Switch to latest pypi nassl/sslyze

mxsasha · mxsasha · commit b05f52c2ad6f · 2025-07-24T12:18:18.000+02:00
diff --git a/checks/tasks/tls/scans.py b/checks/tasks/tls/scans.py
@@ -860,7 +860,7 @@ def test_key_exchange_hash(
     There are few or no hosts that do not meet this requirement.
     """
     ssl_connection = server_connectivity_info.get_preconfigured_tls_connection(should_use_legacy_openssl=False)
-    ssl_connection.ssl_client.set_sigalgs(SIGNATURE_ALGORITHMS_SHA2)
+    ssl_connection.ssl_client.set_signature_algorithms(SIGNATURE_ALGORITHMS_SHA2)
 
     try:
         ssl_connection.connect()
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -52,17 +52,6 @@ RUN ./configure \
 RUN make
 RUN make install
 
-FROM build-deps AS build-nassl
-
-COPY vendor/nassl6 /src/vendor/nassl
-WORKDIR /src/vendor/nassl
-
-RUN ln -s /usr/bin/python3 /usr/bin/python
-
-RUN pip3 install -r requirements-dev.txt
-RUN invoke build.all
-RUN python3 setup.py install
-
 # intermediate stage with apt and python dependencies
 FROM build-deps AS build-app-deps
 
@@ -71,10 +60,6 @@ COPY requirements.txt /src/
 WORKDIR /src
 
 RUN pip3 install --system -r requirements.txt
-# sslyze is installed from our own fork, and installed
-# without deps to avoid it trying to install nassl, when
-# we have our custom nassl
-RUN pip3 install --no-deps https://github.com/mxsasha/sslyze/archive/refs/tags/6.0.0+internetnl6.tar.gz
 
 # stage with app dependencies and lint/test depencencies
 FROM build-app-deps AS linttest-deps
@@ -161,9 +146,6 @@ RUN apt update && \
 COPY --from=build-unbound /opt/unbound /opt/unbound
 COPY --from=build-unbound /usr/lib/python3/dist-packages/*unbound* /usr/lib/python3/dist-packages/
 
-# copy nassl Python module into image
-COPY --from=build-nassl /usr/local/lib/python${PYTHON_VERSION}/dist-packages/nassl-*.egg /usr/local/lib/python${PYTHON_VERSION}/dist-packages/
-
 # copy application dependencies into image
 COPY --from=build-app-deps /usr/local/lib/python${PYTHON_VERSION}/dist-packages/ /usr/local/lib/python${PYTHON_VERSION}/dist-packages/
 COPY --from=build-app-deps /usr/local/bin/* /usr/local/bin/
diff --git a/documentation/images/dockerfiles.py b/documentation/images/dockerfiles.py
@@ -82,7 +82,6 @@
         with Cluster("Stages"):
             build_deps = Stage("build-deps")
             build_unbound = Stage("build-unbound")
-            build_nassl = Stage("build-nassl")
             build_app_deps = Stage("build-app-deps")
             build_linttest_deps = Stage("build-linttest-deps")
             build_app = Stage("build-app")
@@ -97,9 +96,6 @@
         build_deps >> build_unbound
         vendor_unbound >> build_unbound
 
-        build_deps >> build_nassl
-        vendor_openssl >> build_nassl
-
         build_deps >> build_app_deps
         requirements >> build_app_deps
 
diff --git a/requirements.in b/requirements.in
@@ -47,8 +47,7 @@ pyopenssl
 dnspython
 
 # sslyze dependencies, which is installed from outside this file
-tls-parser>=2,<3
-pydantic>=2.2,<2.7
+sslyze
 
 # https://stackoverflow.com/questions/73933432/django-celery-cannot-import-name-celery-from-celery-after-rebuilding-dockerf
 importlib-metadata<5
diff --git a/requirements.txt b/requirements.txt
@@ -20,8 +20,6 @@ asgiref==3.8.1
     #   django-browser-reload
 async-timeout==5.0.1
     # via redis
-attrs==25.3.0
-    # via pytest
 beautifulsoup4==4.13.3
     # via -r requirements.in
 billiard==4.2.1
@@ -65,6 +63,7 @@ cryptography==44.0.2
     #   -r requirements.in
     #   pgpy-dtc
     #   pyopenssl
+    #   sslyze
 django==4.2.22
     # via
     #   -r requirements.in
@@ -131,6 +130,8 @@ markdown==3.7
     # via -r requirements.in
 markdown2==2.5.3
     # via django-markdown-deux
+nassl==5.3.0
+    # via sslyze
 packaging==24.2
     # via
     #   forcediphttpsadapter
@@ -153,7 +154,7 @@ pyasn1==0.6.1
 pycparser==2.22
     # via cffi
 pydantic==2.6.4
-    # via -r requirements.in
+    # via sslyze
 pydantic-core==2.16.3
     # via pydantic
 pyopenssl==25.0.0
@@ -214,6 +215,8 @@ soupsieve==2.6
     # via beautifulsoup4
 sqlparse==0.5.3
     # via django
+sslyze==6.1.0
+    # via -r requirements.in
 statsd==4.0.0
     # via
     #   celery-statsd
@@ -223,19 +226,16 @@ statshog==1.0.6
 tinycss2==1.1.1
     # via bleach
 tls-parser==2.0.1
-    # via -r requirements.in
     # via sslyze
-tinycss2==1.1.1
-    # via bleach
-toml==0.10.2
-    # via pytest
 tomli==2.2.1
     # via
     #   pytest
     #   setuptools-scm
 typing-extensions==4.12.2
     # via
     #   asgiref
+    #   beautifulsoup4
+    #   exceptiongroup
     #   kombu
     #   pydantic
     #   pydantic-core
