Hi Dick, Walter, and all, Dick, I totally agree that patching Ansible to support insecure protocols should be discouraged in general, and I am totally fine to continue using my current curl-based playbook until the legacy devices are decommissioned. I was just curious if it would be possible to use 'ansible.builtin.uri' in an unsafe OpenSSL context without touching the Ansible code.
Walter, as far as I know, Linux kernel's TLS sockets (ktls) [1] only provide encryption offloading capabilities to the user space libraries, such as OpenSSL. As far as I can see, the handshake still should be handled by the user space library. As far as I know, 'ansible.builtin.uri' depends on the Python standard library's 'urllib' [2], which depends on the 'ssl' module [3], also from the standard library. The latter, depends on the user space OpenSSL library. Also, as I mentioned before, I can successfully talk to my legacy devices using "curl" and loosened OpenSSL configuration, that I shared earlier, from the same Debian 12.6 system. Therefore, I do not think the kernel prohibits 'uri' from negotiating TLS 1.0 connections. Thank you. Regards, Garri [1] https://www.kernel.org/doc/html/latest/networking/tls.html [2] https://github.com/ansible/ansible/blob/v2.17.3/lib/ansible/module_utils/urls.py#L54 [3] https://docs.python.org/3/library/ssl.html On Fri, 2024-08-16 at 11:13 +0000, 'Rowe, Walter P. (Fed)' via Ansible Project wrote: > If the kernel / OS won't allow lowering the TLS then a custom > openssl.conf likely won't either. You can't override the kernel / OS > to lower security. > > Walter > -- > Walter Rowe, Division Chief > Infrastructure Services Division > Mobile: 202.355.4123 > > > On Aug 16, 2024, at 5:23 AM, Dick Visser <dnmvis...@gmail.com> > > wrote: > > > > > > > > > > > > Hii > > > > Hacking ansible to make it work with its native uri module may > > work, but it will likely make the hack go under the radar. > > > > > > Since it is already a security lowering snowflake, IMHO it is good > > to make this explicit by having it done in a custom shell/command. > > It is simple, easy, and makes it very clear what is going on for > > this specific device. > > > > > > > > > > On Thu, 15 Aug 2024 at 23:31, Garri Djavadyan > > <g.djavad...@gmail.com> wrote: > > > Hi Walter, > > > > > > > Your system may not allow older TLS connections. > > > > > > Exactly, and this is why I currently have to use a custom > > > weakened openssl.cnf by the curl-based Ansible playbook. However, > > > the environment variable OPENSSL_CONF, referring to the custom > > > OpenSSL config, is ignored when I use "ansible.builtin.uri". > > > Actually, "ansible.builtin.uri" even ignores by OpenSSL config > > > located in the default path /etc/ssl/openssl.cnf on my Debian > > > 12.6 system: > > > > > > -----BEGIN SHELL----- > > > $ cat /etc/ssl/openssl.cnf > > > openssl_conf = openssl_init > > > > > > [openssl_init] > > > ssl_conf = ssl_sect > > > > > > [ssl_sect] > > > system_default = system_default_sect > > > > > > [system_default_sect] > > > MinProtocol = TLSv1 > > > CipherString = DEFAULT@SECLEVEL=0 > > > Options = UnsafeLegacyRenegotiation > > > > > > > > > $ ansible-playbook -vvv test.yml > > > ... > > > "msg": "Status code was -1 and not [200]: Request failed: > > > <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert > > > handshake failure (_ssl.c:1000)>", > > > ... > > > -----END SHELL----- > > > > > > > > > Thank you. > > > > > > Regards, > > > Garri > > > > > > > > > > > > On Thursday, August 15, 2024 at 1:15:22 PM UTC+2 Rowe, Walter P. > > > (Fed) wrote: > > > > Check your system settings. Your system may not allow older TLS > > > > connections. TLS 1.0 is compromised and therefore no longer > > > > allowed by many systems. > > > > > > > > What platform is your control host? > > > > > > > > Walter > > > > -- > > > > Walter Rowe, Division Chief > > > > Infrastructure Services Division > > > > Mobile: 202.355.4123 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > On Aug 15, 2024, at 5:00 AM, Garri Djavadyan > > > > > <g.dja...@gmail.com> wrote: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Hi Steve, > > > > > > > > > > > Did you try with SECLEVEL=0 ? > > > > > > > > > > Yes, I did. However, the result is the same: Ansible > > > > > controller is not happy with the bare TLS 1.0 reply from the > > > > > legacy box: > > > > > > > > > > "msg": "Status code was -1 and not [200]: Request failed: > > > > > <urlopen error [SSL: UNSUPPORTED_PROTOCOL] unsupported > > > > > protocol (_ssl.c:1000)>" > > > > > > > > > > > > > > > - name: Query legacy boxes > > > > > hosts: legacyboxes > > > > > gather_facts: false > > > > > connection: local > > > > > tasks: > > > > > - name: GET the home page > > > > > ansible.builtin.uri: > > > > > url: https://{{ ansible_host }} > > > > > ciphers: > > > > > - 'DEFAULT@SECLEVEL=0' > > > > > > > > > > > > > > > Again, ciphers-wise, the setup is fine, but I do not think it > > > > > is possible to enforce the minimum TLS protocol version with > > > > > the cipher string. > > > > > > > > > > Thank you. > > > > > > > > > > Regards, > > > > > Garri > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > You received this message because you are subscribed to the > > > > > Google Groups "Ansible Project" group. > > > > > To unsubscribe from this group and stop receiving emails from > > > > > it, send an email toansible-proje...@googlegroups.com. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > To view this discussion on the web visit > > > > > https://groups.google.com/d/msgid/ansible-project/85e58522-271e-45aa-832a-8a2a7c6b5a38n%40googlegroups.com > > > > > . > > > > > > > > > > > > > > -- > > > You received this message because you are subscribed to the > > > Google Groups "Ansible Project" group. > > > To unsubscribe from this group and stop receiving emails from it, > > > send an email toansible-project+unsubscr...@googlegroups.com. > > > To view this discussion on the web visit > > > https://groups.google.com/d/msgid/ansible-project/fe2f9e80-a54e-4ffc-87f1-bdfe8788c858n%40googlegroups.com > > > . > > > > > -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/9cda0f58e659cd8470945e833926da98af841cb1.camel%40gmail.com.
