
    Signed-off-by: Michael Palimaka <kensington@gentoo.org>

 profiles/arch/amd64/package.use.mask | 4 ++++
 profiles/arch/base/package.use.mask  | 4 ++++
 profiles/arch/x86/package.use.mask   | 4 ++++
 3 files changed, 12 insertions(+)
Great, thanks! I haven't tested but it looks ok.