OpenSSL v3 experiments

.gitmodules

@@ -3,5 +3,5 @@
 	url = https://github.com/internetstandards/unbound.git
 [submodule "vendor/nassl6"]
 	path = vendor/nassl6
-	url = https://github.com/mxsasha/nassl
-	branch = sigalg
+	url = https://github.com/nabla-c0d3/nassl
+	branch = release

docker/Dockerfile

@@ -52,6 +52,17 @@ RUN ./configure \
 RUN make
 RUN make install
 
+FROM build-deps AS build-nassl
+
+COPY vendor/nassl6 /src/vendor/nassl
+WORKDIR /src/vendor/nassl
+
+RUN ln -s /usr/bin/python3 /usr/bin/python
+
+RUN pip3 install -r requirements-dev.txt
+RUN invoke build.all
+RUN python3 setup.py install
+
 # intermediate stage with apt and python dependencies
 FROM build-deps AS build-app-deps
 
@@ -60,6 +71,10 @@ COPY requirements.txt /src/
 WORKDIR /src
 
 RUN pip3 install --system -r requirements.txt
+# sslyze is installed from our own fork, and installed
+# without deps to avoid it trying to install nassl, when
+# we have our custom nassl
+RUN pip3 install --no-deps sslyze
 
 # stage with app dependencies and lint/test depencencies
 FROM build-app-deps AS linttest-deps
@@ -146,6 +161,9 @@ RUN apt update && \
 COPY --from=build-unbound /opt/unbound /opt/unbound
 COPY --from=build-unbound /usr/lib/python3/dist-packages/*unbound* /usr/lib/python3/dist-packages/
 
+# copy nassl Python module into image
+COPY --from=build-nassl /usr/local/lib/python${PYTHON_VERSION}/dist-packages/nassl-*.egg /usr/local/lib/python${PYTHON_VERSION}/dist-packages/
+
 # copy application dependencies into image
 COPY --from=build-app-deps /usr/local/lib/python${PYTHON_VERSION}/dist-packages/ /usr/local/lib/python${PYTHON_VERSION}/dist-packages/
 COPY --from=build-app-deps /usr/local/bin/* /usr/local/bin/

documentation/images/dockerfiles.py

@@ -82,6 +82,7 @@
         with Cluster("Stages"):
             build_deps = Stage("build-deps")
             build_unbound = Stage("build-unbound")
+            build_nassl = Stage("build-nassl")
             build_app_deps = Stage("build-app-deps")
             build_linttest_deps = Stage("build-linttest-deps")
             build_app = Stage("build-app")
@@ -96,6 +97,9 @@
         build_deps >> build_unbound
         vendor_unbound >> build_unbound
 
+        build_deps >> build_nassl
+        vendor_openssl >> build_nassl
+
         build_deps >> build_app_deps
         requirements >> build_app_deps
 

requirements.in

@@ -47,7 +47,8 @@ pyopenssl
 dnspython
 
 # sslyze dependencies, which is installed from outside this file
-sslyze
+tls-parser>=2,<3
+pydantic>=2.2,<2.7
 
 # https://stackoverflow.com/questions/73933432/django-celery-cannot-import-name-celery-from-celery-after-rebuilding-dockerf
 importlib-metadata<5

requirements.txt

@@ -20,6 +20,8 @@ asgiref==3.8.1
     #   django-browser-reload
 async-timeout==5.0.1
     # via redis
+attrs==25.3.0
+    # via pytest
 beautifulsoup4==4.13.3
     # via -r requirements.in
 billiard==4.2.1
@@ -65,7 +67,6 @@ cryptography==44.0.2
     #   -r requirements.in
     #   pgpy-dtc
     #   pyopenssl
-    #   sslyze
 django==4.2.22
     # via
     #   -r requirements.in
@@ -132,8 +133,6 @@ markdown==3.7
     # via -r requirements.in
 markdown2==2.5.3
     # via django-markdown-deux
-nassl==5.3.0
-    # via sslyze
 packaging==24.2
     # via
     #   forcediphttpsadapter
@@ -156,7 +155,7 @@ pyasn1==0.6.1
 pycparser==2.22
     # via cffi
 pydantic==2.6.4
-    # via sslyze
+    # via -r requirements.in
 pydantic-core==2.16.3
     # via pydantic
 pyopenssl==25.0.0
@@ -217,8 +216,6 @@ soupsieve==2.6
     # via beautifulsoup4
 sqlparse==0.5.3
     # via django
-sslyze==6.1.0
-    # via -r requirements.in
 statsd==4.0.0
     # via
     #   celery-statsd
@@ -230,15 +227,17 @@ tinycss2==1.1.1
 tls-parser==2.0.1
     # via -r requirements.in
     # via sslyze
+tinycss2==1.1.1
+    # via bleach
+toml==0.10.2
+    # via pytest
 tomli==2.2.1
     # via
     #   pytest
     #   setuptools-scm
 typing-extensions==4.12.2
     # via
     #   asgiref
-    #   beautifulsoup4
-    #   exceptiongroup
     #   kombu
     #   pydantic
     #   pydantic-core