New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sslyze: init at 3.0.7 #89034
sslyze: init at 3.0.7 #89034
Conversation
Thanks for opening up your first PR to nixpkgs :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is sslyze meant to be used more as a command line utility or an importable python package?
cp ${zlibStatic.out}/lib/libz.a deps/zlib-1.2.11/ | ||
''; | ||
|
||
propagatedBuildInputs = [ tls-parser pytest ]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
couldn't find anything in their setup.py about dependencies, but this should probably be:
propagatedBuildInputs = [ tls-parser pytest ]; | |
propagatedBuildInputs = [ tls-parser ]; | |
checkInputs = [ pytest ]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Apparently, pytest
is required in the setuptoolsCheckPhase
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
that should be fine...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It should not be propagated still.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You're right! I've removed pytest
from the propagatedBuildInputs
Actually, both :) |
Then you'll probably want to do something similar to https://github.com/NixOS/nixpkgs/blob/master/doc/languages-frameworks/python.section.md#topythonapplication-function in which you export the package as a top-level attribute as well |
I guess I already did that :) https://github.com/NixOS/nixpkgs/pull/89034/files#diff-036410e9211b4336186fc613f7200b12R22115 |
opensslLegacyStatic = (openssl_1_0_2.override nasslOpensslArgs).overrideAttrs ( | ||
oldAttrs: rec { | ||
name = "openssl-${version}"; | ||
version = "1.0.2e"; | ||
src = fetchurl { | ||
url = "https://www.openssl.org/source/${name}.tar.gz"; | ||
sha256 = "1zqb1rff1wikc62a7vj5qxd1k191m8qif5d05mwdxz2wnzywlg72"; | ||
}; | ||
configureFlags = oldAttrs.configureFlags ++ nasslOpensslFlagsCommon; | ||
patches = [ ]; | ||
buildInputs = oldAttrs.buildInputs ++ [ zlibStatic ]; | ||
} | ||
); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there any support for newer versions of openssl?
$ nix-build ./nixpkgs/ -A python3Packages.sslyze
error: Package ‘openssl-1.0.2e’ in /home/jon/.cache/nixpkgs-review/pr-89034-2/nixpkgs/pkgs/development/libraries/openssl/default.nix:135 is marked as insecure, refusing to evaluate.
Known issues:
- Support for OpenSSL 1.0.2 ended with 2019.
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘openssl-1.0.2e’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"openssl-1.0.2e"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘openssl-1.0.2e’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"openssl-1.0.2e"
];
}
(use '--show-trace' to show detailed location information)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point! I've mentioned this in the initial comment on this PR:
SSLyze relies on Nassl which uses OpenSSL 1.1. but also OpenSSL 1.0.2e. This legacy version of OpenSSL is—with good reason—marked as insecure in Nixpkgs. In this particular case, however, it is unwanted that OpenSSL 1.0.2e refuses to evaluate due to the known vulnerabilities attribute; SSLyze is a security scanner which leverages OpenSSL 1.0.2e on purpose. As a result, to install Nassl or SSLyze, one has to explicitly allow the evaluation of OpenSSL 1.0.2e globally. It would be great if we could allow evaluation just for the Nassl Python package. I'm not sure, however, if this is possible at all without duplicating the derivation of OpenSSL 1.0.2e.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is there a way to use 1.1 instead? seems like it's compatible, but there's also a lot going on here so I'm not sure. And commit messages are great when doing git bisect
or git log
, but not great from a user's perspective when using the package through nix (as they will just get the error I got).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Excellent idea! This works now without the openssl-1.0.2e
warning / limitation 👍
@jonringer Tests are now enabled for |
opensslStatic = (openssl.override nasslOpensslArgs).overrideAttrs ( | ||
oldAttrs: rec { | ||
name = "openssl-${version}"; | ||
version = "1.1.1"; | ||
