Enable TLS/SSL CTX Options for the get_certificate Module #779
SUMMARY
Adds a TLS/SSL CTX options parameter to the get_certificate module. It accepts both string (e.g. OP_LEGACY_SERVER_CONNECT) and integer (e.g. 4) representations of an option, since some options can only be enabled via their integer value, depending on the Python and OpenSSL/LibreSSL versions in use.
ISSUE TYPE
COMPONENT NAME
get_certificate
ADDITIONAL INFORMATION
I use Ansible to manage various device types (e.g. PDUs, BMCs, etc.), some of which do not support secure renegotiation. For devices that do not support secure renegotiation, depending on the Ansible controller, the get_certificate module was experiencing an SSL failure, though I could still interact with them via GUI web browsers (Chrome, Firefox).
Without manually enabling OP_LEGACY_SERVER_CONNECT (example endpoint uses 2048 bit cert, TLSv1.2 / AES128-GCM-SHA256, does not support secure renegotiation, cannot be changed):
After manually enabling OP_LEGACY_SERVER_CONNECT:
Relevant task:
Ansible controller properties:
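As an added illustration of the string-or-integer option handling described in the SUMMARY (example code written for this page, not the get_certificate module's own implementation), the following Python resolves a mixed list of OP_* names and raw integers into a single bitmask and applies it to an SSLContext. The helper names (`resolve_ctx_option`, `resolve_ctx_options`, `build_client_context`) are assumptions; the behaviour it models is that a name is only usable when this Python build exports it (for instance, `ssl.OP_LEGACY_SERVER_CONNECT` exists only from Python 3.12), while an integer such as 4 can be set on any build.

```python
import ssl
from typing import Iterable, Union


def resolve_ctx_option(option: Union[str, int]) -> int:
    """Translate one option (OP_* name or raw integer) into its bit value.

    Hypothetical helper, not the module's own code. Strings are looked up
    on the ssl module (e.g. "OP_LEGACY_SERVER_CONNECT"); integers are passed
    through unchanged so an option this Python/OpenSSL build does not
    expose by name can still be enabled by value.
    """
    if isinstance(option, bool):
        # bool is a subclass of int; reject it so True/False can't become 1/0.
        raise TypeError("boolean is not a valid TLS/SSL option")
    if isinstance(option, int):
        if option < 0:
            raise ValueError(f"option value must be non-negative, got {option}")
        return option
    name = option.strip()
    if not name.startswith("OP_"):
        raise ValueError(f"{name!r} is not an OP_* option name")
    value = getattr(ssl, name, None)
    if value is None:
        raise ValueError(
            f"{name!r} is not exported by this Python build; "
            "pass its integer value instead"
        )
    return int(value)


def resolve_ctx_options(options: Iterable[Union[str, int]]) -> int:
    """OR every resolved option into one bitmask suitable for SSLContext.options."""
    mask = 0
    for opt in options:
        mask |= resolve_ctx_option(opt)
    return mask


def build_client_context(options: Iterable[Union[str, int]] = ()) -> ssl.SSLContext:
    """Create a client SSLContext with the extra CTX options applied.

    Only bits are added; whatever defaults the interpreter already set on the
    context (OP_NO_SSLv2/3, OP_NO_COMPRESSION, ...) are left in place.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options |= resolve_ctx_options(options)
    return ctx


if __name__ == "__main__":
    # Constructed input: one option by name, one by raw value (4 is the
    # integer form of OP_LEGACY_SERVER_CONNECT on OpenSSL).
    requested = ["OP_NO_COMPRESSION", 4]
    mask = resolve_ctx_options(requested)
    print(f"requested {requested} -> mask {mask:#x}")
    ctx = build_client_context(requested)
    print(f"context options include mask: {(ctx.options & mask) == mask}")
```

The lookup deliberately refuses names outside the OP_* namespace so that an arbitrary ssl attribute (say a constant with an unrelated meaning) cannot be OR'd into the context by mistake; an unknown name produces an error that points the operator at the integer form rather than being silently ignored.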