ansible · sivel · May 20, 2024 · May 21, 2024 · May 21, 2024
diff --git a/test/integration/targets/get_url/tasks/ciphers.yml b/test/integration/targets/get_url/tasks/ciphers.yml
@@ -1,14 +1,14 @@
 - name: test good cipher
   get_url:
-    url: https://{{ httpbin_host }}/get
-    ciphers: ECDHE-RSA-AES128-SHA256
+    url: https://{{ no_tls13_host }}:445/
+    ciphers: '{{ tls_strong_cipher }}'
     dest: '{{ remote_tmp_dir }}/good_cipher_get.json'
   register: good_ciphers
 
 - name: test bad cipher
   get_url:
-    url: https://{{ httpbin_host }}/get
-    ciphers: ECDHE-ECDSA-AES128-SHA
+    url: https://{{ no_tls13_host }}:445/
+    ciphers: '{{ tls_weak_cipher }}'
     dest: '{{ remote_tmp_dir }}/bad_cipher_get.json'
   ignore_errors: true
   register: bad_ciphers

diff --git a/test/integration/targets/get_url/tasks/main.yml b/test/integration/targets/get_url/tasks/main.yml
@@ -672,7 +672,6 @@
 
 - name: Test ciphers
   import_tasks: ciphers.yml
-  when: false  # skipped until we have a way to disable TLS 1.3 on the client or server, since cipher suite selection won't break TLS 1.3
 
 - name: Test use_netrc=False
   import_tasks: use_netrc.yml
diff --git a/test/integration/targets/lookup_url/tasks/ciphers.yml b/test/integration/targets/lookup_url/tasks/ciphers.yml
@@ -1,22 +1,17 @@
-- vars:
-    url: https://{{ httpbin_host }}/get
-  block:
-    - name: test good cipher
-      debug:
-        msg: '{{ lookup("url", url) }}'
-      vars:
-        ansible_lookup_url_ciphers: ECDHE-RSA-AES128-SHA256
-      register: good_ciphers
+- name: test good cipher
+  debug:
+    msg: '{{ lookup("url", url, ciphers=[tls_strong_cipher]) }}'
+  vars:
+    url: https://{{ no_tls13_host }}:445/
 
-    - name: test bad cipher
-      debug:
-        msg: '{{ lookup("url", url) }}'
-      vars:
-        ansible_lookup_url_ciphers: ECDHE-ECDSA-AES128-SHA
-      ignore_errors: true
-      register: bad_ciphers
+- name: test bad cipher
+  debug:
+    msg: '{{ lookup("url", url, ciphers=[tls_weak_cipher]) }}'
+  vars:
+    url: https://{{ no_tls13_host }}:445/
+  register: result
+  ignore_errors: true
 
-    - assert:
-        that:
-          - good_ciphers is successful
-          - bad_ciphers is failed
+- assert:
+    that:
+      - result is failed
diff --git a/test/integration/targets/lookup_url/tasks/main.yml b/test/integration/targets/lookup_url/tasks/main.yml
@@ -29,7 +29,6 @@
 
 - name: Test ciphers
   import_tasks: ciphers.yml
-  when: false  # skipped until we have a way to disable TLS 1.3 on the client or server, since cipher suite selection won't break TLS 1.3
 
 - name: Test use_netrc=False
   import_tasks: use_netrc.yml

diff --git a/test/integration/targets/prepare_http_tests/vars/httptester.yml b/test/integration/targets/prepare_http_tests/vars/httptester.yml
@@ -4,3 +4,7 @@ httpbin_host: ansible.http.tests
 sni_host: sni1.ansible.http.tests
 badssl_host_substring: httpbin.org
 self_signed_host: self-signed.ansible.http.tests
+no_tls13_host: no-tls13.ansible.http.tests
+no_tls13_weak_host: no-tls13-weak.ansible.http.tests
+tls_strong_cipher: ECDHE-RSA-AES256-GCM-SHA384
+tls_weak_cipher: AES128-CCM8
diff --git a/test/integration/targets/uri/tasks/ciphers.yml b/test/integration/targets/uri/tasks/ciphers.yml
@@ -1,32 +1,45 @@
-- name: test good cipher
+- name: baseline test against strong ciphers
   uri:
-    url: https://{{ httpbin_host }}/get
-    ciphers: ECDHE-RSA-AES128-SHA256
-  register: good_ciphers
+    url: https://{{ no_tls13_host }}:445/
 
