Passer l'image wapiti en debian 12

Le passage à debian 12 pose deux principaux problèmes :
 - La dernière version de pip embarque une protection pour les
   system-packages, d'où l'usage du flag `--break-system-packages`.
 - OpenSSL 3 a drop/interdit l'usage de plusieurs choses. Parmi les
   premiers identifiés : les plus vieux ciphers ne sont plus
   utilisables, et la `Legacy renegotiation` non plus. L'ajout de lignes
   de configuration dans le fichier de config openssl permet de
   réactiver tout cela.
Samir ALI CHERIF 2023-07-17 09:37:51 +02:00 committed by Florian Wininger
parent a5d389ad52
commit 9379d1e62a
2 changed files with 35 additions and 5 deletions


@ -1,4 +1,4 @@
FROM debian:bullseye-slim as build
FROM debian:bookworm-slim as build
ENV DEBIAN_FRONTEND=noninteractive \
LANG=en_US.UTF-8
@ -14,13 +14,14 @@ RUN apt update \
COPY . .
RUN pip3 install .
RUN pip3 install . --break-system-packages
FROM debian:bullseye-slim
FROM debian:bookworm-slim
ENV DEBIAN_FRONTEND=noninteractive \
LANG=en_US.UTF-8 \
PYTHONDONTWRITEBYTECODE=1
PYTHONDONTWRITEBYTECODE=1 \
OPENSSL_CONF='/etc/wapiti/openssl_conf'
RUN apt update \
&& apt install python3 python3-setuptools -y \
@ -29,7 +30,8 @@ RUN apt update \
&& rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \
&& truncate -s 0 /var/log/*log
COPY --from=build /usr/local/lib/python3.9/dist-packages/ /usr/local/lib/python3.9/dist-packages/
COPY --from=build /usr/local/lib/python3.11/dist-packages/ /usr/local/lib/python3.11/dist-packages/
COPY --from=build /usr/local/bin/wapiti /usr/local/bin/wapiti-getcookie /usr/local/bin/
COPY --chmod=644 openssl_conf /etc/wapiti/
ENTRYPOINT ["wapiti"]
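Review bot: `OPENSSL_CONF='/etc/wapiti/openssl_conf'` is set with `ENV` in the final stage, so every process in the container that uses OpenSSL inherits the legacy provider and the relaxed renegotiation setting, not only the connections wapiti makes to scan targets. Nothing in the Dockerfile records that this weakening is deliberate; a comment above the `ENV`, such as `# TLS is weakened on purpose so legacy targets can be scanned; do not reuse this image as a base or for other traffic`, would keep the setting from being copied elsewhere. Separately, the hard-coded `python3.11` in the `COPY --from=build` path and the `--break-system-packages` flag could probably both be avoided by installing into a virtualenv in the build stage and copying that directory, which would not need editing at the next Python version bump.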

28
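--- a/openssl_conf
+++ b/openssl_conf
@@ -0,0 +1,28 @@
+# Debian 12 is shipped with openssl 3.0, which deactivate a lot of old ciphers.
+# In order to scan some old websites, we have to activate weak ciphers.
+# This conf allow the container to use the legacy provider.
+#
+# Another problem is that the Legacy Rengotiation is deactivated. Let's reactivate it.
+openssl_conf = openssl_init
+[openssl_init]
+providers = provider_sect
+ssl_conf = ssl_sect
+[provider_sect]
+default = default_sect
+legacy = legacy_sect
+[default_sect]
+activate = 1
+[legacy_sect]
+activate = 1
+[ssl_sect]
+system_default = system_default_sect
+[system_default_sect]
+Options = UnsafeLegacyRenegotiation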
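Review bot: `Options = UnsafeLegacyRenegotiation` in `[system_default_sect]` is broader than a scanner needs: it permits insecure renegotiation with unpatched peers in both roles, whereas OpenSSL also offers `UnsafeLegacyServerConnect`, which only lets a client talk to servers lacking RFC 5746 support. If wapiti only ever acts as a TLS client here, `Options = UnsafeLegacyServerConnect` looks sufficient and is worth testing against the sites that prompted this change. The header comment should also state the risk rather than just "Let's reactivate it", for example `# WARNING: allows renegotiation with servers lacking RFC 5746; for scanning only`. Because the image points `OPENSSL_CONF` at this file, the distribution's default OpenSSL configuration is presumably no longer read, so any hardening it carried would have to be restated here.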