Hi Steve,

Thank you for your comments.

> Have you seen that the uri module has a ciphers verb as per below.

Yes, I checked it before but did not play with it as it only allows setting 
ciphers. Anyway, I tried it and saw that the handshake moved further. 
Namely, once I allow TLS 1.0 compatible ciphers with the string 
'DEFAULT@SECLEVEL=2' for the 'uri' module, the Ansible controller starts 
including the TLS 1.0 compatible cipher suite TLS_RSA_WITH_AES_256_CBC_SHA 
(0x0035) in the Client Hello. As a result, the legacy side now replies with 
Server Hello (not TLS Alert as before). However, the Ansible controller now 
initiates the TLS Alert as it does not see TLS version extensions in the 
reply:

Transport Layer Security
    TLSv1 Record Layer: Alert (Level: Fatal, Description: Protocol Version)
        Content Type: Alert (21)
        Version: TLS 1.2 (0x0303)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Protocol Version (70)

This is the corresponding Ansible error message:

"msg": "Status code was -1 and not [200]: Request failed: <urlopen error 
[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1000)>"

To summarise, what I see is that 'DEFAULT@SECLEVEL=2' enables TLS 1.0 
compatible cipher suites but does not allow using the legacy protocol 
itself.

Thank you.

Regards,
Garri
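As an added illustration, not part of this thread: the Python snippet below decodes the alert record quoted above and checks, against the local OpenSSL build, what 'DEFAULT@SECLEVEL=2' changes when applied through ssl.SSLContext.set_ciphers (assumed here to be what the uri module's ciphers option calls) and what it leaves untouched, namely the context's minimum protocol version.

```python
import ssl

# Constructed bytes of the record shown in the message: content type 21
# (Alert), version 0x0303, length 2, level 2 (fatal), description 70.
CAPTURED_ALERT = bytes.fromhex("15 03 03 00 02 02 46")

ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version"}


def parse_alert(record: bytes) -> dict:
    """Decode a TLS record that carries an alert and return its fields."""
    if len(record) < 7 or record[0] != 21:
        raise ValueError("not a TLS alert record")
    version = int.from_bytes(record[1:3], "big")
    length = int.from_bytes(record[3:5], "big")
    if length != 2 or len(record) < 5 + length:
        raise ValueError("malformed alert record")
    level, desc = record[5], record[6]
    return {
        "version": version,
        "level": "fatal" if level == 2 else "warning",
        "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
    }


def inspect_cipher_string(cipher_string: str) -> dict:
    """Apply a cipher string via set_ciphers (assumed to mirror the uri
    module's 'ciphers' option) and report the two independent knobs:
    which suites are offered and which minimum protocol version is enforced.
    """
    ctx = ssl.create_default_context()
    min_before = ctx.minimum_version
    ctx.set_ciphers(cipher_string)
    names = {c["name"] for c in ctx.get_ciphers()}
    return {
        # OpenSSL name of TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
        "offers_aes256_sha": "AES256-SHA" in names,
        # set_ciphers never touches the protocol floor
        "minimum_version_changed": ctx.minimum_version != min_before,
        "minimum_version": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    print(parse_alert(CAPTURED_ALERT))
    print(inspect_cipher_string("DEFAULT@SECLEVEL=2"))
```

The second function shows why the cipher string alone cannot fix the handshake: the legacy suite is offered, but the version check that produced the protocol_version alert is governed by minimum_version, which the string does not change.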

On Wednesday, August 14, 2024 at 3:03:22 PM UTC+2 Stephen Maher wrote:

> Hi Garri,
>
> Have you seen that the uri module has a ciphers verb as per below.
>
>
> https://github.com/ansible/ansible/blob/devel/lib/ansible/modules/uri.py
> https://github.com/ansible/ansible/pull/78650
>
> - name: Provide SSL/TLS ciphers as a list
>   uri:
>     url: https://example.org
>     ciphers:
>       - '@SECLEVEL=2'
>
>
> Regards
>
> Steve Maher
>
> On 13 Aug 2024, at 11:44, Garri Djavadyan <g.dja...@gmail.com> wrote:
>
> SECLEVEL
>
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.