Hi Everyone,

I believe I found the reason why the Python binaries supplied by the
Debian team are not affected. It is well explained in Debian bug
report #1026802 [1]:

"Starting with Python 3.10, with the default configuration
("--with-ssl-default-suites=python"), Python not only enforces its own
cipher list but also requires TLS1.2 as a minimal protocol version."


I checked both Python versions, supplied by Debian and Python, and see
that the former indeed sticks to OpenSSL defaults:

-----BEGIN debian:bookworm-slim-----
$ python3 -m sysconfig | egrep -o 'with-ssl\S+'
with-ssl-default-suites=openssl'

$ python3 -m sysconfig | grep DEFAULT_CIPHERS
        PY_SSL_DEFAULT_CIPHERS = "2"
-----END debian:bookworm-slim-----

-----BEGIN python:3-slim-----
$ python3 -m sysconfig | egrep -o 'with-ssl\S+'
$

$ python3 -m sysconfig | grep DEFAULT_CIPHERS
        PY_SSL_DEFAULT_CIPHERS = "1"
-----END python:3-slim-----


Below are some details from the "ssl" module sources [2] about the
macro PY_SSL_DEFAULT_CIPHERS:

-----BEGIN C-----
#elif PY_SSL_DEFAULT_CIPHERS == 1
/* Python custom selection of sensible cipher suites
 * @SECLEVEL=2: security level 2 with 112 bits minimum security (e.g. 2048 bits RSA key)
 * ECDH+*: enable ephemeral elliptic curve Diffie-Hellman
 * DHE+*: fallback to ephemeral finite field Diffie-Hellman
 * encryption order: AES AEAD (GCM), ChaCha AEAD, AES CBC
 * !aNULL:!eNULL: really no NULL ciphers
 * !aDSS: no authentication with discrete logarithm DSA algorithm
 * !SHA1: no weak SHA1 MAC
 * !AESCCM: no CCM mode, it's uncommon and slow
 *
 * Based on Hynek's excellent blog post (update 2021-02-11)
 * https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
 */
  #define PY_SSL_DEFAULT_CIPHER_STRING "@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM"
  #ifndef PY_SSL_MIN_PROTOCOL
    #define PY_SSL_MIN_PROTOCOL TLS1_2_VERSION
  #endif
#elif PY_SSL_DEFAULT_CIPHERS == 2
/* Ignored in SSLContext constructor, only used as _ssl.DEFAULT_CIPHER_STRING */
  #define PY_SSL_DEFAULT_CIPHER_STRING SSL_DEFAULT_CIPHER_LIST
-----END C-----


Now it is totally clear why the default OpenSSL config file
"/etc/ssl/openssl.cnf" and the environment variable OPENSSL_CONF are
ignored by the officially distributed Python binaries.

And yes, @Stephen, OPENSSL_CONF set in Ansible playbooks is very well
respected by "ansible.builtin.uri" at least in the environments with
Python versions distributed by the Debian team.

Thank you everyone who contributed to this thread!


Regards,
Garri


[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026802
[2] https://github.com/python/cpython/blob/main/Modules/_ssl.c
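
An added example (not from the thread or from CPython) that maps the PY_SSL_DEFAULT_CIPHERS value reported by `python3 -m sysconfig` to the defaults the _ssl.c macros above select, and compares that with what the running interpreter's ssl module actually applies; the function names and the cnf_defaults_survive field are assumptions made for this example, and "survive" refers only to the CipherString/MinProtocol defaults from openssl.cnf.

```python
"""Added example: classify a CPython build by PY_SSL_DEFAULT_CIPHERS and
check the running interpreter's ssl defaults against that classification."""
import ssl
import sysconfig

# Cipher string quoted from Modules/_ssl.c for PY_SSL_DEFAULT_CIPHERS == 1.
PYTHON_CIPHER_STRING = (
    "@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:"
    "!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM"
)


def classify_build(py_ssl_default_ciphers):
    """Describe what the SSLContext constructor forces for this build value.
    Values 1 and 2 are the ones discussed in the thread; anything else is
    reported as unknown rather than guessed."""
    value = None
    if py_ssl_default_ciphers is not None:
        # sysconfig may return an int, '1' or '"1"' depending on the build.
        value = str(py_ssl_default_ciphers).strip().strip('"')
    if value == "1":
        # --with-ssl-default-suites=python (upstream default since 3.10):
        # Python's own cipher string and a TLS 1.2 floor are set explicitly,
        # so CipherString/MinProtocol from openssl.cnf are overridden.
        return {"suites": "python", "cipher_string": PYTHON_CIPHER_STRING,
                "min_protocol": ssl.TLSVersion.TLSv1_2,
                "cnf_defaults_survive": False}
    if value == "2":
        # --with-ssl-default-suites=openssl (Debian): nothing is forced in
        # the constructor, so OpenSSL's own defaults and openssl.cnf apply.
        return {"suites": "openssl", "cipher_string": None,
                "min_protocol": None, "cnf_defaults_survive": True}
    return {"suites": "unknown", "cipher_string": None,
            "min_protocol": None, "cnf_defaults_survive": None}


def inspect_runtime():
    """Combine the build classification with live facts from the ssl module."""
    report = classify_build(sysconfig.get_config_var("PY_SSL_DEFAULT_CIPHERS"))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    report["runtime_min_protocol"] = ctx.minimum_version
    # ssl._DEFAULT_CIPHERS mirrors PY_SSL_DEFAULT_CIPHER_STRING from _ssl.c.
    report["runtime_cipher_string"] = getattr(ssl, "_DEFAULT_CIPHERS", None)
    report["runtime_seclevel2"] = "@SECLEVEL=2" in (report["runtime_cipher_string"] or "")
    return report


if __name__ == "__main__":
    for key, val in inspect_runtime().items():
        print(f"{key:24} {val}")
```

Running it inside python:3-slim and debian:bookworm-slim side by side shows the "python" versus "openssl" classification together with the minimum_version and cipher string each interpreter really applies.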


On Mon, 19 Aug 2024 10:37 Garri Djavadyan <g.djavad...@gmail.com> wrote:

> Hi Dick,
>
> Indeed, the problem is only manifested when OS-independent Python 3 is
> used. Even though Python 3.12.5 is supplied with the python:3-slim image,
> I see the same issues with the python:3.11.2-slim image.
>
> I do not see any issues when I install ansible-core into the OS-managed Python
> environment in Debian 12. It seems to me that the Debian team applied some
> local patches to the upstream Python distribution to make it work. Some
> more investigation is needed, of course.
>
> Thank you.
>
> Regards,
> Garri
>
> On Mon, 19 Aug 2024 09:53 Dick Visser <dnmvis...@gmail.com> wrote:
>
>>
>> On Mon, 19 Aug 2024 at 00:51, Garri Djavadyan <g.djavad...@gmail.com>
>> wrote:
>>
>>> Then it seems indeed a local problem of mine. In my case, Ansible is
>>> executed in a Docker container python:3-slim, which is based on
>>> debian:bookworm-slim. Within the container, 'ansible==10.*' is
>>> installed into a normal user's directory with pip, and Ansible commands
>>> are executed on behalf of that normal user.
>>
>>
>> I can confirm things also work OK in a debian:bookworm-slim container.
>> So I guess there must be something specific with the python container....
>>
>> Dick
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Ansible Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to ansible-project+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/ansible-project/CAF8BbLYWvgdmAPwSYz5%3DG8pKKPc7XWJzOjMaFyqj19aVGXrAtw%40mail.gmail.com
>> <https://groups.google.com/d/msgid/ansible-project/CAF8BbLYWvgdmAPwSYz5%3DG8pKKPc7XWJzOjMaFyqj19aVGXrAtw%40mail.gmail.com?utm_medium=email&utm_source=footer>
>> .
>>
>
