get_certificate module is not using SNI resulting in certs coming back as invalid #69
Comments
I guess this can be fixed by using a method similar to the one handling proxies, but for the case without proxies. Probably this would work:
(See https://docs.python.org/3/library/ssl.html#ssl.SSLContext.wrap_socket)
felixfontein added a commit that referenced this issue Jul 13, 2020

* get_certificate - Add support of SNI

  For python versions supporting `create_default_context` support SNI by using low-level SSLContext.wrap_socket().getpeercert(). Add also more information in the error message

  fixes #69
* Make sure default CA certificates are not loaded when ca_cert is specified.
* Refactor to combine common code.
* Update changelogs/fragments/get_certificate-add_support_for_SNI.yml

Co-authored-by: Felix Fontein <[email protected]>
Co-authored-by: Felix Fontein <[email protected]>
SUMMARY
When using get_certificate, the client does not provide an SNI, causing some certs to come back as invalid. One example of this is from AppSpot (testsafebrowsing.appspot.com).
ISSUE TYPE
COMPONENT NAME
get_certificate
ANSIBLE VERSION
CONFIGURATION
OS / ENVIRONMENT
MacOS X Mojave
STEPS TO REPRODUCE
EXPECTED RESULTS
Certificate string returned by get_certificate is valid
ACTUAL RESULTS