authorRene Ladan <rene@FreeBSD.org>2024-04-01 11:38:09 +0000
committerRene Ladan <rene@FreeBSD.org>2024-04-01 11:38:09 +0000
commit08e63e0b91e6a6d2fc600858fed622dac3096e65 (patch)
tree3f1955153a5a5cf803baa1cdc0b115630946b53e
parent14486e4697b5bcd8425292bfa2e5bfaab8f433ec (diff)
security/py-sslyze: Remove expired port
2024-03-31 security/py-sslyze: It does not support OpenSSL 3.0+
-rw-r--r--MOVED1
-rw-r--r--security/Makefile1
-rw-r--r--security/py-sslyze/Makefile30
-rw-r--r--security/py-sslyze/distinfo3
-rw-r--r--security/py-sslyze/files/patch-openssl229
-rw-r--r--security/py-sslyze/pkg-descr6
6 files changed, 1 insertions, 269 deletions
diff --git a/MOVED b/MOVED
index 97bc6d857a7f..60c5b7c61188 100644
--- a/MOVED
+++ b/MOVED
@@ -3117,3 +3117,4 @@ archivers/xar||2024-04-01|Has expired: Last release was in 2012 and upstream is
editors/morla||2024-04-01|Has expired: Project is unmaintained and last upstream release was in 2011
java/netcomponents||2024-04-01|Has expired: Last upstream release was in 2000 and upstream unmaintained consider using net/apache-commons-net
devel/upslug||2024-04-01|Has expired: Utility for a NAS released in 2004 and discontinued in 2008
+security/py-sslyze||2024-04-01|Has expired: It does not support OpenSSL 3.0+
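Review bot: The added MOVED entry on the last line of this hunk leaves the destination field empty and records only the expiry reason, so anyone who used this port to audit server TLS configuration gets no pointer to a replacement when the package disappears. The java/netcomponents entry two lines above shows the existing convention of appending a hint to the reason text. If a maintained TLS scanner is available in the tree, the reason could end with `consider using <category/port>` (placeholder, to be filled in by the committer).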
diff --git a/security/Makefile b/security/Makefile
index 016d29472fc8..ac6861a33fcf 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -1041,7 +1041,6 @@
SUBDIR += py-spake2
SUBDIR += py-ssh-audit
SUBDIR += py-sshpubkeys
- SUBDIR += py-sslyze
SUBDIR += py-stem
SUBDIR += py-stix
SUBDIR += py-stix2
diff --git a/security/py-sslyze/Makefile b/security/py-sslyze/Makefile
deleted file mode 100644
index 711ee5099b5f..000000000000
--- a/security/py-sslyze/Makefile
+++ /dev/null
@@ -1,30 +0,0 @@
-PORTNAME= sslyze
-PORTVERSION= 5.2.0
-CATEGORIES= security python
-MASTER_SITES= PYPI
-PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX}
-
-MAINTAINER= sunpoet@FreeBSD.org
-COMMENT= Fast and powerful SSL/TLS scanning library
-WWW= https://github.com/nabla-c0d3/sslyze
-
-LICENSE= AGPLv3
-LICENSE_FILE= ${WRKSRC}/LICENSE.txt
-
-DEPRECATED= It does not support OpenSSL 3.0+
-EXPIRATION_DATE=2024-03-31
-
-RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}nassl>=5.1<6:security/py-nassl@${PY_FLAVOR} \
- ${PYTHON_PKGNAMEPREFIX}pydantic>=1.10<2.4,1:devel/py-pydantic@${PY_FLAVOR} \
- ${PYTHON_PKGNAMEPREFIX}openssl>=23,1<24,1:security/py-openssl@${PY_FLAVOR} \
- ${PYTHON_PKGNAMEPREFIX}tls-parser>=2<3:security/py-tls-parser@${PY_FLAVOR}
-
-USES= python
-USE_PYTHON= autoplist concurrent cryptography distutils
-
-NO_ARCH= yes
-
-post-patch:
- @${RM} ${WRKSRC}/sslyze/plugins/openssl_cipher_suites/_tls12_workaround.py
-
-.include <bsd.port.mk>
diff --git a/security/py-sslyze/distinfo b/security/py-sslyze/distinfo
deleted file mode 100644
index a0335a6f28ef..000000000000
--- a/security/py-sslyze/distinfo
+++ /dev/null
@@ -1,3 +0,0 @@
-TIMESTAMP = 1696001402
-SHA256 (sslyze-5.2.0.tar.gz) = 15ecb471b251dfbd003ba81a57d36865a93f18b74c7e7883a00d8bbddd365e03
-SIZE (sslyze-5.2.0.tar.gz) = 968952
diff --git a/security/py-sslyze/files/patch-openssl b/security/py-sslyze/files/patch-openssl
deleted file mode 100644
index 3ed62497d78c..000000000000
--- a/security/py-sslyze/files/patch-openssl
+++ /dev/null
@@ -1,229 +0,0 @@
---- sslyze/connection_helpers/tls_connection.py.orig 2023-01-16 21:45:34 UTC
-+++ sslyze/connection_helpers/tls_connection.py
-@@ -2,8 +2,6 @@ import socket
- from pathlib import Path
- from typing import Optional, TYPE_CHECKING
-
--from nassl.legacy_ssl_client import LegacySslClient
--
- from sslyze.server_setting import (
- ServerNetworkLocation,
- ServerNetworkConfiguration,
-@@ -172,7 +170,7 @@ class SslConnection:
- ):
- raise ValueError("Cannot use modern OpenSSL with SSL 2.0 or 3.0")
-
-- ssl_client_cls = LegacySslClient if final_should_use_legacy_openssl else SslClient
-+ ssl_client_cls = SslClient
-
- if network_configuration.tls_client_auth_credentials:
- # A client certificate and private key were provided
---- sslyze/mozilla_tls_profile/mozilla_config_checker.py.orig 2023-01-16 21:45:34 UTC
-+++ sslyze/mozilla_tls_profile/mozilla_config_checker.py
-@@ -79,10 +79,6 @@ class ServerScanResultIncomplete(Exception):
-
-
- SCAN_COMMANDS_NEEDED_BY_MOZILLA_CHECKER: Set[ScanCommand] = {
-- ScanCommand.SSL_2_0_CIPHER_SUITES,
-- ScanCommand.SSL_3_0_CIPHER_SUITES,
-- ScanCommand.TLS_1_0_CIPHER_SUITES,
-- ScanCommand.TLS_1_1_CIPHER_SUITES,
- ScanCommand.TLS_1_2_CIPHER_SUITES,
- ScanCommand.TLS_1_3_CIPHER_SUITES,
- ScanCommand.HEARTBLEED,
-@@ -223,10 +219,6 @@ def _check_tls_versions_and_ciphers(
- smallest_ecdh_param_size = 100000
- smallest_dh_param_size = 100000
- for field_name, tls_version_name in [
-- ("ssl_2_0_cipher_suites", "SSLv2"),
-- ("ssl_3_0_cipher_suites", "SSLv3"),
-- ("tls_1_0_cipher_suites", "TLSv1"),
-- ("tls_1_1_cipher_suites", "TLSv1.1"),
- ("tls_1_2_cipher_suites", "TLSv1.2"),
- ("tls_1_3_cipher_suites", "TLSv1.3"),
- ]:
---- sslyze/plugins/compression_plugin.py.orig 2023-01-18 18:58:11 UTC
-+++ sslyze/plugins/compression_plugin.py
-@@ -1,6 +1,6 @@
- from dataclasses import dataclass
-
--from nassl.legacy_ssl_client import LegacySslClient
-+from nassl.ssl_client import SslClient
- from nassl.ssl_client import ClientCertificateRequested
-
- from sslyze.json.pydantic_utils import BaseModelWithOrmModeAndForbid
-@@ -89,9 +89,9 @@ def _test_compression_support(server_info: ServerConne
-
- ssl_connection = server_info.get_preconfigured_tls_connection(
- override_tls_version=tls_version_to_use,
-- should_use_legacy_openssl=True, # Only the legacy SSL client has methods to check for compression support
-+ should_use_legacy_openssl=False,
- )
-- if not isinstance(ssl_connection.ssl_client, LegacySslClient):
-+ if not isinstance(ssl_connection.ssl_client, SslClient):
- raise RuntimeError("Should never happen")
-
- # Make sure OpenSSL was built with support for compression to avoid false negatives
---- sslyze/plugins/fallback_scsv_plugin.py.orig 2023-01-18 18:58:11 UTC
-+++ sslyze/plugins/fallback_scsv_plugin.py
-@@ -2,7 +2,6 @@ from dataclasses import dataclass
- from typing import List, Optional
-
- from nassl import _nassl
--from nassl.legacy_ssl_client import LegacySslClient
-
- from sslyze.json.pydantic_utils import BaseModelWithOrmModeAndForbid
- from sslyze.json.scan_attempt_json import ScanCommandAttemptAsJson
---- sslyze/plugins/openssl_cipher_suites/_test_cipher_suite.py.orig 2022-05-14 09:12:21 UTC
-+++ sslyze/plugins/openssl_cipher_suites/_test_cipher_suite.py
-@@ -2,7 +2,6 @@ from dataclasses import dataclass
- from typing import Optional, Union
-
- from nassl.ephemeral_key_info import EphemeralKeyInfo
--from nassl.legacy_ssl_client import LegacySslClient
- from nassl.ssl_client import ClientCertificateRequested, SslClient, BaseSslClient
-
- from sslyze.errors import (
-@@ -12,7 +11,6 @@ from sslyze.errors import (
- )
- from sslyze.plugins.openssl_cipher_suites.cipher_suites import CipherSuite
- from sslyze.server_connectivity import ServerConnectivityInfo, TlsVersionEnum
--from sslyze.plugins.openssl_cipher_suites._tls12_workaround import WorkaroundForTls12ForCipherSuites
-
-
- @dataclass(frozen=True)
-@@ -36,15 +34,10 @@ def connect_with_cipher_suite(
- server_connectivity_info: ServerConnectivityInfo, tls_version: TlsVersionEnum, cipher_suite: CipherSuite
- ) -> Union[CipherSuiteAcceptedByServer, CipherSuiteRejectedByServer]:
- """Initiates a SSL handshake with the server using the SSL version and the cipher suite specified."""
-- requires_legacy_openssl = True
-- if tls_version == TlsVersionEnum.TLS_1_2:
-- # For TLS 1.2, we need to pick the right version of OpenSSL depending on which cipher suite
-- requires_legacy_openssl = WorkaroundForTls12ForCipherSuites.requires_legacy_openssl(cipher_suite.openssl_name)
-- elif tls_version == TlsVersionEnum.TLS_1_3:
-- requires_legacy_openssl = False
-+ requires_legacy_openssl = False
-
- ssl_connection = server_connectivity_info.get_preconfigured_tls_connection(
-- override_tls_version=tls_version, should_use_legacy_openssl=requires_legacy_openssl
-+ override_tls_version=tls_version, should_use_legacy_openssl=False
- )
- _set_cipher_suite_string(tls_version, cipher_suite.openssl_name, ssl_connection.ssl_client)
-
---- sslyze/plugins/openssl_cipher_suites/cipher_suites.py.orig 2022-05-14 09:12:21 UTC
-+++ sslyze/plugins/openssl_cipher_suites/cipher_suites.py
-@@ -3,7 +3,6 @@ from typing import Dict, Set
-
- from dataclasses import dataclass
-
--from nassl.legacy_ssl_client import LegacySslClient
- from nassl.ssl_client import OpenSslVersionEnum, SslClient
-
- from sslyze.server_connectivity import TlsVersionEnum
-@@ -571,44 +570,14 @@ _TLS_1_3_CIPHER_SUITES = [
- ]
-
-
--def _parse_all_cipher_suites_with_legacy_openssl(tls_version: TlsVersionEnum) -> Set[str]:
-- ssl_client = LegacySslClient(ssl_version=OpenSslVersionEnum(tls_version.value))
-- # Disable SRP and PSK cipher suites as they need a special setup in the client and are never used
-- ssl_client.set_cipher_list("ALL:COMPLEMENTOFALL:-PSK:-SRP")
-- return set(ssl_client.get_cipher_list())
--
--
- def _parse_all_cipher_suites() -> Dict[TlsVersionEnum, Set[CipherSuite]]:
- tls_version_to_cipher_suites: Dict[TlsVersionEnum, Set[CipherSuite]] = {}
-
-- for tls_version in [
-- TlsVersionEnum.SSL_2_0,
-- TlsVersionEnum.SSL_3_0,
-- TlsVersionEnum.TLS_1_0,
-- TlsVersionEnum.TLS_1_1,
-- ]:
-- openssl_cipher_strings = _parse_all_cipher_suites_with_legacy_openssl(tls_version)
-- tls_version_to_cipher_suites[tls_version] = set()
-- for cipher_suite_openssl_name in openssl_cipher_strings:
-- cipher_suite_rfc_name = _OPENSSL_TO_RFC_NAMES_MAPPING[tls_version][cipher_suite_openssl_name]
-- tls_version_to_cipher_suites[tls_version].add(
-- CipherSuite(
-- name=cipher_suite_rfc_name,
-- openssl_name=cipher_suite_openssl_name,
-- is_anonymous=True if "anon" in cipher_suite_rfc_name else False,
-- key_size=_RFC_NAME_TO_KEY_SIZE_MAPPING[cipher_suite_rfc_name],
-- )
-- )
--
-- # For TLS 1.2, we have to use both the legacy and modern OpenSSL to cover all cipher suites
-- cipher_suites_from_legacy_openssl = _parse_all_cipher_suites_with_legacy_openssl(TlsVersionEnum.TLS_1_2)
--
- ssl_client_modern = SslClient(ssl_version=OpenSslVersionEnum(TlsVersionEnum.TLS_1_2.value))
- ssl_client_modern.set_cipher_list("ALL:COMPLEMENTOFALL:-PSK:-SRP")
- cipher_suites_from_modern_openssl = set(ssl_client_modern.get_cipher_list())
-
-- # Combine the two sets of cipher suites
-- openssl_cipher_strings = cipher_suites_from_legacy_openssl.union(cipher_suites_from_modern_openssl)
-+ openssl_cipher_strings = cipher_suites_from_modern_openssl
- tls_version_to_cipher_suites[TlsVersionEnum.TLS_1_2] = set()
- for cipher_suite_openssl_name in openssl_cipher_strings:
- # Ignore TLS 1.3 cipher suites
---- sslyze/plugins/scan_commands.py.orig 2022-03-12 09:56:30 UTC
-+++ sslyze/plugins/scan_commands.py
-@@ -12,12 +12,8 @@ from sslyze.plugins.heartbleed_plugin import Heartblee
- from sslyze.plugins.http_headers_plugin import HttpHeadersImplementation
- from sslyze.plugins.openssl_ccs_injection_plugin import OpenSslCcsInjectionImplementation
- from sslyze.plugins.openssl_cipher_suites.implementation import (
-- Sslv20ScanImplementation,
-- Sslv30ScanImplementation,
-- Tlsv10ScanImplementation,
- Tlsv13ScanImplementation,
- Tlsv12ScanImplementation,
-- Tlsv11ScanImplementation,
- )
- from sslyze.plugins.robot.implementation import RobotImplementation
- from sslyze.plugins.session_renegotiation_plugin import SessionRenegotiationImplementation
-@@ -60,10 +56,6 @@ class ScanCommandsRepository:
- _IMPLEMENTATION_CLASSES: Dict[ScanCommand, Type["ScanCommandImplementation"]] = {
- ScanCommand.CERTIFICATE_INFO: CertificateInfoImplementation,
- ScanCommand.SESSION_RESUMPTION: SessionResumptionSupportImplementation,
-- ScanCommand.SSL_2_0_CIPHER_SUITES: Sslv20ScanImplementation,
-- ScanCommand.SSL_3_0_CIPHER_SUITES: Sslv30ScanImplementation,
-- ScanCommand.TLS_1_0_CIPHER_SUITES: Tlsv10ScanImplementation,
-- ScanCommand.TLS_1_1_CIPHER_SUITES: Tlsv11ScanImplementation,
- ScanCommand.TLS_1_2_CIPHER_SUITES: Tlsv12ScanImplementation,
- ScanCommand.TLS_1_3_CIPHER_SUITES: Tlsv13ScanImplementation,
- ScanCommand.TLS_COMPRESSION: CompressionImplementation,
---- sslyze/plugins/session_renegotiation_plugin.py.orig 2023-01-18 18:58:11 UTC
-+++ sslyze/plugins/session_renegotiation_plugin.py
-@@ -4,7 +4,7 @@ from enum import Enum
- from typing import List, Optional, Tuple
-
- from nassl._nassl import OpenSSLError
--from nassl.legacy_ssl_client import LegacySslClient
-+from nassl.ssl_client import SslClient
-
- from sslyze.json.pydantic_utils import BaseModelWithOrmModeAndForbid
- from sslyze.json.scan_attempt_json import ScanCommandAttemptAsJson
-@@ -125,9 +125,9 @@ def _test_secure_renegotiation(server_info: ServerConn
-
- ssl_connection = server_info.get_preconfigured_tls_connection(
- override_tls_version=tls_version_to_use,
-- should_use_legacy_openssl=True, # Only the legacy SSL client has methods to check for secure reneg
-+ should_use_legacy_openssl=False,
- )
-- if not isinstance(ssl_connection.ssl_client, LegacySslClient):
-+ if not isinstance(ssl_connection.ssl_client, SslClient):
- raise RuntimeError("Should never happen")
-
- try:
-@@ -160,9 +160,9 @@ def _test_client_renegotiation(server_info: ServerConn
-
- ssl_connection = server_info.get_preconfigured_tls_connection(
- override_tls_version=tls_version_to_use,
-- should_use_legacy_openssl=True, # Only the legacy SSL client has methods to trigger a reneg
-+ should_use_legacy_openssl=False,
- )
-- if not isinstance(ssl_connection.ssl_client, LegacySslClient):
-+ if not isinstance(ssl_connection.ssl_client, SslClient):
- raise RuntimeError("Should never happen")
-
- try:
diff --git a/security/py-sslyze/pkg-descr b/security/py-sslyze/pkg-descr
deleted file mode 100644
index 1c6bb8e5e9c1..000000000000
--- a/security/py-sslyze/pkg-descr
+++ /dev/null
@@ -1,6 +0,0 @@
-SSLyze is a fast and powerful SSL/TLS scanning tool and Python library.
-
-SSLyze can analyze the SSL/TLS configuration of a server by connecting to it, in
-order to ensure that it uses strong encryption settings (certificate, cipher
-suites, elliptic curves, etc.), and that it is not vulnerable to known TLS
-attacks (Heartbleed, ROBOT, OpenSSL CCS injection, etc.).