Hi Dick, Walter, and all,

Dick, I totally agree that patching Ansible to support insecure protocols should be discouraged in general, and I am totally fine with continuing to use my current curl-based playbook until the legacy devices are decommissioned. I was just curious if it would be possible to use 'ansible.builtin.uri' in an unsafe OpenSSL context without touching the Ansible code.

Walter, as far as I know, the Linux kernel's TLS sockets (ktls) [1] only provide encryption offloading capabilities to the user space libraries, such as OpenSSL. As far as I can see, the handshake still should be handled by the user space library. As far as I know, 'ansible.builtin.uri' depends on the Python standard library's 'urllib' [2], which depends on the 'ssl' module [3], also from the standard library. The latter depends on the user space OpenSSL library. Also, as I mentioned before, I can successfully talk to my legacy devices using "curl" and the loosened OpenSSL configuration that I shared earlier, from the same Debian 12.6 system. Therefore, I do not think the kernel prohibits 'uri' from negotiating TLS 1.0 connections.

Thank you.

Regards,
Garri

[1] https://www.kernel.org/doc/html/latest/networking/tls.html
[2] https://github.com/ansible/ansible/blob/v2.17.3/lib/ansible/module_utils/urls.py#L54
[3] https://docs.python.org/3/library/ssl.html

On Fri, 2024-08-16 at 11:13 +0000, 'Rowe, Walter P. (Fed)' via Ansible Project wrote:
> If the kernel / OS won't allow lowering the TLS then a custom
> openssl.conf likely won't either. You can't override the kernel / OS
> to lower security.
>
> Walter
> --
> Walter Rowe, Division Chief
> Infrastructure Services Division
> Mobile: 202.355.4123
>
> > On Aug 16, 2024, at 5:23 AM, Dick Visser <[email protected]> wrote:
> >
> > Hi
> >
> > Hacking ansible to make it work with its native uri module may
> > work, but it will likely make the hack go under the radar.
> >
> > Since it is already a security lowering snowflake, IMHO it is good
> > to make this explicit by having it done in a custom shell/command.
> > It is simple, easy, and makes it very clear what is going on for
> > this specific device.
> >
> > On Thu, 15 Aug 2024 at 23:31, Garri Djavadyan <[email protected]> wrote:
> > > Hi Walter,
> > >
> > > > Your system may not allow older TLS connections.
> > >
> > > Exactly, and this is why I currently have to use a custom
> > > weakened openssl.cnf by the curl-based Ansible playbook. However,
> > > the environment variable OPENSSL_CONF, referring to the custom
> > > OpenSSL config, is ignored when I use "ansible.builtin.uri".
> > > Actually, "ansible.builtin.uri" even ignores my OpenSSL config
> > > located in the default path /etc/ssl/openssl.cnf on my Debian
> > > 12.6 system:
> > >
> > > -----BEGIN SHELL-----
> > > $ cat /etc/ssl/openssl.cnf
> > > openssl_conf = openssl_init
> > >
> > > [openssl_init]
> > > ssl_conf = ssl_sect
> > >
> > > [ssl_sect]
> > > system_default = system_default_sect
> > >
> > > [system_default_sect]
> > > MinProtocol = TLSv1
> > > CipherString = DEFAULT@SECLEVEL=0
> > > Options = UnsafeLegacyRenegotiation
> > >
> > > $ ansible-playbook -vvv test.yml
> > > ...
> > > "msg": "Status code was -1 and not [200]: Request failed:
> > > <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert
> > > handshake failure (_ssl.c:1000)>",
> > > ...
> > > -----END SHELL-----
> > >
> > > Thank you.
> > >
> > > Regards,
> > > Garri
> > >
> > > On Thursday, August 15, 2024 at 1:15:22 PM UTC+2 Rowe, Walter P. (Fed) wrote:
> > > > Check your system settings. Your system may not allow older TLS
> > > > connections. TLS 1.0 is compromised and therefore no longer
> > > > allowed by many systems.
> > > >
> > > > What platform is your control host?
> > > >
> > > > Walter
> > > > --
> > > > Walter Rowe, Division Chief
> > > > Infrastructure Services Division
> > > > Mobile: 202.355.4123
> > > >
> > > > > On Aug 15, 2024, at 5:00 AM, Garri Djavadyan <[email protected]> wrote:
> > > > >
> > > > > Hi Steve,
> > > > >
> > > > > > Did you try with SECLEVEL=0 ?
> > > > >
> > > > > Yes, I did. However, the result is the same: the Ansible
> > > > > controller is not happy with the bare TLS 1.0 reply from the
> > > > > legacy box:
> > > > >
> > > > > "msg": "Status code was -1 and not [200]: Request failed:
> > > > > <urlopen error [SSL: UNSUPPORTED_PROTOCOL] unsupported
> > > > > protocol (_ssl.c:1000)>"
> > > > >
> > > > > - name: Query legacy boxes
> > > > >   hosts: legacyboxes
> > > > >   gather_facts: false
> > > > >   connection: local
> > > > >   tasks:
> > > > >     - name: GET the home page
> > > > >       ansible.builtin.uri:
> > > > >         url: https://{{ ansible_host }}
> > > > >         ciphers:
> > > > >           - 'DEFAULT@SECLEVEL=0'
> > > > >
> > > > > Again, ciphers-wise, the setup is fine, but I do not think it
> > > > > is possible to enforce the minimum TLS protocol version with
> > > > > the cipher string.
> > > > >
> > > > > Thank you.
> > > > >
> > > > > Regards,
> > > > > Garri
> > > > >
> > > > > --
> > > > > You received this message because you are subscribed to the
> > > > > Google Groups "Ansible Project" group.
> > > > > To unsubscribe from this group and stop receiving emails from
> > > > > it, send an email to [email protected].
> > > > > To view this discussion on the web visit
> > > > > https://groups.google.com/d/msgid/ansible-project/85e58522-271e-45aa-832a-8a2a7c6b5a38n%40googlegroups.com
> > > > > .
> > >
> > > --
> > > You received this message because you are subscribed to the
> > > Google Groups "Ansible Project" group.
> > > To unsubscribe from this group and stop receiving emails from it,
> > > send an email to [email protected].
> > > To view this discussion on the web visit
> > > https://groups.google.com/d/msgid/ansible-project/fe2f9e80-a54e-4ffc-87f1-bdfe8788c858n%40googlegroups.com
> > > .

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/9cda0f58e659cd8470945e833926da98af841cb1.camel%40gmail.com.
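The thread's open question is why a MinProtocol line in openssl.cnf reaches curl but never reaches ansible.builtin.uri, and whether the kernel plays any part. The script below is an added diagnostic, not code from any of the posts and not part of Ansible: it inspects the ssl.SSLContext that Python's ssl module builds for urllib on the control host and separates the two settings the posts conflate, the protocol floor (set through the API, which overrides the config file's default) and the cipher string (which never touches the floor). The one fact it relies on beyond the thread is that Python 3.10 and later set the default SSLContext floor to TLS 1.2 at creation; the mapping from openssl.cnf version spellings ("TLSv1", "TLSv1.2") to ssl.TLSVersion members is an assumption of this example.

```python
"""Why an openssl.cnf MinProtocol line does not reach ansible.builtin.uri.

Added diagnostic for this thread; not code from the posts or from Ansible.
It inspects the ssl.SSLContext that Python's ssl module (and therefore
urllib and the uri module) builds, and checks the protocol floor and the
cipher string independently of what /etc/ssl/openssl.cnf says.
"""
import os
import ssl
import sys

# openssl.cnf MinProtocol spellings -> ssl.TLSVersion members (assumed mapping).
NAME_TO_VERSION = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def context_allows(ctx, name):
    """True if the context's [minimum_version, maximum_version] window admits `name`.

    MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are sentinels meaning "no bound set
    in code", so they are treated as open ends of the window.
    """
    want = NAME_TO_VERSION[name]
    lo, hi = ctx.minimum_version, ctx.maximum_version
    low_ok = lo == ssl.TLSVersion.MINIMUM_SUPPORTED or want >= lo
    high_ok = hi == ssl.TLSVersion.MAXIMUM_SUPPORTED or want <= hi
    return low_ok and high_ok


def default_context_report():
    """What urllib (and uri) get from ssl.create_default_context() on this host.

    minimum_version is read back from OpenSSL, so it reflects the floor the
    ssl module set at context creation (TLS 1.2 on Python 3.10 and later),
    not the MinProtocol line of whatever openssl.cnf OPENSSL_CONF points at.
    """
    ctx = ssl.create_default_context()
    return {
        "python": sys.version.split()[0],
        "openssl": ssl.OPENSSL_VERSION,
        "OPENSSL_CONF": os.environ.get("OPENSSL_CONF"),  # informational only
        "minimum_version": ctx.minimum_version.name,
        "maximum_version": ctx.maximum_version.name,
        "allows": {n: context_allows(ctx, n) for n in NAME_TO_VERSION},
    }


def floor_after_explicit_set(name):
    """Set the floor through the API and read it back.

    Assigning SSLContext.minimum_version calls SSL_CTX_set_min_proto_version,
    and an explicit API call replaces the system_default value from the
    config file. Returns (floor before, floor after) as enum names.
    """
    ctx = ssl.create_default_context()
    before = ctx.minimum_version.name
    ctx.minimum_version = NAME_TO_VERSION[name]
    return before, ctx.minimum_version.name


def cipher_string_moves_floor(cipher):
    """Does a cipher string (e.g. the thread's DEFAULT@SECLEVEL=0) change the floor?

    Returns False when the floor is unchanged, or when this OpenSSL build
    rejects the string outright. The cipher list and the protocol version
    window are separate settings, which is why the playbook's `ciphers:`
    option cannot select a protocol version on its own.
    """
    ctx = ssl.create_default_context()
    before = ctx.minimum_version
    try:
        ctx.set_ciphers(cipher)
    except ssl.SSLError:
        return False
    return ctx.minimum_version != before


if __name__ == "__main__":
    for key, value in default_context_report().items():
        print(f"{key}: {value}")
    print("floor before/after explicit TLSv1.2:", floor_after_explicit_set("TLSv1.2"))
    print("DEFAULT@SECLEVEL=0 moved the floor:",
          cipher_string_moves_floor("DEFAULT@SECLEVEL=0"))
```

Run it on the control host with and without OPENSSL_CONF exported: the reported minimum_version does not change, which is the observable behind both error messages in the thread, and nothing in the output depends on the kernel. That also makes a useful audit check in the other direction: an inventory of control hosts can be scanned for any Python whose default context still has an open floor (MINIMUM_SUPPORTED), which is where a weakened openssl.cnf would silently apply to every module using urllib.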
