cert validation fixes - Attempt 2 #55953

wants to merge 15 commits into
base: devel
commented Apr 30, 2019


[WIP] Start of cert validation fixes

  • Bugfix Pull Request



A few things this PR does:

  1. Doesn't effectively disable SSL verification if no_proxy is true.
  2. Doesn't build a ca cert bundle when HAS_SSLCONTEXT
  3. Doesn't use SSLValidationHandler when HAS_SSLCONTEXT
  4. Uses python default ssl validation when HAS_SSLCONTEXT
  5. Adds a new ca_path arg, to explicitly specify a CA cert (bundle)
  6. Actually allows pem files in /etc/ansible to validate SSL certs on versions of Python with HAS_SSLCONTEXT
  7. Ensures tmp files created as cacert paths are removed (using atexit)

Likely some other fixes too.

Should obsolete #52855


For anyone wishing to test this, one key change is that on python versions supporting SSLContext:

  1. A temp file of a ca bundle should not be created
  2. A ca cert dropped into /etc/ansible should allow an otherwise unverifiable SSL cert to be verified.
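As an added illustration of the behaviour listed above (this is not code from the PR or from Ansible): a context built on Python's own SSLContext with default verification, an explicit `ca_path`, extra PEM files picked up from a directory standing in for /etc/ansible, and a `no_proxy` flag that cannot switch verification off. The function names, the default directory and the preflight helper are assumptions.

```python
import glob
import os
import ssl


def make_ssl_context(validate_certs=True, ca_path=None,
                     extra_ca_dir="/etc/ansible", no_proxy=False):
    """Build the verifying SSLContext the PR description calls for.

    validate_certs -- the only switch allowed to turn verification off
    ca_path        -- optional explicit CA cert or bundle (the new arg)
    extra_ca_dir   -- directory whose *.pem files are trusted on top of the
                      system store (stands in for /etc/ansible; assumption)
    no_proxy       -- proxy-bypass flag; it must NOT affect verification
    Returns (context, list_of_loaded_pem_paths); no temp bundle is written.
    """
    # Default context: CERT_REQUIRED, check_hostname=True, system CA store.
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    loaded = []
    if not validate_certs:
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx, loaded
    # no_proxy is deliberately not consulted: proxy routing and certificate
    # verification are independent decisions.
    if ca_path:
        ctx.load_verify_locations(cafile=ca_path)   # ssl.SSLError if unusable
        loaded.append(ca_path)
    if extra_ca_dir and os.path.isdir(extra_ca_dir):
        for pem in sorted(glob.glob(os.path.join(extra_ca_dir, "*.pem"))):
            ctx.load_verify_locations(cafile=pem)
            loaded.append(pem)
    return ctx, loaded


def is_verifying(ctx):
    """True only when both chain and hostname verification are active."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def ca_path_is_loadable(path):
    """Preflight a CA file: False if missing or not parseable as PEM/DER."""
    if not os.path.isfile(path):
        return False
    try:
        ssl.create_default_context().load_verify_locations(cafile=path)
    except ssl.SSLError:
        return False
    return True
```

Point `extra_ca_dir` at a directory holding your own CA PEM files to see them appear in the returned list; a missing directory or an unreadable file is reported rather than silently downgrading verification.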

@sivel sivel added the ci_verified label Apr 30, 2019

@ansibot ansibot removed the ci_verified label Apr 30, 2019

@nitzmahone nitzmahone removed the needs_triage label May 2, 2019

@sivel sivel force-pushed the sivel:cert-validation-fixes-2 branch from 84e523a to 856bf6b May 8, 2019

@sivel sivel changed the title from "[WIP] cert validation fixes - Attempt 2" to "cert validation fixes - Attempt 2" May 9, 2019

@ansibot ansibot added core_review and removed WIP labels May 9, 2019
