ansible-collections / community.crypto

The community.crypto collection for Ansible.
https://galaxy.ansible.com/ui/repo/published/community/crypto/

Enable TLS/SSL CTX Options for the get_certificate Module #779

Closed dlehrman closed 3 months ago

dlehrman commented 3 months ago
SUMMARY

Adds an option for TLS/SSL CTX options to the get_certificate module. Accepts both string (e.g. OP_LEGACY_SERVER_CONNECT) and integer (e.g. 4) representations for options as some options can be enabled via integer but not string, depending on the Python and/or OpenSSL/LibreSSL versions.

ISSUE TYPE
COMPONENT NAME

get_certificate

ADDITIONAL INFORMATION

I use Ansible to manage various device types (e.g. PDUs, BMCs, etc.), some of which do not support secure renegotiation. For devices that do not support secure renegotiation, depending on the Ansible controller, the get_certificate module was experiencing an SSL failure, though I could still interact with them through GUI web browsers (Chrome, Firefox).

Without manually enabling OP_LEGACY_SERVER_CONNECT (example endpoint uses 2048 bit cert, TLSv1.2 / AES128-GCM-SHA256, does not support secure renegotiation, cannot be changed):

TASK [Get Certificate] ********************************************************************************************************************************
fatal: [REDACTED]: FAILED! => {"changed": false, "msg": "Failed to get cert from REDACTED, error: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:1007)"}

After manually enabling OP_LEGACY_SERVER_CONNECT:

TASK [Get Certificate] ********************************************************************************************************************************
ok: [REDACTED]

Relevant task:

    - name: "Get Certificate"
      community.crypto.get_certificate:
        host: "{{ ipv4_address }}"
        port: "{{ https_port }}"
        asn1_base64: true
        ciphers:
          - HIGH
        ssl_ctx_options: # defaults for my Ansible controller (details below), except for OP_LEGACY_SERVER_CONNECT
          - OP_ALL
          - OP_NO_SSLv3
          - OP_CIPHER_SERVER_PREFERENCE
          - OP_ENABLE_MIDDLEBOX_COMPAT
          - OP_NO_COMPRESSION
          - 4 # OP_LEGACY_SERVER_CONNECT
      register: certificate

Ansible controller properties:
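
As an added example (not the collection's own code, and not necessarily how the module implements it), the Python below shows how a mixed list of option names and integers like the one in the task above can be resolved against the running interpreter's `ssl` module and OR-ed into an `SSLContext`, and how to report names that this Python/OpenSSL build does not know. The helper names and the `TASK_SSL_CTX_OPTIONS` list are constructed for illustration.

```python
import ssl

# Constructed: the ssl_ctx_options list from the task above, mixing names and ints.
TASK_SSL_CTX_OPTIONS = [
    "OP_ALL",
    "OP_NO_SSLv3",
    "OP_CIPHER_SERVER_PREFERENCE",
    "OP_ENABLE_MIDDLEBOX_COMPAT",
    "OP_NO_COMPRESSION",
    4,  # OP_LEGACY_SERVER_CONNECT given numerically (not every build exposes the name)
]


def resolve_ssl_ctx_option(option):
    """Map one option (an ssl.OP_* name or a raw integer bit) to its int value."""
    if isinstance(option, bool):
        raise TypeError("booleans are not valid SSL CTX options")
    if isinstance(option, int):
        if option < 0:
            raise ValueError("SSL CTX option bits must be non-negative")
        return option
    if isinstance(option, str):
        name = option.strip()
        if name.isdigit():  # Ansible may hand over "4" as a string
            return int(name)
        value = getattr(ssl, name, None)
        if value is None or not name.startswith("OP_"):
            raise ValueError(f"unknown SSL CTX option {name!r} for this Python/OpenSSL build")
        return int(value)
    raise TypeError(f"unsupported option type: {type(option).__name__}")


def unsupported_option_names(options):
    """Return the option names this interpreter cannot resolve (ints always pass)."""
    unsupported = []
    for option in options:
        try:
            resolve_ssl_ctx_option(option)
        except ValueError:
            unsupported.append(option)
    return unsupported


def combine_ssl_ctx_options(options):
    """OR every resolved option into a single bitmask."""
    mask = 0
    for option in options:
        mask |= resolve_ssl_ctx_option(option)
    return mask


def build_context(options):
    """Create a default client context and add the requested option bits to it."""
    ctx = ssl.create_default_context()
    ctx.options |= combine_ssl_ctx_options(options)
    return ctx
```

Bit 4 is what the task list adds on top of the controller defaults; `unsupported_option_names` is the check to run before a task fails with an unhelpful SSL error on an older Python.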

github-actions[bot] commented 3 months ago

Docs Build 📝

Thank you for your contribution! ✨

This PR has been merged and the docs are now incorporated into main: https://ansible-collections.github.io/community.crypto/branch/main

felixfontein commented 3 months ago

@dlehrman thanks a lot for your contribution!