python3Packages.tlsprofiler: init at 1.0 #91380
Conversation
```nix
buildPythonPackage rec {
  pname = "tlsprofiler";
  version = "1.0";

  src = fetchFromGitHub {
    owner = "danielfett";
    repo = pname;
    rev = "c4a9cdcf951343ef6cf670df9351c197c6aaab80";
    sha256 = "1ng9ba1w6x9x86cngxx9p4dfjzkf3nn0w4ibn1kmwnf2rgdl6clw";
  };

  patches = [ ./tlsprofiler-setup-requirements.patch ];

  # Tests require Docker to set up web servers which serve a specific profile
  doCheck = false;

  propagatedBuildInputs = [ requests cryptography nasslTlsprofiler sslyzeTlsprofiler ];
```
If you just care about the application, you can pin packages like this, but we try to discourage introducing different versions of available packages, as it creates incoherent package sets (Python can only import one version of a library, so depending on which one is listed first, it will break the other).
For a package with pinned dependencies, you can look at aws-cli.
Thanks for your review. I agree with your assessment that pinning these versions should be avoided; particularly, as it isn't unlikely that someone who uses `tlsprofiler` in their Python project might also use `sslyze`. I'd propose the following strategy:
- Ask the authors of TLS Profiler if they think it is possible to make some efforts to merge their fork of Nassl/SSLyze with upstream. To that end, I've created an issue: Port Nassl/SSLyze to upstream danielfett/tlsprofiler#6. If this works out, we could include a modified version of this PR without further problems, I guess.
- If this won't happen for any reason, I'll modify the PR to include the application only (similar to `awscli`).
I marked this as stale due to inactivity.
```nix
    }
  );
  sslyzeTlsprofiler = (sslyze.override { nassl = nasslTlsprofiler; }).overrideAttrs (
    oldAttrs: rec {
```
Why is `rec` needed?
diff --git a/requirements.txt b/requirements.txt | ||
index a783532..34aa149 100644 | ||
--- a/requirements.txt | ||
+++ b/requirements.txt | ||
@@ -1,4 +1,2 @@ | ||
--e git+https://github.com/fabian-hk/sslyze.git@tls_profiler#egg=sslyze | ||
-# -e git+https://github.com/fabian-hk/nassl.git@tls_profiler#egg=nassl | ||
requests | ||
cryptography>=2.8 | ||
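Review bot: with the editable fork line removed, requirements.txt no longer names sslyze at all, while setup.py still requires it, so the two dependency lists of the source tree now disagree; either add a plain `sslyze` line next to `requests` and `cryptography>=2.8`, or leave requirements.txt out of the patch if only install_requires matters for the build. Note also that the first character of `--e git+...` is the diff marker: the removed line is the editable install `-e git+https://github.com/fabian-hk/sslyze.git@tls_profiler#egg=sslyze`, and the patch header should say that this fork pin is being dropped on purpose.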
diff --git a/setup.py b/setup.py | ||
index e9289df..262c521 100644 | ||
--- a/setup.py | ||
+++ b/setup.py | ||
@@ -22,6 +22,7 @@ setup( | ||
python_requires='>=3.6', | ||
install_requires=[ | ||
'requests', | ||
- 'sslyze @ git+https://github.com/fabian-hk/sslyze.git@tls_profiler#egg=sslyze', | ||
+ 'sslyze', | ||
+ 'cryptography', | ||
], | ||
) | ||
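Review bot: `'cryptography'` is added without the `>=2.8` floor that requirements.txt keeps, so install_requires and requirements.txt now carry different constraints; use `'cryptography>=2.8'` here. Replacing the git pin with a bare `'sslyze'` also removes the only record in the package metadata that the tls_profiler fork is needed, so the Nix expression should carry a comment next to sslyzeTlsprofiler saying that the override is what satisfies this requirement.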
I think this patch would be easier with just two substituteInPlace's.
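The two points raised in this review, keeping the pinned forks out of the shared python3Packages set (as the earlier comment suggests, following aws-cli) and replacing the patch file with `substituteInPlace`, combined into one sketch. This is an added example, not code from this PR or from the tlsprofiler project. It assumes the fork branches named in the diff (`fabian-hk/nassl` and `fabian-hk/sslyze` at `tls_profiler`); their hashes are not on this page, so `lib.fakeSha256` stands in as a placeholder, and `py` is a hypothetical local name for the overridden interpreter.

```nix
# Added example, not code from the PR: package tlsprofiler as an application
# whose forked nassl/sslyze live only inside a locally overridden interpreter,
# so python3Packages.nassl and python3Packages.sslyze stay untouched.
{ lib, python3, fetchFromGitHub }:

let
  # Local interpreter with a private package set: the fork overrides are
  # visible to everything built from `py.pkgs`, but not to python3Packages.
  py = python3.override {
    packageOverrides = self: super: {
      nassl = super.nassl.overrideAttrs (oldAttrs: {
        src = fetchFromGitHub {
          owner = "fabian-hk";
          repo = "nassl";
          rev = "tls_profiler";      # branch named in the diff above
          sha256 = lib.fakeSha256;   # placeholder: hash not on this page
        };
        # The test fix carried by the PR; fetchpatch would fit better once
        # the upstream commit is known (it is not named on this page).
        patches = (oldAttrs.patches or [ ]) ++ [ ./nassl-0001-Fix-test.patch ];
      });
      # sslyze is called with `self.nassl`, i.e. the fork above, so no
      # explicit `.override { nassl = ...; }` is needed here.
      sslyze = super.sslyze.overrideAttrs (oldAttrs: {
        src = fetchFromGitHub {
          owner = "fabian-hk";
          repo = "sslyze";
          rev = "tls_profiler";
          sha256 = lib.fakeSha256;   # placeholder: hash not on this page
        };
      });
    };
  };
in
py.pkgs.buildPythonApplication rec {
  pname = "tlsprofiler";
  version = "1.0";

  src = fetchFromGitHub {
    owner = "danielfett";
    repo = pname;
    rev = "c4a9cdcf951343ef6cf670df9351c197c6aaab80";
    sha256 = "1ng9ba1w6x9x86cngxx9p4dfjzkf3nn0w4ibn1kmwnf2rgdl6clw";
  };

  # Same edits as tlsprofiler-setup-requirements.patch, done in place:
  # drop the git pin from install_requires (adding cryptography there with
  # the floor requirements.txt uses) and turn the editable fork line in
  # requirements.txt into a plain distribution name.
  postPatch = ''
    substituteInPlace setup.py \
      --replace "'sslyze @ git+https://github.com/fabian-hk/sslyze.git@tls_profiler#egg=sslyze'" \
                "'sslyze', 'cryptography>=2.8'"
    substituteInPlace requirements.txt \
      --replace "-e git+https://github.com/fabian-hk/sslyze.git@tls_profiler#egg=sslyze" \
                "sslyze"
  '';

  # Resolved from the private set, so these are the forked builds.
  propagatedBuildInputs = with py.pkgs; [ requests cryptography nassl sslyze ];

  # Tests require Docker to set up web servers which serve a specific profile
  doCheck = false;
}
```

Wired in under `pkgs` as an application rather than under `python3Packages`, this keeps the fork-specific nassl and sslyze in tlsprofiler's own closure: a user who installs both `tlsprofiler` and `python3Packages.sslyze` gets one sslyze in their Python environment instead of two competing versions, which is the incoherence the first review comment warns about.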
```nix
  # Also make `run.py` available as `tlsprofiler` application
  postInstall = ''
    sed -i '1s|^|#!/usr/bin/env python3\n|' run.py
```
Why is this necessary?
```nix
      patches = [
        # Apply upstream patch to update expired cert chain
        ./nassl-0001-Fix-test.patch
```
If this is an upstream patch can we use fetchpatch instead?
```nix
}:
let
  nasslTlsprofiler = nassl.overrideAttrs (
    oldAttrs: rec {
```
I don't think `rec` is necessary.
Closing due to no response from author in a while.
Motivation for this change
Tlsprofiler allows testing whether a TLS server adheres to Mozilla's server side TLS recommendations. NixOS also relies on these guidelines for Nginx, implementing the "intermediate" profile as a configuration flag. The original authors of Tlsprofiler provide a web version here.
Tlsprofiler makes use of Nassl/SSLyze, which have been merged recently. It does, however, rely on a forked version of Nassl and SSLyze. In contrast to the Nixpkgs version of SSLyze, I had to disable the tests as virtually all are online. They passed just fine though: https://gist.github.com/veehaitch/a7eb5164ff1480dd47da3500509897d3
One may use Tlsprofiler as a Python 3 package or as a command line application; see `tlsprofiler -h` for further information.

Things done
- Tested using sandboxing (`sandbox` in `nix.conf` on non-NixOS linux)
- Tested compilation of all pkgs that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review wip"`
- Tested execution of all binary files (usually in `./result/bin/`)
- Determined the impact on package closure size (by running `nix path-info -S` before and after)