[BUG] v2.0.0. ALPHA: Module execution results in error when Deny SSL Renegotiation is enabled. When using WSL2.
Describe the bug
Module execution results in error when Deny SSL Renegotiation is enabled: "'Request failed: <urlopen error [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)>'}"
To Reproduce
- Install the Alpha Modules
- Create any Task with any module like netscaler.adc.nsip
```yaml
- name: Create SNIP
  tags: nsip
  delegate_to: localhost
  netscaler.adc.nsip:
    nsip: "{{ ansible_host }}"
    nitro_user: "{{ nitro_user }}"
    nitro_pass: "{{ nitro_pass }}"
    validate_certs: no
    state: "present"
    ipaddress: "{{ NSIP_ipaddress }}"
    netmask: "{{ NSIP_netmask }}"
    type: "{{ NSIP_type }}"
```
Expected behaviour
Connection and Task execution
Environment (please complete the following information):
- Python version (python --version output): Python 3.10.6
- Ansible version (ansible --version output):
  ansible [core 2.14.6]
    config file = /etc/ansible/ansible.cfg
    configured module search path = ['/home/dkr/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
    ansible python module location = /usr/lib/python3/dist-packages/ansible
    ansible collection location = /home/dkr/.ansible/collections:/usr/share/ansible/collections
    executable location = /usr/bin/ansible
    python version = 3.10.6 (main, Mar 10 2023, 10:55:28) [GCC 11.3.0] (/usr/bin/python3)
    jinja version = 3.0.3
    libyaml = True
Additional context
When setting the value of "Deny SSL Renegotiation" to "No" in the Netscaler SSL Profile and binding it to the internal service "nshttps-127.0.0.1-443", the error is gone!
Thank you @krausi24 for this issue. I will look into this and get back here soon
I need to mention that this issue applies only to Ansible running in WSL2!
I hit the exact same issue here, but not in a WSL2 environment as @krausi24 experienced. Running Ubuntu 22.04.3 w/ ansible [core 2.15.4] and NS13.1 37.38.nc. As a workaround, I followed the suggestion above of modifying the SSL profile on my NSIP.
Just FYI, this is not specific to the Ansible modules. The "ALL" option to "Deny SSL Renegotiation" is improperly implemented in Netscaler and leads to a total absence of the Renegotiation Indication Extension (RFC 5746) in the ServerHello.
A quick analysis of what happens during a handshake with a Netscaler where "Deny SSL Renegotiation" is "ALL":
- Client sends ClientHello with TLS_EMPTY_RENEGOTIATION_INFO_SCSV. From RFC 5746 § 3.4: Client Behavior: Initial Handshake:
    The client MUST include either an empty "renegotiation_info" extension, or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signaling cipher suite value in the ClientHello. Including both is NOT RECOMMENDED.
- Netscaler sends ServerHello without renegotiation_info extension. From RFC 5746 § 3.6: Server Behavior: Initial Handshake:
    o When a ClientHello is received, the server MUST check if it includes the TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. If it does, set the secure_renegotiation flag to TRUE. [...]
    o If the secure_renegotiation flag is set to TRUE, the server MUST include an empty "renegotiation_info" extension in the ServerHello message.
- Client terminates handshake because of insecure server. From RFC 5746 § 3.4: Client Behavior: Initial Handshake:
    If the extension is not present, the server does not support secure renegotiation; set secure_renegotiation flag to FALSE. In this case, some clients may want to terminate the handshake instead of continuing; [...]
OpenSSL 3.0 switched to rejecting legacy (pre-2010) TLS implementations; sadly Netscaler identifies as one when "Deny SSL Renegotiation" is "ALL" (the default). The Netscaler TLS stack needs fixing; there is nothing the netscaler.adc collection can do for you except maybe offer a way to bypass proper security checks.
Side note: DO NOT set "Deny SSL Renegotiation" to "NO". This leads to legacy renegotiation being globally enabled, secure or not (again, insecure TLS renegotiation is 14 years old at this time).
"NONSECURE" or "FRONTEND_CLIENT" are much better options, though they remain workarounds for a non-RFC 5746-compliant TLS stack.
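The three-step handshake analysis above can be checked mechanically. The following script is an added example, not code from this thread, from the netscaler.adc collection or from Citrix: it parses a TLS 1.2 ClientHello and ServerHello, applies the RFC 5746 § 3.4 and § 3.6 rules quoted above, and reports whether a strict client (the OpenSSL 3 behaviour that produced the UNSAFE_LEGACY_RENEGOTIATION_DISABLED error) would abort. The handshake records are constructed inline with placeholder random bytes and a single cipher suite; they are not captured from a Netscaler, and the builder functions exist only to produce test input.

```python
"""Check RFC 5746 secure-renegotiation signalling in a TLS 1.2 hello exchange.

Added example, not part of the issue thread or the netscaler.adc collection.
All byte strings below are constructed locally (placeholder random, one suite).
"""
import struct

TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # RFC 5746 § 3.3 signalling suite
EXT_RENEGOTIATION_INFO = 0xFF01             # RFC 5746 § 3.2 extension type
HS_CLIENT_HELLO, HS_SERVER_HELLO = 1, 2


def _parse_extensions(buf, pos):
    """Return {ext_type: data} from an extensions block at pos; {} if none follows."""
    if pos >= len(buf):
        return {}
    (total,) = struct.unpack_from("!H", buf, pos)
    pos += 2
    end = pos + total
    exts = {}
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", buf, pos)
        pos += 4
        exts[ext_type] = buf[pos:pos + ext_len]
        pos += ext_len
    return exts


def _handshake_body(record):
    """Strip the TLS record and handshake headers; return (handshake_type, body)."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    (rec_len,) = struct.unpack_from("!H", record, 3)
    hs = record[5:5 + rec_len]
    hs_len = int.from_bytes(hs[1:4], "big")
    return hs[0], hs[4:4 + hs_len]


def client_signals_secure_renegotiation(record):
    """RFC 5746 § 3.4: client sends the SCSV and/or an empty renegotiation_info."""
    hs_type, body = _handshake_body(record)
    if hs_type != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    pos = 2 + 32                                  # client_version + random
    sid_len = body[pos]
    pos += 1 + sid_len                            # session_id
    (cs_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    suites = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]
    pos += 1 + comp_len                           # compression_methods
    exts = _parse_extensions(body, pos)
    return (TLS_EMPTY_RENEGOTIATION_INFO_SCSV in suites
            or exts.get(EXT_RENEGOTIATION_INFO) == b"\x00")


def server_signals_secure_renegotiation(record):
    """RFC 5746 § 3.6: server answers with an empty renegotiation_info extension."""
    hs_type, body = _handshake_body(record)
    if hs_type != HS_SERVER_HELLO:
        raise ValueError("not a ServerHello")
    pos = 2 + 32                                  # server_version + random
    sid_len = body[pos]
    pos += 1 + sid_len                            # session_id
    pos += 2 + 1                                  # cipher_suite + compression_method
    exts = _parse_extensions(body, pos)
    return exts.get(EXT_RENEGOTIATION_INFO) == b"\x00"


def strict_client_accepts(client_hello, server_hello):
    """Decision of a strict (OpenSSL 3 style) client: the client asked for secure
    renegotiation but the server did not confirm it, so the handshake is aborted."""
    asked = client_signals_secure_renegotiation(client_hello)
    confirmed = server_signals_secure_renegotiation(server_hello)
    return confirmed or not asked


# ---- constructed sample records (hypothetical values, not a Netscaler capture) ----
def _record(hs_type, body):
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


def build_client_hello(with_scsv=True):
    """ClientHello offering one real suite plus, optionally, the SCSV."""
    suites = [0xC02F] + ([TLS_EMPTY_RENEGOTIATION_INFO_SCSV] if with_scsv else [])
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00")                        # one compression method: null
    return _record(HS_CLIENT_HELLO, body)


def build_server_hello(with_reneg_info=True):
    """ServerHello with or without the empty renegotiation_info extension."""
    ext = struct.pack("!HH", EXT_RENEGOTIATION_INFO, 1) + b"\x00" if with_reneg_info else b""
    body = (b"\x03\x03" + b"\x22" * 32 + b"\x00" + struct.pack("!H", 0xC02F) + b"\x00"
            + (struct.pack("!H", len(ext)) + ext if ext else b""))
    return _record(HS_SERVER_HELLO, body)


if __name__ == "__main__":
    ch = build_client_hello()
    for label, sh in (("compliant server", build_server_hello(True)),
                      ("Deny SSL Renegotiation = ALL", build_server_hello(False))):
        print(f"{label}: strict client accepts = {strict_client_accepts(ch, sh)}")
```

The second case models the thread's observation: the client offers TLS_EMPTY_RENEGOTIATION_INFO_SCSV, the ServerHello carries no renegotiation_info extension, and a strict client refuses to continue. Pointing the parsers at real records (for example, bytes pulled from a packet capture of the NITRO endpoint) lets an operator confirm whether a given SSL profile setting restores the extension before changing it in production.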