[hold] Fix #714 - Switch to (mainly) sslyze for TLS testing

.gitmodules

@@ -1,12 +1,7 @@
 [submodule "vendor/unbound"]
 	path = vendor/unbound
 	url = https://github.com/internetstandards/unbound.git
-[submodule "vendor/nassl"]
-	path = vendor/nassl
-	url = https://github.com/internetstandards/nassl.git
-[submodule "vendor/openssl-1.0.2e"]
-	path = vendor/openssl-1.0.2e
-	url = https://github.com/PeterMosmans/openssl.git
-[submodule "vendor/openssl-master"]
-	path = vendor/openssl-master
-	url = https://github.com/openssl/openssl.git
+[submodule "vendor/nassl6"]
+	path = vendor/nassl6
+	url = https://github.com/mxsasha/nassl
+	branch = sigalg

checks/categories.py

@@ -1085,24 +1085,9 @@ def result_good(self):
         self.verdict = "detail web tls cipher-order verdict good"
         self.tech_data = ""
 
-    def result_bad(self):
+    def result_bad(self, cipher_order_violation):
         self._status(STATUS_FAIL)
         self.verdict = "detail web tls cipher-order verdict bad"
-        self.tech_data = ""
-
-    def result_seclevel_bad(self, cipher_order_violation):
-        self._status(STATUS_FAIL)
-        self.verdict = "detail web tls cipher-order verdict seclevel-bad"
-        self.tech_data = cipher_order_violation
-
-    def result_score_warning(self, cipher_order_violation):
-        self._status(STATUS_NOTICE)
-        self.verdict = "detail web tls cipher-order verdict warning"
-        self.tech_data = cipher_order_violation
-
-    def result_score_info(self, cipher_order_violation):
-        self._status(STATUS_INFO)
-        self.verdict = "detail web tls cipher-order verdict warning"
         self.tech_data = cipher_order_violation
 
     def result_na(self):
@@ -1482,6 +1467,11 @@ def result_not_trusted(self):
         self.verdict = "detail web tls ocsp-stapling verdict bad"
         self.tech_data = "detail tech data no"
 
+    def result_not_in_cert(self):
+        self._status(STATUS_SUCCESS)
+        self.verdict = "detail web tls ocsp-stapling verdict not-in-cert"
+        self.tech_data = "detail tech data not-applicable"
+
 
 class WebTlsKexHashFunc(Subtest):
     def __init__(self):
@@ -1674,28 +1664,10 @@ def result_good(self):
         self.verdict = "detail mail tls cipher-order verdict good"
         self.tech_data = ""
 
-    def result_bad(self):
+    def result_bad(self, cipher_order_violation):
         self.was_tested()
         self._status(STATUS_FAIL)
         self.verdict = "detail mail tls cipher-order verdict bad"
-        self.tech_data = ""
-
-    def result_seclevel_bad(self, cipher_order_violation):
-        self.was_tested()
-        self._status(STATUS_FAIL)
-        self.verdict = "detail mail tls cipher-order verdict seclevel-bad"
-        self.tech_data = cipher_order_violation
-
-    def result_warning(self, cipher_order_violation):
-        self.was_tested()
-        self._status(STATUS_NOTICE)
-        self.verdict = "detail mail tls cipher-order verdict warning"
-        self.tech_data = cipher_order_violation
-
-    def result_info(self, cipher_order_violation):
-        self.was_tested()
-        self._status(STATUS_INFO)
-        self.verdict = "detail mail tls cipher-order verdict warning"
         self.tech_data = cipher_order_violation
 
     def result_na(self):

checks/http_client.py

@@ -10,15 +10,20 @@
 from forcediphttpsadapter.adapters import ForcedIPHTTPSAdapter
 
 from checks.resolver import dns_resolve_aaaa, dns_resolve_a
-from checks.tasks.tls_connection import DEFAULT_TIMEOUT
-from checks.tasks.tls_connection_exceptions import NoIpError
 from django.conf import settings
 from internetnl import log
 
 # Disable HTTPS warnings as we intentionally disable HTTPS verification
 urllib3.disable_warnings()
 
 
+DEFAULT_TIMEOUT = 10
+
+
+class NoIpError(Exception):
+    pass
+
+
 def _do_request(args, headers, kwargs, session, url):
     """
     This small wrapper helps with handling of redirects.

