sslyze: init at 3.0.7 #89034
sslyze: init at 3.0.7 #89034
Conversation
|
Thanks for opening up your first PR to nixpkgs :) |
ofborg
bot
added
8.has: package (new)
10.rebuild-darwin: 1-10
10.rebuild-linux: 1-10
labels
| cp ${zlibStatic.out}/lib/libz.a deps/zlib-1.2.11/ | ||
| ''; | ||
|
|
||
| propagatedBuildInputs = [ tls-parser pytest ]; |
There was a problem hiding this comment.
couldn't find anything in their setup.py about dependencies, but this should probably be:
| propagatedBuildInputs = [ tls-parser pytest ]; | |
| propagatedBuildInputs = [ tls-parser ]; | |
| checkInputs = [ pytest ]; |
There was a problem hiding this comment.
Apparently, pytest is required in the setuptoolsCheckPhase.
There was a problem hiding this comment.
It should not be propagated still.
There was a problem hiding this comment.
You're right! I've removed pytest from the propagatedBuildInputs
Actually, both :) |
Then you'll probably want to do something similar to https://github.com/NixOS/nixpkgs/blob/master/doc/languages-frameworks/python.section.md#topythonapplication-function in which you export the package as a top-level attribute as well |
I guess I already did that :) https://github.com/NixOS/nixpkgs/pull/89034/files#diff-036410e9211b4336186fc613f7200b12R22115 |
| opensslLegacyStatic = (openssl_1_0_2.override nasslOpensslArgs).overrideAttrs ( | ||
| oldAttrs: rec { | ||
| name = "openssl-${version}"; | ||
| version = "1.0.2e"; | ||
| src = fetchurl { | ||
| url = "https://www.openssl.org/source/${name}.tar.gz"; | ||
| sha256 = "1zqb1rff1wikc62a7vj5qxd1k191m8qif5d05mwdxz2wnzywlg72"; | ||
| }; | ||
| configureFlags = oldAttrs.configureFlags ++ nasslOpensslFlagsCommon; | ||
| patches = [ ]; | ||
| buildInputs = oldAttrs.buildInputs ++ [ zlibStatic ]; | ||
| } | ||
| ); |
There was a problem hiding this comment.
Is there any support for newer versions of openssl?
$ nix-build ./nixpkgs/ -A python3Packages.sslyze
error: Package ‘openssl-1.0.2e’ in /home/jon/.cache/nixpkgs-review/pr-89034-2/nixpkgs/pkgs/development/libraries/openssl/default.nix:135 is marked as insecure, refusing to evaluate.
Known issues:
- Support for OpenSSL 1.0.2 ended with 2019.
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘openssl-1.0.2e’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"openssl-1.0.2e"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘openssl-1.0.2e’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"openssl-1.0.2e"
];
}
(use '--show-trace' to show detailed location information)
There was a problem hiding this comment.
Good point! I've mentioned this in the initial comment on this PR:
SSLyze relies on Nassl which uses OpenSSL 1.1. but also OpenSSL 1.0.2e. This legacy version of OpenSSL is—with good reason—marked as insecure in Nixpkgs. In this particular case, however, it is unwanted that OpenSSL 1.0.2e refuses to evaluate due to the known vulnerabilities attribute; SSLyze is a security scanner which leverages OpenSSL 1.0.2e on purpose. As a result, to install Nassl or SSLyze, one has to explicitly allow the evaluation of OpenSSL 1.0.2e globally. It would be great if we could allow evaluation just for the Nassl Python package. I'm not sure, however, if this is possible at all without duplicating the derivation of OpenSSL 1.0.2e.
There was a problem hiding this comment.
is there a way to use 1.1 instead? seems like it's compatible, but there's also a lot going on here so I'm not sure. And commit messages are great when doing git bisect or git log, but not great from a user's perspective when using the package through nix (as they will just get the error I got).
There was a problem hiding this comment.
