ansible-collections / community.general

Ansible Community General Collection
https://galaxy.ansible.com/ui/repo/published/community/general/
GNU General Public License v3.0

Enable Custom Cipher Selection for Redfish Modules #8533

Closed dlehrman closed 1 week ago

dlehrman commented 2 weeks ago
SUMMARY

Adds an option for ciphers to the redfish modules and aligns with the ciphers option of the ansible.builtin.uri and community.crypto.get_certificate modules.

ISSUE TYPE
COMPONENT NAME
ADDITIONAL INFORMATION

I use Ansible to manage various device types (e.g. PDUs, BMCs, etc.) that only support legacy ciphers and/or do not support >2048 bit certificates. For some of these devices, depending on the Ansible controller, the redfish modules were experiencing a handshake failure, though I could still interact with them using CLI or GUI web browsers (curl, Chrome, Firefox).

Without manually setting ciphers (example endpoint uses 2048 bit cert, TLSv1.2 / ECDHE-RSA-AES256-SHA, cannot be changed):

TASK [community.general.redfish_info] ************************************************************************************************************************************************************************************************************
fatal: [REDACTED]: FAILED! => {"changed": false, "msg": "URL Error on GET request to 'https://REDACTED/redfish/v1/': '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1007)'"}

After manually setting ciphers to "HIGH":

TASK [community.general.redfish_info] ************************************************************************************************************************************************************************************************************
ok: [REDACTED]

Relevant task:

    - community.general.redfish_info:
        category: Sessions
        command: GetSessions
        baseuri: "{{ ipv4_address }}"
        username: "{{ username }}"
        password: "{{ password }}"
        ciphers:
          - "HIGH"

Ansible controller properties:

ansibullbot commented 2 weeks ago

cc @TSKushal @bhavya06 @jyundt @mraineri @rajeevkallur @renxulei @tomasg2012 @xmadsen

dlehrman commented 2 weeks ago

The failing CI tests are complaining about FATAL: A Python version was not specified for environment, which seems to be an issue with the CI test configuration.

felixfontein commented 2 weeks ago

> The failing CI tests are complaining about FATAL: A Python version was not specified for environment, which seems to be an issue with the CI test configuration.

ansible-core devel updated their supported platforms (https://github.com/ansible/ansible/commit/dad6f077319d993c0fa440dd426174a54f034c53), I'll need to adjust CI to that...

mraineri commented 2 weeks ago

The code changes themselves look good to me though; thanks for submitting this!

patchback[bot] commented 1 week ago

Backport to stable-9: 💚 backport PR created

✅ Backport PR branch: patchback/backports/stable-9/0d50131d5ea8f1e82948b47daa4828432e5ddacf/pr-8533

Backported as https://github.com/ansible-collections/community.general/pull/8548


felixfontein commented 1 week ago

@dlehrman thanks for your contribution! @mraineri thanks for reviewing!
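
Added example (not part of the pull request or the collection's code): a controller-side check, using only Python's standard `ssl` module, of which TLS 1.2-and-earlier suites a given `ciphers` value configures, so the narrowest value that still covers the device's suite can be chosen instead of a broad alias such as `HIGH`. The helper names are hypothetical, `ssl.create_default_context()` stands in for whatever context the controller builds, and joining list entries with `:` follows the documented behaviour of the `ciphers` option in `ansible.builtin.uri`.

```python
import ssl

# Suite named in the PR description for the example endpoint.
REQUIRED = "ECDHE-RSA-AES256-SHA"


def cipher_string(ciphers):
    """Join a list of cipher specs with ':' (OpenSSL cipher-list syntax)."""
    return ":".join(ciphers) if isinstance(ciphers, (list, tuple)) else ciphers


def enabled_suites(ciphers=None):
    """Return the TLS 1.2-and-earlier suite names configured on a client context.

    ciphers=None keeps this interpreter's defaults. TLS 1.3 suites are
    filtered out because set_ciphers() does not control them.
    """
    ctx = ssl.create_default_context()
    if ciphers:
        try:
            ctx.set_ciphers(cipher_string(ciphers))
        except ssl.SSLError:
            return []  # the string matched no suite in this OpenSSL build
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(ciphers, required=REQUIRED):
    """Summarise whether `required` is configured and how much else comes with it."""
    suites = enabled_suites(ciphers)
    return {
        "required_enabled": required in suites,
        "total": len(suites),
        "others": sorted(s for s in suites if s != required),
    }


if __name__ == "__main__":
    # Compare the interpreter default, the broad alias, and the pinned suite.
    for label, spec in [("default", None), ("HIGH", ["HIGH"]), ("pinned", [REQUIRED])]:
        result = audit(spec)
        print(f"{label:8} required_enabled={result['required_enabled']} "
              f"total={result['total']}")
```

The result depends on the Python and OpenSSL build on the controller, so run it on the controller that shows the handshake failure.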