2 changed files with 3 additions and 51 deletions
--- a/SOURCES/nmap-ems-ssl-enum-ciphers.patch
+++ b/SOURCES/nmap-ems-ssl-enum-ciphers.patch
@ -1,40 +0,0 @@
 commit fc5fc2a26877e241bf9f175832cc89f5ec1e6925
 Author: Clemens Lang <cllang@redhat.com>
 Date:   Mon Oct 16 13:44:40 2023 +0200
    Support EMS in ssl-enum-ciphers
    The FIPS 140-3 Implementation Guidelines in section D.Q require
    FIPS-certified cryptographic modules to use the RFC 7627 Extended Master
    Secret for modules submitted after May 16th, 2023:
    > [a] new validation, […] submitted more than one year after [May 2022]
    > shall use the extended master secret in the TLS 1.2 KDF.
    ssl-enum-ciphers was not sending this extension, causing some servers to
    abort the handshake. This lead to no support for TLS 1.2 being reported,
    even though support was available with the extended master secret. Add
    the EMS extension to the set of base extensions that are always sent to
    avoid this situation.
    Servers that do not support EMS should just ignore this extension
    silently.
    Signed-off-by: Clemens Lang <cllang@redhat.com>
 diff --git a/scripts/ssl-enum-ciphers.nse b/scripts/ssl-enum-ciphers.nse
 index 881b6bdcb..bd441120c 100644
 --- a/scripts/ssl-enum-ciphers.nse
 +++ b/scripts/ssl-enum-ciphers.nse
@@ -528,6 +528,11 @@ local function base_extensions(host)
     ["ec_point_formats"] = tls.EXTENSION_HELPERS["ec_point_formats"]({"uncompressed"}),
     -- Enable SNI if a server name is available
     ["server_name"] = tlsname and tls.EXTENSION_HELPERS["server_name"](tlsname),
 +    -- Enable the Extended Master Secret extension, since FIPS 140-3 IG section
 +    -- D.Q now requires it for servers in FIPS mode and some vendors may reject
 +    -- handshakes without it. Not sending the extension would show those
 +    -- servers as not supporting TLS 1.2 at all.
 +    ["extended_master_secret"] = "",
   }
 end
--- a/SPECS/nmap.spec
+++ b/SPECS/nmap.spec
@ -7,7 +7,7 @@ Name: nmap
 Epoch: 3
 Version: 7.92
 #global prerelease TEST5
-Release: 3%{?dist}
+Release: 1%{?dist}
 Summary: Network exploration tool and security scanner
 URL: http://nmap.org/
 # Uses combination of licenses based on GPL license, but with extra modification
@ -30,8 +30,6 @@ Patch3: ncat_reg_stdin.diff
 Patch4: nmap-6.25-displayerror.patch
 # https://github.com/nmap/nmap/pull/2247
 Patch5: nmap_resolve_config.patch
 # https://github.com/nmap/nmap/pull/2724
 Patch6: nmap-ems-ssl-enum-ciphers.patch
 BuildRequires: automake make
 BuildRequires: autoconf
@ -49,8 +47,8 @@ BuildRequires: zlib-devel
 BuildRequires: gnupg2
 Requires: %{name}-ncat = %{epoch}:%{version}-%{release}
-Obsoletes: nmap-frontend < 7.70-1
+Obsoletes: nmap-frontend
-Obsoletes: nmap-ndiff < 7.70-1
+Obsoletes: nmap-ndiff
 %define pixmap_srcdir zenmap/share/pixmaps
@ -154,12 +152,6 @@ fi
 %{_mandir}/man1/ncat.1.gz
 %changelog
 * Wed Jul 10 2024 František Hrdina <fhrdina@redhat.com> - 3:7.92-3
 - Update fmf plans and gating
 * Tue Jul 09 2024 Martin Osvald <mosvald@redhat.com> - 3:7.92-2
 - Support EMS in ssl-enum-ciphers
 * Tue Mar 21 2023 Martin Osvald <mosvald@redhat.com> - 3:7.92-1
 - New version 7.92
 - Resolves: #2180330 - Rebase nmap for TLS v1.3 support