git: 08e63e0b91e6 - main - security/py-sslyze: Remove expired port
Date: Mon, 01 Apr 2024 11:38:32 UTC
The branch main has been updated by rene: URL: https://cgit.FreeBSD.org/ports/commit/?id=08e63e0b91e6a6d2fc600858fed622dac3096e65 commit 08e63e0b91e6a6d2fc600858fed622dac3096e65 Author: Rene Ladan <rene@FreeBSD.org> AuthorDate: 2024-04-01 11:38:09 +0000 Commit: Rene Ladan <rene@FreeBSD.org> CommitDate: 2024-04-01 11:38:09 +0000 security/py-sslyze: Remove expired port 2024-03-31 security/py-sslyze: It does not support OpenSSL 3.0+
---
 MOVED | 1 +
 security/Makefile | 1 -
 security/py-sslyze/Makefile | 30 -----
 security/py-sslyze/distinfo | 3 -
 security/py-sslyze/files/patch-openssl | 229 ---------------------------------
 security/py-sslyze/pkg-descr | 6 -
 6 files changed, 1 insertion(+), 269 deletions(-)
diff --git a/MOVED b/MOVED
index 97bc6d857a7f..60c5b7c61188 100644
--- a/MOVED
+++ b/MOVED
@@ -3117,3 +3117,4 @@ archivers/xar||2024-04-01|Has expired: Last release was in 2012 and upstream is
 editors/morla||2024-04-01|Has expired: Project is unmaintained and last upstream release was in 2011
 java/netcomponents||2024-04-01|Has expired: Last upstream release was in 2000 and upstream unmaintained consider using net/apache-commons-net
 devel/upslug||2024-04-01|Has expired: Utility for a NAS released in 2004 and discontinued in 2008
+security/py-sslyze||2024-04-01|Has expired: It does not support OpenSSL 3.0+
diff --git a/security/Makefile b/security/Makefile
index 016d29472fc8..ac6861a33fcf 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -1041,7 +1041,6 @@
 SUBDIR += py-spake2
 SUBDIR += py-ssh-audit
 SUBDIR += py-sshpubkeys
- SUBDIR += py-sslyze
 SUBDIR += py-stem
 SUBDIR += py-stix
 SUBDIR += py-stix2
diff --git a/security/py-sslyze/Makefile b/security/py-sslyze/Makefile
deleted file mode 100644
index 711ee5099b5f..000000000000
--- a/security/py-sslyze/Makefile
+++ /dev/null
@@ -1,30 +0,0 @@
-PORTNAME= sslyze
-PORTVERSION= 5.2.0
-CATEGORIES= security python
-MASTER_SITES= PYPI
-PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX}
-
-MAINTAINER= sunpoet@FreeBSD.org
-COMMENT= Fast and powerful SSL/TLS scanning library
-WWW= https://github.com/nabla-c0d3/sslyze
-
-LICENSE= AGPLv3
-LICENSE_FILE= ${WRKSRC}/LICENSE.txt
-
-DEPRECATED= It does not support OpenSSL 3.0+
-EXPIRATION_DATE=2024-03-31
-
-RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}nassl>=5.1<6:security/py-nassl@${PY_FLAVOR} \
- ${PYTHON_PKGNAMEPREFIX}pydantic>=1.10<2.4,1:devel/py-pydantic@${PY_FLAVOR} \
- ${PYTHON_PKGNAMEPREFIX}openssl>=23,1<24,1:security/py-openssl@${PY_FLAVOR} \
- ${PYTHON_PKGNAMEPREFIX}tls-parser>=2<3:security/py-tls-parser@${PY_FLAVOR}
-
-USES= python
-USE_PYTHON= autoplist concurrent cryptography distutils
-
-NO_ARCH= yes
-
-post-patch:
- @${RM} ${WRKSRC}/sslyze/plugins/openssl_cipher_suites/_tls12_workaround.py
-
-.include <bsd.port.mk>
diff --git a/security/py-sslyze/distinfo b/security/py-sslyze/distinfo
deleted file mode 100644
index a0335a6f28ef..000000000000
--- a/security/py-sslyze/distinfo
+++ /dev/null
@@ -1,3 +0,0 @@
-TIMESTAMP = 1696001402
-SHA256 (sslyze-5.2.0.tar.gz) = 15ecb471b251dfbd003ba81a57d36865a93f18b74c7e7883a00d8bbddd365e03
-SIZE (sslyze-5.2.0.tar.gz) = 968952
diff --git a/security/py-sslyze/files/patch-openssl b/security/py-sslyze/files/patch-openssl
deleted file mode 100644
index 3ed62497d78c..000000000000
--- a/security/py-sslyze/files/patch-openssl
+++ /dev/null
@@ -1,229 +0,0 @@
---- sslyze/connection_helpers/tls_connection.py.orig 2023-01-16 21:45:34 UTC
-+++ sslyze/connection_helpers/tls_connection.py
-@@ -2,8 +2,6 @@ import socket
- from pathlib import Path
- from typing import Optional, TYPE_CHECKING
-
--from nassl.legacy_ssl_client import LegacySslClient
--
- from sslyze.server_setting import (
- ServerNetworkLocation,
- ServerNetworkConfiguration,
