get_certificate - add starttls option with support for mysql (#264)

* Initial commit

* Adding changelog fragment

* Applying initial review suggestion
pull/265/head
Ajpantuso 2021-08-15 09:40:54 -04:00 committed by GitHub
parent c9ec463893
commit b59846b9fa
2 changed files with 31 additions and 0 deletions


@ -0,0 +1,4 @@
---
minor_changes:
- get_certificate - added ``starttls`` option to retrieve certificates from servers which require clients to request
an encrypted connection (https://github.com/ansible-collections/community.crypto/pull/264).


@ -50,6 +50,14 @@ options:
- Proxy port used when get a certificate. - Proxy port used when get a certificate.
type: int type: int
default: 8080 default: 8080
starttls:
description:
- Requests a secure connection for protocols which require clients to initiate encryption.
- Only available for C(mysql) currently.
type: str
choices:
- mysql
version_added: 1.9.0
timeout: timeout:
description: description:
- The timeout in seconds - The timeout in seconds
@ -209,6 +217,20 @@ else:
CRYPTOGRAPHY_FOUND = True CRYPTOGRAPHY_FOUND = True
def send_starttls_packet(sock, server_type):
if server_type == 'mysql':
ssl_request_packet = (
b'\x20\x00\x00\x01\x85\xae\x7f\x00' +
b'\x00\x00\x00\x01\x21\x00\x00\x00' +
b'\x00\x00\x00\x00\x00\x00\x00\x00' +
b'\x00\x00\x00\x00\x00\x00\x00\x00' +
b'\x00\x00\x00\x00'
)
sock.recv(8192) # discard initial handshake from server for this naive implementation
sock.send(ssl_request_packet)
def main(): def main():
module = AnsibleModule( module = AnsibleModule(
argument_spec=dict( argument_spec=dict(
@ -220,6 +242,7 @@ def main():
server_name=dict(type='str'), server_name=dict(type='str'),
timeout=dict(type='int', default=10), timeout=dict(type='int', default=10),
select_crypto_backend=dict(type='str', choices=['auto', 'pyopenssl', 'cryptography'], default='auto'), select_crypto_backend=dict(type='str', choices=['auto', 'pyopenssl', 'cryptography'], default='auto'),
starttls=dict(type='str', choices=['mysql']),
), ),
) )
@ -230,6 +253,7 @@ def main():
proxy_port = module.params.get('proxy_port') proxy_port = module.params.get('proxy_port')
timeout = module.params.get('timeout') timeout = module.params.get('timeout')
server_name = module.params.get('server_name') server_name = module.params.get('server_name')
start_tls_server_type = module.params.get('starttls')
backend = module.params.get('select_crypto_backend') backend = module.params.get('select_crypto_backend')
if backend == 'auto': if backend == 'auto':
@ -305,6 +329,9 @@ def main():
ctx.check_hostname = False ctx.check_hostname = False
ctx.verify_mode = CERT_NONE ctx.verify_mode = CERT_NONE
if start_tls_server_type is not None:
send_starttls_packet(sock, start_tls_server_type)
cert = ctx.wrap_socket(sock, server_hostname=server_name or host).getpeercert(True) cert = ctx.wrap_socket(sock, server_hostname=server_name or host).getpeercert(True)
cert = DER_cert_to_PEM_cert(cert) cert = DER_cert_to_PEM_cert(cert)
except Exception as e: except Exception as e:
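Review bot: In send_starttls_packet the greeting read by `sock.recv(8192)` is never checked and the request goes out via `sock.send`, which may write fewer bytes than the packet, so a peer that closed the connection or is not speaking MySQL is only noticed later as an opaque handshake error from `wrap_socket`. I would use `if not sock.recv(8192): raise Exception('server closed the connection before sending its handshake')` and `sock.sendall(ssl_request_packet)`; a single recv may also return only part of the greeting on a slow link, which the "naive implementation" comment should state. The fixed 32-byte payload presumably carries the client capability flags including the SSL bit, so a short docstring such as `"""Send a MySQL SSLRequest packet after discarding the server greeting; assumes the server advertises SSL support."""` would tell the next maintainer what the bytes mean and what is not validated. The function silently does nothing for an unrecognised server_type; since `argument_spec` restricts it to `mysql` that is acceptable, but a comment noting the coupling would help. The `ctx.verify_mode = CERT_NONE` context and the `except Exception` handler around the call are outside this hunk.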