-- name: test good cipher redirect
+- name: baseline test against weak ciphers
   uri:
-    url: http://{{ httpbin_host }}/redirect-to?status_code=302&url=https://{{ httpbin_host }}/get
-    ciphers: ECDHE-RSA-AES128-SHA256
-  register: good_ciphers_redir
+    url: https://{{ no_tls13_weak_host }}:446/
+  register: result
+  failed_when: result is successful
 
-- name: test bad cipher
+- name: ensure lower cipher against higher cipher fails
   uri:
-    url: https://{{ httpbin_host }}/get
-    ciphers: ECDHE-ECDSA-AES128-SHA
-  ignore_errors: true
-  register: bad_ciphers
+    url: https://{{ no_tls13_host }}:445/
+    ciphers: '{{ tls_weak_cipher }}'
+  register: result
+  failed_when: result is successful
 
-- name: test bad cipher redirect
+- name: ensure higher cipher against lower cipher fails
+  uri:
+    url: https://{{ no_tls13_weak_host }}:446/
+    ciphers: '{{ tls_strong_cipher }}'
+  register: result
+  failed_when: result is successful
+
+- name: ensure high cipher match works
+  uri:
+    url: https://{{ no_tls13_host }}:445/
+    ciphers: '{{ tls_strong_cipher }}'
+
+- name: ensure low cipher match works
   uri:
-    url: http://{{ httpbin_host }}/redirect-to?status_code=302&url=https://{{ httpbin_host }}/get
-    ciphers: ECDHE-ECDSA-AES128-SHA
-  ignore_errors: true
-  register: bad_ciphers_redir
+    url: https://{{ no_tls13_weak_host }}:446/
+    ciphers: '{{ tls_weak_cipher }}'
 
-- assert:
-    that:
-      - good_ciphers is successful
-      - good_ciphers_redir is successful
-      - bad_ciphers is failed
-      - bad_ciphers_redir is failed
+- name: test good cipher redirect
+  uri:
+    url: http://{{ no_tls13_host }}/redir
+    ciphers: '{{ tls_strong_cipher }}'
+
+- name: test bad cipher redirect
+  uri:
+    url: http://{{ no_tls13_weak_host }}/redir
+    ciphers: '{{ tls_strong_cipher }}'
+  register: result
+  failed_when: result is successful
diff --git a/test/integration/targets/uri/tasks/main.yml b/test/integration/targets/uri/tasks/main.yml
@@ -720,7 +720,6 @@
 
 - name: Test ciphers
   import_tasks: ciphers.yml
-  when: false  # skipped until we have a way to disable TLS 1.3 on the client or server, since cipher suite selection won't break TLS 1.3
 
 - name: Test use_netrc.yml
   import_tasks: use_netrc.yml

diff --git a/test/lib/ansible_test/_internal/commands/integration/cloud/httptester.py b/test/lib/ansible_test/_internal/commands/integration/cloud/httptester.py
@@ -31,7 +31,7 @@ class HttptesterProvider(CloudProvider):
     def __init__(self, args: IntegrationConfig) -> None:
         super().__init__(args)
 
-        self.image = os.environ.get('ANSIBLE_HTTP_TEST_CONTAINER', 'quay.io/ansible/http-test-container:3.0.0')
+        self.image = os.environ.get('ANSIBLE_HTTP_TEST_CONTAINER', 'quay.io/ansible/http-test-container:3.0.1')
 
         self.uses_docker = True
 
@@ -44,6 +44,8 @@ def setup(self) -> None:
             88,
             443,
             444,
+            445,
+            446,
             749,
         ]
 
@@ -52,6 +54,8 @@ def setup(self) -> None:
             'sni1.ansible.http.tests',
             'fail.ansible.http.tests',
             'self-signed.ansible.http.tests',
+            'no-tls13.ansible.http.tests',
+            'no-tls13-weak.ansible.http.tests',
         ]
 
         descriptor = run_support_container(