Hi Stephen and Ansible People,
I am sorry, I am afraid my feedback was not correct enough.
The trick with the custom OpenSSL config file defined as an environment
variable in the Ansible playbook helped me achieve the goal: to access the
legacy devices with Ansible. However, to do so, I still used "curl"
executed in "ansible.builtin.shell". Initially, the default OpenSSL config
did not work for some of my devices using "curl" either, as legacy TLS
renegotiation (UnsafeLegacyRenegotiation) is disabled by default.
Therefore, I assumed that the very same approach should work similarly for
"ansible.builtin.uri". However, today, once I started rewriting the
playbook, to replace "curl" with "ansible.builtin.uri", I learned that it
is not the case. In fact, the handshake fails:
"msg": "Status code was -1 and not [200]: Request failed: <urlopen
error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure
(_ssl.c:1000)>",
"redirected": false,
"status": -1,
Below is my test playbook:
-----BEGIN PLAYBOOK-----
- name: Query legacy boxes
  hosts: legacyboxes
  gather_facts: false
  connection: local
  environment:
    OPENSSL_CONF: /etc/ssl/openssl-unsafe.cnf
  tasks:
    - name: GET the home page
      ansible.builtin.uri:
        url: https://{{ ansible_host }}
-----END PLAYBOOK-----
And my custom OpenSSL config (/etc/ssl/openssl-unsafe.cnf) is defined as:
-----BEGIN OPENSSL_CONF-----
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=0
Options = UnsafeLegacyRenegotiation
-----END OPENSSL_CONF-----
In the packet dumps I see that "ansible.builtin.uri" still announces only
TLS versions 1.2 and 1.3:
-----BEGIN PACKET DUMP-----
Extension: supported_versions (len=5) TLS 1.3, TLS 1.2
Type: supported_versions (43)
Length: 5
Supported Versions length: 4
Supported Version: TLS 1.3 (0x0304)
Supported Version: TLS 1.2 (0x0303)
-----END PACKET DUMP-----
While "curl" expectedly sends the minimal TLS version 1.0:
-----BEGIN PACKET DUMP-----
Extension: supported_versions (len=9) TLS 1.3, TLS 1.2, TLS 1.1, TLS 1.0
Type: supported_versions (43)
Length: 9
Supported Versions length: 8
Supported Version: TLS 1.3 (0x0304)
Supported Version: TLS 1.2 (0x0303)
Supported Version: TLS 1.1 (0x0302)
Supported Version: TLS 1.0 (0x0301)
-----END PACKET DUMP-----
I am really sorry for the confusion caused.
Thank you.
Garri
On Wednesday, August 7, 2024 at 1:48:01 PM UTC+2 Stephen Maher wrote:
> Good feedback and thanks Garri (and not Caroline, apologies!) - hopefully
> someone will find this answer more easily in the future
>
> Regards
>
> On 7 Aug 2024, at 12:24, Garri Djavadyan <[email protected]> wrote:
>
> Hi Stephan,
>
> Thank you for your answer!
>
> It took a few weeks for my question to be approved actually: I did not
> even expect it would be published eventually. :)
>
> Yes, the method you mentioned works pretty well as I had to go with that
> approach 2 weeks ago.
>
> Sorry I could not mention the solution earlier as my initial question (Jul
> 24) came only today (Aug 7).
>
> Again, thank you.
>
> Regards,
> Garri
>
> On Wednesday, August 7, 2024 at 12:54:48 PM UTC+2 Stephen Maher wrote:
>
>> Hi Caroline,
>>
>> In the past where I have had issues here I have created a custom SSL
>> config. I think many forget that it's possible to customise the SSL config
>> in this way, and this can solve some of the issues where the SSL config in
>> controller or execution environment is not quite right for your outcome.
>>
>> i.e.
>>
>> - name: Get stuff
>>   environment:
>>     OPENSSL_CONF: /path/to/your/custom/openssl.cnf
>>   ansible.builtin.uri:
>>     ….
>>
>> And within the SSL config set MinProtocol & CipherString or update in
>> Protocol.
>>
>> I should think this will help.
>>
>> Regards
>>
>> Steve Maher
>>
>>
>> On 23 Jul 2024, at 23:19, Garri Djavadyan <[email protected]> wrote:
>>
>> ansible.builtin.uri
>>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/8111b62b-fb5f-468e-8c8b-f6765b7cfc71n%40googlegroups.com
>
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/9840db4c-6df4-461e-ac13-462d24ac16adn%40googlegroups.com.