saltstack / salt

Software to automate the management and configuration of any infrastructure or application at scale. Get access to the Salt software package repository here:
https://repo.saltproject.io/
Apache License 2.0

[BUG] DeprecationWarning: ssl.PROTOCOL_TLS is deprecated #66602

Open RolandRosenfeld opened 1 month ago

RolandRosenfeld commented 1 month ago

Description

With the following state file I always see "DeprecationWarning: ssl.PROTOCOL_TLS is deprecated":

```yaml
r7scanassistant Package:
  pkg.installed:
    - sources:
      - r7scanassistant: https://download2.rapid7.com/download/InsightVM/R7ScanAssistant_amd64.deb
    - allow_updates: True
```

Setup

I try to install and update r7scanassistant package from https download with the above state file.

Doing `salt-call state.apply test=true debian_extras.r7scanassistant` results in the following warning message:

```
/opt/saltstack/salt/lib/python3.10/site-packages/salt/ext/tornado/netutil.py:493: DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
  context = ssl.SSLContext(
local:

Summary for local
------------
Succeeded: 4
Failed:    0
------------
Total states run:     4
Total run time: 173.558 ms
```

Steps to Reproduce the behavior

Running state.apply with the above state file.

Expected behavior

No deprecation warnings.

Versions Report

salt --versions-report (Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)

```yaml
salt-call --versions
Salt Version:
  Salt: 3006.8

Python Version:
  Python: 3.10.14 (main, Apr 3 2024, 21:30:09) [GCC 11.2.0]

Dependency Versions:
  cffi: 1.14.6
  cherrypy: 18.6.1
  dateutil: 2.8.1
  docker-py: Not Installed
  gitdb: Not Installed
  gitpython: Not Installed
  Jinja2: 3.1.3
  libgit2: Not Installed
  looseversion: 1.0.2
  M2Crypto: Not Installed
  Mako: Not Installed
  msgpack: 1.0.2
  msgpack-pure: Not Installed
  mysql-python: Not Installed
  packaging: 22.0
  pycparser: 2.21
  pycrypto: Not Installed
  pycryptodome: 3.19.1
  pygit2: Not Installed
  python-gnupg: 0.4.8
  PyYAML: 6.0.1
  PyZMQ: 23.2.0
  relenv: 0.16.0
  smmap: Not Installed
  timelib: 0.2.4
  Tornado: 4.5.3
  ZMQ: 4.3.4

System Versions:
  dist: ubuntu 22.04.4 jammy
  locale: utf-8
  machine: x86_64
  release: 5.15.0-107-generic
  system: Linux
  version: Ubuntu 22.04.4 jammy
```

Additional context

Changing the "https://" to "http://" seems to work around the issue, so this seems to be triggered by the https download mechanism. Maybe because the server (download2.rapid7.com) supports TLSv1 (not only TLS>=v1.2)?

OrangeDog commented 1 month ago

That server does indeed support TLS 1.0, but that's not a reason to avoid TLS entirely. It should, however, be disabled in the client. Salt should not attempt to negotiate it.
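
Added example (not code from Salt, Tornado, or either commenter): a Python sketch that reproduces the `ssl.PROTOCOL_TLS` deprecation warning from the report and, beside it, builds a client context with `ssl.PROTOCOL_TLS_CLIENT` and a TLS 1.2 floor, one way to keep the client from negotiating TLS 1.0. The function names are hypothetical, and the warning is assumed to come from passing `ssl.PROTOCOL_TLS` to `ssl.SSLContext` on Python 3.10 or later, as the traceback line indicates.

```python
import ssl
import warnings


def build_and_inspect(protocol):
    """Create an SSLContext for `protocol`; return (context, deprecation messages)."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")  # record even if filters would hide it
        ctx = ssl.SSLContext(protocol)
    messages = [str(w.message) for w in caught
                if issubclass(w.category, DeprecationWarning)]
    return ctx, messages


def hardened_client_context():
    """Client context that verifies the server and refuses anything below TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # no DeprecationWarning
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.0/1.1 are never offered
    ctx.load_default_certs()                       # system trust store
    return ctx


def settings(ctx):
    """The context properties that decide what the client will accept."""
    return {
        "check_hostname": ctx.check_hostname,
        "verify_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "minimum_version": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    # Legacy constructor: warns on Python 3.10+, and verifies nothing by default.
    legacy, legacy_warnings = build_and_inspect(ssl.PROTOCOL_TLS)
    print("legacy  :", settings(legacy), legacy_warnings)
    print("hardened:", settings(hardened_client_context()))
```

The legacy constructor also defaults to no certificate or hostname verification, so replacing it changes more than the warning; a caller that relied on that default needs its trust store checked before the switch.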