nabla-c0d3 / nassl

Experimental OpenSSL wrapper for Python 3.8+ and SSLyze.
GNU Affero General Public License v3.0

5.0.1 does not build with OpenSSL 3 #110

Closed ngie-eign closed 1 year ago

ngie-eign commented 1 year ago

This package uses a number of APIs that were deprecated in OpenSSL 3. It needs to be updated to work with OpenSSL 1.1 and 3.0 (the former will be EOL as of 09/2023), or the relevant "allow deprecated APIs" #define needs to be specified when compiling the C extension. Attached log (py39-nassl-5.0.1.log) obtained from: https://pkg.bofh.network/data/MAIN-default-openssl3/2023-05-02_02h56m25s/logs/errors/py39-nassl-5.0.1.log

nabla-c0d3 commented 1 year ago

Hello,

The commit at https://github.com/pfsense/FreeBSD-ports/commit/2c26d5e9c031c03b03e6f57a0ca785a25883827b mentions that nassl "fails to detect OpenSSL 3.0.0 shared library libcrypt.so".

This is actually by design: nassl links OpenSSL statically, because it requires very specific, outdated versions of the library, to provide the functionality needed by https://github.com/nabla-c0d3/sslyze .

ngie-eign commented 1 year ago

Hi.

> This is actually by design: nassl links OpenSSL statically, because it requires very specific, outdated versions of the library, to provide the functionality needed by https://github.com/nabla-c0d3/sslyze

Specifying OPENSSL_API_COMPAT=10100 in the sources or via CC should get the package to compile again, as I suggested in my original comment:

> or the relevant "allow deprecated APIs" #define needs to be specified when compiling the C extension.

nabla-c0d3 commented 1 year ago

Hello @ngie-eign,

I had a deeper look and the patch that's part of the py-nassl port at https://github.com/pfsense/FreeBSD-ports/blob/devel/security/py-nassl/files/patch-openssl#L158 is highly problematic. It modifies nassl's setup.py to use the system's OpenSSL; even though the whole thing might compile, it won't work the intended way and will break SSLyze's functionality at runtime in hidden ways.

The only supported way of building nassl is to use python -m invoke build.all.

I can see that the patch does look like a lot of work though, so I understand that it's too bad that it doesn't actually solve the initial problem ("correctly" building nassl on FreeBSD).

Would it be possible to remove the py-nassl package?
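A way for a packager to catch the failure mode described in the comment above (an extension that compiled but resolved OpenSSL from the system instead of embedding its own copy), added here as an example and not code from the thread, from nassl or from the FreeBSD port: it parses an `ldd` listing of a built extension module and reports whether any libssl/libcrypto shared object is required. The two listings are constructed, and the helper that shells out to `ldd` assumes a Linux or FreeBSD host.

```python
from __future__ import annotations

import re
import shutil
import subprocess
from pathlib import Path

# A libssl/libcrypto line in `ldd` output means the module resolves OpenSSL at
# load time from the system, which is exactly what the upstream build avoids.
_OPENSSL_SO = re.compile(r"^\s*(lib(?:ssl|crypto)\.so[\w.]*)\s*=>\s*(\S+)", re.MULTILINE)


def openssl_dynamic_deps(ldd_output: str) -> dict[str, str]:
    """Map each libssl/libcrypto SONAME in an ldd listing to the path it resolved to."""
    return {name: path for name, path in _OPENSSL_SO.findall(ldd_output)}


def classify_extension(ldd_output: str) -> str:
    """Return 'static' when no OpenSSL shared object is required, else name them."""
    deps = openssl_dynamic_deps(ldd_output)
    if not deps:
        return "static"
    return "dynamic: " + ", ".join(sorted(deps))


def ldd_listing(extension: Path) -> str:
    """Run the platform's ldd on a built extension module (assumes Linux/FreeBSD)."""
    ldd = shutil.which("ldd")
    if ldd is None:
        raise RuntimeError("ldd is not available on this platform")
    return subprocess.run([ldd, str(extension)], capture_output=True, text=True, check=True).stdout


# Constructed listings: the first mimics a build patched to use the system's
# OpenSSL 3, the second a build that embeds OpenSSL and needs only libc/libthr.
PATCHED_BUILD = """\
\tlibssl.so.3 => /usr/local/lib/libssl.so.3 (0x000000080130b000)
\tlibcrypto.so.3 => /usr/local/lib/libcrypto.so.3 (0x0000000801400000)
\tlibc.so.7 => /lib/libc.so.7 (0x0000000801a00000)
"""
UPSTREAM_BUILD = """\
\tlibthr.so.3 => /lib/libthr.so.3 (0x000000080130b000)
\tlibc.so.7 => /lib/libc.so.7 (0x0000000801400000)
"""

if __name__ == "__main__":
    for label, listing in (("patched", PATCHED_BUILD), ("upstream", UPSTREAM_BUILD)):
        print(f"{label}: {classify_extension(listing)}")
```

On a real host, pass the path of the built `_nassl` extension module to `ldd_listing` and feed the result to `classify_extension`; anything other than `static` is the configuration the maintainer says breaks SSLyze at runtime.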

ngie-eign commented 1 year ago

One of my FreeBSD colleagues reached back over Bugzilla and noted your reply. Thank you :). I agree that we should mark the port broken and remove it on versions of FreeBSD which don't ship with OpenSSL 1.x.