-@@ -172,7 +170,7 @@ class SslConnection:
- ):
- raise ValueError("Cannot use modern OpenSSL with SSL 2.0 or 3.0")
-
-- ssl_client_cls = LegacySslClient if final_should_use_legacy_openssl else SslClient
-+ ssl_client_cls = SslClient
-
- if network_configuration.tls_client_auth_credentials:
- # A client certificate and private key were provided
---- sslyze/mozilla_tls_profile/mozilla_config_checker.py.orig 2023-01-16 21:45:34 UTC
-+++ sslyze/mozilla_tls_profile/mozilla_config_checker.py
-@@ -79,10 +79,6 @@ class ServerScanResultIncomplete(Exception):
-
-
- SCAN_COMMANDS_NEEDED_BY_MOZILLA_CHECKER: Set[ScanCommand] = {
-- ScanCommand.SSL_2_0_CIPHER_SUITES,
-- ScanCommand.SSL_3_0_CIPHER_SUITES,
-- ScanCommand.TLS_1_0_CIPHER_SUITES,
-- ScanCommand.TLS_1_1_CIPHER_SUITES,
- ScanCommand.TLS_1_2_CIPHER_SUITES,
- ScanCommand.TLS_1_3_CIPHER_SUITES,
- ScanCommand.HEARTBLEED,
-@@ -223,10 +219,6 @@ def _check_tls_versions_and_ciphers(
- smallest_ecdh_param_size = 100000
- smallest_dh_param_size = 100000
- for field_name, tls_version_name in [
-- ("ssl_2_0_cipher_suites", "SSLv2"),
-- ("ssl_3_0_cipher_suites", "SSLv3"),
-- ("tls_1_0_cipher_suites", "TLSv1"),
-- ("tls_1_1_cipher_suites", "TLSv1.1"),
- ("tls_1_2_cipher_suites", "TLSv1.2"),
- ("tls_1_3_cipher_suites", "TLSv1.3"),
- ]:
---- sslyze/plugins/compression_plugin.py.orig 2023-01-18 18:58:11 UTC
-+++ sslyze/plugins/compression_plugin.py
-@@ -1,6 +1,6 @@
- from dataclasses import dataclass
-
--from nassl.legacy_ssl_client import LegacySslClient
-+from nassl.ssl_client import SslClient
- from nassl.ssl_client import ClientCertificateRequested
-
- from sslyze.json.pydantic_utils import BaseModelWithOrmModeAndForbid
-@@ -89,9 +89,9 @@ def _test_compression_support(server_info: ServerConne
-
- ssl_connection = server_info.get_preconfigured_tls_connection(
- override_tls_version=tls_version_to_use,
-- should_use_legacy_openssl=True, # Only the legacy SSL client has methods to check for compression support
-+ should_use_legacy_openssl=False,
- )
-- if not isinstance(ssl_connection.ssl_client, LegacySslClient):
-+ if not isinstance(ssl_connection.ssl_client, SslClient):
- raise RuntimeError("Should never happen")
-
- # Make sure OpenSSL was built with support for compression to avoid false negatives
---- sslyze/plugins/fallback_scsv_plugin.py.orig 2023-01-18 18:58:11 UTC
-+++ sslyze/plugins/fallback_scsv_plugin.py
-@@ -2,7 +2,6 @@ from dataclasses import dataclass
- from typing import List, Optional
-
- from nassl import _nassl
--from nassl.legacy_ssl_client import LegacySslClient
-
- from sslyze.json.pydantic_utils import BaseModelWithOrmModeAndForbid
- from sslyze.json.scan_attempt_json import ScanCommandAttemptAsJson
---- sslyze/plugins/openssl_cipher_suites/_test_cipher_suite.py.orig 2022-05-14 09:12:21 UTC
-+++ sslyze/plugins/openssl_cipher_suites/_test_cipher_suite.py
-@@ -2,7 +2,6 @@ from dataclasses import dataclass
- from typing import Optional, Union
-
- from nassl.ephemeral_key_info import EphemeralKeyInfo
--from nassl.legacy_ssl_client import LegacySslClient
- from nassl.ssl_client import ClientCertificateRequested, SslClient, BaseSslClient
-
- from sslyze.errors import (
-@@ -12,7 +11,6 @@ from sslyze.errors import (
- )
- from sslyze.plugins.openssl_cipher_suites.cipher_suites import CipherSuite
- from sslyze.server_connectivity import ServerConnectivityInfo, TlsVersionEnum
--from sslyze.plugins.openssl_cipher_suites._tls12_workaround import WorkaroundForTls12ForCipherSuites
-
-
- @dataclass(frozen=True)
-@@ -36,15 +34,10 @@ def connect_with_cipher_suite(
- server_connectivity_info: ServerConnectivityInfo, tls_version: TlsVersionEnum, cipher_suite: CipherSuite
- ) -> Union[CipherSuiteAcceptedByServer, CipherSuiteRejectedByServer]:
- """Initiates a SSL handshake with the server using the SSL version and the cipher suite specified."""
