Switch to latest pypi nassl/sslyze

Author: mxsasha

checks/tasks/tls/scans.py

@@ -15,7 +15,6 @@
 from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePublicKey
 from cryptography.x509 import Certificate
 from django.conf import settings
-from dns.exception import ValidationFailure
 from dns.name import EmptyLabel
 from dns.resolver import NXDOMAIN, NoAnswer, NoNameservers, LifetimeTimeout
 from nassl._nassl import OpenSSLError
@@ -145,13 +144,13 @@ def dane(
     dane_data = None
     dnssec_status = None
     try:
-        rrset, dnssec_status = dns_resolve_tlsa(dane_qname, allow_bogus=False)
+        rrset, dnssec_status = dns_resolve_tlsa(dane_qname)
         dane_data = [(rr.usage, rr.selector, rr.mtype, binascii.hexlify(rr.cert).decode("ascii")) for rr in rrset]
+        if dnssec_status == DNSSECStatus.BOGUS:
+            status = DaneStatus.none_bogus
+            score = score_none_bogus
     except (NXDOMAIN, NoAnswer, NoNameservers, LifetimeTimeout, EmptyLabel):
         pass
-    except ValidationFailure:
-        status = DaneStatus.none_bogus
-        score = score_none_bogus
 
     if not dane_data or dnssec_status != DNSSECStatus.SECURE:
         return dict(
@@ -860,7 +859,7 @@ def test_key_exchange_hash(
     There are few or no hosts that do not meet this requirement.
     """
     ssl_connection = server_connectivity_info.get_preconfigured_tls_connection(should_use_legacy_openssl=False)
-    ssl_connection.ssl_client.set_sigalgs(SIGNATURE_ALGORITHMS_SHA2)
+    ssl_connection.ssl_client.set_signature_algorithms(SIGNATURE_ALGORITHMS_SHA2)
 
     try:
         ssl_connection.connect()

docker/Dockerfile

@@ -53,17 +53,6 @@ RUN ./configure \
 RUN make
 RUN make install
 
-FROM build-deps AS build-nassl
-
-COPY vendor/nassl6 /src/vendor/nassl
-WORKDIR /src/vendor/nassl
-
-RUN ln -s /usr/bin/python3 /usr/bin/python
-
-RUN pip3 install -r requirements-dev.txt
-RUN invoke build.all
-RUN python3 setup.py install
-
 # intermediate stage with apt and python dependencies
 FROM build-deps AS build-app-deps
 
@@ -74,10 +63,6 @@ WORKDIR /src
 ENV UV_LINK_MODE=copy
 RUN --mount=type=cache,target=/root/.cache/uv \
     uv pip install --system -r requirements.txt
-# sslyze is installed from our own fork, and installed
-# without deps to avoid it trying to install nassl, when
-# we have our custom nassl
-RUN pip3 install --no-deps https://github.com/mxsasha/sslyze/archive/refs/tags/6.0.0+internetnl6.tar.gz
 
 # stage with app dependencies and lint/test depencencies
 FROM build-app-deps AS linttest-deps
@@ -166,9 +151,6 @@ RUN apt update && \
 COPY --from=build-unbound /opt/unbound /opt/unbound
 COPY --from=build-unbound /usr/lib/python3/dist-packages/*unbound* /usr/lib/python3/dist-packages/
 
-# copy nassl Python module into image
-COPY --from=build-nassl /usr/local/lib/python${PYTHON_VERSION}/dist-packages/nassl-*.egg /usr/local/lib/python${PYTHON_VERSION}/dist-packages/
-
 # copy application dependencies into image
 COPY --from=build-app-deps /usr/local/lib/python${PYTHON_VERSION}/dist-packages/ /usr/local/lib/python${PYTHON_VERSION}/dist-packages/
 COPY --from=build-app-deps /usr/local/bin/* /usr/local/bin/

documentation/images/dockerfiles.py

@@ -82,7 +82,6 @@
         with Cluster("Stages"):
             build_deps = Stage("build-deps")
             build_unbound = Stage("build-unbound")
-            build_nassl = Stage("build-nassl")
             build_app_deps = Stage("build-app-deps")
             build_linttest_deps = Stage("build-linttest-deps")
             build_app = Stage("build-app")
@@ -97,9 +96,6 @@
         build_deps >> build_unbound
         vendor_unbound >> build_unbound
 
-        build_deps >> build_nassl
-        vendor_openssl >> build_nassl
-
         build_deps >> build_app_deps
         requirements >> build_app_deps
 

requirements.in

@@ -47,8 +47,7 @@ pyopenssl
 dnspython
 
 # sslyze dependencies, which is installed from outside this file
-tls-parser>=2,<3
-pydantic>=2.2,<2.7
+sslyze
 
 # https://stackoverflow.com/questions/73933432/django-celery-cannot-import-name-celery-from-celery-after-rebuilding-dockerf
 importlib-metadata<5

requirements.txt

@@ -20,8 +20,6 @@ asgiref==3.8.1
     #   django-browser-reload
 async-timeout==5.0.1
     # via redis
-attrs==25.3.0
-    # via pytest
 beautifulsoup4==4.13.3
     # via -r requirements.in
 billiard==4.2.1
@@ -65,6 +63,7 @@ cryptography==44.0.2
     #   -r requirements.in
     #   pgpy-dtc
     #   pyopenssl
+    #   sslyze
 django==4.2.24
     # via
     #   -r requirements.in
@@ -131,6 +130,8 @@ markdown==3.7
     # via -r requirements.in
 markdown2==2.5.3
     # via django-markdown-deux
+nassl==5.3.0
+    # via sslyze
 packaging==24.2
     # via
     #   forcediphttpsadapter
@@ -153,7 +154,7 @@ pyasn1==0.6.1
 pycparser==2.22
     # via cffi
 pydantic==2.6.4
-    # via -r requirements.in
+    # via sslyze
 pydantic-core==2.16.3
     # via pydantic
 pyopenssl==25.0.0
@@ -214,6 +215,8 @@ soupsieve==2.6
     # via beautifulsoup4
 sqlparse==0.5.3
     # via django
+sslyze==6.1.0
+    # via -r requirements.in
 statsd==4.0.0
     # via
     #   celery-statsd
@@ -223,19 +226,16 @@ statshog==1.0.6
 tinycss2==1.1.1
     # via bleach
 tls-parser==2.0.1
-    # via -r requirements.in
     # via sslyze
-tinycss2==1.1.1
-    # via bleach
-toml==0.10.2
-    # via pytest
 tomli==2.2.1
     # via
     #   pytest
     #   setuptools-scm
 typing-extensions==4.12.2
     # via
     #   asgiref
+    #   beautifulsoup4
+    #   exceptiongroup
     #   kombu
     #   pydantic
     #   pydantic-core