import CS nmap-7.92-3.el9
parent
9b6e6fc513
commit
a43039a6d3
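--- /dev/null
+++ b/SOURCES/nmap-ems-ssl-enum-ciphers.patch
@@ -0,0 +1,40 @@
+commit fc5fc2a26877e241bf9f175832cc89f5ec1e6925
+Author: Clemens Lang <cllang@redhat.com>
+Date: Mon Oct 16 13:44:40 2023 +0200
+
+Support EMS in ssl-enum-ciphers
+
+The FIPS 140-3 Implementation Guidelines in section D.Q require
+FIPS-certified cryptographic modules to use the RFC 7627 Extended Master
+Secret for modules submitted after May 16th, 2023:
+
+> [a] new validation, […] submitted more than one year after [May 2022]
+> shall use the extended master secret in the TLS 1.2 KDF.
+
+ssl-enum-ciphers was not sending this extension, causing some servers to
+abort the handshake. This lead to no support for TLS 1.2 being reported,
+even though support was available with the extended master secret. Add
+the EMS extension to the set of base extensions that are always sent to
+avoid this situation.
+
+Servers that do not support EMS should just ignore this extension
+silently.
+
+Signed-off-by: Clemens Lang <cllang@redhat.com>
+
+diff --git a/scripts/ssl-enum-ciphers.nse b/scripts/ssl-enum-ciphers.nse
+index 881b6bdcb..bd441120c 100644
+--- a/scripts/ssl-enum-ciphers.nse
++++ b/scripts/ssl-enum-ciphers.nse
+@@ -528,6 +528,11 @@ local function base_extensions(host)
+["ec_point_formats"] = tls.EXTENSION_HELPERS["ec_point_formats"]({"uncompressed"}),
+-- Enable SNI if a server name is available
+["server_name"] = tlsname and tls.EXTENSION_HELPERS["server_name"](tlsname),
++ -- Enable the Extended Master Secret extension, since FIPS 140-3 IG section
++ -- D.Q now requires it for servers in FIPS mode and some vendors may reject
++ -- handshakes without it. Not sending the extension would show those
++ -- servers as not supporting TLS 1.2 at all.
++ ["extended_master_secret"] = "",
+}
+end
+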
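Review bot: The empty string assigned to `["extended_master_secret"]` in `base_extensions` is not explained, and next to the two entries built with `tls.EXTENSION_HELPERS` it reads like a placeholder. RFC 7627 defines this extension with zero-length extension_data, so the added comment should say so, for example `-- RFC 7627: extension_data is empty, hence the "" body`. The commit message expects servers without EMS support to ignore the extension, which holds for conforming stacks, but an extension-intolerant server may now fail probes it answered before and be under-reported in an audit, so this is worth confirming against a legacy endpoint. The hunk also does not show whether the script records the server echoing the extension, which an auditor checking that EMS is actually negotiated would want in the output. `base_extensions` starts outside the hunk.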
@ -7,7 +7,7 @@ Name: nmap
|
||||
Epoch: 3
|
||||
Version: 7.92
|
||||
#global prerelease TEST5
|
||||
Release: 1%{?dist}
|
||||
Release: 3%{?dist}
|
||||
Summary: Network exploration tool and security scanner
|
||||
URL: http://nmap.org/
|
||||
# Uses combination of licenses based on GPL license, but with extra modification
|
||||
@ -30,6 +30,8 @@ Patch3: ncat_reg_stdin.diff
|
||||
Patch4: nmap-6.25-displayerror.patch
|
||||
# https://github.com/nmap/nmap/pull/2247
|
||||
Patch5: nmap_resolve_config.patch
|
||||
# https://github.com/nmap/nmap/pull/2724
|
||||
Patch6: nmap-ems-ssl-enum-ciphers.patch
|
||||
|
||||
BuildRequires: automake make
|
||||
BuildRequires: autoconf
|
||||
@ -47,8 +49,8 @@ BuildRequires: zlib-devel
|
||||
BuildRequires: gnupg2
|
||||
Requires: %{name}-ncat = %{epoch}:%{version}-%{release}
|
||||
|
||||
Obsoletes: nmap-frontend
|
||||
Obsoletes: nmap-ndiff
|
||||
Obsoletes: nmap-frontend < 7.70-1
|
||||
Obsoletes: nmap-ndiff < 7.70-1
|
||||
|
||||
%define pixmap_srcdir zenmap/share/pixmaps
|
||||
|
||||
@ -152,6 +154,12 @@ fi
|
||||
%{_mandir}/man1/ncat.1.gz
|
||||
|
||||
%changelog
|
||||
* Wed Jul 10 2024 František Hrdina <fhrdina@redhat.com> - 3:7.92-3
|
||||
- Update fmf plans and gating
|
||||
|
||||
* Tue Jul 09 2024 Martin Osvald <mosvald@redhat.com> - 3:7.92-2
|
||||
- Support EMS in ssl-enum-ciphers
|
||||
|
||||
* Tue Mar 21 2023 Martin Osvald <mosvald@redhat.com> - 3:7.92-1
|
||||
- New version 7.92
|
||||
- Resolves: #2180330 - Rebase nmap for TLS v1.3 support
|
||||
|
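Review bot: The versioned `Obsoletes` lines carry no epoch although the package sets `Epoch: 3` and the ncat `Requires` a few lines above uses `%{epoch}:`. RPM treats a missing epoch in a dependency as 0, so if the old nmap-frontend and nmap-ndiff subpackages inherited a non-zero epoch, `< 7.70-1` would never match them and they would stay installed after an upgrade, leaving unmaintained binaries on the system. If that is the case the lines should read `Obsoletes: nmap-frontend < %{epoch}:7.70-1` and `Obsoletes: nmap-ndiff < %{epoch}:7.70-1`. The changelog entries for 7.92-2 and 7.92-3 also do not mention the Obsoletes change.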