src = fetchurl { | ||
url = "https://www.openssl.org/source/${name}.tar.gz"; | ||
sha256 = "0gbab2fjgms1kx5xjvqx8bxhr98k4r8l2fa8vw7kvh491xd8fdi8"; | ||
}; | ||
configureFlags = oldAttrs.configureFlags ++ nasslOpensslFlagsCommon ++ [ | ||
"enable-weak-ssl-ciphers" | ||
"enable-tls1_3" | ||
"no-async" | ||
]; | ||
patches = [ ./nix-ssl-cert-file.patch ]; | ||
buildInputs = oldAttrs.buildInputs ++ [ zlibStatic cacert ]; | ||
} | ||
); | ||
opensslLegacyStatic = (openssl.override nasslOpensslArgs).overrideAttrs ( | ||
oldAttrs: rec { | ||
name = "openssl-${version}"; | ||
version = "1.0.2e"; | ||
src = fetchurl { | ||
url = "https://www.openssl.org/source/${name}.tar.gz"; | ||
sha256 = "1zqb1rff1wikc62a7vj5qxd1k191m8qif5d05mwdxz2wnzywlg72"; | ||
}; | ||
configureFlags = oldAttrs.configureFlags ++ nasslOpensslFlagsCommon; | ||
patches = [ ]; | ||
buildInputs = oldAttrs.buildInputs ++ [ zlibStatic ]; | ||
# openssl_1_0_2 needs `withDocs = false` | ||
outputs = lib.remove "doc" oldAttrs.outputs; | ||
} | ||
); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would it be possible to patch the library to link against system openssl instead of building a local static copy? Maybe open an issue upstream.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The downside of missing this is not being able to scan for things that were removed (SSLv3?) from more recent OpenSSL versions AFAIUI. I'm not sure there is an actual need to scan for legacy stuff, but others might disagree.
I've looked into the testssl.sh
package and it is shipped without a legacy OpenSSL package.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for your comments!
I've already tried to
-
build Nassl without the legacy OpenSSL version potentially accepting a lack of functionality. Unfortunately, there's no flag and the code depends on the legacy version on quite a few places.
-
use the Nixpkgs OpenSSL version (i.e., at the time of writing,
1.1.1g
). With this version, however, Nassl tests started to fail.
AFAICS, Nassl depends on these specific versions of both the legacy and modern OpenSSL library.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you try opening an issue upstream about linking against system openssl?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure! Here you go: nabla-c0d3/nassl#64
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
By that thread it seems the 1.0.2 security issues won't be a problem in here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure how to proceed here. Support for using the system OpenSSL (and, hence, dynamic linking) would require upstream work but would still require custom compile flags. However, as @vcunat already pointed out, we'd likely use this build of OpenSSL for Nassl only; this raises the question if static linking is actually an issue here. All the same applies for the legacy version.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For 1.1 it also can't use our nixpkgs-wide build? (perhaps due to missing "enable-weak-ssl-ciphers"
)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've tried that and, unfortunately, tests started to fail.
NB: I've just updated tls-parser
and sslyze
to the latest upstream version.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, I suppose.
Motivation for this change
Adds the Python package / application
sslyze
: SSLyze is a fast and powerful SSL/TLS scanning library.SSLyze relies on Nassl which uses OpenSSL 1.1. but also OpenSSL 1.0.2e. This legacy version of OpenSSL is—with good reason—marked as insecure in Nixpkgs. In this particular case, however, it is unwanted that OpenSSL 1.0.2e refuses to evaluate due to the known vulnerabilities attribute; SSLyze is a security scanner which leverages OpenSSL 1.0.2e on purpose. As a result, to install Nassl or SSLyze, one has to explicitly allow the evaluation of OpenSSL 1.0.2e globally. It would be great if we could allow evaluation just for the Nassl Python package. I'm not sure, however, if this is possible at all without duplicating the derivation of OpenSSL 1.0.2e.
Things done
sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after)