Excellent idea! This works now without the openssl-1.0.2e warning / limitation 👍
|
@jonringer Tests are now enabled for |
| opensslStatic = (openssl.override nasslOpensslArgs).overrideAttrs ( | ||
| oldAttrs: rec { | ||
| name = "openssl-${version}"; | ||
| version = "1.1.1"; | ||
| src = fetchurl { | ||
| url = "https://www.openssl.org/source/${name}.tar.gz"; | ||
| sha256 = "0gbab2fjgms1kx5xjvqx8bxhr98k4r8l2fa8vw7kvh491xd8fdi8"; | ||
| }; | ||
| configureFlags = oldAttrs.configureFlags ++ nasslOpensslFlagsCommon ++ [ | ||
| "enable-weak-ssl-ciphers" | ||
| "enable-tls1_3" | ||
| "no-async" | ||
| ]; | ||
| patches = [ ./nix-ssl-cert-file.patch ]; | ||
| buildInputs = oldAttrs.buildInputs ++ [ zlibStatic cacert ]; | ||
| } | ||
| ); | ||
| opensslLegacyStatic = (openssl.override nasslOpensslArgs).overrideAttrs ( | ||
| oldAttrs: rec { | ||
| name = "openssl-${version}"; | ||
| version = "1.0.2e"; | ||
| src = fetchurl { | ||
| url = "https://www.openssl.org/source/${name}.tar.gz"; | ||
| sha256 = "1zqb1rff1wikc62a7vj5qxd1k191m8qif5d05mwdxz2wnzywlg72"; | ||
| }; | ||
| configureFlags = oldAttrs.configureFlags ++ nasslOpensslFlagsCommon; | ||
| patches = [ ]; | ||
| buildInputs = oldAttrs.buildInputs ++ [ zlibStatic ]; | ||
| # openssl_1_0_2 needs `withDocs = false` | ||
| outputs = lib.remove "doc" oldAttrs.outputs; | ||
| } | ||
| ); |
There was a problem hiding this comment.
Would it be possible to patch the library to link against system openssl instead of building a local static copy? Maybe open an issue upstream.
There was a problem hiding this comment.
The downside of missing this is not being able to scan for things that were removed (SSLv3?) from more recent OpenSSL versions AFAIUI. I'm not sure there is an actual need to scan for legacy stuff, but others might disagree.
I've looked into the testssl.sh package and it is shipped without a legacy OpenSSL package.
There was a problem hiding this comment.
Thanks for your comments!
I've already tried to
-
build Nassl without the legacy OpenSSL version potentially accepting a lack of functionality. Unfortunately, there's no flag and the code depends on the legacy version on quite a few places.
-
use the Nixpkgs OpenSSL version (i.e., at the time of writing,
1.1.1g). With this version, however, Nassl tests started to fail.
AFAICS, Nassl depends on these specific versions of both the legacy and modern OpenSSL library.
There was a problem hiding this comment.
Could you try opening an issue upstream about linking against system openssl?
There was a problem hiding this comment.
Sure! Here you go: nabla-c0d3/nassl#64
There was a problem hiding this comment.
By that thread it seems the 1.0.2 security issues won't be a problem in here.
There was a problem hiding this comment.
I'm not sure how to proceed here. Support for using the system OpenSSL (and, hence, dynamic linking) would require upstream work but would still require custom compile flags. However, as @vcunat already pointed out, we'd likely use this build of OpenSSL for Nassl only; this raises the question if static linking is actually an issue here. All the same applies for the legacy version.
There was a problem hiding this comment.
For 1.1 it also can't use our nixpkgs-wide build? (perhaps due to missing "enable-weak-ssl-ciphers")
There was a problem hiding this comment.
I've tried that and, unfortunately, tests started to fail.
NB: I've just updated tls-parser and sslyze to the latest upstream version.
Motivation for this change
Adds the Python package / application
sslyze: SSLyze is a fast and powerful SSL/TLS scanning library.SSLyze relies on Nassl which uses OpenSSL 1.1. but also OpenSSL 1.0.2e. This legacy version of OpenSSL is—with good reason—marked as insecure in Nixpkgs. In this particular case, however, it is unwanted that OpenSSL 1.0.2e refuses to evaluate due to the known vulnerabilities attribute; SSLyze is a security scanner which leverages OpenSSL 1.0.2e on purpose. As a result, to install Nassl or SSLyze, one has to explicitly allow the evaluation of OpenSSL 1.0.2e globally. It would be great if we could allow evaluation just for the Nassl Python package. I'm not sure, however, if this is possible at all without duplicating the derivation of OpenSSL 1.0.2e.
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)