checks/models.py

@@ -86,6 +86,7 @@ class OcspStatus(Enum):
     ok = 0
     good = 1
     not_trusted = 2
+    not_in_cert = 3
 
 
 class ZeroRttStatus(Enum):

checks/probes.py

@@ -41,7 +41,7 @@
     from checks.tasks import mail
 
 if settings.INTERNET_NL_CHECK_SUPPORT_TLS:
-    from checks.tasks import tls
+    from checks.tasks.tls import tasks_reports as tls_tasks
 
 if settings.INTERNET_NL_CHECK_SUPPORT_APPSECPRIV:
     from checks.tasks import appsecpriv
@@ -413,7 +413,7 @@ def get_max_score(self, modelobj, maxscore):
     )
 
 if settings.INTERNET_NL_CHECK_SUPPORT_TLS:
-    web_probe_tls = Probe("tls", "site", model=WebTestTls, category=categories.WebTls, taskset=tls.web_registered)
+    web_probe_tls = Probe("tls", "site", model=WebTestTls, category=categories.WebTls, taskset=tls_tasks.web_registered)
 
 if settings.INTERNET_NL_CHECK_SUPPORT_APPSECPRIV:
     web_probe_appsecpriv = Probe(
@@ -445,7 +445,7 @@ def get_max_score(self, modelobj, maxscore):
 
 if settings.INTERNET_NL_CHECK_SUPPORT_TLS:
     batch_web_probe_tls = Probe(
-        "tls", "site", model=WebTestTls, category=categories.WebTls, taskset=tls.batch_web_registered
+        "tls", "site", model=WebTestTls, category=categories.WebTls, taskset=tls_tasks.batch_web_registered
     )
 
 if settings.INTERNET_NL_CHECK_SUPPORT_APPSECPRIV:
@@ -518,7 +518,9 @@ def get_max_score(self, modelobj, maxscore):
     )
 
 if settings.INTERNET_NL_CHECK_SUPPORT_TLS:
-    mail_probe_tls = Probe("tls", "mail", model=MailTestTls, category=categories.MailTls, taskset=tls.mail_registered)
+    mail_probe_tls = Probe(
+        "tls", "mail", model=MailTestTls, category=categories.MailTls, taskset=tls_tasks.mail_registered
+    )
 
 if settings.INTERNET_NL_CHECK_SUPPORT_RPKI:
     mail_probe_rpki = Probe(
@@ -542,7 +544,7 @@ def get_max_score(self, modelobj, maxscore):
 
 if settings.INTERNET_NL_CHECK_SUPPORT_TLS:
     batch_mail_probe_tls = Probe(
-        "tls", "mail", model=MailTestTls, category=categories.MailTls, taskset=tls.batch_mail_registered
+        "tls", "mail", model=MailTestTls, category=categories.MailTls, taskset=tls_tasks.batch_mail_registered
     )
 
 if settings.INTERNET_NL_CHECK_SUPPORT_RPKI:

checks/scoring.py

@@ -1,17 +1,22 @@
 # Copyright: 2022, ECP, NLnet Labs and the Internet.nl contributors
 # SPDX-License-Identifier: Apache-2.0
+from typing import NewType
+
+Status = NewType("Status", int)
+Score = NewType("Score", int)
 
 # --- STATUSES
 #
 # Do not change these values.
 # You can append statuses and then change the ORDERED_STATUSES below.
-STATUS_FAIL = 0
-STATUS_SUCCESS = 1
-STATUS_NOTICE = 2
-STATUS_GOOD_NOT_TESTED = 3
-STATUS_NOT_TESTED = 4
-STATUS_INFO = 5
-STATUS_ERROR = 6
+
+STATUS_FAIL = Status(0)
+STATUS_SUCCESS = Status(1)
+STATUS_NOTICE = Status(2)
+STATUS_GOOD_NOT_TESTED = Status(3)
+STATUS_NOT_TESTED = Status(4)
+STATUS_INFO = Status(5)
+STATUS_ERROR = Status(6)
 
 STATUS_MAX = STATUS_SUCCESS
 
@@ -42,10 +47,10 @@
 
 # --- SCORES
 #
-FULL_WEIGHT_POINTS = 10  # These are three levels of weighing results.
-HALF_WEIGHT_POINTS = 5  # All three can be used for passed tests, the
-LESS_WEIGHT_POINTS = 2  # difference is the effect on the overall score.
-NO_POINTS = 0
+FULL_WEIGHT_POINTS = Score(10)  # These are three levels of weighing results.
+HALF_WEIGHT_POINTS = Score(5)  # All three can be used for passed tests, the
+LESS_WEIGHT_POINTS = Score(2)  # difference is the effect on the overall score.
+NO_POINTS = Score(0)
 
 
 # You can edit the below values to change the scoring for the subtests.