[BUG] v2.0.0. ALPHA: Module execution results in error when Deny SSL Renegotiation is enabled. When using WSL2. #269
Comments
Thank you @krausi24 for this issue. I will look into this and get back here soon.

I need to mention that this issue applies only to Ansible running in WSL2!

I hit the exact same issue here, but not in a WSL2 environment as @krausi24 experienced. Running Ubuntu 22.04.3 w/ ansible [core 2.15.4] and NS13.1 37.38.nc. As a workaround, I followed the suggestion above of modifying the SSL profile on my NSIP.

Just FYI, this is not specific to the Ansible modules. The "ALL" option to "Deny SSL Renegotiation" is improperly implemented in Netscaler and leads to a total absence of the Renegotiation Indication Extension (RFC 5746) in the ServerHello. A quick analysis of what happens during a handshake with a Netscaler where "Deny SSL Renegotiation" is "ALL":

OpenSSL 3.0 switched to rejecting legacy (pre-2010) TLS implementations; sadly Netscaler identifies as one when "Deny SSL Renegotiation" is "ALL" (the default). The Netscaler TLS stack needs fixing, there is nothing the

Side note: DO NOT set "Deny SSL Renegotiation" to "NO". "NONSECURE" or "FRONTEND_CLIENT" are much better options, though they remain workarounds for a non-RFC 5746-compliant TLS stack.
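As an added illustration of the point made in the comment above (this is not code from the thread or from the netscaler.adc collection): a small Python probe that sends a TLS 1.2 ClientHello signalling RFC 5746 support and then checks whether the ServerHello carries the renegotiation_info extension, which is what OpenSSL 3 requires before it will complete a handshake without the legacy-renegotiation override. `probe` takes whatever NSIP host and port you want to check; `sample_server_hello` is a constructed fixture so the parser can be exercised offline.

```python
import socket
import struct

RENEG_INFO = 0xFF01   # renegotiation_info extension type (RFC 5746)

def build_client_hello() -> bytes:
    """TLS 1.2 ClientHello signalling RFC 5746 support (SCSV + empty extension)."""
    ciphers = b"\xc0\x2f\xc0\x30\x00\x9c\x00\x2f" + b"\x00\xff"  # last: RFC 5746 SCSV
    exts = struct.pack("!HHB", RENEG_INFO, 1, 0)        # empty renegotiated_connection
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"        # version, random, no session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00"                               # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def server_hello_has_renegotiation_info(record: bytes) -> bool:
    """Parse a record holding a ServerHello; True if renegotiation_info is present."""
    if record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello record (alert or unexpected message)")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 2 + 32                                        # version + random
    pos += 1 + body[pos]                                # session_id
    pos += 2 + 1                                        # cipher_suite + compression
    if pos >= len(body):
        return False                                    # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        if ext_type == RENEG_INFO:
            return True
        pos += 4 + length
    return False

def sample_server_hello(extensions: bytes) -> bytes:
    """Constructed fixture: a TLS 1.2 ServerHello (AES128-SHA) carrying `extensions`."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    body += struct.pack("!H", len(extensions)) + extensions if extensions else b""
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

def probe(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Send the ClientHello to a live server and inspect its ServerHello."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        reader = sock.makefile("rb")
        header = reader.read(5)                         # record header: type, version, length
        return server_hello_has_renegotiation_info(
            header + reader.read(struct.unpack("!H", header[3:5])[0]))
```

A `False` result from `probe` means an OpenSSL 3 client such as the urllib used by these modules will fail with UNSAFE_LEGACY_RENEGOTIATION_DISABLED against that listener until the SSL profile is changed.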
Describe the bug
Module execution results in error when Deny SSL Renegotiation is enabled:

```
Request failed: <urlopen error [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)>
```
To Reproduce
```yaml
- tags: nsip
  delegate_to: localhost
  netscaler.adc.nsip:
    nsip: "{{ ansible_host }}"
    nitro_user: "{{ nitro_user }}"
    nitro_pass: "{{ nitro_pass }}"
    validate_certs: no
    state: "present"
    ipaddress: "{{ NSIP_ipaddress }}"
    netmask: "{{ NSIP_netmask }}"
    type: "{{ NSIP_type }}"
```
Expected behaviour
Connection and Task execution
Environment (please complete the following information):
`python --version` output:

```
Python 3.10.6
```

`ansible --version` output:

```
ansible [core 2.14.6]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/dkr/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  ansible collection location = /home/dkr/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.10.6 (main, Mar 10 2023, 10:55:28) [GCC 11.3.0] (/usr/bin/python3)
  jinja version = 3.0.3
  libyaml = True
```
Additional context
When setting the value of "Deny SSL Renegotiation" to "No" in Netscaler SSL Profile and binding it to the internal service "nshttps-127.0.0.1-443" the error is gone!