ansible-collections / community.general

Ansible Community General Collection
https://galaxy.ansible.com/ui/repo/published/community/general/
GNU General Public License v3.0

[PR #8533/0d50131d backport][stable-9] Enable Custom Cipher Selection for Redfish Modules #8548

Closed patchback[bot] closed 1 week ago

patchback[bot] commented 1 week ago

This is a backport of PR #8533 as merged into main (0d50131d5ea8f1e82948b47daa4828432e5ddacf).

SUMMARY

Adds an option for ciphers to the redfish modules and aligns with the ciphers option of the ansible.builtin.uri and community.crypto.get_certificate modules.

ISSUE TYPE
COMPONENT NAME
ADDITIONAL INFORMATION

I use Ansible to manage various device types (e.g. PDUs, BMCs, etc.) that only support legacy ciphers and/or do not support >2048 bit certificates. For some of these devices, depending on the Ansible controller, the redfish modules were experiencing a handshake failure, though I could still interact with them using CLI tools or GUI web browsers (curl, Chrome, Firefox).

Without manually setting ciphers (example endpoint uses 2048 bit cert, TLSv1.2 / ECDHE-RSA-AES256-SHA, cannot be changed):

TASK [community.general.redfish_info] ************************************************************************************************************************************************************************************************************
fatal: [REDACTED]: FAILED! => {"changed": false, "msg": "URL Error on GET request to 'https://REDACTED/redfish/v1/': '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1007)'"}

After manually setting ciphers to "HIGH":

TASK [community.general.redfish_info] ************************************************************************************************************************************************************************************************************
ok: [REDACTED]

Relevant task:

    - community.general.redfish_info:
        category: Sessions
        command: GetSessions
        baseuri: "{{ ipv4_address }}"
        username: "{{ username }}"
        password: "{{ password }}"
        ciphers:
          - "HIGH"

Ansible controller properties:

ansibullbot commented 1 week ago

cc @TSKushal @bhavya06 @jyundt @mraineri @rajeevkallur @renxulei @tomasg2012 @xmadsen
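
One way to check, on a given controller, whether a `ciphers` value actually offers the suite a legacy endpoint needs, and how many other suites it enables alongside it. This is an added example, not code from the PR or the collection; the helper names `tls12_suites` and `audit` are hypothetical, and joining list entries with `:` is assumed to match the `ansible.builtin.uri` behaviour the PR aligns with.

```python
import ssl

# Suite the PR's example endpoint is limited to (taken from the PR text).
LEGACY_SUITE = "ECDHE-RSA-AES256-SHA"


def tls12_suites(ciphers=None):
    """Return the TLS <= 1.2 suite names a client context would offer.

    ciphers: list of OpenSSL cipher strings (assumed to be joined with ':'),
    or None to use this interpreter's Python/OpenSSL defaults.
    """
    ctx = ssl.create_default_context()
    if ciphers:
        # Raises ssl.SSLError when the spec selects no usable suite.
        ctx.set_ciphers(":".join(ciphers))
    # TLS 1.3 suites are configured separately and are always listed; drop them.
    return {c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def audit(ciphers, required=LEGACY_SUITE):
    """Summarise what a ciphers value enables relative to the required suite."""
    try:
        suites = tls12_suites(ciphers)
    except ssl.SSLError as exc:
        return {"valid": False, "error": str(exc)}
    return {
        "valid": True,
        "offers_required": required in suites,
        # Suites enabled beyond the one the device needs.
        "extra_suites": len(suites - {required}),
    }


if __name__ == "__main__":
    # The first row depends on the controller's Python/OpenSSL build.
    for label, spec in [
        ("controller default", None),
        ("ciphers: [HIGH]", ["HIGH"]),
        ("ciphers: [%s]" % LEGACY_SUITE, [LEGACY_SUITE]),
    ]:
        print(label, audit(spec))
```

Comparing the `HIGH` row with the pinned row shows how much wider the offered set becomes; listing only the suite the device requires, per host, keeps the exception as narrow as the hardware allows.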