Fix BadSSL by building everything from source (#3331)

## Motivation and Context The TLS test broke. Why? Because Bad SSL stopped working. Why did BadSSL stop working? Because it used an ancient version of ruby and it couldn't install packages anymore. So I: - Got it working on a newer version of ruby - But that only work on Ubuntu 22.04. - The version of nginx/openssl that you can install on 22.04 version actually serve these terrible certificates. So instead, we compile nginx and openssl from source. I also fixed things up so they won't fail silently in the future.   ## Description Mostly just sadness. ## Testing The check passes again. ## Checklist  - [ ] I have updated `CHANGELOG.next.toml` if I made changes to the smithy-rs codegen or runtime crates - [ ] I have updated `CHANGELOG.next.toml` if I made changes to the AWS SDK, generated SDK code, or SDK runtime crates ---- _By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice._
smithy-lang · Jan 9, 2024 · d0d75df · d0d75df
1 parent 3020597
commit d0d75df
Show file tree

Hide file tree

Showing 2 changed files with 101 additions and 10 deletions.
diff --git a/tools/ci-scripts/configure-tls/configure-badssl b/tools/ci-scripts/configure-tls/configure-badssl
@@ -6,20 +6,23 @@
 
 set -euxo pipefail
 
-perl -p -i -e 's/ruby2\.4/ruby2.6/' Dockerfile
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+
+
+cp "$DIR/new-badssl-dockerfile" Dockerfile
 grep -q 'start of badssl\.test hosts' /etc/hosts || make list-hosts | sudo tee -a /etc/hosts
-# badssl fails to create dh480.pem on our Ubuntu host.
-# Create it manually inside the docker container.
-sed -i '/CMD /i \
-RUN echo "-----BEGIN DH PARAMETERS-----" >/var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem \
-RUN echo "MEICPQDZ/YFp3iEs3/k9iRGoC/5/To2+5pUF/C6GkO6VjXHHyRVy68I0rI0q7IAq" >>/var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem \
-RUN echo "VyyGQ7/5Q/Iu0QQnHT4X9uMCAQI=" >>/var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem \
-RUN echo "-----END DH PARAMETERS-----" >>/var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem \
-' Dockerfile
+
+# we manually create this in the dockerfile. Tell the makefile not to bother to generate it.
 sed -i '/ 480/c \\ttrue' certs/Makefile
 # badssl does not create an expired certificate;
 # it creates a certificate that expires after 1 day and waits for 1 day to run the "expired certificate" test.
 # This command patches this behavior to run the test immediately.
 # See: https://github.com/chromium/badssl.com/blob/df8d5a9d062f4b99fc19d8aacdea5333b399d624/certs/Makefile#L177
 sed -i 's%./tool sign $@ $(D) 1 sha256 req_v3_usr $^%faketime -f "-2d" ./tool sign $@ $(D) 1 sha256 req_v3_usr $^%' certs/Makefile
-screen -dmS badssl sudo make serve
+# there is a command "make serve" We don't want to actually run that because we want to error out early on `docker build`
+sudo make certs-test
+sudo make docker-build
+
+# manually invoke the "serve" part of things
+# if things are broken, try removing the screen session to see any failure logs.
+screen -dmS badssl sudo docker run -t -p 80:80 -p 443:443 -p 1000-1024:1000-1024 badssl
diff --git a/tools/ci-scripts/configure-tls/new-badssl-dockerfile b/tools/ci-scripts/configure-tls/new-badssl-dockerfile
@@ -0,0 +1,88 @@
+# Why does this file exist?
+# badssl seems to be abandoned. The orginal Dockerfile was based on ubuntu 16.04 and all the bits were rotting.
+# I've updated the Dockerfilet l to ubuntu 22.04 which will hopefully let everything limp along a little longer.
+FROM ubuntu:22.04 as nginx
+# Install necessary packages for building NGINX
+RUN apt-get update && apt-get install -y \
+    build-essential \
+    libpcre3 \
+    libpcre3-dev \
+    zlib1g \
+    zlib1g-dev \
+    wget
+
+# Define NGINX version (this is the old version from ubuntu 16.04 to match)
+ARG NGINX_VERSION=1.14.2
+ARG OPEN_SSL_VERSION=1.0.2g
+
+RUN wget https://www.openssl.org/source/openssl-${OPEN_SSL_VERSION}.tar.gz \
+    && tar -xzvf openssl-${OPEN_SSL_VERSION}.tar.gz
+
+# Download NGINX source code
+RUN wget http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz \
+    && tar -xzvf nginx-$NGINX_VERSION.tar.gz \
+    && cd nginx-$NGINX_VERSION
+
+
+# Configure NGINX before building it
+RUN cd nginx-$NGINX_VERSION \
+    && ./configure \
+        --prefix=/usr/local/nginx \
+        --with-http_ssl_module \
+        --with-openssl=../openssl-${OPEN_SSL_VERSION} \
+        --with-openssl-opt=enable-weak-ssl-ciphers \
+        --with-stream \
+        --with-threads \
+    && make -j 6 \
+    && make install -j 6
+
+RUN /usr/local/nginx/sbin/nginx -V
+
+FROM ubuntu:22.04
+
+EXPOSE 80 443
+RUN apt-get update && apt-get install -y apt-transport-https
+RUN apt-get install -y software-properties-common
+RUN apt-get update && apt-get install -y \
+    build-essential \
+    git \
+    libffi-dev \
+    make \
+    ruby3.0 \
+    ruby3.0-dev
+#RUN gem update --system
+RUN gem install jekyll
+
+COPY --from=nginx /usr/local/nginx /usr/local/nginx
+ENV PATH="/usr/local/nginx/sbin:${PATH}"
+
+# Install badssl.com
+ADD . badssl.com
+WORKDIR badssl.com
+
+RUN sed -i 's/SECLEVEL=2/SECLEVEL=0/' /etc/ssl/openssl.cnf
+RUN tail -n10 /etc/ssl/openssl.cnf
+
+RUN nginx -V
+RUN mkdir /etc/nginx
+# `make-in-docker` requires this file to exist.
+RUN ln -s /usr/local/nginx/conf/nginx.conf /etc/nginx/nginx.conf
+
+# Update the nginx config to include the badssl configs.
+RUN head -n-1 /etc/nginx/nginx.conf > wip.conf
+RUN echo "# Virtual Host Configs\ninclude /var/www/badssl/_site/nginx.conf;\n}" >> wip.conf
+RUN mv wip.conf /usr/local/nginx/conf/nginx.conf
+RUN make inside-docker
+
+# Allow unsecure certs
+RUN sed -i 's/SECLEVEL=2/SECLEVEL=0/' /etc/ssl/openssl.cnf
+
+# Fix DH key that can't be generated...works in docker bug not on github. Who knows.
+RUN echo "-----BEGIN DH PARAMETERS-----" > /var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem
+RUN echo "MEICPQDZ/YFp3iEs3/k9iRGoC/5/To2+5pUF/C6GkO6VjXHHyRVy68I0rI0q7IAq" >> /var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem
+RUN echo "VyyGQ7/5Q/Iu0QQnHT4X9uMCAQI=" >> /var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem
+RUN echo "-----END DH PARAMETERS-----" >> /var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem
+
+RUN nginx -t
+# Start things up!
+CMD nginx && tail -f /usr/local/nginx/logs/access.log /usr/local/nginx/logs/error.log