Disable executable stack #28

Closed
koczkatamas opened this issue Jan 26, 2018 · 1 comment

koczkatamas commented Jan 26, 2018

sslyze does not work on Windows WSL (tested on Ubuntu 16.04.3 LTS, installed via pip) because nassl is compiled with executable stack.

I think executable stack is not necessary for nassl to work properly, because if I disable it, then sslyze seemingly works correctly. On the other hand enabling executable stack imposes a security risk.

The related WSL issue: microsoft/WSL#2866

Turning executable stack off (for testing purposes):

sslyze ... => exception
sudo apt install execstack
sudo execstack -c /usr/local/lib/python2.7/dist-packages/nassl/_nassl.so
sudo execstack -c /usr/local/lib/python2.7/dist-packages/nassl/_nassl_legacy.so
sslyze ... => works

A related cryptography package issue (pyca/cryptography#3993) links to an openssl issue (openssl/openssl#4575) where they say that

all the linux distros work around this by providing the -Wa,--noexecstack incantation, but people who compile their own OpenSSL do not get these protections.

So it may resolve the issue if you add -Wa,--noexecstack to the appropriate configure script.

You can check whether the library is compiled with executable stack or not like this:

Compiled without executable stack (expected / good state):

$ execstack _nassl.so
- _nassl.so

Compiled with executable stack (current / bad state):

$ execstack _nassl.so
X _nassl.so

@nabla-c0d3 (Owner)

Thanks for the details! I actually was running into this problem constantly as I do my Linux dev on WSL.