-- requires_legacy_openssl = True
-- if tls_version == TlsVersionEnum.TLS_1_2:
-- # For TLS 1.2, we need to pick the right version of OpenSSL depending on which cipher suite
-- requires_legacy_openssl = WorkaroundForTls12ForCipherSuites.requires_legacy_openssl(cipher_suite.openssl_name)
-- elif tls_version == TlsVersionEnum.TLS_1_3:
-- requires_legacy_openssl = False
-+ requires_legacy_openssl = False
-
- ssl_connection = server_connectivity_info.get_preconfigured_tls_connection(
-- override_tls_version=tls_version, should_use_legacy_openssl=requires_legacy_openssl
-+ override_tls_version=tls_version, should_use_legacy_openssl=False
- )
- _set_cipher_suite_string(tls_version, cipher_suite.openssl_name, ssl_connection.ssl_client)
-
---- sslyze/plugins/openssl_cipher_suites/cipher_suites.py.orig 2022-05-14 09:12:21 UTC
-+++ sslyze/plugins/openssl_cipher_suites/cipher_suites.py
-@@ -3,7 +3,6 @@ from typing import Dict, Set
-
- from dataclasses import dataclass
-
--from nassl.legacy_ssl_client import LegacySslClient
- from nassl.ssl_client import OpenSslVersionEnum, SslClient
-
- from sslyze.server_connectivity import TlsVersionEnum
-@@ -571,44 +570,14 @@ _TLS_1_3_CIPHER_SUITES = [
- ]
-
-
--def _parse_all_cipher_suites_with_legacy_openssl(tls_version: TlsVersionEnum) -> Set[str]:
-- ssl_client = LegacySslClient(ssl_version=OpenSslVersionEnum(tls_version.value))
-- # Disable SRP and PSK cipher suites as they need a special setup in the client and are never used
-- ssl_client.set_cipher_list("ALL:COMPLEMENTOFALL:-PSK:-SRP")
-- return set(ssl_client.get_cipher_list())
--
--
- def _parse_all_cipher_suites() -> Dict[TlsVersionEnum, Set[CipherSuite]]:
- tls_version_to_cipher_suites: Dict[TlsVersionEnum, Set[CipherSuite]] = {}
-
-- for tls_version in [
-- TlsVersionEnum.SSL_2_0,
-- TlsVersionEnum.SSL_3_0,
-- TlsVersionEnum.TLS_1_0,
-- TlsVersionEnum.TLS_1_1,
-- ]:
-- openssl_cipher_strings = _parse_all_cipher_suites_with_legacy_openssl(tls_version)
-- tls_version_to_cipher_suites[tls_version] = set()
-- for cipher_suite_openssl_name in openssl_cipher_strings:
-- cipher_suite_rfc_name = _OPENSSL_TO_RFC_NAMES_MAPPING[tls_version][cipher_suite_openssl_name]
-- tls_version_to_cipher_suites[tls_version].add(
-- CipherSuite(
-- name=cipher_suite_rfc_name,
-- openssl_name=cipher_suite_openssl_name,
-- is_anonymous=True if "anon" in cipher_suite_rfc_name else False,
-- key_size=_RFC_NAME_TO_KEY_SIZE_MAPPING[cipher_suite_rfc_name],
-- )
-- )
--
-- # For TLS 1.2, we have to use both the legacy and modern OpenSSL to cover all cipher suites
-- cipher_suites_from_legacy_openssl = _parse_all_cipher_suites_with_legacy_openssl(TlsVersionEnum.TLS_1_2)
--
- ssl_client_modern = SslClient(ssl_version=OpenSslVersionEnum(TlsVersionEnum.TLS_1_2.value))
- ssl_client_modern.set_cipher_list("ALL:COMPLEMENTOFALL:-PSK:-SRP")
- cipher_suites_from_modern_openssl = set(ssl_client_modern.get_cipher_list())
-
-- # Combine the two sets of cipher suites
-- openssl_cipher_strings = cipher_suites_from_legacy_openssl.union(cipher_suites_from_modern_openssl)
-+ openssl_cipher_strings = cipher_suites_from_modern_openssl
- tls_version_to_cipher_suites[TlsVersionEnum.TLS_1_2] = set()
- for cipher_suite_openssl_name in openssl_cipher_strings:
- # Ignore TLS 1.3 cipher suites
---- sslyze/plugins/scan_commands.py.orig 2022-03-12 09:56:30 UTC
-+++ sslyze/plugins/scan_commands.py
