Add support for SNI and TLS-1.1 and TLS-1.2 to the fetch_url() helper

Fixes #1716 Fixes #1695
2026-05-06 13:22:48 +00:00 · 2015-07-14 11:48:41 -07:00
parent f6c64a8c00
commit 327b1676a8
3 changed files with 97 additions and 17 deletions
--- a/test/integration/roles/test_get_url/tasks/main.yml
+++ b/test/integration/roles/test_get_url/tasks/main.yml
@@ -60,3 +60,35 @@
    that:
      - "result.changed == true"
      - "stat_result.stat.exists == true"
+
+# SNI Tests
+# SNI is only built into the stdlib from python-2.7.9 onwards
+- name: Test that SNI works
+  get_url:
+    # A test site that returns a page with information on what SNI information
+    # the client sent.  A failure would have the string: did not send a TLS server name indication extension
+    url: 'https://foo.sni.velox.ch/'
+    dest: "{{ output_dir }}/sni.html"
+  register: get_url_result
+  ignore_errors: True
+
+- command: "grep 'sent the following TLS server name indication extension' {{ output_dir}}/sni.html"
+  register: data_result
+  when: "{{ ansible_python_version | version_compare('2.7.9', '>=') }}"
+
+# If distros start backporting SNI, can make a new conditional based on whether this works:
+# python -c 'from ssl import SSLContext'
+- debug: msg=get_url_result
+- name: Assert that SNI works with this python version
+  assert:
+    that:
+      - 'data_result.rc == 0'
+      - '"failed" not in get_url_result'
+  when: "{{ ansible_python_version | version_compare('2.7.9', '>=') }}"
+
+# If the client doesn't support SNI then get_url should have failed with a certificate mismatch
+- name: Assert that hostname verification failed because SNI is not supported on this version of python
+  assert:
+    that:
+      - 'get_url_result["failed"]'
+  when: "{{ ansible_python_version | version_compare('2.7.9', '<') }}"
--- a/test/integration/roles/test_uri/tasks/main.yml
+++ b/test/integration/roles/test_uri/tasks/main.yml
@@ -110,6 +110,11 @@
      - "'certificate does not match ' in result.msg"
      - "stat_result.stat.exists == false"

+- name: Clean up any cruft from the results directory
+  file:
+    name: "{{ output_dir }}/kreitz.html"
+    state: absent
+
 - name: test https fetch to a site with mismatched hostname and certificate and validate_certs=no
  get_url:
    url: "https://kennethreitz.org/"
@@ -124,5 +129,5 @@
 - name: Assert that the file was downloaded
  assert:
    that:
-      - "result.changed == true"
      - "stat_result.stat.exists == true"
+      - "result.changed == true"