Re: [ansible-project] Choosing Cipher In openssl_privatekey Module With Cryptography Back End

2020-06-02 Thread B.H.

 I missed that; thank you.  That was super helpful.

--
You received this message because you are subscribed to the Google Groups "Ansible 
Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/81c5999d-091f-d7c8-67ba-4a225ab1d932%40redhat.com.


Re: [ansible-project] Choosing Cipher In openssl_privatekey Module With Cryptography Back End

2020-06-02 Thread 'Felix Fontein' via Ansible Project
Hi,

> > the reason is that cryptography (https://cryptography.io/en/latest/)
> > only supports two states: unencrypted, and encrypted with its own
> > choice of algorithm ("best available algorithm"):
> > https://cryptography.io/en/latest/hazmat/primitives/asymmetric/serialization/#serialization-encryption-types
> >  
> 
>   Thank you, Felix!  I guess I'll have to submit a pull
> request[1]. Is there a particular reason Ansible is deprecating
> pyOpenSSL?  It seems it has more features and is still an active
> project[2].  (The last change was not too long ago in November 2019.)

well, there's the big fat note in
https://github.com/pyca/pyopenssl/blob/master/README.rst:

> **Note:** The Python Cryptographic Authority **strongly suggests** the
> use of pyca/cryptography where possible. If you are using pyOpenSSL for
> anything other than making a TLS connection **you should move to
> cryptography and drop your pyOpenSSL dependency**.

Besides that, working with pyOpenSSL is really not that much fun. I'd
rather get rid of the pyOpenSSL backends yesterday than somewhen in the
future...

Cheers,
Felix




Re: [ansible-project] Choosing Cipher In openssl_privatekey Module With Cryptography Back End

2020-06-02 Thread B.H.

On 2020-06-02 14:47 UTC-05:00, 'Felix Fontein' via Ansible Project wrote:

> the reason is that cryptography (https://cryptography.io/en/latest/)
> only supports two states: unencrypted, and encrypted with its own
> choice of algorithm ("best available algorithm"):
> https://cryptography.io/en/latest/hazmat/primitives/asymmetric/serialization/#serialization-encryption-types


 Thank you, Felix!  I guess I'll have to submit a pull request[1].
 Is there a particular reason Ansible is deprecating pyOpenSSL?  It 
seems it has more features and is still an active project[2].  (The last 
change was not too long ago in November 2019.)



[1] https://github.com/pyca/cryptography/pulls

[2] https://www.pyopenssl.org/en/stable/changelog.html



Re: [ansible-project] Choosing Cipher In openssl_privatekey Module With Cryptography Back End

2020-06-02 Thread 'Felix Fontein' via Ansible Project
Hi,

> With the pyOpenSSL back end of the openssl_privatekey module
> deprecated in Ansible 2.9, a colleague started looking at the
> cryptography back end. According to the documentation:
> 
> openssl_privatekey – Generate OpenSSL private keys
> [https://docs.ansible.com/ansible/latest/modules/openssl_privatekey_module.html]
> 
> ...the "cipher" parameter must be set to "auto" when using the
> cryptography back end.  There does not seem to be a way, using the
> cryptography back end, to specify the cipher used to encrypt the
> private key.
> 
> Does anybody know why?  I don't see that as a feature request:
> 
> [https://github.com/ansible/ansible/issues?q=is%3Aissue+is%3Aopen+openssl_privatekey]
> 
> ...so should I file one?  Thanks!

the reason is that cryptography (https://cryptography.io/en/latest/)
only supports two states: unencrypted, and encrypted with its own
choice of algorithm ("best available algorithm"):
https://cryptography.io/en/latest/hazmat/primitives/asymmetric/serialization/#serialization-encryption-types

Cheers,
Felix
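
The two serialization states described in the reply above, as an added example that is not part of the original thread and not the Ansible module's own code. It assumes the `cryptography` package is installed; the passphrase is constructed and the helper names (`to_pem`, `describe`, `round_trips`) are hypothetical. It reads the PEM text to show what the library chose.

```python
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa

PASSPHRASE = b"constructed-example-passphrase"  # constructed sample value
FORMATS = {
    "pkcs8": serialization.PrivateFormat.PKCS8,
    "traditional": serialization.PrivateFormat.TraditionalOpenSSL,
}

def generate_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def to_pem(key, fmt, passphrase=None):
    """Serialize using one of the two encryption types the library offers."""
    if passphrase is None:
        encryption = serialization.NoEncryption()
    else:
        # No cipher argument exists here: the library picks the algorithm.
        encryption = serialization.BestAvailableEncryption(passphrase)
    return key.private_bytes(serialization.Encoding.PEM, FORMATS[fmt], encryption)

def describe(pem):
    """Report what the PEM text itself reveals about how the key is protected."""
    lines = pem.decode("ascii").splitlines()
    label = lines[0].strip("-").replace("BEGIN ", "", 1)
    dek_info = None
    for line in lines[1:]:
        if line.startswith("DEK-Info:"):
            # Traditional OpenSSL PEM names the chosen cipher in this header.
            dek_info = line.split(":", 1)[1].strip().split(",")[0]
    encrypted = label.startswith("ENCRYPTED") or dek_info is not None
    return {"label": label, "dek_info": dek_info, "encrypted": encrypted}

def round_trips(pem, passphrase, key):
    """True if the PEM decrypts back to the same private key."""
    loaded = serialization.load_pem_private_key(pem, password=passphrase)
    return loaded.private_numbers() == key.private_numbers()

if __name__ == "__main__":
    key = generate_key()
    for fmt in FORMATS:
        for passphrase in (None, PASSPHRASE):
            pem = to_pem(key, fmt, passphrase)
            print(fmt, describe(pem), round_trips(pem, passphrase, key))
```

For PKCS8 output the algorithm is recorded inside the DER structure rather than in a text header, so `dek_info` stays `None` there even when the key is encrypted.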