-@@ -12,12 +12,8 @@ from sslyze.plugins.heartbleed_plugin import Heartblee
- from sslyze.plugins.http_headers_plugin import HttpHeadersImplementation
- from sslyze.plugins.openssl_ccs_injection_plugin import OpenSslCcsInjectionImplementation
- from sslyze.plugins.openssl_cipher_suites.implementation import (
-- Sslv20ScanImplementation,
-- Sslv30ScanImplementation,
-- Tlsv10ScanImplementation,
- Tlsv13ScanImplementation,
- Tlsv12ScanImplementation,
-- Tlsv11ScanImplementation,
- )
- from sslyze.plugins.robot.implementation import RobotImplementation
- from sslyze.plugins.session_renegotiation_plugin import SessionRenegotiationImplementation
-@@ -60,10 +56,6 @@ class ScanCommandsRepository:
- _IMPLEMENTATION_CLASSES: Dict[ScanCommand, Type["ScanCommandImplementation"]] = {
- ScanCommand.CERTIFICATE_INFO: CertificateInfoImplementation,
- ScanCommand.SESSION_RESUMPTION: SessionResumptionSupportImplementation,
-- ScanCommand.SSL_2_0_CIPHER_SUITES: Sslv20ScanImplementation,
-- ScanCommand.SSL_3_0_CIPHER_SUITES: Sslv30ScanImplementation,
-- ScanCommand.TLS_1_0_CIPHER_SUITES: Tlsv10ScanImplementation,
-- ScanCommand.TLS_1_1_CIPHER_SUITES: Tlsv11ScanImplementation,
- ScanCommand.TLS_1_2_CIPHER_SUITES: Tlsv12ScanImplementation,
- ScanCommand.TLS_1_3_CIPHER_SUITES: Tlsv13ScanImplementation,
- ScanCommand.TLS_COMPRESSION: CompressionImplementation,
---- sslyze/plugins/session_renegotiation_plugin.py.orig 2023-01-18 18:58:11 UTC
-+++ sslyze/plugins/session_renegotiation_plugin.py
-@@ -4,7 +4,7 @@ from enum import Enum
- from typing import List, Optional, Tuple
-
- from nassl._nassl import OpenSSLError
--from nassl.legacy_ssl_client import LegacySslClient
-+from nassl.ssl_client import SslClient
-
- from sslyze.json.pydantic_utils import BaseModelWithOrmModeAndForbid
- from sslyze.json.scan_attempt_json import ScanCommandAttemptAsJson
-@@ -125,9 +125,9 @@ def _test_secure_renegotiation(server_info: ServerConn
-
- ssl_connection = server_info.get_preconfigured_tls_connection(
- override_tls_version=tls_version_to_use,
-- should_use_legacy_openssl=True, # Only the legacy SSL client has methods to check for secure reneg
-+ should_use_legacy_openssl=False,
- )
-- if not isinstance(ssl_connection.ssl_client, LegacySslClient):
-+ if not isinstance(ssl_connection.ssl_client, SslClient):
- raise RuntimeError("Should never happen")
-
- try:
-@@ -160,9 +160,9 @@ def _test_client_renegotiation(server_info: ServerConn
-
- ssl_connection = server_info.get_preconfigured_tls_connection(
- override_tls_version=tls_version_to_use,
-- should_use_legacy_openssl=True, # Only the legacy SSL client has methods to trigger a reneg
-+ should_use_legacy_openssl=False,
- )
-- if not isinstance(ssl_connection.ssl_client, LegacySslClient):
-+ if not isinstance(ssl_connection.ssl_client, SslClient):
- raise RuntimeError("Should never happen")
-
- try:
diff --git a/security/py-sslyze/pkg-descr b/security/py-sslyze/pkg-descr
deleted file mode 100644
index 1c6bb8e5e9c1..000000000000
--- a/security/py-sslyze/pkg-descr
+++ /dev/null
@@ -1,6 +0,0 @@
-SSLyze is a fast and powerful SSL/TLS scanning tool and Python library.
-
-SSLyze can analyze the SSL/TLS configuration of a server by connecting to it, in
-order to ensure that it uses strong encryption settings (certificate, cipher
-suites, elliptic curves, etc.), and that it is not vulnerable to known TLS
-attacks (Heartbleed, ROBOT, OpenSSL CCS injection, etc.).