From b0004915145aca37c7e638cc86b6f5d1ed9676d2 Mon Sep 17 00:00:00 2001
From: dlehrman
Date: Fri, 10 Feb 2023 15:01:13 -0500
Subject: [PATCH] Support Custom Cipher Selection (#571) * Enable custom cipher selection for get_certificate * get_certificate ciphers desc grammar fix Co-authored-by: Felix Fontein * get_certificate ciphers desc grammar fix Co-authored-by: Felix Fontein * get_certificate ciphers include version_added Co-authored-by: Felix Fontein * Add changelog fragment * Fail if ciphers is set and Python < 2.7.9 * Standardize ciphers conditionals in get_certificate Co-authored-by: Felix Fontein
---------
Co-authored-by: Felix Fontein
---
 .../571_get_certificate_ciphers.yaml | 2 ++
 plugins/modules/get_certificate.py | 19 +++++++++++++++++++
 2 files changed, 21 insertions(+)
 create mode 100644 changelogs/fragments/571_get_certificate_ciphers.yaml
diff --git a/changelogs/fragments/571_get_certificate_ciphers.yaml b/changelogs/fragments/571_get_certificate_ciphers.yaml
new file mode 100644
index 00000000..17201fb8
--- /dev/null
+++ b/changelogs/fragments/571_get_certificate_ciphers.yaml
@@ -0,0 +1,2 @@
+minor_changes:
+- get_certificate - adds ``ciphers`` option for custom cipher selection (https://github.com/ansible-collections/community.crypto/pull/571).
diff --git a/plugins/modules/get_certificate.py b/plugins/modules/get_certificate.py
index 6ccfae51..066930b0 100644
--- a/plugins/modules/get_certificate.py
+++ b/plugins/modules/get_certificate.py
@@ -81,6 +81,16 @@ options:
 type: str
 default: auto
 choices: [ auto, cryptography ]
+ ciphers:
+ description:
+ - SSL/TLS Ciphers to use for the request.
+ - 'When a list is provided, all ciphers are joined in order with C(:).'
+ - See the L(OpenSSL Cipher List Format,https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html#CIPHER-LIST-FORMAT)
+ for more details.
+ - The available ciphers is dependent on the Python and OpenSSL/LibreSSL versions.
+ type: list
+ elements: str
+ version_added: 2.11.0
 notes:
 - When using ca_cert on OS X it has been reported that in some conditions the validate will always succeed.
@@ -247,6 +257,7 @@ def main():
 timeout=dict(type='int', default=10),
 select_crypto_backend=dict(type='str', choices=['auto', 'cryptography'], default='auto'),
 starttls=dict(type='str', choices=['mysql']),
+ ciphers=dict(type='list', elements='str'),
 ),
 )
@@ -258,6 +269,7 @@ def main():
 timeout = module.params.get('timeout')
 server_name = module.params.get('server_name')
 start_tls_server_type = module.params.get('starttls')
+ ciphers = module.params.get('ciphers')
 backend = module.params.get('select_crypto_backend')
 if backend == 'auto':
@@ -294,6 +306,9 @@ def main():
 if proxy_host:
 module.fail_json(msg='To use proxy_host, you must run the get_certificate module with Python 2.7 or newer.',
 exception=CREATE_DEFAULT_CONTEXT_IMP_ERR)
+ if ciphers is not None:
+ module.fail_json(msg='To use ciphers, you must run the get_certificate module with Python 2.7 or newer.',
+ exception=CREATE_DEFAULT_CONTEXT_IMP_ERR)
 try:
 # Note: get_server_certificate does not support SNI!
 cert = get_server_certificate((host, port), ca_certs=ca_cert)
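Review bot: The description of the new `ciphers` option overstates what the setting controls: `SSLContext.set_ciphers()` configures the cipher list for TLS 1.2 and earlier only, and TLS 1.3 cipher suites are not restricted by it in Python's ssl module, so a handshake can still negotiate a TLS 1.3 suite the user did not list; this applies equally to the `ctx.set_ciphers(ciphers_joined)` call in the last hunk. Add a description bullet such as `- This option only affects TLS 1.2 and earlier; TLS 1.3 cipher suites cannot be restricted through it.` so users do not rely on it as a TLS 1.3 policy control. The last bullet also has a grammar slip: `- The available ciphers depend on the Python and OpenSSL/LibreSSL versions.`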
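Review bot: The new fail_json message in the `@@ -294,6 +306,9 @@` hunk says "Python 2.7 or newer", but the branch it sits in appears to be taken when create_default_context cannot be imported, which the commit title itself pins to Python 2.7.9; consider `msg='To use ciphers, you must run the get_certificate module with Python 2.7.9 or newer.'`. The proxy_host message just above carries the same imprecision, so both could be aligned in the same change. The enclosing conditional and the rest of main() lie outside the hunk.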
@@ -325,6 +340,10 @@ def main():
 if start_tls_server_type is not None:
 send_starttls_packet(sock, start_tls_server_type)
+ if ciphers is not None:
+ ciphers_joined = ":".join(ciphers)
+ ctx.set_ciphers(ciphers_joined)
+
 cert = ctx.wrap_socket(sock, server_hostname=server_name or host).getpeercert(True)
 cert = DER_cert_to_PEM_cert(cert)
 except Exception as e:
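Review bot: `ctx.set_ciphers(ciphers_joined)` runs only after the socket is connected and any STARTTLS exchange has been sent, so an invalid or unsupported cipher string (which makes set_ciphers raise ssl.SSLError, including for an empty list that joins to `""`) surfaces from the `except Exception` handler below as a generic failure after a completed network round-trip. Configuring the context right after it is created, before the connection is opened (that creation is outside this hunk), would fail fast with no traffic sent and keep the error attributable to the option rather than to the peer; the temporary could then be inlined as `ctx.set_ciphers(":".join(ciphers))`. A short why-comment above the call, e.g. `# set_ciphers governs TLS <= 1.2 only; TLS 1.3 suites are not restricted by it`, would also save the next reader a trip to the ssl docs. main() continues outside the hunk.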