openssl_csr cryptography backend, try II #50894
Conversation
…sible#50324)"" This reverts commit bbd2e31.
ansibot
added
WIP
| can_use_pyopenssl = PYOPENSSL_FOUND and PYOPENSSL_VERSION >= LooseVersion(MINIMAL_PYOPENSSL_VERSION) | ||
|
|
||
| # Decision | ||
| if module.params['cipher'] and module.params['passphrase'] and module.params['cipher'] != 'auto': |
There was a problem hiding this comment.
This line seems to be copy-pasted from openssl_privatekey - but this module here doesn't have these parameters.
There was a problem hiding this comment.
Yep, I know, I already prepared a commit, but wanted to wait until the first testing round finishes... which took like forever :)
There was a problem hiding this comment.
Those lemurs at shippable sure need to work harder! ;-)
ansibot
removed
the
needs_triage
|
cryptography doesn't seem to like arbitrary strings for |
|
Feels to me like an issue with something missing at the beginning of SubjectAlternativeNames (see around line 400 in your code how it should be prefixed with "DNS:"). Alternatively you can patch out automatically adding SANs to CSRs (I think there's an open bug about this). |
|
FAILED SUCCESS (CI image / OpenSSL version / cryptography version) |
|
The strange thing is that with older, newer and the same versions of both OpenSSL and cryptography, it works fine. |
|
The bug about automatic SANs is #36690 btw. |
|
If this new test (which tests arbitrary commonName) fails everywhere where the cryptography backend tests are run, then I'll fix #36690 by adding a option to disable this behavior next ;-) |
|
All tests pass now (except a sanity one which I'll fix), see here for shippable output. I'll now rebase and remove that commit which forced all tests to run (and include the |
felixfontein
force-pushed
the
openssl_csr-crypto-revert
branch
from
1391d2c
to
d9542e9
Compare
felixfontein
changed the title
felixfontein
force-pushed
the
openssl_csr-crypto-revert
branch
from
88490df
to
d9542e9
Compare
ansibot
added
community_review
| backend = 'pyopenssl' | ||
|
|
||
| # Success? | ||
| if backend == 'auto': |
There was a problem hiding this comment.
Couldn't this just be the else of lines 985-988?
There was a problem hiding this comment.
Yes, it could. I would still prefer this not to be an else, so that the failure code is somewhat separated from the detection code.
|
Does anyone mind if this gets merged? |
|
Not me... shipit |
ansibot
added
shipit
|
@felixfontein Thanks for the PR Merged into |
|
@MarkusTeufelberger thanks for reviewing! |
* Revert "Revert "openssl_csr: Allow to use cryptography as backend (ansible#50324)"" This reverts commit bbd2e31. * Remove more complicated selection copy'n'pasted from openssl_privatekey. * Add tests for backend selection. * Add openssl_csr test for arbitrary string commonName. * Allow to disable commonName -> SAN copying (fixes ansible#36690).
SUMMARY
The new cryptography backend for
openssl_csr(#50324) failed for some integration tests of other modules; see here.This PR is for debugging that issue and fixing it. I've added a test commit (ffb07c6d4a004ad42acb95671834d5823bf392e4) which touches all tests usingopenssl_csrso that CI should reproduce the failure.This PR also contains a fix (in form of a new feature) for #36690.
CC @mattclay
ISSUE TYPE
COMPONENT NAME
openssl_csr