Prefer the stdlib SSLContext over urllib3 context

[abadger]

We do not go through the effort of finding the right PROTOCOL setting if
we have SSLContext in the stdlib. So we do not want to hit the code
that uses PROTOCOL to set the urllib3-provided ssl context when
SSLContext is available. Also, the urllib3 implementation appears to
have a bug in some recent versions. Preferring the stdlib version will
work around that for those with Python-2.7.9+ as well.

Fixes #26235
Fixes #25402
Fixes #31998

@sivel, if you have time, please review this.

ISSUE TYPE

• Bugfix Pull Request

COMPONENT NAME

lib/ansible/module_utils/urls.py

ANSIBLE VERSION

devel, 2.4, 2.3 (but I don't know if we'lll backport to 2.3.x)

[sivel]

I like this. It should have been done this way to start with.

[sivel]

Looks good. The only thing I wonder is whether we could do a try/except around importing tlsv1_2 to use it if available, failing back to v1

[alikins]

There is similar code around the CustomHTTPSConnection (https://github.com/ansible/ansible/blob/devel/lib/ansible/module_utils/urls.py#L365). Should it be updated as well?

[sivel]

There is similar code around the CustomHTTPSConnection (https://github.com/ansible/ansible/blob/devel/lib/ansible/module_utils/urls.py#L365). Should it be updated as well?

That seems to be in the correct order.

[abadger]

@sivel I think we could use a try: except in the imports but it would still need the ctypes code in addition. The vanilla stdlib introduces SSLContext in the same version as it introduces PROTOCOL_TLSv1_2 (2.7.9). I know that RHEL7 backported those changes to python-2.7.5 but it backported both changes. So right now the check for if not HAS_SSLCONTEXT is also a hidden (version-based) check for PROTOCOL_TLSv1_2. If we added a try: except to import PROTOCOL_TLSv1_2, it would end up being in addition to the SSLCONTEXT check.

We still end up using ctypes as the next step as that check finds out if the underlying openssl will support TLS-1.1 and TLS-1.2. If it does, then we set the PROTOCOL to ssl.PROTOCOL_SSLv23 which allows the library to negotiate the best version that both the client and server support. If it doesn't, then we leave the protocol setting at ssl.PROTOCOL_TLSv1 which at least prevents ssl2/3 from being used. So a try: except will help us out if there's platforms which have PROTOCOL_TLSv1_2 exposed in the python layer but do not implement SSLContext.

[abadger]

@alikins combining the code is not needed because the order is correct in the second instance but it does look tantaliyzingly like duplicate that could be combined. The _make_context() helper is not using self so we could move that out to a toplevel helper function. One is using context.load_verify_locations(to_add_ca_cert_path) while the other is using context.load_cert_chain(self.cert_file, self.key_file) though. I don't know what changing that code would do so I'm loathe to change that in a bugfix. Perhaps that's something someone can research and refactor in devel if they have time.

[sivel]

I think that makes sense. We should move forward with this as is.

As for TLS versions, I suppose I speak mostly from experience on Mac. Although SSLContext is available on Mac, PROTOCOL_TLSv1_2 is not, at least not on macOS 10.12 running Python 2.7.10.

[abadger]

Interesting. I wonder if that means the underlying openssl on MacOS 10.12 also doesn't support PROTOCOL_TLSv1_2.

[abadger]

Merged to devel and cherry-picked to temp-staging-post-2.4.1 This fix will be present in the 2.4.2beta1 release but not in the 2.4.1 release that's due out later this week.

[abadger]

Cherry-picked to stable-2.3 for a 2.3.4 release.