From d0d75df496c52de0d81797680ffa451cf98f08da Mon Sep 17 00:00:00 2001 From: Russell Cohen Date: Tue, 9 Jan 2024 18:15:41 -0500 Subject: [PATCH] Fix BadSSL by building everything from source (#3331) ## Motivation and Context The TLS test broke. Why? Because Bad SSL stopped working. Why did BadSSL stop working? Because it used an ancient version of ruby and it couldn't install packages anymore. So I: - Got it working on a newer version of ruby - But that only work on Ubuntu 22.04. - The version of nginx/openssl that you can install on 22.04 version actually serve these terrible certificates. So instead, we compile nginx and openssl from source. I also fixed things up so they won't fail silently in the future. ## Description Mostly just sadness. ## Testing The check passes again. ## Checklist - [ ] I have updated `CHANGELOG.next.toml` if I made changes to the smithy-rs codegen or runtime crates - [ ] I have updated `CHANGELOG.next.toml` if I made changes to the AWS SDK, generated SDK code, or SDK runtime crates ---- _By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice._ --- .../ci-scripts/configure-tls/configure-badssl | 23 ++--- .../configure-tls/new-badssl-dockerfile | 88 +++++++++++++++++++ 2 files changed, 101 insertions(+), 10 deletions(-) create mode 100644 tools/ci-scripts/configure-tls/new-badssl-dockerfile diff --git a/tools/ci-scripts/configure-tls/configure-badssl b/tools/ci-scripts/configure-tls/configure-badssl index f0b04951cb..05d2a9a412 100755 --- a/tools/ci-scripts/configure-tls/configure-badssl +++ b/tools/ci-scripts/configure-tls/configure-badssl 
@@ -6,20 +6,23 @@ set -euxo pipefail -perl -p -i -e 's/ruby2\.4/ruby2.6/' Dockerfile +DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" + + +cp "$DIR/new-badssl-dockerfile" Dockerfile grep -q 'start of badssl\.test hosts' /etc/hosts || make list-hosts | sudo tee -a /etc/hosts -# badssl fails to create dh480.pem on our Ubuntu host. -# Create it manually inside the docker container. -sed -i '/CMD /i \ -RUN echo "-----BEGIN DH PARAMETERS-----" >/var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem \ -RUN echo "MEICPQDZ/YFp3iEs3/k9iRGoC/5/To2+5pUF/C6GkO6VjXHHyRVy68I0rI0q7IAq" >>/var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem \ -RUN echo "VyyGQ7/5Q/Iu0QQnHT4X9uMCAQI=" >>/var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem \ -RUN echo "-----END DH PARAMETERS-----" >>/var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem \ -' Dockerfile + +# we manually create this in the dockerfile. Tell the makefile not to bother to generate it. sed -i '/ 480/c \\ttrue' certs/Makefile # badssl does not create an expired certificate; # it creates a certificate that expires after 1 day and waits for 1 day to run the "expired certificate" test. # This command patches this behavior to run the test immediately. # See: https://github.com/chromium/badssl.com/blob/df8d5a9d062f4b99fc19d8aacdea5333b399d624/certs/Makefile#L177 sed -i 's%./tool sign $@ $(D) 1 sha256 req_v3_usr $^%faketime -f "-2d" ./tool sign $@ $(D) 1 sha256 req_v3_usr $^%' certs/Makefile -screen -dmS badssl sudo make serve +# there is a command "make serve" We don't want to actually run that because we want to error out early on `docker build` +sudo make certs-test +sudo make docker-build + +# manually invoke the "serve" part of things +# if things are broken, try removing the screen session to see any failure logs. +screen -dmS badssl sudo docker run -t -p 80:80 -p 443:443 -p 1000-1024:1000-1024 badssl 
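Review bot: The new `docker run` line publishes the deliberately broken TLS endpoints on every interface of the CI host: `-p 80:80 -p 443:443 -p 1000-1024:1000-1024` binds to 0.0.0.0, while the test only needs to reach the container through the badssl.test names appended to /etc/hosts by `make list-hosts` (presumably loopback; verify). Binding to loopback keeps a server that is intentionally configured with SECLEVEL=0 and weak ciphers off the network: `screen -dmS badssl sudo docker run -t --name badssl -p 127.0.0.1:80:80 -p 127.0.0.1:443:443 -p 127.0.0.1:1000-1024:1000-1024 badssl`. The comment above it says `docker build` now fails early, but the run is still detached inside screen, so a container that exits immediately leaves the script at exit 0 under `set -e`; with the `--name`, a short `sleep` followed by `sudo docker inspect -f '{{.State.Running}}' badssl | grep -q true` would make that failure visible in CI.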
diff --git a/tools/ci-scripts/configure-tls/new-badssl-dockerfile b/tools/ci-scripts/configure-tls/new-badssl-dockerfile new file mode 100644 index 0000000000..369b3e894b --- /dev/null +++ b/tools/ci-scripts/configure-tls/new-badssl-dockerfile 
@@ -0,0 +1,88 @@ +# Why does this file exist? +# badssl seems to be abandoned. The orginal Dockerfile was based on ubuntu 16.04 and all the bits were rotting. +# I've updated the Dockerfilet l to ubuntu 22.04 which will hopefully let everything limp along a little longer. +FROM ubuntu:22.04 as nginx +# Install necessary packages for building NGINX +RUN apt-get update && apt-get install -y \ + build-essential \ + libpcre3 \ + libpcre3-dev \ + zlib1g \ + zlib1g-dev \ + wget + +# Define NGINX version (this is the old version from ubuntu 16.04 to match) +ARG NGINX_VERSION=1.14.2 +ARG OPEN_SSL_VERSION=1.0.2g + +RUN wget https://www.openssl.org/source/openssl-${OPEN_SSL_VERSION}.tar.gz \ + && tar -xzvf openssl-${OPEN_SSL_VERSION}.tar.gz + +# Download NGINX source code +RUN wget http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz \ + && tar -xzvf nginx-$NGINX_VERSION.tar.gz \ + && cd nginx-$NGINX_VERSION + + +# Configure NGINX before building it +RUN cd nginx-$NGINX_VERSION \ + && ./configure \ + --prefix=/usr/local/nginx \ + --with-http_ssl_module \ + --with-openssl=../openssl-${OPEN_SSL_VERSION} \ + --with-openssl-opt=enable-weak-ssl-ciphers \ + --with-stream \ + --with-threads \ + && make -j 6 \ + && make install -j 6 + +RUN /usr/local/nginx/sbin/nginx -V + +FROM ubuntu:22.04 + +EXPOSE 80 443 +RUN apt-get update && apt-get install -y apt-transport-https +RUN apt-get install -y software-properties-common +RUN apt-get update && apt-get install -y \ + build-essential \ + git \ + libffi-dev \ + make \ + ruby3.0 \ + ruby3.0-dev +#RUN gem update --system +RUN gem install jekyll + +COPY --from=nginx /usr/local/nginx /usr/local/nginx +ENV PATH="/usr/local/nginx/sbin:${PATH}" + +# Install badssl.com +ADD . badssl.com +WORKDIR badssl.com + +RUN sed -i 's/SECLEVEL=2/SECLEVEL=0/' /etc/ssl/openssl.cnf +RUN tail -n10 /etc/ssl/openssl.cnf + +RUN nginx -V +RUN mkdir /etc/nginx +# `make-in-docker` requires this file to exist. 
+RUN ln -s /usr/local/nginx/conf/nginx.conf /etc/nginx/nginx.conf
+
+# Update the nginx config to include the badssl configs.
+RUN head -n-1 /etc/nginx/nginx.conf > wip.conf
+RUN echo "# Virtual Host Configs\ninclude /var/www/badssl/_site/nginx.conf;\n}" >> wip.conf
+RUN mv wip.conf /usr/local/nginx/conf/nginx.conf
+RUN make inside-docker
+
+# Allow unsecure certs
+RUN sed -i 's/SECLEVEL=2/SECLEVEL=0/' /etc/ssl/openssl.cnf
+
+# Fix DH key that can't be generated...works in docker bug not on github. Who knows.
+RUN echo "-----BEGIN DH PARAMETERS-----" > /var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem
+RUN echo "MEICPQDZ/YFp3iEs3/k9iRGoC/5/To2+5pUF/C6GkO6VjXHHyRVy68I0rI0q7IAq" >> /var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem
+RUN echo "VyyGQ7/5Q/Iu0QQnHT4X9uMCAQI=" >> /var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem
+RUN echo "-----END DH PARAMETERS-----" >> /var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem
+
+RUN nginx -t
+# Start things up!
+CMD nginx && tail -f /usr/local/nginx/logs/access.log /usr/local/nginx/logs/error.log
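Review bot: The two source tarballs in the `nginx` build stage are fetched and compiled without any integrity check: `wget https://www.openssl.org/source/openssl-${OPEN_SSL_VERSION}.tar.gz` and `wget http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz` (the latter over plain HTTP) go straight into `tar` and `./configure`, so a swapped or tampered archive would silently become the nginx binary every TLS test in CI talks to. Pinning the upstream sha256 of each archive and verifying it before extraction makes the build fail closed, and nginx.org serves the same path over HTTPS; note also that old OpenSSL releases are typically published under a `source/old/1.0.2/` path, so the current URL may stop resolving (hedged — confirm against openssl.org). Smaller points in the same hunk: `ADD . badssl.com` should be `COPY . badssl.com` (no URL or archive semantics are needed), the `&& cd nginx-$NGINX_VERSION` at the end of the download `RUN` has no effect on later instructions, and the `SECLEVEL=2`→`SECLEVEL=0` sed on /etc/ssl/openssl.cnf is run twice, so the second copy after `make inside-docker` is a no-op and can be dropped. The digests below are placeholders to be filled in from the upstream release checksums, not values I can supply from this diff.
```dockerfile
ARG NGINX_VERSION=1.14.2
ARG OPEN_SSL_VERSION=1.0.2g
# Expected sha256 of each release archive; take them from the upstream release checksums.
ARG OPENSSL_SHA256=<sha256 of openssl-1.0.2g.tar.gz>
ARG NGINX_SHA256=<sha256 of nginx-1.14.2.tar.gz>

# Fail the build if the download does not match the pinned digest.
RUN wget https://www.openssl.org/source/openssl-${OPEN_SSL_VERSION}.tar.gz \
    && echo "${OPENSSL_SHA256}  openssl-${OPEN_SSL_VERSION}.tar.gz" | sha256sum -c - \
    && tar -xzvf openssl-${OPEN_SSL_VERSION}.tar.gz

RUN wget https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz \
    && echo "${NGINX_SHA256}  nginx-${NGINX_VERSION}.tar.gz" | sha256sum -c - \
    && tar -xzvf nginx-${NGINX_VERSION}.tar.gz
# … unchanged: configure/build of nginx, second stage …
```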