From b59846b9fa55e6aa2932d2599ec149b24a398af2 Mon Sep 17 00:00:00 2001
From: Ajpantuso
Date: Sun, 15 Aug 2021 09:40:54 -0400
Subject: [PATCH] get_certificate - add starttls option with support for mysql (#264)
* Initial commit
* Adding changelog fragment
* Applying initial review suggestion
---
 ...64-get_certificate-add-starttls-option.yml | 4 +++
 plugins/modules/get_certificate.py | 27 +++++++++++++++++++
 2 files changed, 31 insertions(+)
 create mode 100644 changelogs/fragments/264-get_certificate-add-starttls-option.yml
diff --git a/changelogs/fragments/264-get_certificate-add-starttls-option.yml b/changelogs/fragments/264-get_certificate-add-starttls-option.yml
new file mode 100644
index 00000000..adccd978
--- /dev/null
+++ b/changelogs/fragments/264-get_certificate-add-starttls-option.yml
@@ -0,0 +1,4 @@
+---
+minor_changes:
+ - get_certificate - added ``starttls`` option to retrieve certificates from servers which require clients to request
+ an encrypted connection (https://github.com/ansible-collections/community.crypto/pull/264).
diff --git a/plugins/modules/get_certificate.py b/plugins/modules/get_certificate.py
index bcc5e7d7..3fd5fb90 100644
--- a/plugins/modules/get_certificate.py
+++ b/plugins/modules/get_certificate.py
@@ -50,6 +50,14 @@ options:
 - Proxy port used when get a certificate.
 type: int
 default: 8080
+ starttls:
+ description:
+ - Requests a secure connection for protocols which require clients to initiate encryption.
+ - Only available for C(mysql) currently.
+ type: str
+ choices:
+ - mysql
+ version_added: 1.9.0
 timeout:
 description:
 - The timeout in seconds 
@@ -209,6 +217,20 @@ else:
 CRYPTOGRAPHY_FOUND = True
+def send_starttls_packet(sock, server_type):
+ if server_type == 'mysql':
+ ssl_request_packet = (
+ b'\x20\x00\x00\x01\x85\xae\x7f\x00' +
+ b'\x00\x00\x00\x01\x21\x00\x00\x00' +
+ b'\x00\x00\x00\x00\x00\x00\x00\x00' +
+ b'\x00\x00\x00\x00\x00\x00\x00\x00' +
+ b'\x00\x00\x00\x00'
+ )
+
+ sock.recv(8192) # discard initial handshake from server for this naive implementation
+ sock.send(ssl_request_packet)
+
+
 def main():
 module = AnsibleModule(
 argument_spec=dict(
@@ -220,6 +242,7 @@ def main():
 server_name=dict(type='str'),
 timeout=dict(type='int', default=10),
 select_crypto_backend=dict(type='str', choices=['auto', 'pyopenssl', 'cryptography'], default='auto'),
+ starttls=dict(type='str', choices=['mysql']),
 ),
 )
@@ -230,6 +253,7 @@ def main():
 proxy_port = module.params.get('proxy_port')
 timeout = module.params.get('timeout')
 server_name = module.params.get('server_name')
+ start_tls_server_type = module.params.get('starttls')
 backend = module.params.get('select_crypto_backend')
 if backend == 'auto':
@@ -305,6 +329,9 @@ def main():
 ctx.check_hostname = False
 ctx.verify_mode = CERT_NONE
+ if start_tls_server_type is not None:
+ send_starttls_packet(sock, start_tls_server_type)
+
 cert = ctx.wrap_socket(sock, server_hostname=server_name or host).getpeercert(True)
 cert = DER_cert_to_PEM_cert(cert)
 except Exception as e:
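Review bot: `send_starttls_packet` discards the server greeting with `sock.recv(8192)` without checking that anything arrived or that the server advertises TLS, so a closed connection (empty read) or a server without the `CLIENT_SSL` capability only surfaces later as an opaque `wrap_socket` failure at the call site in the `@@ -305,6 +329,9 @@` hunk; the capability word in the Handshake V10 payload should be checked first and a clear error raised. `sock.send` can also write only part of the 36-byte request on a slow or non-blocking socket, so `sock.sendall` is the right call, and the silent fall-through for any `server_type` other than `'mysql'` should raise instead of doing nothing. The hard-coded literal deserves a comment naming its fields — a 4-byte MySQL packet header (length `0x20`, sequence `1`), then the client capability flags `\x85\xae\x7f\x00`, the max packet size, the charset byte `\x21` and 23 reserved zero bytes. The rewrite below needs `import struct` in the module's import block, which is outside this hunk.

```python
CLIENT_SSL = 0x0800  # MySQL capability flag: server accepts an SSL request packet


def send_starttls_packet(sock, server_type):
    """Ask an already-connected plaintext socket to switch to TLS for server_type.

    Raises ValueError when the server type is unsupported, the greeting is
    missing or truncated, or the server does not advertise TLS support.
    """
    if server_type != 'mysql':
        raise ValueError('Unsupported starttls server type: %s' % server_type)

    greeting = sock.recv(8192)
    # Handshake V10: 4-byte packet header, protocol version byte (0x0a),
    # NUL-terminated server version, 4-byte connection id, 8 bytes of auth
    # data, 1 filler byte, then the low 16 bits of the capability flags.
    if len(greeting) < 5 or greeting[4:5] != b'\x0a':
        raise ValueError('Did not receive a MySQL Handshake V10 greeting')
    payload = greeting[4:]
    caps_offset = payload.index(b'\x00', 1) + 1 + 4 + 8 + 1
    if len(payload) < caps_offset + 2:
        raise ValueError('Truncated MySQL handshake greeting')
    caps_low = struct.unpack_from('<H', payload, caps_offset)[0]
    if not caps_low & CLIENT_SSL:
        raise ValueError('MySQL server does not advertise TLS support')

    # … unchanged: ssl_request_packet literal (4-byte header: length 0x20, seq 1;
    # then client capability flags, max packet size, charset 0x21, 23 reserved bytes) …
    sock.sendall(ssl_request_packet)
```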