
Enable TLS/SSL CTX Options for the get_certificate Module #779

Merged: 11 commits merged into ansible-collections:main from the ssl-ctx-options branch on Jul 7, 2024

Conversation

dlehrman
Contributor

@dlehrman dlehrman commented Jul 6, 2024

SUMMARY

Adds an option for TLS/SSL CTX options to the get_certificate module. Accepts both string (e.g. OP_LEGACY_SERVER_CONNECT) and integer (e.g. 4) representations for options as some options can be enabled via integer but not string, depending on the Python and/or OpenSSL/LibreSSL versions.

ISSUE TYPE
  • Feature Pull Request
COMPONENT NAME

get_certificate

ADDITIONAL INFORMATION

I use Ansible to manage various device types (e.g. PDUs, BMCs, etc.), some of which do not support secure renegotiation. For devices that do not support secure renegotiation, depending on the Ansible controller, the get_certificate module was experiencing an SSL failure, though I could still interact with them using GUI web browsers (Chrome, Firefox).

Without manually enabling OP_LEGACY_SERVER_CONNECT (the example endpoint uses a 2048-bit cert, TLSv1.2 / AES128-GCM-SHA256, does not support secure renegotiation, and cannot be changed):

TASK [Get Certificate] ********************************************************************************************************************************
fatal: [REDACTED]: FAILED! => {"changed": false, "msg": "Failed to get cert from REDACTED, error: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:1007)"}

After manually enabling OP_LEGACY_SERVER_CONNECT:

TASK [Get Certificate] ********************************************************************************************************************************
ok: [REDACTED]

Relevant task:

    - name: "Get Certificate"
      community.crypto.get_certificate:
        host: "{{ ipv4_address }}"
        port: "{{ https_port }}"
        asn1_base64: true
        ciphers:
          - HIGH
        ssl_ctx_options: # defaults for my Ansible controller (details below), except for OP_LEGACY_SERVER_CONNECT
          - OP_ALL
          - OP_NO_SSLv3
          - OP_CIPHER_SERVER_PREFERENCE
          - OP_ENABLE_MIDDLEBOX_COMPAT
          - OP_NO_COMPRESSION
          - 4 # OP_LEGACY_SERVER_CONNECT
      register: certificate

Ansible controller properties:

  • Ubuntu 22.04.4 LTS
  • Ansible 2.17.0
  • Python 3.10.6-1~22.04
  • OpenSSL 3.0.2-0ubuntu1.15

Signed-off-by: David Ehrman <[email protected]>
ssl_ctx_options can be a mix of str and int, but `elements: [ str, int ]` made the Ansible doc builder angry.

Signed-off-by: David Ehrman <[email protected]>
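A worked sketch of the string-or-integer option handling the PR describes, added here as an illustration. It is not the get_certificate module's own code: the function names, the validation helper and the sample option list are this example's assumptions. What it relies on from the standard library is that ssl.Options exposes by name every OP_* constant the interpreter's OpenSSL build knows, and that raw integers can be OR'ed in as SSL_OP_* bits (4 being SSL_OP_LEGACY_SERVER_CONNECT, as in the task above).

```python
import ssl
from typing import Iterable, List, Union


def resolve_ctx_option(opt: Union[str, int]) -> ssl.Options:
    """Turn one ssl_ctx_options entry into an ssl.Options flag.

    Strings are looked up by name in ssl.Options, so a name is only accepted
    if this interpreter's ssl module (and the OpenSSL it was built against)
    exports it. Integers are taken as raw SSL_OP_* bit values, which is the
    escape hatch for options the interpreter does not know by name
    (OP_LEGACY_SERVER_CONNECT == 4 has no name before Python 3.12).
    """
    if isinstance(opt, bool):  # bool is an int subclass; True/False are never an option
        raise TypeError("ssl_ctx_options entries must be option names or integers, not booleans")
    if isinstance(opt, int):
        if opt < 0:
            raise ValueError("option bit values must be non-negative: %r" % (opt,))
        return ssl.Options(opt)
    if isinstance(opt, str):
        name = opt.strip()
        member = ssl.Options.__members__.get(name)
        if member is None:
            raise ValueError(
                "%r is not an SSL CTX option known to this Python/OpenSSL build; "
                "pass its integer value instead" % (name,)
            )
        return member
    raise TypeError("unsupported ssl_ctx_options entry: %r" % (opt,))


def validate_ctx_options(opts: Iterable[Union[str, int]]) -> List[str]:
    """Collect one error message per entry that cannot be resolved (empty list if all are fine).

    Hypothetical helper: an Ansible module would feed this to fail_json() before connecting.
    """
    errors = []
    for opt in opts:
        try:
            resolve_ctx_option(opt)
        except (TypeError, ValueError) as exc:
            errors.append(str(exc))
    return errors


def combine_ctx_options(opts: Iterable[Union[str, int]]) -> ssl.Options:
    """OR all entries together into a single ssl.Options bitmask."""
    flags = ssl.Options(0)
    for opt in opts:
        flags |= resolve_ctx_option(opt)
    return flags


def build_client_context(ssl_ctx_options, ciphers=None) -> ssl.SSLContext:
    """Build a TLS client context the way a certificate fetch with explicit options would.

    Verification is disabled on purpose: the goal is to retrieve whatever the
    peer presents, not to validate it (assumed to match get_certificate's intent).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if ciphers:
        ctx.set_ciphers(":".join(ciphers))
    # Python pre-sets OP_NO_SSLv2, OP_NO_SSLv3 and friends; |= only adds bits, never clears any.
    ctx.options |= combine_ctx_options(ssl_ctx_options)
    return ctx


# Constructed input mirroring the task in the PR description: the named options
# resolve on any supported Python, the bare 4 is SSL_OP_LEGACY_SERVER_CONNECT.
OP_LEGACY_SERVER_CONNECT = 4
PR_TASK_OPTIONS = ["OP_ALL", "OP_NO_SSLv3", "OP_CIPHER_SERVER_PREFERENCE",
                   "OP_ENABLE_MIDDLEBOX_COMPAT", "OP_NO_COMPRESSION", OP_LEGACY_SERVER_CONNECT]


def legacy_renegotiation_enabled(ctx: ssl.SSLContext) -> bool:
    """True if the context will finish a handshake with a server lacking RFC 5746 secure renegotiation."""
    return bool(int(ctx.options) & OP_LEGACY_SERVER_CONNECT)


if __name__ == "__main__":
    problems = validate_ctx_options(PR_TASK_OPTIONS)
    if problems:
        raise SystemExit("\n".join(problems))
    ctx = build_client_context(PR_TASK_OPTIONS, ciphers=["HIGH"])
    print("legacy renegotiation allowed:", legacy_renegotiation_enabled(ctx))
    print("options bitmask: 0x%x" % int(ctx.options))
```

Two practical caveats. First, |= only adds bits to the defaults Python already sets on a fresh context, so listing OP_NO_SSLv3 is harmless but redundant, and nothing in this list can weaken a default except by adding a permissive bit such as 4. Second, OP_LEGACY_SERVER_CONNECT deliberately reopens a door: it lets the client complete a handshake with a server that does not implement RFC 5746 secure renegotiation, which OpenSSL 3.0 stopped allowing by default (hence the UNSAFE_LEGACY_RENEGOTIATION_DISABLED error on an OpenSSL 3.0.2 controller). Scope it to the hosts that need it, for instance through host_vars, rather than setting it for every target.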
Contributor

@felixfontein felixfontein left a comment


Thanks for your contribution!


github-actions bot commented Jul 6, 2024

Docs Build 📝

Thank you for your contribution! ✨

This PR has been merged and the docs are now incorporated into main:
https://ansible-collections.github.io/community.crypto/branch/main

dlehrman and others added 2 commits July 6, 2024 15:52
Working on completing application of suggestions

Co-authored-by: Felix Fontein <[email protected]>
@dlehrman dlehrman changed the title from "Enable SSL CTX Options for the get_certificate Module" to "Enable TLS/SSL CTX Options for the get_certificate Module" Jul 6, 2024
@felixfontein felixfontein merged commit 6ba06f2 into ansible-collections:main Jul 7, 2024
145 checks passed
@felixfontein
Contributor

@dlehrman thanks a lot for your contribution!

@dlehrman dlehrman deleted the ssl-ctx-options branch July 7, 2024 20:16