security/testssl.sh: Update to 3.2.0

The improvements are extensive, but operation remains the same.

Changes: https://github.com/testssl/testssl.sh/blob/3.2/CHANGELOG.md

security/testssl.sh/Makefile

@@ -1,6 +1,6 @@
 PORTNAME=	testssl.sh
 DISTVERSIONPREFIX=	v
-DISTVERSION=	3.0.9
+DISTVERSION=	3.2.0
 CATEGORIES=	security
 
 MAINTAINER=	adamw@FreeBSD.org
@@ -14,11 +14,12 @@ RUN_DEPENDS=	openssl-unsafe>=1.0.1:security/openssl-unsafe \
 		bash:shells/bash
 TEST_DEPENDS=	p5-JSON>=0:converters/p5-JSON
 
-USES=		perl5 shebangfix
+USES=		perl5 shebangfix ssl
 USE_GITHUB=	yes
 GH_ACCOUNT=	testssl
 
 SHEBANG_FILES=	testssl.sh utils/*
+SUB_LIST+=	OPENSSLBASE="${OPENSSLBASE}"
 
 USE_PERL5=	test
 TEST_ENV=	TESTSSL_INSTALL_DIR=${WRKSRC}
@@ -41,4 +42,5 @@ do-test:
 # run.
 	cd ${WRKSRC} && ${SETENV} ${TEST_ENV} prove -v t/51_badssl.com.t
 
-.include <bsd.port.mk>
+.include <bsd.port.pre.mk>
+.include <bsd.port.post.mk>

security/testssl.sh/distinfo

@@ -1,3 +1,3 @@
-TIMESTAMP = 1737732228
-SHA256 (testssl-testssl.sh-v3.0.9_GH0.tar.gz) = 75ecbe4470e74f9ad17f4c4ac733be123b0f67d676ed24cc2b30adb41561e05f
-SIZE (testssl-testssl.sh-v3.0.9_GH0.tar.gz) = 9381651
+TIMESTAMP = 1745404098
+SHA256 (testssl-testssl.sh-v3.2.0_GH0.tar.gz) = f3969c152c0fe99a2a90e8c8675ab677d77608ac77c957a95497387c36363c32
+SIZE (testssl-testssl.sh-v3.2.0_GH0.tar.gz) = 6976478

security/testssl.sh/files/patch-testssl.sh

@@ -1,25 +1,26 @@
---- testssl.sh.orig	2022-02-19 20:34:21 UTC
+--- testssl.sh.orig	2025-04-23 10:29:50 UTC
 +++ testssl.sh
-@@ -132,7 +132,7 @@ declare -r RUN_DIR="$(dirname "$0")"
- declare -r SYSTEM="$(uname -s)"
- declare -r SYSTEMREV="$(uname -r)"
- SYSTEM2=""                                        # currently only being used for WSL = bash on windows
+@@ -193,7 +193,7 @@ ADDTL_CA_FILES="${ADDTL_CA_FILES:-""}"  # single file 
+ 
+ ########### Tuning vars which cannot be set by a cmd line switch. Use instead e.g "HEADER_MAXSLEEP=10 ./testssl.sh <your_args_here>"
+ #
 -TESTSSL_INSTALL_DIR="${TESTSSL_INSTALL_DIR:-""}"  # If you run testssl.sh and it doesn't find it necessary file automagically set TESTSSL_INSTALL_DIR
 +TESTSSL_INSTALL_DIR="${TESTSSL_INSTALL_DIR:-"%%DATADIR%%"}"  # If you run testssl.sh and it doesn't find it necessary file automagically set TESTSSL_INSTALL_DIR
- CA_BUNDLES_PATH="${CA_BUNDLES_PATH:-""}"          # You can have your stores some place else
- ADDITIONAL_CA_FILES="${ADDITIONAL_CA_FILES:-""}"  # single file with a CA in PEM format or comma separated lists of them
+ CA_BUNDLES_PATH="${CA_BUNDLES_PATH:-""}"          # You can have your CA stores some place else
+ EXPERIMENTAL=${EXPERIMENTAL:-false}     # a development hook which allows us to disable code
+ PROXY_WAIT=${PROXY_WAIT:-20}            # waiting at max 20 seconds for socket reply through proxy
+@@ -244,8 +244,8 @@ TLS_DATA_FILE=""                        # mandatory fi
+ PRINTF=""                               # which external printf to use. Empty presets the internal one, see #1130
  CIPHERS_BY_STRENGTH_FILE=""
-@@ -187,6 +187,9 @@ TERM_CURRPOS=0                                        
- ########### Defining (and presetting) variables which can be changed
- #
- # Following variables make use of $ENV and can be used like "OPENSSL=<myprivate_path_to_openssl> ./testssl.sh <URI>"
-+if [[ -z "$OPENSSL" ]]; then
-+     OPENSSL="%%PREFIX%%/openssl-unsafe/bin/openssl"
-+fi
- declare -x OPENSSL
- OPENSSL_TIMEOUT=${OPENSSL_TIMEOUT:-""}  # Default connect timeout with openssl before we call the server side unreachable
- CONNECT_TIMEOUT=${CONNECT_TIMEOUT:-""}  # Default connect timeout with sockets before we call the server side unreachable
-@@ -20345,7 +20348,6 @@ lets_roll() {
+ TLS_DATA_FILE=""                        # mandatory file for socket-based handshakes
+-OPENSSL=""                              # ~/bin/openssl.$(uname).$(uname -m) if you run this from GitHub. Linux otherwise probably /usr/bin/openssl
+-OPENSSL2=${OPENSSL2:-/usr/bin/openssl}  # This will be openssl version >=1.1.1 (auto determined) as opposed to openssl-bad (OPENSSL)
++OPENSSL="%%PREFIX%%/openssl-unsafe/bin/openssl"                              # ~/bin/openssl.$(uname).$(uname -m) if you run this from GitHub. Linux otherwise probably /usr/bin/openssl
++OPENSSL2=${OPENSSL2:-"%%OPENSSLBASE%%/bin/openssl"}  # This will be openssl version >=1.1.1 (auto determined) as opposed to openssl-bad (OPENSSL)
+ OPENSSL2_HAS_TLS_1_3=false              # If we run with supplied binary AND $OPENSSL2 supports TLS 1.3 this will be set to true
+ OPENSSL2_HAS_CHACHA20=false
+ OPENSSL2_HAS_AES128_GCM=false
+@@ -24940,7 +24940,6 @@ lets_roll() {
       mybanner
       check_proxy
       check4openssl_oldfarts

security/testssl.sh/pkg-plist

@@ -7,6 +7,7 @@ share/man/man1/testssl.1.gz
 %%DATADIR%%/etc/Microsoft.pem
 %%DATADIR%%/etc/Mozilla.pem
 %%DATADIR%%/etc/README.md
+%%DATADIR%%/etc/SSLSocketClient.java
 %%DATADIR%%/etc/ca_hashes.txt
 %%DATADIR%%/etc/cipher-mapping.txt
 %%DATADIR%%/etc/client-simulation.txt
@@ -28,6 +29,7 @@ share/man/man1/testssl.1.gz
 %%DATADIR%%/utils/gmap2testssl.sh
 %%DATADIR%%/utils/heartbleed.bash
 %%DATADIR%%/utils/hexstream2cipher.sh
+%%DATADIR%%/utils/hexstream2curves.sh
 %%DATADIR%%/utils/make-openssl.sh
 %%DATADIR%%/utils/make-openssl111.sh
 %%DATADIR%%/utils/parse_client_ciphers.pl