From 800684f4c534b69a541b6df3f07181709c228bc5 Mon Sep 17 00:00:00 2001 From: Sasha Romijn Date: Mon, 8 Sep 2025 15:27:22 +0200 Subject: [PATCH] Revert "Switch to latest pypi nassl/sslyze" This reverts commit 6423790757b3d43df8bc2a153c8d66db740aa3e9. --- .gitmodules | 4 ++-- docker/Dockerfile | 18 ++++++++++++++++++ documentation/images/dockerfiles.py | 4 ++++ requirements.in | 3 ++- requirements.txt | 15 +++++++-------- vendor/nassl6 | 2 +- 6 files changed, 34 insertions(+), 12 deletions(-) diff --git a/.gitmodules b/.gitmodules index 1564e6b7d..52c9bdfe7 100644 --- a/.gitmodules +++ b/.gitmodules @@ -3,5 +3,5 @@ url = https://github.com/internetstandards/unbound.git [submodule "vendor/nassl6"] path = vendor/nassl6 - url = https://github.com/mxsasha/nassl - branch = sigalg + url = https://github.com/nabla-c0d3/nassl + branch = release diff --git a/docker/Dockerfile b/docker/Dockerfile index a5abdfc3e..e11a0f786 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -52,6 +52,17 @@ RUN ./configure \ RUN make RUN make install +FROM build-deps AS build-nassl + +COPY vendor/nassl6 /src/vendor/nassl +WORKDIR /src/vendor/nassl + +RUN ln -s /usr/bin/python3 /usr/bin/python + +RUN pip3 install -r requirements-dev.txt +RUN invoke build.all +RUN python3 setup.py install + # intermediate stage with apt and python dependencies FROM build-deps AS build-app-deps @@ -60,6 +71,10 @@ COPY requirements.txt /src/ WORKDIR /src RUN pip3 install --system -r requirements.txt +# sslyze is installed from our own fork, and installed +# without deps to avoid it trying to install nassl, when +# we have our custom nassl +RUN pip3 install --no-deps sslyze # stage with app dependencies and lint/test depencencies FROM build-app-deps AS linttest-deps 
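Review bot: The new `build-nassl` stage in docker/Dockerfile has no comment, unlike the `# intermediate stage with apt and python dependencies` stage that follows it. I would add `# build nassl from the vendor/nassl6 submodule; only the resulting egg is copied into the final image` above its `FROM` line. The submodule is pinned by commit, but `pip3 install -r requirements-dev.txt` resolves whatever that file allows at build time. Anything `invoke build.all` fetches is not visible from this hunk, so it is worth confirming those inputs are pinned or checksummed upstream.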
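Review bot: `RUN pip3 install --no-deps sslyze` in the build-app-deps stage names no version, so each image build takes whichever sslyze release the configured index serves at that moment, and this same commit removes the `sslyze==6.1.0` pin from requirements.txt. The comment above it says sslyze comes from "our own fork", but the command names the bare package; unless pip in this image points at a private index (not visible here), that is the public PyPI release. Pin it, for example `RUN pip3 install --no-deps sslyze==PINNED_VERSION` (placeholder), ideally through a requirements file with hashes, and reword the comment to match what the command does. Because of `--no-deps`, the `tls-parser>=2,<3` and `pydantic>=2.2,<2.7` ranges added to requirements.in are maintained by hand and pip will not flag a mismatch with the sslyze that gets installed. The stage itself starts outside this hunk.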
@@ -146,6 +161,9 @@ RUN apt update && \ COPY --from=build-unbound /opt/unbound /opt/unbound COPY --from=build-unbound /usr/lib/python3/dist-packages/*unbound* /usr/lib/python3/dist-packages/ +# copy nassl Python module into image +COPY --from=build-nassl /usr/local/lib/python${PYTHON_VERSION}/dist-packages/nassl-*.egg /usr/local/lib/python${PYTHON_VERSION}/dist-packages/ + # copy application dependencies into image COPY --from=build-app-deps /usr/local/lib/python${PYTHON_VERSION}/dist-packages/ /usr/local/lib/python${PYTHON_VERSION}/dist-packages/ COPY --from=build-app-deps /usr/local/bin/* /usr/local/bin/ diff --git a/documentation/images/dockerfiles.py b/documentation/images/dockerfiles.py index 28568629f..4d4e664f7 100644 --- a/documentation/images/dockerfiles.py +++ b/documentation/images/dockerfiles.py @@ -82,6 +82,7 @@ with Cluster("Stages"): build_deps = Stage("build-deps") build_unbound = Stage("build-unbound") + build_nassl = Stage("build-nassl") build_app_deps = Stage("build-app-deps") build_linttest_deps = Stage("build-linttest-deps") build_app = Stage("build-app") @@ -96,6 +97,9 @@ build_deps >> build_unbound vendor_unbound >> build_unbound + build_deps >> build_nassl + vendor_openssl >> build_nassl + build_deps >> build_app_deps requirements >> build_app_deps diff --git a/requirements.in b/requirements.in index 332b73634..bf2468bf1 100644 --- a/requirements.in +++ b/requirements.in @@ -47,7 +47,8 @@ pyopenssl dnspython # sslyze dependencies, which is installed from outside this file -sslyze +tls-parser>=2,<3 +pydantic>=2.2,<2.7 # https://stackoverflow.com/questions/73933432/django-celery-cannot-import-name-celery-from-celery-after-rebuilding-dockerf importlib-metadata<5 diff --git a/requirements.txt b/requirements.txt index 2972aca0b..0a38617a2 100644 --- a/requirements.txt +++ b/requirements.txt 
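Review bot: Nothing after these COPY lines in docker/Dockerfile checks which nassl the final image actually imports. The custom build arrives as `nassl-*.egg`, and the whole `dist-packages/` tree from build-app-deps is copied into the same directory right afterwards, so a nassl pulled in there by a later dependency change would sit beside the egg unnoticed. A build-time smoke test after both copies, such as `RUN python3 -c "import nassl; print(nassl.__file__)"`, would fail the build if the module is not importable and would record in the log which copy is picked up. The stage these lines belong to starts and ends outside the hunk.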
@@ -20,6 +20,8 @@ asgiref==3.8.1 # django-browser-reload async-timeout==5.0.1 # via redis +attrs==25.3.0 + # via pytest beautifulsoup4==4.13.3 # via -r requirements.in billiard==4.2.1 @@ -65,7 +67,6 @@ cryptography==44.0.2 # -r requirements.in # pgpy-dtc # pyopenssl - # sslyze django==4.2.22 # via # -r requirements.in @@ -132,8 +133,6 @@ markdown==3.7 # via -r requirements.in markdown2==2.5.3 # via django-markdown-deux -nassl==5.3.0 - # via sslyze packaging==24.2 # via # forcediphttpsadapter @@ -156,7 +155,7 @@ pyasn1==0.6.1 pycparser==2.22 # via cffi pydantic==2.6.4 - # via sslyze + # via -r requirements.in pydantic-core==2.16.3 # via pydantic pyopenssl==25.0.0 @@ -217,8 +216,6 @@ soupsieve==2.6 # via beautifulsoup4 sqlparse==0.5.3 # via django -sslyze==6.1.0 - # via -r requirements.in statsd==4.0.0 # via # celery-statsd @@ -230,6 +227,10 @@ tinycss2==1.1.1 tls-parser==2.0.1 # via -r requirements.in # via sslyze +tinycss2==1.1.1 + # via bleach +toml==0.10.2 + # via pytest tomli==2.2.1 # via # pytest @@ -237,8 +238,6 @@ tomli==2.2.1 typing-extensions==4.12.2 # via # asgiref - # beautifulsoup4 - # exceptiongroup # kombu # pydantic # pydantic-core diff --git a/vendor/nassl6 b/vendor/nassl6 index 4a73fb59b..fd8467fe0 160000 --- a/vendor/nassl6 +++ b/vendor/nassl6 @@ -1 +1 @@ -Subproject commit 4a73fb59b2d8c1e789c664f73d0b8298dd73aec3 +Subproject commit fd8467fe0b4e08f80d7abaf7e39080bc8611c924