Date: Mon, 1 Apr 2024 11:38:32 GMT
Message-Id: <202404011138.431BcWNb044865@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Rene Ladan Subject: git: 08e63e0b91e6 - main - security/py-sslyze: Remove expired port List-Id: Commit messages for all branches of the ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-all@freebsd.org X-BeenThere: dev-commits-ports-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: rene X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 08e63e0b91e6a6d2fc600858fed622dac3096e65 Auto-Submitted: auto-generated The branch main has been updated by rene: URL: https://cgit.FreeBSD.org/ports/commit/?id=08e63e0b91e6a6d2fc600858fed622dac3096e65 commit 08e63e0b91e6a6d2fc600858fed622dac3096e65 Author: Rene Ladan AuthorDate: 2024-04-01 11:38:09 +0000 Commit: Rene Ladan CommitDate: 2024-04-01 11:38:09 +0000 security/py-sslyze: Remove expired port 2024-03-31 security/py-sslyze: It does not support OpenSSL 3.0+ --- MOVED | 1 + security/Makefile | 1 - security/py-sslyze/Makefile | 30 ----- security/py-sslyze/distinfo | 3 - security/py-sslyze/files/patch-openssl | 229 --------------------------------- security/py-sslyze/pkg-descr | 6 - 6 files changed, 1 insertion(+), 269 deletions(-) diff --git a/MOVED b/MOVED index 97bc6d857a7f..60c5b7c61188 100644 --- a/MOVED +++ b/MOVED @@ -3117,3 +3117,4 @@ archivers/xar||2024-04-01|Has expired: Last release was in 2012 and upstream is editors/morla||2024-04-01|Has expired: Project is unmaintained and last upstream release was in 2011 java/netcomponents||2024-04-01|Has expired: Last upstream release was in 2000 and upstream unmaintained consider using net/apache-commons-net devel/upslug||2024-04-01|Has expired: Utility for a NAS released in 2004 and discontinued in 2008 +security/py-sslyze||2024-04-01|Has expired: It does not support OpenSSL 3.0+ 
diff --git a/security/Makefile b/security/Makefile index 016d29472fc8..ac6861a33fcf 100644 --- a/security/Makefile +++ b/security/Makefile @@ -1041,7 +1041,6 @@ SUBDIR += py-spake2 SUBDIR += py-ssh-audit SUBDIR += py-sshpubkeys - SUBDIR += py-sslyze SUBDIR += py-stem SUBDIR += py-stix SUBDIR += py-stix2 diff --git a/security/py-sslyze/Makefile b/security/py-sslyze/Makefile deleted file mode 100644 index 711ee5099b5f..000000000000 --- a/security/py-sslyze/Makefile +++ /dev/null @@ -1,30 +0,0 @@ -PORTNAME= sslyze -PORTVERSION= 5.2.0 -CATEGORIES= security python -MASTER_SITES= PYPI -PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} - -MAINTAINER= sunpoet@FreeBSD.org -COMMENT= Fast and powerful SSL/TLS scanning library -WWW= https://github.com/nabla-c0d3/sslyze - -LICENSE= AGPLv3 -LICENSE_FILE= ${WRKSRC}/LICENSE.txt - -DEPRECATED= It does not support OpenSSL 3.0+ -EXPIRATION_DATE=2024-03-31 - -RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}nassl>=5.1<6:security/py-nassl@${PY_FLAVOR} \ - ${PYTHON_PKGNAMEPREFIX}pydantic>=1.10<2.4,1:devel/py-pydantic@${PY_FLAVOR} \ - ${PYTHON_PKGNAMEPREFIX}openssl>=23,1<24,1:security/py-openssl@${PY_FLAVOR} \ - ${PYTHON_PKGNAMEPREFIX}tls-parser>=2<3:security/py-tls-parser@${PY_FLAVOR} - -USES= python -USE_PYTHON= autoplist concurrent cryptography distutils - -NO_ARCH= yes - -post-patch: - @${RM} ${WRKSRC}/sslyze/plugins/openssl_cipher_suites/_tls12_workaround.py - -.include diff --git a/security/py-sslyze/distinfo b/security/py-sslyze/distinfo deleted file mode 100644 index a0335a6f28ef..000000000000 --- a/security/py-sslyze/distinfo +++ /dev/null @@ -1,3 +0,0 @@ -TIMESTAMP = 1696001402 -SHA256 (sslyze-5.2.0.tar.gz) = 15ecb471b251dfbd003ba81a57d36865a93f18b74c7e7883a00d8bbddd365e03 -SIZE (sslyze-5.2.0.tar.gz) = 968952 diff --git a/security/py-sslyze/files/patch-openssl b/security/py-sslyze/files/patch-openssl deleted file mode 100644 index 3ed62497d78c..000000000000 --- a/security/py-sslyze/files/patch-openssl +++ /dev/null 
@@ -1,229 +0,0 @@ ---- sslyze/connection_helpers/tls_connection.py.orig 2023-01-16 21:45:34 UTC -+++ sslyze/connection_helpers/tls_connection.py -@@ -2,8 +2,6 @@ import socket - from pathlib import Path - from typing import Optional, TYPE_CHECKING - --from nassl.legacy_ssl_client import LegacySslClient -- - from sslyze.server_setting import ( - ServerNetworkLocation, - ServerNetworkConfiguration, -@@ -172,7 +170,7 @@ class SslConnection: - ): - raise ValueError("Cannot use modern OpenSSL with SSL 2.0 or 3.0") - -- ssl_client_cls = LegacySslClient if final_should_use_legacy_openssl else SslClient -+ ssl_client_cls = SslClient - - if network_configuration.tls_client_auth_credentials: - # A client certificate and private key were provided ---- sslyze/mozilla_tls_profile/mozilla_config_checker.py.orig 2023-01-16 21:45:34 UTC -+++ sslyze/mozilla_tls_profile/mozilla_config_checker.py -@@ -79,10 +79,6 @@ class ServerScanResultIncomplete(Exception): - - - SCAN_COMMANDS_NEEDED_BY_MOZILLA_CHECKER: Set[ScanCommand] = { -- ScanCommand.SSL_2_0_CIPHER_SUITES, -- ScanCommand.SSL_3_0_CIPHER_SUITES, -- ScanCommand.TLS_1_0_CIPHER_SUITES, -- ScanCommand.TLS_1_1_CIPHER_SUITES, - ScanCommand.TLS_1_2_CIPHER_SUITES, - ScanCommand.TLS_1_3_CIPHER_SUITES, - ScanCommand.HEARTBLEED, -@@ -223,10 +219,6 @@ def _check_tls_versions_and_ciphers( - smallest_ecdh_param_size = 100000 - smallest_dh_param_size = 100000 - for field_name, tls_version_name in [ -- ("ssl_2_0_cipher_suites", "SSLv2"), -- ("ssl_3_0_cipher_suites", "SSLv3"), -- ("tls_1_0_cipher_suites", "TLSv1"), -- ("tls_1_1_cipher_suites", "TLSv1.1"), - ("tls_1_2_cipher_suites", "TLSv1.2"), - ("tls_1_3_cipher_suites", "TLSv1.3"), - ]: ---- sslyze/plugins/compression_plugin.py.orig 2023-01-18 18:58:11 UTC -+++ sslyze/plugins/compression_plugin.py -@@ -1,6 +1,6 @@ - from dataclasses import dataclass - --from nassl.legacy_ssl_client import LegacySslClient -+from nassl.ssl_client import SslClient - from nassl.ssl_client import 
ClientCertificateRequested - - from sslyze.json.pydantic_utils import BaseModelWithOrmModeAndForbid -@@ -89,9 +89,9 @@ def _test_compression_support(server_info: ServerConne - - ssl_connection = server_info.get_preconfigured_tls_connection( - override_tls_version=tls_version_to_use, -- should_use_legacy_openssl=True, # Only the legacy SSL client has methods to check for compression support -+ should_use_legacy_openssl=False, - ) -- if not isinstance(ssl_connection.ssl_client, LegacySslClient): -+ if not isinstance(ssl_connection.ssl_client, SslClient): - raise RuntimeError("Should never happen") - - # Make sure OpenSSL was built with support for compression to avoid false negatives ---- sslyze/plugins/fallback_scsv_plugin.py.orig 2023-01-18 18:58:11 UTC -+++ sslyze/plugins/fallback_scsv_plugin.py -@@ -2,7 +2,6 @@ from dataclasses import dataclass - from typing import List, Optional - - from nassl import _nassl --from nassl.legacy_ssl_client import LegacySslClient - - from sslyze.json.pydantic_utils import BaseModelWithOrmModeAndForbid - from sslyze.json.scan_attempt_json import ScanCommandAttemptAsJson ---- sslyze/plugins/openssl_cipher_suites/_test_cipher_suite.py.orig 2022-05-14 09:12:21 UTC -+++ sslyze/plugins/openssl_cipher_suites/_test_cipher_suite.py -@@ -2,7 +2,6 @@ from dataclasses import dataclass - from typing import Optional, Union - - from nassl.ephemeral_key_info import EphemeralKeyInfo --from nassl.legacy_ssl_client import LegacySslClient - from nassl.ssl_client import ClientCertificateRequested, SslClient, BaseSslClient - - from sslyze.errors import ( -@@ -12,7 +11,6 @@ from sslyze.errors import ( - ) - from sslyze.plugins.openssl_cipher_suites.cipher_suites import CipherSuite - from sslyze.server_connectivity import ServerConnectivityInfo, TlsVersionEnum --from sslyze.plugins.openssl_cipher_suites._tls12_workaround import WorkaroundForTls12ForCipherSuites - - - @dataclass(frozen=True) -@@ -36,15 +34,10 @@ def connect_with_cipher_suite( - 
server_connectivity_info: ServerConnectivityInfo, tls_version: TlsVersionEnum, cipher_suite: CipherSuite - ) -> Union[CipherSuiteAcceptedByServer, CipherSuiteRejectedByServer]: - """Initiates a SSL handshake with the server using the SSL version and the cipher suite specified.""" -- requires_legacy_openssl = True -- if tls_version == TlsVersionEnum.TLS_1_2: -- # For TLS 1.2, we need to pick the right version of OpenSSL depending on which cipher suite -- requires_legacy_openssl = WorkaroundForTls12ForCipherSuites.requires_legacy_openssl(cipher_suite.openssl_name) -- elif tls_version == TlsVersionEnum.TLS_1_3: -- requires_legacy_openssl = False -+ requires_legacy_openssl = False - - ssl_connection = server_connectivity_info.get_preconfigured_tls_connection( -- override_tls_version=tls_version, should_use_legacy_openssl=requires_legacy_openssl -+ override_tls_version=tls_version, should_use_legacy_openssl=False - ) - _set_cipher_suite_string(tls_version, cipher_suite.openssl_name, ssl_connection.ssl_client) - ---- sslyze/plugins/openssl_cipher_suites/cipher_suites.py.orig 2022-05-14 09:12:21 UTC -+++ sslyze/plugins/openssl_cipher_suites/cipher_suites.py -@@ -3,7 +3,6 @@ from typing import Dict, Set - - from dataclasses import dataclass - --from nassl.legacy_ssl_client import LegacySslClient - from nassl.ssl_client import OpenSslVersionEnum, SslClient - - from sslyze.server_connectivity import TlsVersionEnum -@@ -571,44 +570,14 @@ _TLS_1_3_CIPHER_SUITES = [ - ] - - --def _parse_all_cipher_suites_with_legacy_openssl(tls_version: TlsVersionEnum) -> Set[str]: -- ssl_client = LegacySslClient(ssl_version=OpenSslVersionEnum(tls_version.value)) -- # Disable SRP and PSK cipher suites as they need a special setup in the client and are never used -- ssl_client.set_cipher_list("ALL:COMPLEMENTOFALL:-PSK:-SRP") -- return set(ssl_client.get_cipher_list()) -- -- - def _parse_all_cipher_suites() -> Dict[TlsVersionEnum, Set[CipherSuite]]: - tls_version_to_cipher_suites: 
Dict[TlsVersionEnum, Set[CipherSuite]] = {} - -- for tls_version in [ -- TlsVersionEnum.SSL_2_0, -- TlsVersionEnum.SSL_3_0, -- TlsVersionEnum.TLS_1_0, -- TlsVersionEnum.TLS_1_1, -- ]: -- openssl_cipher_strings = _parse_all_cipher_suites_with_legacy_openssl(tls_version) -- tls_version_to_cipher_suites[tls_version] = set() -- for cipher_suite_openssl_name in openssl_cipher_strings: -- cipher_suite_rfc_name = _OPENSSL_TO_RFC_NAMES_MAPPING[tls_version][cipher_suite_openssl_name] -- tls_version_to_cipher_suites[tls_version].add( -- CipherSuite( -- name=cipher_suite_rfc_name, -- openssl_name=cipher_suite_openssl_name, -- is_anonymous=True if "anon" in cipher_suite_rfc_name else False, -- key_size=_RFC_NAME_TO_KEY_SIZE_MAPPING[cipher_suite_rfc_name], -- ) -- ) -- -- # For TLS 1.2, we have to use both the legacy and modern OpenSSL to cover all cipher suites -- cipher_suites_from_legacy_openssl = _parse_all_cipher_suites_with_legacy_openssl(TlsVersionEnum.TLS_1_2) -- - ssl_client_modern = SslClient(ssl_version=OpenSslVersionEnum(TlsVersionEnum.TLS_1_2.value)) - ssl_client_modern.set_cipher_list("ALL:COMPLEMENTOFALL:-PSK:-SRP") - cipher_suites_from_modern_openssl = set(ssl_client_modern.get_cipher_list()) - -- # Combine the two sets of cipher suites -- openssl_cipher_strings = cipher_suites_from_legacy_openssl.union(cipher_suites_from_modern_openssl) -+ openssl_cipher_strings = cipher_suites_from_modern_openssl - tls_version_to_cipher_suites[TlsVersionEnum.TLS_1_2] = set() - for cipher_suite_openssl_name in openssl_cipher_strings: - # Ignore TLS 1.3 cipher suites ---- sslyze/plugins/scan_commands.py.orig 2022-03-12 09:56:30 UTC -+++ sslyze/plugins/scan_commands.py -@@ -12,12 +12,8 @@ from sslyze.plugins.heartbleed_plugin import Heartblee - from sslyze.plugins.http_headers_plugin import HttpHeadersImplementation - from sslyze.plugins.openssl_ccs_injection_plugin import OpenSslCcsInjectionImplementation - from sslyze.plugins.openssl_cipher_suites.implementation import ( -- 
Sslv20ScanImplementation, -- Sslv30ScanImplementation, -- Tlsv10ScanImplementation, - Tlsv13ScanImplementation, - Tlsv12ScanImplementation, -- Tlsv11ScanImplementation, - ) - from sslyze.plugins.robot.implementation import RobotImplementation - from sslyze.plugins.session_renegotiation_plugin import SessionRenegotiationImplementation -@@ -60,10 +56,6 @@ class ScanCommandsRepository: - _IMPLEMENTATION_CLASSES: Dict[ScanCommand, Type["ScanCommandImplementation"]] = { - ScanCommand.CERTIFICATE_INFO: CertificateInfoImplementation, - ScanCommand.SESSION_RESUMPTION: SessionResumptionSupportImplementation, -- ScanCommand.SSL_2_0_CIPHER_SUITES: Sslv20ScanImplementation, -- ScanCommand.SSL_3_0_CIPHER_SUITES: Sslv30ScanImplementation, -- ScanCommand.TLS_1_0_CIPHER_SUITES: Tlsv10ScanImplementation, -- ScanCommand.TLS_1_1_CIPHER_SUITES: Tlsv11ScanImplementation, - ScanCommand.TLS_1_2_CIPHER_SUITES: Tlsv12ScanImplementation, - ScanCommand.TLS_1_3_CIPHER_SUITES: Tlsv13ScanImplementation, - ScanCommand.TLS_COMPRESSION: CompressionImplementation, ---- sslyze/plugins/session_renegotiation_plugin.py.orig 2023-01-18 18:58:11 UTC -+++ sslyze/plugins/session_renegotiation_plugin.py -@@ -4,7 +4,7 @@ from enum import Enum - from typing import List, Optional, Tuple - - from nassl._nassl import OpenSSLError --from nassl.legacy_ssl_client import LegacySslClient -+from nassl.ssl_client import SslClient - - from sslyze.json.pydantic_utils import BaseModelWithOrmModeAndForbid - from sslyze.json.scan_attempt_json import ScanCommandAttemptAsJson -@@ -125,9 +125,9 @@ def _test_secure_renegotiation(server_info: ServerConn - - ssl_connection = server_info.get_preconfigured_tls_connection( - override_tls_version=tls_version_to_use, -- should_use_legacy_openssl=True, # Only the legacy SSL client has methods to check for secure reneg -+ should_use_legacy_openssl=False, - ) -- if not isinstance(ssl_connection.ssl_client, LegacySslClient): -+ if not isinstance(ssl_connection.ssl_client, SslClient): - 
raise RuntimeError("Should never happen") - - try: -@@ -160,9 +160,9 @@ def _test_client_renegotiation(server_info: ServerConn - - ssl_connection = server_info.get_preconfigured_tls_connection( - override_tls_version=tls_version_to_use, -- should_use_legacy_openssl=True, # Only the legacy SSL client has methods to trigger a reneg -+ should_use_legacy_openssl=False, - ) -- if not isinstance(ssl_connection.ssl_client, LegacySslClient): -+ if not isinstance(ssl_connection.ssl_client, SslClient): - raise RuntimeError("Should never happen") - - try: diff --git a/security/py-sslyze/pkg-descr b/security/py-sslyze/pkg-descr deleted file mode 100644 index 1c6bb8e5e9c1..000000000000 --- a/security/py-sslyze/pkg-descr +++ /dev/null @@ -1,6 +0,0 @@ -SSLyze is a fast and powerful SSL/TLS scanning tool and Python library. - -SSLyze can analyze the SSL/TLS configuration of a server by connecting to it, in -order to ensure that it uses strong encryption settings (certificate, cipher -suites, elliptic curves, etc.), and that it is not vulnerable to known TLS -attacks (Heartbleed, ROBOT, OpenSSL CCS injection, etc.).
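Review bot: In the MOVED hunk, the new `security/py-sslyze||2024-04-01|Has expired: It does not support OpenSSL 3.0+` line has an empty destination field and a reason that names no alternative, whereas the `java/netcomponents` context line just above it adds "consider using net/apache-commons-net". If the tree carries a TLS scanner that works with OpenSSL 3.0+, naming it in the reason text would give users a migration path; if none exists, the entry is fine as written.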
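Review bot: In the deleted security/py-sslyze/Makefile, RUN_DEPENDS pulls in `security/py-nassl` and `security/py-tls-parser`, and nothing in this commit touches either port. It is worth checking whether they still have consumers once py-sslyze is gone; if they do not, or if they share the OpenSSL 3.0+ limitation given in DEPRECATED, they should get their own DEPRECATED and EXPIRATION_DATE lines rather than stay in the tree unnoticed.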
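Review bot: The commit message and the MOVED reason say only that the port does not support OpenSSL 3.0+, but the deleted security/py-sslyze/files/patch-openssl shows the packaged scanner had already lost coverage, and that deserves a line in the commit message. The local patch drops the `SSL_2_0_CIPHER_SUITES`, `SSL_3_0_CIPHER_SUITES`, `TLS_1_0_CIPHER_SUITES` and `TLS_1_1_CIPHER_SUITES` scan commands from scan_commands.py and from the Mozilla checker, and in compression_plugin.py and session_renegotiation_plugin.py it sets `should_use_legacy_openssl=False` while deleting the comments stating that only the legacy SSL client has the compression and renegotiation methods. Saying so would tell anyone who relied on scans from the installed package that legacy protocol versions were not being tested and that the compression and renegotiation results may need re-checking with another tool.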