From 4f9292562d92a1bc98fa69c5b7d19a8a3ce80c33 Mon Sep 17 00:00:00 2001
From: jschaul
Date: Tue, 18 Oct 2022 18:15:25 +0200
Subject: [PATCH 1/7] cacert-fixup attempt

---
 nix/wire-server.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/nix/wire-server.nix b/nix/wire-server.nix
index e1eb035e43..beef12fe82 100644
--- a/nix/wire-server.nix
+++ b/nix/wire-server.nix
@@ -207,6 +207,10 @@ let lib = pkgs.lib;
 pkgs.dumb-init
 drv
 tmpDir
+ # pkgs.cacerts provides etc/ssl/certs/ca-bundle.crt, but maybe haskell reads from ca-certificates.crt?
+ (pkgs.runCommand "ca-certificates" {} ''
+ ln -s ${pkgs.cacert.out}/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/ca-certificates.crt
+ '')
 ] ++ pkgs.lib.optionals (builtins.hasAttr execName extraContents) (builtins.getAttr execName extraContents);
 # Any mkdir running in this step won't actually make it to the image,
 # hence we use the tmpDir derivation in the contents

From 67a5563e1fd8665609b3c7c62de3cd5ba4c22ead Mon Sep 17 00:00:00 2001
From: Akshay Mankar
Date: Wed, 19 Oct 2022 13:23:17 +0200
Subject: [PATCH 2/7] Use SSL.contextSetDefaultVerifyPaths so we respect SSL_CERT_FILE env var

---
 services/brig/src/Brig/App.hs | 4 ++--
 services/cargohold/src/CargoHold/App.hs | 2 +-
 services/galley/src/Galley/App.hs | 2 +-
 services/galley/src/Galley/Env.hs | 3 +--
 services/galley/test/integration/API/SQS.hs | 2 +-
 5 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/services/brig/src/Brig/App.hs b/services/brig/src/Brig/App.hs
index 1b8a7d388d..d36eb3cc7c 100644
--- a/services/brig/src/Brig/App.hs
+++ b/services/brig/src/Brig/App.hs
@@ -339,7 +339,7 @@ initHttpManager = do
 SSL.contextSetCiphers ctx "HIGH"
 SSL.contextSetVerificationMode ctx $ SSL.VerifyPeer True True Nothing
- SSL.contextLoadSystemCerts ctx
+ SSL.contextSetDefaultVerifyPaths ctx
 -- Unfortunately, there are quite some AWS services we talk to
 -- (e.g. SES, Dynamo) that still only support TLSv1.
 -- Ideally: SSL.contextAddOption ctx SSL_OP_NO_TLSv1
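Review bot: The new `SSL.contextSetDefaultVerifyPaths ctx` makes the trust store of this context depend on the process environment (`SSL_CERT_FILE`/`SSL_CERT_DIR`, per the commit subject), but nothing in the hunk checks that the named bundle exists; as far as I recall, OpenSSL's `SSL_CTX_set_default_verify_paths` reports success even when the default or env-named file cannot be read, so a wrong path leaves the context with an empty store and the problem only surfaces as a handshake failure on the first outbound request. Under `SSL.VerifyPeer True True Nothing` that at least fails closed, but a startup check would make the misconfiguration visible immediately, e.g. `lookupEnv "SSL_CERT_FILE" >>= traverse_ (\f -> doesFileExist f >>= \ok -> unless ok (throwIO (userError ("SSL_CERT_FILE not found: " <> f))))` before the call. At minimum the line deserves a comment such as `-- CA bundle comes from SSL_CERT_FILE/SSL_CERT_DIR or OpenSSL's compiled-in default; a missing file is not reported here`. `initHttpManager`'s body continues outside the hunk.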
@@ -369,7 +369,7 @@ initExtGetManager = do
 -- We use public key pinning with service providers and want to
 -- support self-signed certificates as well, hence 'VerifyNone'.
 SSL.contextSetVerificationMode ctx SSL.VerifyNone
- SSL.contextLoadSystemCerts ctx
+ SSL.contextSetDefaultVerifyPaths ctx
 mgr <-
 newManager
 (opensslManagerSettings (pure ctx)) -- see Note [SSL context]
diff --git a/services/cargohold/src/CargoHold/App.hs b/services/cargohold/src/CargoHold/App.hs
index bd0635e456..2d130365ed 100644
--- a/services/cargohold/src/CargoHold/App.hs
+++ b/services/cargohold/src/CargoHold/App.hs
@@ -132,7 +132,7 @@ initSSLContext = do
 SSL.contextAddOption ctx SSL_OP_NO_SSLv2
 SSL.contextAddOption ctx SSL_OP_NO_SSLv3
 SSL.contextSetCiphers ctx "HIGH"
- SSL.contextLoadSystemCerts ctx
+ SSL.contextSetDefaultVerifyPaths ctx
 SSL.contextSetVerificationMode ctx $ SSL.VerifyPeer True True Nothing
 pure ctx
 
diff --git a/services/galley/src/Galley/App.hs b/services/galley/src/Galley/App.hs
index 97cd4b2bf4..3dbba879e3 100644
--- a/services/galley/src/Galley/App.hs
+++ b/services/galley/src/Galley/App.hs
@@ -189,7 +189,7 @@ initHttpManager o = do
 Ssl.contextAddOption ctx SSL_OP_NO_SSLv3
 Ssl.contextAddOption ctx SSL_OP_NO_TLSv1
 Ssl.contextSetCiphers ctx rsaCiphers
- Ssl.contextLoadSystemCerts ctx
+ Ssl.contextSetDefaultVerifyPaths ctx
 newManager
 (opensslManagerSettings (pure ctx))
 { managerResponseTimeout = responseTimeoutMicro 10000000,
diff --git a/services/galley/src/Galley/Env.hs b/services/galley/src/Galley/Env.hs
index 76eecaa2cf..b9856efc0f 100644
--- a/services/galley/src/Galley/Env.hs
+++ b/services/galley/src/Galley/Env.hs
@@ -34,7 +34,6 @@ import Network.HTTP.Client
 import Network.HTTP.Client.OpenSSL
 import OpenSSL.EVP.Digest
 import OpenSSL.Session as Ssl
-import qualified OpenSSL.X509.SystemStore as Ssl
 import Ssl.Util
 import System.Logger
 import Util.Options
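Review bot: In this context `SSL.contextSetDefaultVerifyPaths ctx` is called right after `SSL.contextSetVerificationMode ctx SSL.VerifyNone`, so the CA paths it loads have no bearing on whether a peer is accepted — chain verification is disabled and, per the comment two lines up, trust for service providers comes from public key pinning instead. Keeping the call makes the context look like `initHttpManager`'s, but a reader could take it as evidence that CA validation happens here; either drop the line or mark it, e.g. `-- CA paths are irrelevant under VerifyNone (trust comes from pinning); kept only so the context mirrors initHttpManager`. `initExtGetManager` continues outside the hunk, where the pinning check presumably lives — worth confirming it is actually wired to this manager.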
@@ -80,7 +79,7 @@ initExtEnv = do
 Ssl.contextAddOption ctx SSL_OP_NO_SSLv3
 Ssl.contextAddOption ctx SSL_OP_NO_TLSv1
 Ssl.contextSetCiphers ctx rsaCiphers
- Ssl.contextLoadSystemCerts ctx
+ Ssl.contextSetDefaultVerifyPaths ctx
 mgr <-
 newManager
 (opensslManagerSettings (pure ctx))
diff --git a/services/galley/test/integration/API/SQS.hs b/services/galley/test/integration/API/SQS.hs
index 1a66a77292..db37b58710 100644
--- a/services/galley/test/integration/API/SQS.hs
+++ b/services/galley/test/integration/API/SQS.hs
@@ -243,7 +243,7 @@ initHttpManager = do
 Ssl.contextAddOption ctx SSL_OP_NO_SSLv3
 Ssl.contextAddOption ctx SSL_OP_NO_TLSv1
 Ssl.contextSetCiphers ctx rsaCiphers
- Ssl.contextLoadSystemCerts ctx
+ Ssl.contextSetDefaultVerifyPaths ctx
 newManager
 (opensslManagerSettings (pure ctx)) -- see Note [SSL context]
 { managerResponseTimeout = responseTimeoutMicro 10000000,

From 655a4e04e7d01356f54f84de749f5172890ab4dd Mon Sep 17 00:00:00 2001
From: Akshay Mankar
Date: Wed, 19 Oct 2022 13:23:50 +0200
Subject: [PATCH 3/7] Revert "cacert-fixup attempt"

This reverts commit 398cec18b365481640a5206b57305071401a5817.

No need.
---
 nix/wire-server.nix | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/nix/wire-server.nix b/nix/wire-server.nix
index beef12fe82..e1eb035e43 100644
--- a/nix/wire-server.nix
+++ b/nix/wire-server.nix
@@ -207,10 +207,6 @@ let lib = pkgs.lib;
 pkgs.dumb-init
 drv
 tmpDir
- # pkgs.cacerts provides etc/ssl/certs/ca-bundle.crt, but maybe haskell reads from ca-certificates.crt?
- (pkgs.runCommand "ca-certificates" {} ''
- ln -s ${pkgs.cacert.out}/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/ca-certificates.crt
- '')
 ] ++ pkgs.lib.optionals (builtins.hasAttr execName extraContents) (builtins.getAttr execName extraContents);
 # Any mkdir running in this step won't actually make it to the image,
 # hence we use the tmpDir derivation in the contents

From c8d61bedaccbae959486dc69e01bd618d997690a Mon Sep 17 00:00:00 2001
From: Akshay Mankar
Date: Wed, 19 Oct 2022 13:36:36 +0200
Subject: [PATCH 4/7] Set SSL_CERT_FILE in all docker images

---
 nix/wire-server.nix | 1 +
 services/brig/src/Brig/App.hs | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/nix/wire-server.nix b/nix/wire-server.nix
index e1eb035e43..9b7bd783a1 100644
--- a/nix/wire-server.nix
+++ b/nix/wire-server.nix
@@ -216,6 +216,7 @@ let lib = pkgs.lib;
 '';
 config = {
 Entrypoint = ["${pkgs.dumb-init}/bin/dumb-init" "--" "${drv}/bin/${execName}"];
+ Env = ["SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"];
 };
 }
 ) (staticExecs localMods);
diff --git a/services/brig/src/Brig/App.hs b/services/brig/src/Brig/App.hs
index d36eb3cc7c..b384000078 100644
--- a/services/brig/src/Brig/App.hs
+++ b/services/brig/src/Brig/App.hs
@@ -135,7 +135,6 @@ import Network.HTTP.Client.OpenSSL
 import OpenSSL.EVP.Digest (Digest, getDigestByName)
 import OpenSSL.Session (SSLOption (..))
 import qualified OpenSSL.Session as SSL
-import qualified OpenSSL.X509.SystemStore as SSL
 import Polysemy
 import Polysemy.Final
 import qualified Ropes.Nexmo as Nexmo

From 6e811b8da2013e549230c58415e53fd97bb2cad3 Mon Sep 17 00:00:00 2001
From: Akshay Mankar
Date: Wed, 19 Oct 2022 13:39:05 +0200
Subject: [PATCH 5/7] Changelog

---
 changelog.d/0-release-notes/nix-builds | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/changelog.d/0-release-notes/nix-builds b/changelog.d/0-release-notes/nix-builds
index a8ffbbc8bd..61ce21a6b4 100644
--- a/changelog.d/0-release-notes/nix-builds
+++ b/changelog.d/0-release-notes/nix-builds
@@ -1 +1 @@
-Build docker images using nix derivations instead of Dockerfiles (#2331, ##)
\ No newline at end of file
+Build docker images using nix derivations instead of Dockerfiles (#2331, #2771, #2772)
\ No newline at end of file

From 2d59beb1ec33000abfbab6bd16ca7a4bbfb3cf98 Mon Sep 17 00:00:00 2001
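Review bot: `Env = ["SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"];` hard-codes the bundle location while nothing in this hunk shows `pkgs.cacert` being part of the image's `contents`; if it is absent, or the package ever moves its bundle, every service switched to `contextSetDefaultVerifyPaths` in the previous commit starts with an empty trust store and only fails at its first TLS connection. Referencing the store path directly removes that drift, `Env = ["SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"];`, provided `pkgs.cacert` is in `contents` so the path exists inside the image. Since this variable now selects the trust anchors for all outbound TLS, a comment next to it should say so: `# Trust store for all outbound TLS (read via OpenSSL's default verify paths); overriding this at deploy time replaces the CA set.`. The `contents` list this image is built from starts outside the hunk.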
From: Akshay Mankar
Date: Wed, 19 Oct 2022 14:36:39 +0200
Subject: [PATCH 6/7] Redundant imports

---
 services/cargohold/src/CargoHold/App.hs | 1 -
 services/galley/src/Galley/App.hs | 1 -
 2 files changed, 2 deletions(-)

diff --git a/services/cargohold/src/CargoHold/App.hs b/services/cargohold/src/CargoHold/App.hs
index 2d130365ed..c585462199 100644
--- a/services/cargohold/src/CargoHold/App.hs
+++ b/services/cargohold/src/CargoHold/App.hs
@@ -66,7 +66,6 @@ import Network.HTTP.Client.OpenSSL
 import Network.Wai.Utilities (Error (..))
 import OpenSSL.Session (SSLContext, SSLOption (..))
 import qualified OpenSSL.Session as SSL
-import qualified OpenSSL.X509.SystemStore as SSL
 import System.Logger.Class hiding (settings)
 import qualified System.Logger.Extended as Log
 
diff --git a/services/galley/src/Galley/App.hs b/services/galley/src/Galley/App.hs
index 3dbba879e3..6cca62b1f4 100644
--- a/services/galley/src/Galley/App.hs
+++ b/services/galley/src/Galley/App.hs
@@ -90,7 +90,6 @@ import Network.HTTP.Client (responseTimeoutMicro)
 import Network.HTTP.Client.OpenSSL
 import qualified Network.Wai.Utilities.Error as Wai
 import OpenSSL.Session as Ssl
-import qualified OpenSSL.X509.SystemStore as Ssl
 import Polysemy
 import Polysemy.Error
 import Polysemy.Input

From ff90a637df26bc6ee56331af0000caec17a2cdf3 Mon Sep 17 00:00:00 2001
From: jschaul
Date: Wed, 19 Oct 2022 14:59:05 +0200
Subject: [PATCH 7/7] more redundant imports

---
 services/galley/test/integration/API/SQS.hs | 1 -
 1 file changed, 1 deletion(-)

diff --git a/services/galley/test/integration/API/SQS.hs b/services/galley/test/integration/API/SQS.hs
index db37b58710..d78fded08c 100644
--- a/services/galley/test/integration/API/SQS.hs
+++ b/services/galley/test/integration/API/SQS.hs
@@ -42,7 +42,6 @@ import Imports
 import Network.HTTP.Client
 import Network.HTTP.Client.OpenSSL
 import OpenSSL.Session as Ssl
-import qualified OpenSSL.X509.SystemStore as Ssl
 import Proto.TeamEvents as E
 import Proto.TeamEvents_Fields as E
 import Safe (headDef)