Fixes #25402 - bad handshake failure

[aurelienmaury]

SUMMARY

This is a patch candidate for the #25402 issue.

This modifies the PROTOCOL floor value in urls.py, so that modules like get_url could validate certificates for website accepting only TLSv1_2 and no less.

ISSUE TYPE

• Bugfix Pull Request

COMPONENT NAME

module_utils/urls.py

ANSIBLE VERSION

ansible 2.3.1.0
  config file =
  configured module search path = Default w/o overrides
  python version = 2.7.13 (default, Jan 19 2017, 14:48:08) [GCC 6.3.0 20170118]

ADDITIONAL INFORMATION

• BEFORE

ansible -m get_url -a "url=https://releases.hashicorp.com dest=/tmp/hashicorp_index.html" localhost
 [WARNING]: Host file not found: /etc/ansible/hosts

 [WARNING]: provided hosts list is empty, only localhost is available

localhost | FAILED! => {
    "changed": false,
    "failed": true,
    "msg": "Failed to validate the SSL certificate for releases.hashicorp.com:443. Make sure your managed systems have a valid CA certificate installed. You can use validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not recommended. Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible. The exception msg was: (\"bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert protocol version')],)\",)."
}

• AFTER

ansible -m get_url -a "url=https://releases.hashicorp.com dest=/tmp/hashicorp_index.html" localhost
 [WARNING]: Host file not found: /etc/ansible/hosts

 [WARNING]: provided hosts list is empty, only localhost is available

localhost | SUCCESS => {
    "changed": true,
    "checksum_dest": null,
    "checksum_src": "afdac380532e75798fa0afc46d06d3cd0a9e6b84",
    "dest": "/tmp/hashicorp_index.html",
    "gid": 0,
    "group": "root",
    "md5sum": "e978f533ad1eefc5110b6354760e12f5",
    "mode": "0644",
    "msg": "OK (7998 bytes)",
    "owner": "root",
    "size": 7998,
    "src": "/tmp/tmpRL_auy",
    "state": "file",
    "status_code": 200,
    "uid": 0,
    "url": "https://releases.hashicorp.com"
}

[aurelienmaury]

Hi @nitzmahone sorry to bother, but I think there is a lack with this PR's labels: like stated in the description, it clearly affects 2.3, I have not even tested with 2.4.

[alikins]

possibly related to #31998 ?

[jctanner]

@aurelienmaury the bot uses the version of the "devel" branch at time of submission to flag the "affects_x.x" labels for PRs. Your PR would not have been merged into the 2.3 branch unless a backport had been requested or you submitted the PR against the 2.3 branch.

[sivel]

This will need more branches. Mac does not include ssl.PROTOCOL_TLSv1_2.

python -c 'import ssl; ssl.PROTOCOL_TLSv1_2'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
AttributeError: 'module' object has no attribute 'PROTOCOL_TLSv1_2'

So although it has HAS_SSLCONTEXT v1_2 doesn't exist.

[abadger]

@aurelienmaury We can't use this verbatim as ssl.PROTOCOL_TLSv1_2 wasn't available until python-2.7.9 (we need to support python-2.6.x in his code). If you have ideas on rectifying that, it would be great to hear. I'm spending a little time looking as well but I can't guarantee I'll come up with a solution.

[abadger]

@aurelienmaury Okay, I think I've tracked down a better way to fix this. See the code in PR #32053 if you'd care to test out my fix.