Fix BadSSL by building everything from source (#3331)

## Motivation and Context
The TLS test broke. Why? Because Bad SSL stopped working.

Why did BadSSL stop working? Because it used an ancient version of ruby
and it couldn't install packages anymore.

So I:
- Got it working on a newer version of ruby
- But that only works on Ubuntu 22.04.
- The versions of nginx/openssl that you can install on 22.04
actually serve these terrible certificates.

So instead, we compile nginx and openssl from source.

I also fixed things up so they won't fail silently in the future.

## Description
Mostly just sadness.

## Testing
The check passes again.

## Checklist
- [ ] I have updated `CHANGELOG.next.toml` if I made changes to the
smithy-rs codegen or runtime crates
- [ ] I have updated `CHANGELOG.next.toml` if I made changes to the AWS
SDK, generated SDK code, or SDK runtime crates

----

_By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice._
Russell Cohen 2024-01-09 18:15:41 -05:00 committed by GitHub
parent 30205973b9
commit d0d75df496
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 101 additions and 10 deletions


@ -6,20 +6,23 @@
set -euxo pipefail
perl -p -i -e 's/ruby2\.4/ruby2.6/' Dockerfile
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
cp "$DIR/new-badssl-dockerfile" Dockerfile
grep -q 'start of badssl\.test hosts' /etc/hosts || make list-hosts | sudo tee -a /etc/hosts
# badssl fails to create dh480.pem on our Ubuntu host.
# Create it manually inside the docker container.
sed -i '/CMD /i \
RUN echo "-----BEGIN DH PARAMETERS-----" >/var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem \
RUN echo "MEICPQDZ/YFp3iEs3/k9iRGoC/5/To2+5pUF/C6GkO6VjXHHyRVy68I0rI0q7IAq" >>/var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem \
RUN echo "VyyGQ7/5Q/Iu0QQnHT4X9uMCAQI=" >>/var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem \
RUN echo "-----END DH PARAMETERS-----" >>/var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem \
' Dockerfile
# we manually create this in the dockerfile. Tell the makefile not to bother to generate it.
sed -i '/ 480/c \\ttrue' certs/Makefile
# badssl does not create an expired certificate;
# it creates a certificate that expires after 1 day and waits for 1 day to run the "expired certificate" test.
# This command patches this behavior to run the test immediately.
# See: https://github.com/chromium/badssl.com/blob/df8d5a9d062f4b99fc19d8aacdea5333b399d624/certs/Makefile#L177
sed -i 's%./tool sign $@ $(D) 1 sha256 req_v3_usr $^%faketime -f "-2d" ./tool sign $@ $(D) 1 sha256 req_v3_usr $^%' certs/Makefile
screen -dmS badssl sudo make serve
# there is a command "make serve" We don't want to actually run that because we want to error out early on `docker build`
sudo make certs-test
sudo make docker-build
# manually invoke the "serve" part of things
# if things are broken, try removing the screen session to see any failure logs.
screen -dmS badssl sudo docker run -t -p 80:80 -p 443:443 -p 1000-1024:1000-1024 badssl
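Review bot: the `dh480.pem` workaround now exists in two places: this script `sed`s four `RUN echo` lines into the Dockerfile ahead of `CMD`, while the new Dockerfile copied in by `cp "$DIR/new-badssl-dockerfile" Dockerfile` already writes the same `/var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem` itself, so the `sed -i '/CMD /i ...'` block is redundant and should be dropped so only one copy of the PEM blob has to be maintained (a comment saying the 480-bit parameter is deliberately weak test data would also help the next reader). Two smaller points: `sed -i '/ 480/c \\ttrue' certs/Makefile` relies on GNU sed turning `\t` into the literal tab that Make requires for a recipe line, which is non-obvious and worth a one-line comment; and if `screen -dmS badssl sudo make serve` is kept alongside the later `screen -dmS badssl sudo docker run -t -p 80:80 -p 443:443 ... badssl`, the two sessions will compete for ports 80/443 and the comment about "error out early on `docker build`" no longer holds, so confirm the first line is the one being removed.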


@ -0,0 +1,88 @@
# Why does this file exist?
# badssl seems to be abandoned. The orginal Dockerfile was based on ubuntu 16.04 and all the bits were rotting.
# I've updated the Dockerfilet l to ubuntu 22.04 which will hopefully let everything limp along a little longer.
FROM ubuntu:22.04 as nginx
# Install necessary packages for building NGINX
RUN apt-get update && apt-get install -y \
build-essential \
libpcre3 \
libpcre3-dev \
zlib1g \
zlib1g-dev \
wget
# Define NGINX version (this is the old version from ubuntu 16.04 to match)
ARG NGINX_VERSION=1.14.2
ARG OPEN_SSL_VERSION=1.0.2g
RUN wget https://www.openssl.org/source/openssl-${OPEN_SSL_VERSION}.tar.gz \
&& tar -xzvf openssl-${OPEN_SSL_VERSION}.tar.gz
# Download NGINX source code
RUN wget http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz \
&& tar -xzvf nginx-$NGINX_VERSION.tar.gz \
&& cd nginx-$NGINX_VERSION
# Configure NGINX before building it
RUN cd nginx-$NGINX_VERSION \
&& ./configure \
--prefix=/usr/local/nginx \
--with-http_ssl_module \
--with-openssl=../openssl-${OPEN_SSL_VERSION} \
--with-openssl-opt=enable-weak-ssl-ciphers \
--with-stream \
--with-threads \
&& make -j 6 \
&& make install -j 6
RUN /usr/local/nginx/sbin/nginx -V
FROM ubuntu:22.04
EXPOSE 80 443
RUN apt-get update && apt-get install -y apt-transport-https
RUN apt-get install -y software-properties-common
RUN apt-get update && apt-get install -y \
build-essential \
git \
libffi-dev \
make \
ruby3.0 \
ruby3.0-dev
#RUN gem update --system
RUN gem install jekyll
COPY --from=nginx /usr/local/nginx /usr/local/nginx
ENV PATH="/usr/local/nginx/sbin:${PATH}"
# Install badssl.com
ADD . badssl.com
WORKDIR badssl.com
RUN sed -i 's/SECLEVEL=2/SECLEVEL=0/' /etc/ssl/openssl.cnf
RUN tail -n10 /etc/ssl/openssl.cnf
RUN nginx -V
RUN mkdir /etc/nginx
# `make-in-docker` requires this file to exist.
RUN ln -s /usr/local/nginx/conf/nginx.conf /etc/nginx/nginx.conf
# Update the nginx config to include the badssl configs.
RUN head -n-1 /etc/nginx/nginx.conf > wip.conf
RUN echo "# Virtual Host Configs\ninclude /var/www/badssl/_site/nginx.conf;\n}" >> wip.conf
RUN mv wip.conf /usr/local/nginx/conf/nginx.conf
RUN make inside-docker
# Allow unsecure certs
RUN sed -i 's/SECLEVEL=2/SECLEVEL=0/' /etc/ssl/openssl.cnf
# Fix DH key that can't be generated...works in docker bug not on github. Who knows.
RUN echo "-----BEGIN DH PARAMETERS-----" > /var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem
RUN echo "MEICPQDZ/YFp3iEs3/k9iRGoC/5/To2+5pUF/C6GkO6VjXHHyRVy68I0rI0q7IAq" >> /var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem
RUN echo "VyyGQ7/5Q/Iu0QQnHT4X9uMCAQI=" >> /var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem
RUN echo "-----END DH PARAMETERS-----" >> /var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem
RUN nginx -t
# Start things up!
CMD nginx && tail -f /usr/local/nginx/logs/access.log /usr/local/nginx/logs/error.log
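Review bot: the build fetches `openssl-${OPEN_SSL_VERSION}.tar.gz` and `nginx-$NGINX_VERSION.tar.gz` with plain `wget` and no integrity check, and the nginx download is over `http://`; pinning a known SHA-256 for each tarball before extracting (for example `echo "<expected sha256 placeholder>  openssl-${OPEN_SSL_VERSION}.tar.gz" | sha256sum -c`) keeps this CI image from silently picking up a replaced archive, which matters more than usual here because OpenSSL 1.0.2g is long past end of life and is intentionally built with `enable-weak-ssl-ciphers` and run at `SECLEVEL=0` so the badssl targets can serve their broken certificates. Smaller points: `sed -i 's/SECLEVEL=2/SECLEVEL=0/' /etc/ssl/openssl.cnf` appears twice, so the second copy under `# Allow unsecure certs` is a no-op; the trailing `&& cd nginx-$NGINX_VERSION` in the download `RUN` has no effect on later `RUN` steps; `ADD . badssl.com` should be `COPY` since no archive extraction or URL fetch is wanted; `RUN tail -n10 /etc/ssl/openssl.cnf` and the two `nginx -V` steps are debug output that can go; and the header comment has typos (`orginal`, `Dockerfilet l`).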