Hi

Hacking Ansible to make it work with its native uri module may work, but it will likely make the hack go under the radar. Since it is already a security-lowering snowflake, IMHO it is good to make this explicit by having it done in a custom shell/command. It is simple, easy, and makes it very clear what is going on for this specific device.
On Thu, 15 Aug 2024 at 23:31, Garri Djavadyan <[email protected]> wrote:

> Hi Walter,
>
> > Your system may not allow older TLS connections.
>
> Exactly, and this is why I currently have to use a custom weakened
> openssl.cnf by the curl-based Ansible playbook. However, the environment
> variable OPENSSL_CONF, referring to the custom OpenSSL config, is ignored
> when I use "ansible.builtin.uri". Actually, "ansible.builtin.uri" even
> ignores my OpenSSL config located in the default path /etc/ssl/openssl.cnf
> on my Debian 12.6 system:
>
> -----BEGIN SHELL-----
> $ cat /etc/ssl/openssl.cnf
> openssl_conf = openssl_init
>
> [openssl_init]
> ssl_conf = ssl_sect
>
> [ssl_sect]
> system_default = system_default_sect
>
> [system_default_sect]
> MinProtocol = TLSv1
> CipherString = DEFAULT@SECLEVEL=0
> Options = UnsafeLegacyRenegotiation
>
>
> $ ansible-playbook -vvv test.yml
> ...
> "msg": "Status code was -1 and not [200]: Request failed: <urlopen error
> [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure
> (_ssl.c:1000)>",
> ...
> -----END SHELL-----
>
> Thank you.
>
> Regards,
> Garri
>
> On Thursday, August 15, 2024 at 1:15:22 PM UTC+2 Rowe, Walter P. (Fed)
> wrote:
>
>> Check your system settings. Your system may not allow older TLS
>> connections. TLS 1.0 is compromised and therefore no longer allowed by many
>> systems.
>>
>> What platform is your control host?
>>
>> Walter
>> --
>> Walter Rowe, Division Chief
>> Infrastructure Services Division
>> Mobile: 202.355.4123
>>
>> On Aug 15, 2024, at 5:00 AM, Garri Djavadyan <[email protected]> wrote:
>>
>> Hi Steve,
>>
>> > Did you try with SECLEVEL=0 ?
>>
>> Yes, I did. However, the result is the same: Ansible controller is not
>> happy with the bare TLS 1.0 reply from the legacy box:
>>
>> "msg": "Status code was -1 and not [200]: Request failed: <urlopen error
>> [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1000)>"
>>
>>
>> - name: Query legacy boxes
>>   hosts: legacyboxes
>>   gather_facts: false
>>   connection: local
>>   tasks:
>>     - name: GET the home page
>>       ansible.builtin.uri:
>>         url: https://{{ ansible_host }}
>>         ciphers:
>>           - 'DEFAULT@SECLEVEL=0'
>>
>>
>> Again, ciphers-wise, the setup is fine, but I do not think it is possible
>> to enforce the minimum TLS protocol version with the cipher string.
>>
>> Thank you.
>>
>> Regards,
>> Garri
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Ansible Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/ansible-project/85e58522-271e-45aa-832a-8a2a7c6b5a38n%40googlegroups.com
>> .
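One way to put the "explicit shell/command" suggestion above into a play: the weakened OpenSSL settings live in the play itself, are written to a per-run temp file on the controller, reach only the curl call through OPENSSL_CONF, and are deleted afterwards. This is an added example, not code from any poster in the thread; the `legacyboxes` group name comes from the thread, while curl being installed on the controller and the temp-file handling are assumptions.

```yaml
# Added example: keep the TLS 1.0 / SECLEVEL=0 exception visible in the play
# itself instead of weakening the controller-wide /etc/ssl/openssl.cnf.
# Assumptions (not from the thread): curl on the controller and a "legacyboxes"
# group; the config text is the thread's MinProtocol/CipherString lines.
- name: Query legacy boxes over TLS 1.0 (explicit, scoped exception)
  hosts: legacyboxes
  gather_facts: false
  connection: local
  vars:
    # Scoped OpenSSL config: only this play, only these hosts, nothing system-wide.
    legacy_openssl_cnf: |
      openssl_conf = openssl_init
      [openssl_init]
      ssl_conf = ssl_sect
      [ssl_sect]
      system_default = system_default_sect
      [system_default_sect]
      MinProtocol = TLSv1
      CipherString = DEFAULT@SECLEVEL=0
  tasks:
    - name: Create a per-run temp file for the weakened OpenSSL config
      ansible.builtin.tempfile:
        state: file
        suffix: -legacy-openssl.cnf
      register: legacy_cnf
      run_once: true

    - name: Write the weakened config (controller only, owner-readable)
      ansible.builtin.copy:
        content: "{{ legacy_openssl_cnf }}"
        dest: "{{ legacy_cnf.path }}"
        mode: "0600"
      run_once: true

    - name: GET the home page; weakened TLS applies only via OPENSSL_CONF here
      ansible.builtin.command:
        argv: [curl, --silent, --show-error, --fail, --tlsv1.0, --max-time, "15", "https://{{ ansible_host }}/"]
      environment:
        OPENSSL_CONF: "{{ legacy_cnf.path }}"
      register: legacy_page
      changed_when: false

    - name: Remove the weakened config as soon as the queries are done
      ansible.builtin.file:
        path: "{{ legacy_cnf.path }}"
        state: absent
      run_once: true
```

Keep the config to what the device actually needs; add `Options = UnsafeLegacyRenegotiation` from the thread's config only if the handshake still fails without it, and note in `ansible-playbook` output which hosts ran this play so the exception stays auditable.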
