Score:1

How can I force ansible (or python for that matter) to use openssl at seclevel 0 in Ubuntu 22.04?


I have ansible installed in a host with Ubuntu 22.04, from which I try to connect to a host with Windows Server 2012 R2 using winrm. The problem is that I get a connection error.

After chasing the error for several hours I found the reason:

  • Using sslscan (with the --show-sigs option) I found that the Windows host only accepts the rsa_pkcs1-sha1 Server Signature Algorithm (as far as I have investigated, I understand that this algorithm is used during the key exchange and has nothing to do with the signing algorithms related to the certificate). I'm tempted to say that this is the normal behavior of Windows Server 2012 R2, but I'm not enough of a Windows expert to be certain about that.
  • Ubuntu 22.04 comes with openssl 3.0.2 configured by default at seclevel 2. As far as I understand, openssl with that version and at that seclevel does not make use of any algorithm that uses SHA1. This means that, during the TLS handshake with the Windows host, openssl never presents the rsa_pkcs1-sha1 algorithm as a supported algorithm in the signature_algorithms list of the Client Hello (I confirmed this with Wireshark).
  • Since the Windows Server 2012 R2 host only understands rsa_pkcs1-sha1, and it is not presented in the Client Hello, the only thing the host can do is terminate the connection, leaving the following message in the Event Viewer: "An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server." Note that the message is kind of misleading because there is no problem with the cipher suites at all. The problem lies in the signature algorithms for the key exchange.

With this information at hand I decided to downgrade the seclevel of openssl from 2 to 0. Seclevel 0 means that openssl will behave like previous versions of openssl (which in particular allowed SHA1). I was able to confirm, using the openssl s_client command and Wireshark, that this change allowed openssl to connect to the Windows host because, at seclevel 0, openssl does in fact include the rsa_pkcs1-sha1 algorithm in the list of signature_algorithms of the Client Hello.

The problem now is that, even with /etc/ssl/openssl.cnf being configured at seclevel 0, ansible is still not capable of connecting to the Windows host. My guess is that ansible makes use of some python wrapper of openssl that bypasses the /etc/ssl/openssl.cnf configuration file altogether. So the question is: how can I force ansible (or python for that matter) to use openssl at seclevel 0?

U880D: This is already a very good summary of the issue. Maybe you can add the Ansible and Python versions you used to make it more complete. Please take note that [Ubuntu 22.04 LTS openssh version deprecated RSA SHA-1 hash algorithm](https://github.com/alexellis/k3sup/issues/377) or [the RSA SHA-1 hash algorithm is being quickly deprecated across operating systems](https://askubuntu.com/a/1409528/774046).
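An added check (not code from the question, from Ansible or from pywinrm) that captures the ClientHello a Python ssl context actually emits and lists the signature_algorithms it advertises, so the rsa_pkcs1-sha1 observation in the question can be reproduced from Python without Wireshark; it also shows "@SECLEVEL=N" applied to one context through set_ciphers instead of globally in /etc/ssl/openssl.cnf. It assumes Python's ssl module is linked against OpenSSL 1.1.0 or later; "example.invalid" is a placeholder hostname.

```python
import ssl
import struct

# Known SignatureScheme codes (RFC 8446 section 4.2.3); others are shown as hex.
SIGALG_NAMES = {0x0201: "rsa_pkcs1_sha1", 0x0203: "ecdsa_sha1",
                0x0401: "rsa_pkcs1_sha256", 0x0804: "rsa_pss_rsae_sha256"}
SIGNATURE_ALGORITHMS_EXT = 13


def capture_client_hello(seclevel):
    """Return the raw TLS record a client context at this OpenSSL security
    level writes when it starts a handshake, i.e. its ClientHello."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # a ClientHello needs no trust store
    # "@SECLEVEL=N" scopes the level to this context instead of all of openssl.cnf.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=%d" % seclevel)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="example.invalid")
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the hello is written and the client waits for a reply
    return outgoing.read()


def client_hello_sigalgs(record):
    """Parse the signature_algorithms extension out of a TLS ClientHello."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a ClientHello record"
    body = record[5:]                        # drop the 5-byte record header
    pos = 4 + 2 + 32                         # handshake header, version, random
    pos += 1 + body[pos]                     # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                     # compression_methods
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + length]
        pos += 4 + length
        if ext_type == SIGNATURE_ALGORITHMS_EXT:
            count = struct.unpack("!H", data[:2])[0] // 2
            codes = struct.unpack("!%dH" % count, data[2:2 + 2 * count])
            return [SIGALG_NAMES.get(c, "0x%04x" % c) for c in codes]
    return []


def offers_rsa_pkcs1_sha1(seclevel):
    return "rsa_pkcs1_sha1" in client_hello_sigalgs(capture_client_hello(seclevel))
```

A context built with "@SECLEVEL=0" should be handed only to the one connection that needs the legacy signature algorithm; every other context keeps the distribution default.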