
[BUG] v2.0.0. ALPHA: Module execution results in error when Deny SSL Renegotiation is enabled. When using WSL2. #269

Open
krausi24 opened this issue Aug 25, 2023 · 5 comments
@krausi24

Describe the bug
Module execution results in error when Deny SSL Renegotiation is enabled.
"'Request failed: <urlopen error [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)>'}"

To Reproduce

  1. Install the Alpha Modules
  2. Create any Task with any module like netscaler.adc.nsip

```yaml
- name: Create SNIP
  tags: nsip
  delegate_to: localhost
  netscaler.adc.nsip:
    nsip: "{{ ansible_host }}"
    nitro_user: "{{ nitro_user }}"
    nitro_pass: "{{ nitro_pass }}"
    validate_certs: no
    state: "present"
    ipaddress: "{{ NSIP_ipaddress }}"
    netmask: "{{ NSIP_netmask }}"
    type: "{{ NSIP_type }}"
```

Expected behaviour
Connection and Task execution


Environment (please complete the following information):

  • Python version (`python --version` output): Python 3.10.6
  • Ansible version (`ansible --version` output):

```
ansible [core 2.14.6]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/dkr/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  ansible collection location = /home/dkr/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.10.6 (main, Mar 10 2023, 10:55:28) [GCC 11.3.0] (/usr/bin/python3)
  jinja version = 3.0.3
  libyaml = True
```

Additional context
When setting the value of "Deny SSL Renegotiation" to "No" in Netscaler SSL Profile and binding it to the internal service "nshttps-127.0.0.1-443" the error is gone!

@krausi24 krausi24 changed the title [BUG] [BUG] Module execution results in error when Deny SSL Renegotiation is enabled. Aug 25, 2023
@krausi24 krausi24 changed the title [BUG] Module execution results in error when Deny SSL Renegotiation is enabled. [BUG] v2.0.0. ALPHA: Module execution results in error when Deny SSL Renegotiation is enabled. Aug 27, 2023
@sumanth-lingappa (Collaborator)

Thank you @krausi24 for this issue. I will look into this and get back here soon

@krausi24 (Author)

I need to mention that this issue applies only to Ansible running in WSL2!

@QTjstahl

I hit the exact same issue here, but not in a WSL2 environment as @krausi24 experienced. Running Ubuntu 22.04.3 w/ ansible [core 2.15.4] and NS13.1 37.38.nc. As a workaround, I followed the suggestion above of modifying the SSL profile on my NSIP.

@krausi24 krausi24 changed the title [BUG] v2.0.0. ALPHA: Module execution results in error when Deny SSL Renegotiation is enabled. [BUG] v2.0.0. ALPHA: Module execution results in error when Deny SSL Renegotiation is enabled. When using WSL2. Sep 27, 2023
@fa-elepape

Just FYI, this is not specific to the Ansible modules. The "ALL" option to "Deny SSL Renegotiation" is improperly implemented in Netscaler and leads to a total absence of the Renegotiation Indication Extension (RFC 5746) in the ServerHello.

A quick analysis of what happens during a handshake with a Netscaler where "Deny SSL Renegotiation" is "ALL":

  1. Client sends ClientHello with TLS_EMPTY_RENEGOTIATION_INFO_SCSV
     From RFC 5746 § 3.4: Client Behavior: Initial Handshake:

The client MUST include either an empty "renegotiation_info"
extension, or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signaling
cipher suite value in the ClientHello. Including both is NOT
RECOMMENDED.

  2. Netscaler sends ServerHello without renegotiation_info extension
     From RFC 5746 § 3.6: Server Behavior: Initial Handshake:

o When a ClientHello is received, the server MUST check if it
includes the TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. If it does,
set the secure_renegotiation flag to TRUE.
[...]
o If the secure_renegotiation flag is set to TRUE, the server MUST
include an empty "renegotiation_info" extension in the ServerHello
message.

  3. Client terminates handshake because of insecure server
     From RFC 5746 § 3.4: Client Behavior: Initial Handshake:

If the extension is not present, the server does not support
secure renegotiation; set secure_renegotiation flag to FALSE.
In this case, some clients may want to terminate the handshake
instead of continuing; [...]

OpenSSL 3.0 switched to rejecting legacy (pre-2010) TLS implementations; sadly Netscaler identifies as one when "Deny SSL Renegotiation" is "ALL" (the default). The Netscaler TLS stack needs fixing, there is nothing the netscaler.adc collection can do for you except maybe offer a way to bypass proper security checks.
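
The handshake analysis above can be checked on a captured ServerHello rather than inferred from the OpenSSL error. The following is an added example, not code from the thread or the netscaler.adc collection: a minimal parser that walks the ServerHello extensions and reports whether the RFC 5746 renegotiation_info extension (type 0xff01) is present. The `build_server_hello` helper constructs sample records for both the compliant and the non-compliant case; its cipher suite and zeroed random are constructed values.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # extension type assigned in RFC 5746 section 3.2


def server_hello_extensions(record: bytes) -> dict:
    """Return {ext_type: ext_data} from a TLS record carrying a ServerHello."""
    # Record header: type(1) version(2) length(2); handshake header: type(1) length(3).
    if record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a handshake record carrying a ServerHello")
    p = 5 + 4            # skip record and handshake headers
    p += 2 + 32          # server_version, random
    sid_len = record[p]
    p += 1 + sid_len     # session_id
    p += 2 + 1           # cipher_suite, compression_method
    exts = {}
    if p >= len(record):
        return exts      # pre-extension server: no extensions block at all
    ext_total = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    end = p + ext_total
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[p:p + 4])
        p += 4
        exts[ext_type] = record[p:p + ext_len]
        p += ext_len
    return exts


def supports_secure_renegotiation(record: bytes) -> bool:
    """True iff the ServerHello carries renegotiation_info, as RFC 5746 section 3.6 requires
    whenever the ClientHello signalled the SCSV or the extension."""
    return RENEGOTIATION_INFO in server_hello_extensions(record)


def build_server_hello(include_reneg_info: bool) -> bytes:
    """Constructed sample ServerHello (TLS 1.2, empty session id, one cipher suite)."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    exts = b""
    if include_reneg_info:
        # Initial handshake: renegotiated_connection is empty, so the extension body is one
        # length byte of zero (RFC 5746 section 3.6).
        exts += struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00"
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake
```

Feed `server_hello_extensions` the first server-to-client record of a real capture and a missing 0xff01 key is the condition that makes an OpenSSL 3 client abort with UNSAFE_LEGACY_RENEGOTIATION_DISABLED.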

@fa-elepape

Side note: DO NOT set "Deny SSL Renegotiation" to "NO".
This leads to legacy renegotiation being globally enabled, secure or not (again, insecure TLS renegotiation is 14 years old at this time).

"NONSECURE" or "FRONTEND_CLIENT" are much better options, though they remain workarounds for a non-RFC 5746-compliant TLS stack.
