Update to sslyze patch 6, apply session reneg setting

internetstandards · Sep 3, 2024 · 1246bc9 · 1246bc9
1 parent e25df36
commit 1246bc9
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 10 deletions.
diff --git a/checks/tasks/tls/scans.py b/checks/tasks/tls/scans.py
@@ -28,7 +28,9 @@
     CipherSuite,
     ServerTlsProbingResult,
     ClientAuthRequirementEnum,
+    SessionRenegotiationExtraArgument,
 )
+
 from sslyze.errors import ServerRejectedTlsHandshake, TlsHandshakeTimedOut, ConnectionToServerFailed
 from sslyze.plugins.certificate_info._certificate_utils import (
     parse_subject_alternative_name_extension,
@@ -92,6 +94,11 @@
     supports_ecdh_key_exchange=True,
 )
 
+SSLYZE_SCAN_COMMANDS_EXTRA_ARGUMENTS = ScanCommandsExtraArguments(
+    certificate_info=CertificateInfoExtraArgument(custom_ca_file=Path(settings.CA_CERTIFICATES)),
+    session_renegotiation=SessionRenegotiationExtraArgument(client_renegotiation_attempts=1),
+)
+
 with open(settings.CA_FINGERPRINTS) as f:
     root_fingerprints = f.read().splitlines()
 
@@ -288,9 +295,7 @@ def cert_checks(hostname, mode, task, af_ip_pair=None, dane_cb_data=None, *args,
                 tls_server_name_indication=hostname_no_trailing_dot, http_user_agent=settings.USER_AGENT
             ),
             scan_commands={ScanCommand.CERTIFICATE_INFO},
-            scan_commands_extra_arguments=ScanCommandsExtraArguments(
-                certificate_info=CertificateInfoExtraArgument(custom_ca_file=Path(settings.CA_CERTIFICATES))
-            ),
+            scan_commands_extra_arguments=SSLYZE_SCAN_COMMANDS_EXTRA_ARGUMENTS,
         )
     elif mode == ChecksMode.MAIL:
         port = 25
@@ -302,9 +307,7 @@ def cert_checks(hostname, mode, task, af_ip_pair=None, dane_cb_data=None, *args,
                 smtp_ehlo_hostname=settings.SMTP_EHLO_DOMAIN,
             ),
             scan_commands={ScanCommand.CERTIFICATE_INFO},
-            scan_commands_extra_arguments=ScanCommandsExtraArguments(
-                certificate_info=CertificateInfoExtraArgument(custom_ca_file=Path(settings.CA_CERTIFICATES))
-            ),
+            scan_commands_extra_arguments=SSLYZE_SCAN_COMMANDS_EXTRA_ARGUMENTS,
         )
     else:
         raise ValueError
@@ -640,9 +643,7 @@ def check_web_tls(url, af_ip_pair=None, *args, **kwargs):
         server_location=server_location,
         network_configuration=network_configuration,
         scan_commands=scan_commands,
-        scan_commands_extra_arguments=ScanCommandsExtraArguments(
-            certificate_info=CertificateInfoExtraArgument(custom_ca_file=Path(settings.CA_CERTIFICATES))
-        ),
+        scan_commands_extra_arguments=SSLYZE_SCAN_COMMANDS_EXTRA_ARGUMENTS,
     )
     all_suites, result, error = next(run_sslyze([scan], connection_limit=25))
     if error:

diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -67,7 +67,7 @@ COPY requirements.txt /src/requirements.txt
 WORKDIR /src
 
 RUN pip3 install -r requirements.txt
-RUN pip3 install --no-deps https://github.com/mxsasha/sslyze/archive/refs/tags/6.0.0+internetnl5.tar.gz
+RUN pip3 install --no-deps https://github.com/mxsasha/sslyze/archive/refs/tags/6.0.0+internetnl6.tar.gz
 
 # stage with app dependencies and lint/test depencencies
 FROM --platform=linux/amd64 build-app-deps as linttest-deps