Support Custom Cipher Selection (#571)

* Enable custom cipher selection for get_certificate * get_certificate ciphers desc grammar fix Co-authored-by: Felix Fontein <felix@fontein.de> * get_certificate ciphers desc grammar fix Co-authored-by: Felix Fontein <felix@fontein.de> * get_certificate ciphers include version_added Co-authored-by: Felix Fontein <felix@fontein.de> * Add changelog fragment * Fail if ciphers is set and Python < 2.7.9 * Standardize ciphers conditionals in get_certificate Co-authored-by: Felix Fontein <felix@fontein.de> --------- Co-authored-by: Felix Fontein <felix@fontein.de>
2023-02-10 15:01:13 -05:00 · 2023-02-10 15:01:13 -05:00 · b000491514
parent 70c4585b88
commit b000491514
2 changed files with 21 additions and 0 deletions
--- a/changelogs/fragments/571_get_certificate_ciphers.yaml
+++ b/changelogs/fragments/571_get_certificate_ciphers.yaml
@ -0,0 +1,2 @@
+minor_changes:
+- get_certificate - adds ``ciphers`` option for custom cipher selection (https://github.com/ansible-collections/community.crypto/pull/571).
--- a/plugins/modules/get_certificate.py
+++ b/plugins/modules/get_certificate.py
@ -81,6 +81,16 @@ options:
      type: str
      default: auto
      choices: [ auto, cryptography ]
+    ciphers:
+      description:
+        - SSL/TLS Ciphers to use for the request.
+        - 'When a list is provided, all ciphers are joined in order with C(:).'
+        - See the L(OpenSSL Cipher List Format,https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html#CIPHER-LIST-FORMAT)
+          for more details.
+        - The available ciphers is dependent on the Python and OpenSSL/LibreSSL versions.
+      type: list
+      elements: str
+      version_added: 2.11.0

 notes:
    - When using ca_cert on OS X it has been reported that in some conditions the validate will always succeed.
@ -247,6 +257,7 @@ def main():
            timeout=dict(type='int', default=10),
            select_crypto_backend=dict(type='str', choices=['auto', 'cryptography'], default='auto'),
            starttls=dict(type='str', choices=['mysql']),
+            ciphers=dict(type='list', elements='str'),
        ),
    )

@ -258,6 +269,7 @@ def main():
    timeout = module.params.get('timeout')
    server_name = module.params.get('server_name')
    start_tls_server_type = module.params.get('starttls')
+    ciphers = module.params.get('ciphers')

    backend = module.params.get('select_crypto_backend')
    if backend == 'auto':
@ -294,6 +306,9 @@ def main():
        if proxy_host:
            module.fail_json(msg='To use proxy_host, you must run the get_certificate module with Python 2.7 or newer.',
                             exception=CREATE_DEFAULT_CONTEXT_IMP_ERR)
+        if ciphers is not None:
+            module.fail_json(msg='To use ciphers, you must run the get_certificate module with Python 2.7 or newer.',
+                             exception=CREATE_DEFAULT_CONTEXT_IMP_ERR)
        try:
            # Note: get_server_certificate does not support SNI!
            cert = get_server_certificate((host, port), ca_certs=ca_cert)
@ -325,6 +340,10 @@ def main():
            if start_tls_server_type is not None:
                send_starttls_packet(sock, start_tls_server_type)

+            if ciphers is not None:
+                ciphers_joined = ":".join(ciphers)
+                ctx.set_ciphers(ciphers_joined)
+
            cert = ctx.wrap_socket(sock, server_hostname=server_name or host).getpeercert(True)
            cert = DER_cert_to_PEM_cert(cert)
        except Exception as e: