Move the wapiti image to Debian 12

Moving to Debian 12 raises two main problems:
- The latest version of pip ships a protection for system packages, hence the use of the `--break-system-packages` flag.
- OpenSSL 3 has dropped/forbidden the use of several things. Among the first identified: the oldest ciphers can no longer be used, and neither can `Legacy renegotiation`. Adding configuration lines to the openssl config file re-enables all of this.
parent: a5d389ad52
commit: 9379d1e62a
Changed files: Dockerfile (12), openssl_conf (new)
@ -1,4 +1,4 @@
FROM debian:bullseye-slim as build
FROM debian:bookworm-slim as build
ENV DEBIAN_FRONTEND=noninteractive \
LANG=en_US.UTF-8
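Review bot: the build stage on the `FROM debian:bookworm-slim as build` line references the base image by tag only, so a later rebuild silently picks up a different bookworm-slim, and with it potentially a different Python minor version, which the later `COPY --from=build /usr/local/lib/python3.11/dist-packages/` line hardcodes. Consider pinning by digest (`FROM debian:bookworm-slim@sha256:<digest-placeholder> AS build`), or at least a comment stating that the dist-packages path must move in step with the base image.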
@ -14,13 +14,14 @@ RUN apt update \
COPY . .
RUN pip3 install .
RUN pip3 install . --break-system-packages
FROM debian:bullseye-slim
FROM debian:bookworm-slim
ENV DEBIAN_FRONTEND=noninteractive \
LANG=en_US.UTF-8 \
PYTHONDONTWRITEBYTECODE=1
PYTHONDONTWRITEBYTECODE=1 \
OPENSSL_CONF='/etc/wapiti/openssl_conf'
RUN apt update \
&& apt install python3 python3-setuptools -y \
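Review bot: `RUN pip3 install . --break-system-packages` switches off the externally-managed-environment guard that pip introduced for Debian 12 (PEP 668), so wapiti's dependencies are installed over Debian's own python3 packages in the build stage and then carried into the final image by the `COPY --from=build ... dist-packages/` line. A virtual environment avoids the override entirely: `RUN python3 -m venv /opt/wapiti && /opt/wapiti/bin/pip install .`, then copy `/opt/wapiti` into the runtime stage and put `/opt/wapiti/bin` on `PATH`. Separately, `OPENSSL_CONF='/etc/wapiti/openssl_conf'` is an environment variable for the whole container, so the legacy provider and renegotiation settings in that file apply to every OpenSSL consumer in the image, not only to wapiti; a one-line comment above the `ENV` saying so would help the next maintainer.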
@ -29,7 +30,8 @@ RUN apt update \
&& rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \
&& truncate -s 0 /var/log/*log
COPY --from=build /usr/local/lib/python3.9/dist-packages/ /usr/local/lib/python3.9/dist-packages/
COPY --from=build /usr/local/lib/python3.11/dist-packages/ /usr/local/lib/python3.11/dist-packages/
COPY --from=build /usr/local/bin/wapiti /usr/local/bin/wapiti-getcookie /usr/local/bin/
COPY --chmod=644 openssl_conf /etc/wapiti/
ENTRYPOINT ["wapiti"]
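Review bot: the `COPY --from=build /usr/local/lib/python3.11/dist-packages/` line hardcodes the interpreter version, so the next time bookworm-slim ships a different Python the copy silently brings nothing over and the image only fails at run time; add a comment tying this path to the base image, or package wapiti into a venv in the build stage and copy that directory as a whole. On `COPY --chmod=644 openssl_conf /etc/wapiti/`, the destination must stay identical to the `OPENSSL_CONF='/etc/wapiti/openssl_conf'` value set earlier in the file; a comment on either line referencing the other keeps them from drifting apart.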
@ -0,0 +1,28 @@
# Debian 12 is shipped with openssl 3.0, which deactivate a lot of old ciphers.
# In order to scan some old websites, we have to activate weak ciphers.
# This conf allow the container to use the legacy provider.
#
# Another problem is that the Legacy Rengotiation is deactivated. Let's reactivate it.
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
ssl_conf = ssl_sect
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = UnsafeLegacyRenegotiation
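Review bot: `Options = UnsafeLegacyRenegotiation` is broader than the header comment describes; it permits insecure legacy renegotiation in both client and server roles, whereas OpenSSL's `UnsafeLegacyServerConnect` only lets an OpenSSL client complete the initial connection to a server that lacks RFC 5746 secure renegotiation, which is the narrower setting and is sufficient for a scanner that is always the TLS client. State in the comment which one is intended. Because this file is selected by the container-wide `OPENSSL_CONF` variable, activating `legacy_sect` and this option weakens TLS for every connection the container makes, not only to the old sites the comment mentions; that trade-off belongs in the README as well as here. Minor wording in the comments: 'deactivate' should be 'deactivates', 'allow' should be 'allows', and 'Rengotiation' should be 'Renegotiation'.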