aws / s2n-tls

An implementation of the TLS/SSL protocols
https://aws.github.io/s2n-tls/usage-guide/
Apache License 2.0

ci: sslyze dependency issues #2358

Open dougch opened 3 years ago

dougch commented 3 years ago

Security issue notifications

If you discover a potential security issue in s2n we ask that you notify AWS Security via our vulnerability reporting page. Please do not create a public github issue.

Problem:

SSLyze relies on nassl. While trying to install sslyze<3.0.0, there are no aarch64 artifacts on Pypi for nassl.

Building nassl 2.2.0 from source fails with:

gcc -pthread -Wno-unused-result -Wsign-compare -DNDEBUG -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -moutline-atomics -D_GNU_SOURCE -fPIC -fwrapv -fPIC -DLEGACY_OPENSSL=1 -I/tmp/nassl-2.2.0/deps/openssl-OpenSSL_1_0_2e/include -Inassl/_nassl -I/usr/include/python3.7m -c nassl/_nassl/nassl_SSL.c -o build/temp.linux-aarch64-3.7/nassl/_nassl/nassl_SSL.o -Wall
nassl/_nassl/nassl_SSL.c: In function ‘nassl_SSL_get_available_compression_methods’:
nassl/_nassl/nassl_SSL.c:322:53: error: dereferencing pointer to incomplete type ‘SSL_COMP {aka const struct ssl_comp_st}’
         methodPyString = PyUnicode_FromString(method->name);
                                                     ^~
nassl/_nassl/nassl_SSL.c: In function ‘get_tmp_new_cipher’:
nassl/_nassl/nassl_SSL.c:461:39: error: dereferencing pointer to incomplete type ‘SSL {aka struct ssl_st}’
     if (self->ssl == NULL || self->ssl->s3 == NULL)
                                       ^~

Can we replace sslyze with something better?

Solution:

It should take less effort to upgrade sslyze than to build ancient nassl for ARM.

Requirements / Acceptance Criteria:

What must a solution address in order to solve the problem? How do we know the solution is complete?

Out of scope:

Is there anything the solution will intentionally NOT address?
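The two gcc errors above are the diagnostic for reading members (`method->name`, `self->ssl->s3`) of a struct that the included headers declare but never define. The following self-contained C file is an added illustration of that failure mode, not code from nassl, s2n-tls or OpenSSL: the struct layout, `sample_method` and `compression_name` are constructed for the example, and `SSL_COMP_get0_name` is modeled after the accessor OpenSSL 1.1.0+ provides rather than taken from the library. Compiling with `-DLEGACY_DIRECT_ACCESS` reproduces the incomplete-type error; the default build uses the accessor and compiles.

```c
#include <stddef.h>
#include <string.h>

/* "Public header" part: the type is declared but its layout is hidden,
 * which is how OpenSSL >= 1.1.0 exposes SSL_COMP and SSL. */
typedef struct ssl_comp_st SSL_COMP;
const char *SSL_COMP_get0_name(const SSL_COMP *comp); /* modeled accessor */

/* Consumer code, written against the header only. */
#ifdef LEGACY_DIRECT_ACCESS
/* The direct-access pattern from the build log: ssl_comp_st is still
 * incomplete here, so gcc stops with
 * "dereferencing pointer to incomplete type". */
const char *compression_name(const SSL_COMP *method)
{
    return method == NULL ? "" : method->name;
}
#else
/* Portable form: go through the accessor, which compiles whether or not
 * the struct layout is visible to this translation unit. */
const char *compression_name(const SSL_COMP *method)
{
    return method == NULL ? "" : SSL_COMP_get0_name(method);
}
#endif

/* "Library internals" part: the definition lives here only. The layout is
 * constructed for this example and is not OpenSSL's. */
struct ssl_comp_st {
    int id;
    const char *name;
};

const char *SSL_COMP_get0_name(const SSL_COMP *comp)
{
    return comp->name;
}

/* Constructed sample entry standing in for a compression method. */
static const struct ssl_comp_st zlib_method = { 1, "zlib" };

const SSL_COMP *sample_method(void)
{
    return &zlib_method;
}
```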

jmayclin commented 3 weeks ago

I think the first question to investigate is whether this build failure still occurs on a version of sslyze that isn't so old. One useful callout is that our versions of sslyze are starting to diverge. The linked script installs 2.x, but our tox.ini file uses 5.x.

https://github.com/aws/s2n-tls/blob/cf9129127887aca12a633afd389aef8ae18386c4/tests/integrationv2/tox.ini#L13