From 245ab76b09f84e950ca16ab643cbfb13bdaa373f Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Mon, 15 May 2023 21:41:23 +0200
Subject: [PATCH] Warn that SSLSocket cannot send close_notify TLS alerts (#621)
* Warn that SSLSocket cannot send close_notify TLS alerts.
* Improve formulation.
Co-authored-by: Don Naro
---------
Co-authored-by: Don Naro
---
 changelogs/fragments/tls-tcp-warn.yml | 7 +++++++
 plugins/connection/docker_api.py | 3 +++
 plugins/inventory/docker_containers.py | 3 +++
 plugins/module_utils/socket_helper.py | 4 ++++
 plugins/modules/docker_container_exec.py | 2 ++
 5 files changed, 19 insertions(+)
 create mode 100644 changelogs/fragments/tls-tcp-warn.yml
diff --git a/changelogs/fragments/tls-tcp-warn.yml b/changelogs/fragments/tls-tcp-warn.yml
new file mode 100644
index 00000000..5c06c19c
--- /dev/null
+++ b/changelogs/fragments/tls-tcp-warn.yml
@@ -0,0 +1,7 @@
+known_issues:
+ - "docker_container_exec - does **not work with TCP TLS sockets** when the ``stdin`` option is used! This is caused by the inability
+ to send an ``close_notify`` TLS alert without closing the connection with Python's ``SSLSocket``
+ (https://github.com/ansible-collections/community.docker/issues/605, https://github.com/ansible-collections/community.docker/pull/621)."
+ - "docker_api connection plugin - does **not work with TCP TLS sockets**! This is caused by the inability to send an ``close_notify``
+ TLS alert without closing the connection with Python's ``SSLSocket``
+ (https://github.com/ansible-collections/community.docker/issues/605, https://github.com/ansible-collections/community.docker/pull/621)."
diff --git a/plugins/connection/docker_api.py b/plugins/connection/docker_api.py
index bbc13989..24c95f55 100644
--- a/plugins/connection/docker_api.py
+++ b/plugins/connection/docker_api.py
@@ -17,6 +17,9 @@ description:
 directly with the Docker daemon instead of using the Docker CLI. Use the R(community.docker.docker,ansible_collections.community.docker.docker_connection) connection plugin if you want to use the Docker CLI.
+notes:
+ - Does B(not work with TCP TLS sockets)! This is caused by the inability to send C(close_notify) without closing the connection
+ with Python's C(SSLSocket)s. See U(https://github.com/ansible-collections/community.docker/issues/605) for more information.
 extends_documentation_fragment:
 - community.docker.docker.api_documentation
 - community.docker.docker.var_names
diff --git a/plugins/inventory/docker_containers.py b/plugins/inventory/docker_containers.py
index c94b0e12..a82cda95 100644
--- a/plugins/inventory/docker_containers.py
+++ b/plugins/inventory/docker_containers.py
@@ -44,6 +44,9 @@ options:
 R(docker_api connection plugin,ansible_collections.community.docker.docker_api_connection).
 - When C(docker-api) is used, all Docker daemon configuration values are passed from the inventory plugin to the connection plugin. This can be controlled with I(configure_docker_daemon).
+ - Note that the R(docker_api connection plugin,ansible_collections.community.docker.docker_api_connection)
+ does B(not work with TCP TLS sockets)! See U(https://github.com/ansible-collections/community.docker/issues/605)
+ for more information.
 type: str
 default: docker-api
 choices:
diff --git a/plugins/module_utils/socket_helper.py b/plugins/module_utils/socket_helper.py
index a0885f72..2148fe97 100644
--- a/plugins/module_utils/socket_helper.py
+++ b/plugins/module_utils/socket_helper.py
@@ -36,6 +36,10 @@ def _empty_writer(msg):
 def shutdown_writing(sock, log=_empty_writer):
+ # FIXME: This does **not work with SSLSocket**! Apparently SSLSocket does not allow to send
+ # a close_notify TLS alert without completely shutting down the connection.
+ # Calling sock.shutdown(pysocket.SHUT_WR) simply turns of TLS encryption and from that
+ # point on the raw encrypted data is returned when sock.recv() is called. :-(
 if hasattr(sock, 'shutdown_write'):
 sock.shutdown_write()
 elif hasattr(sock, 'shutdown'):
diff --git a/plugins/modules/docker_container_exec.py b/plugins/modules/docker_container_exec.py
index 95fde4f7..7270d53f 100644
--- a/plugins/modules/docker_container_exec.py
+++ b/plugins/modules/docker_container_exec.py
@@ -95,6 +95,8 @@ options:
 notes:
 - Does not support C(check_mode).
+ - Does B(not work with TCP TLS sockets) when using I(stdin). This is caused by the inability to send C(close_notify) without closing the connection
+ with Python's C(SSLSocket)s. See U(https://github.com/ansible-collections/community.docker/issues/605) for more information.
 author:
 - "Felix Fontein (@felixfontein)"
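Review bot: The new FIXME in `shutdown_writing` documents the hazard but the code under it still falls through to `sock.shutdown(SHUT_WR)` for an `ssl.SSLSocket` (it is a `socket.socket` subclass, so the `hasattr(sock, 'shutdown')` branch is taken), after which, by the comment's own account, `recv()` hands the caller undecrypted ciphertext as though it were application data. That is a silent failure mode rather than a clean error, so it is worth failing closed with a guard ahead of the `hasattr` chain, e.g. `if isinstance(sock, ssl.SSLSocket): raise NotImplementedError('shutdown_writing() cannot send a TLS close_notify on ssl.SSLSocket without tearing down the connection; see community.docker issue #605')` — assuming `ssl` can be imported here and no caller relies on the current fallthrough, neither of which is visible from this hunk. The underlying reason is presumably that `SSLSocket.unwrap()` performs a full bidirectional TLS shutdown while `SSLSocket.shutdown()` just discards the SSL object; saying that in the comment would be more precise than "does not allow to send". Minor: "turns of TLS encryption" should read "turns off TLS encryption". The body of `shutdown_writing` continues past the end of the hunk.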