get_url module does not validate certificates for protocol TLSv1 #6904
Comments
I updated using the template. Thanks, @ansibot. You're awesome!
I'm going to go with your second method, using wrap_socket(). It seems easier than trying to iterate over a few protocol options and we won't have to extend it in the future.
The above patch should resolve the issue for you. If you continue seeing any problems related to this, or if you had any further questions regarding this issue, please let us know. Thanks!
@feanil no, we do not backport patches to previous stable branches. You can, however, work around your issue simply by using the - debug: msg="Y={{Y|int}}" - debug: msg="Y JSON={{ Y |int| to_json }}" If you have any further questions, please let us know by stopping by one of the two mailing lists, as appropriate:
Because this project is very active, we're unlikely to see comments made on closed tickets, but the mailing list is a great way to ask questions, or post if you don't think this particular issue is resolved. Thank you!
There seems to be a problem where ansible get_url cannot validate certificates (ansible/ansible#6904). It looks like this is fixed in Ansible 1.9 (ansible/ansible@d240d07), so once we move to 1.9 we can use HTTPS in get_url.
Issue Type:
Bug Report
Ansible Version:
ansible 1.6
Environment:
Ubuntu 12.04 LTS
(Linux precise64 3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux)
Summary:
When using the get_url module to connect to a host that does not support SSL version ssl.PROTOCOL_SSLv23 but does support ssl.PROTOCOL_TLSv1, then the validation of the server's certificate will fail because the default ssl_version for ssl.get_server_certificates() is ssl.PROTOCOL_SSLv23.
See sample code included in this issue for a demonstration of the issue and a potential fix.
Steps To Reproduce:
Attempt to create a task that uses the get_url module to download a file from a server that only supports TLSv1:
Expected Results:
The file at https://getcomposer.org/installer should be downloaded to /tmp/composer_installer
Actual Results:
The task fails and reports that it "Failed to validate the SSL certificate for getcomposer.org:443":
Below is sample code that demonstrates the issue, with the setup code borrowed from ansible/lib/ansible/module_utils/urls.py. The code also demonstrates a fix that works for both ssl.PROTOCOL_SSLv23 and ssl.PROTOCOL_TLSv1 by using SSLSocket to validate the server certificate and not trying to do the handshake (which will fail on SSL version mismatch).
I could probably submit a pull request with a fix for the SSLValidationHandler class, if the SSLSocket technique is a preferred fix.
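The failure mode reported above, a protocol mismatch surfacing as "Failed to validate the SSL certificate", can be avoided by validating through a wrapped socket and classifying the error. This is an added example, not part of the original issue or Ansible's code: it uses the Python 3 standard library, and `make_context`, `check_server`, `start_plaintext_server` and the TLS 1.2 floor are assumptions made for the illustration.

```python
import socket
import ssl
import threading


def make_context(cafile=None):
    """Verifying client context; the protocol version is negotiated, not pinned."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # floor chosen for this example
    return ctx


def check_server(host, port, ctx=None, timeout=5.0):
    """Return (status, detail) so callers never report a handshake or
    protocol problem as a certificate validation failure."""
    ctx = ctx or make_context()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "connect_failed", str(exc)
    try:
        # Handshake and certificate verification happen inside wrap_socket().
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "ok", tls.version()
    except ssl.SSLCertVerificationError as exc:  # must precede SSLError (its parent)
        return "cert_invalid", exc.verify_message
    except (ssl.SSLError, OSError) as exc:       # version mismatch, non-TLS peer, reset
        return "handshake_failed", str(exc)
    finally:
        sock.close()


def start_plaintext_server():
    """Constructed test peer: accepts one connection and answers without TLS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

A caller that maps only `cert_invalid` to a certificate error message keeps a handshake failure from being misread as an untrusted certificate.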