authorTobias Kortkamp <tobik@FreeBSD.org>2017-06-30 15:15:59 +0000
committerTobias Kortkamp <tobik@FreeBSD.org>2017-06-30 15:15:59 +0000
commit834d2ea409715139927f33bd53d1a7f8ee351c5a (patch)
tree0a92990874fb03aa091e3677a2a5892627862bc1 /security/testssl.sh
parent9c540db7c38d06f54e8b22126e25a82f2bca5939 (diff)
New port: security/testssl.sh
testssl.sh is a command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as some cryptographic flaws. Key features: - Clear output: you can tell easily whether anything is good or bad - Flexibility: You can test any SSL/TLS enabled and STARTTLS service, not only webservers at port 443 - Toolbox: Several command line options help you to run YOUR test and configure YOUR output - Reliability: features are tested thoroughly - Verbosity: If a particular check cannot be performed because of a missing capability on your client side, you'll get a warning - Privacy: It's only you who sees the result, not a third party WWW: https://github.com/drwetter/testssl.sh Approved by: mat (mentor) Differential Revision: https://reviews.freebsd.org/D11406
Notes
Notes: svn path=/head/; revision=444763
Diffstat (limited to 'security/testssl.sh')
-rw-r--r--security/testssl.sh/Makefile74
-rw-r--r--security/testssl.sh/distinfo5
-rw-r--r--security/testssl.sh/pkg-descr15
-rw-r--r--security/testssl.sh/pkg-plist20
4 files changed, 114 insertions, 0 deletions
diff --git a/security/testssl.sh/Makefile b/security/testssl.sh/Makefile
new file mode 100644
index 000000000000..efdfb7497c38
--- /dev/null
+++ b/security/testssl.sh/Makefile
@@ -0,0 +1,74 @@
+# $FreeBSD$
+
+PORTNAME= testssl.sh
+PORTVERSION= 2.8
+CATEGORIES= security
+
+MAINTAINER= tobik@FreeBSD.org
+COMMENT= Test TLS/SSL encryption anywhere on any port
+
+LICENSE= GPLv2
+LICENSE_FILE= ${WRKSRC}/LICENSE
+
+RUN_DEPENDS= bash:shells/bash
+
+USES= perl5 shebangfix ssl:build
+USE_GITHUB= yes
+GH_ACCOUNT= drwetter
+GH_TUPLE= drwetter:openssl-pm-snapshot:a9396aaef81d5c1ed714fc625b593522d25914b1:openssl
+USE_PERL5= build
+
+SHEBANG_FILES= testssl.sh utils/*
+
+# We deliberately want to build an OpenSSL binary with the most
+# insecure and obsolete ciphers available for testing purposes! See
+# ${WRKSRC_testssl}/bin/Readme.md and utils/make-openssl.sh for more
+# details.
+HAS_CONFIGURE= yes
+CONFIGURE_ARGS= --openssldir=${OPENSSLDIR} \
+ enable-zlib \
+ enable-ssl2 \
+ enable-ssl3 \
+ enable-ssl-trace \
+ enable-rc5 \
+ enable-rc2 \
+ enable-gost \
+ enable-cms \
+ enable-md2 \
+ enable-mdc2 \
+ enable-ec \
+ enable-ec2m \
+ enable-ecdh \
+ enable-ecdsa \
+ enable-seed \
+ enable-camellia \
+ enable-idea \
+ enable-rfc3779 \
+ enable-ec_nistp_64_gcc_128 \
+ experimental-jpake \
+ -DOPENSSL_USE_IPV6
+CONFIGURE_ENV= PERL="${PERL}"
+CONFIGURE_SCRIPT= config
+
+BUILD_WRKSRC= ${WRKSRC_openssl}
+CONFIGURE_WRKSRC= ${WRKSRC_openssl}
+
+# The build randomly fails sometimes when building in parallel for
+# unknown reasons.
+MAKE_JOBS_UNSAFE= yes
+
+post-patch:
+ @${REINPLACE_CMD} -e '/elif test_openssl_suffix/d' \
+ -e 's@: \# 5. we tried.*$$@else OPENSSL="${PREFIX}/libexec/openssl.testssl.sh"@' \
+ -e 's@$${TESTSSL_INSTALL_DIR:-""}@$${TESTSSL_INSTALL_DIR:-"${DATADIR}"}@' \
+ -e '/^check_bsd_mount$$/d' \
+ ${WRKSRC}/testssl.sh
+
+do-install:
+ ${INSTALL_PROGRAM} ${WRKSRC_openssl}/apps/openssl ${STAGEDIR}${PREFIX}/libexec/openssl.testssl.sh
+ ${INSTALL_SCRIPT} ${WRKSRC}/testssl.sh ${STAGEDIR}${PREFIX}/bin
+ @${MKDIR} ${STAGEDIR}${DATADIR}/etc ${STAGEDIR}${DATADIR}/utils
+ @cd ${WRKSRC}/etc && ${COPYTREE_SHARE} . ${STAGEDIR}${DATADIR}/etc
+ @cd ${WRKSRC}/utils && ${COPYTREE_SHARE} . ${STAGEDIR}${DATADIR}/utils
+
+.include <bsd.port.mk>
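Review bot: The `post-patch` sed edits to `testssl.sh` succeed silently when a pattern stops matching, so a later upstream change to the `# 5. we tried` comment or the `test_openssl_suffix` branch would drop the `OPENSSL="${PREFIX}/libexec/openssl.testssl.sh"` assignment while the build still passes. The installed script would then presumably fall back to some other openssl binary that lacks the SSLv2/SSLv3 and legacy-cipher support enabled in `CONFIGURE_ARGS`, so weak-protocol checks could go untested without anything failing at package time. Either carry the change as a patch under `files/`, which fails loudly on a mismatch, or end the target with a check such as `@${GREP} -q 'libexec/openssl.testssl.sh' ${WRKSRC}/testssl.sh`.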
diff --git a/security/testssl.sh/distinfo b/security/testssl.sh/distinfo
new file mode 100644
index 000000000000..21e452cdd495
--- /dev/null
+++ b/security/testssl.sh/distinfo
@@ -0,0 +1,5 @@
+TIMESTAMP = 1498752135
+SHA256 (drwetter-testssl.sh-2.8_GH0.tar.gz) = 76c1b21fcbaa4e625b77c9a9c7a137a2272cd84d07911fb213101aa6b9ce8cfa
+SIZE (drwetter-testssl.sh-2.8_GH0.tar.gz) = 8529555
+SHA256 (drwetter-openssl-pm-snapshot-a9396aaef81d5c1ed714fc625b593522d25914b1_GH0.tar.gz) = 798230c8dc8d7723fff5f6687b1150a3165254eb65c4f6875b7b6b66a53f9c47
+SIZE (drwetter-openssl-pm-snapshot-a9396aaef81d5c1ed714fc625b593522d25914b1_GH0.tar.gz) = 5491000
diff --git a/security/testssl.sh/pkg-descr b/security/testssl.sh/pkg-descr
new file mode 100644
index 000000000000..021890c4174b
--- /dev/null
+++ b/security/testssl.sh/pkg-descr
@@ -0,0 +1,15 @@
+testssl.sh is a command line tool which checks a server's service on
+any port for the support of TLS/SSL ciphers, protocols as well as some
+cryptographic flaws. Key features:
+
+- Clear output: you can tell easily whether anything is good or bad
+- Flexibility: You can test any SSL/TLS enabled and STARTTLS service,
+ not only webservers at port 443
+- Toolbox: Several command line options help you to run YOUR test and
+ configure YOUR output
+- Reliability: features are tested thoroughly
+- Verbosity: If a particular check cannot be performed because of a
+ missing capability on your client side, you'll get a warning
+- Privacy: It's only you who sees the result, not a third party
+
+WWW: https://github.com/drwetter/testssl.sh
diff --git a/security/testssl.sh/pkg-plist b/security/testssl.sh/pkg-plist
new file mode 100644
index 000000000000..04fbae1b842b
--- /dev/null
+++ b/security/testssl.sh/pkg-plist
@@ -0,0 +1,20 @@
+bin/testssl.sh
+libexec/openssl.testssl.sh
+%%DATADIR%%/etc/Apple.pem
+%%DATADIR%%/etc/Linux.pem
+%%DATADIR%%/etc/Microsoft.pem
+%%DATADIR%%/etc/Mozilla.pem
+%%DATADIR%%/etc/README.md
+%%DATADIR%%/etc/ca_hashes.txt
+%%DATADIR%%/etc/curves.txt
+%%DATADIR%%/etc/mapping-rfc.txt
+%%DATADIR%%/etc/mapping.txt
+%%DATADIR%%/utils/ccs-injection.bash
+%%DATADIR%%/utils/checkcert.sh
+%%DATADIR%%/utils/create_ca_hashes.sh
+%%DATADIR%%/utils/curves.bash
+%%DATADIR%%/utils/heartbleed.bash
+%%DATADIR%%/utils/make-openssl.sh
+%%DATADIR%%/utils/parse_client_ciphers.pl
+%%DATADIR%%/utils/prototype.ssl2proto-check.bash
+%%DATADIR%%/utils/prototype.tls-protocol-checker.bash