Comments (5)

bernielomax commented on September 23, 2024

I'm experiencing this too with Ansible's Kubernetes plugin. They do mention there is a validation bug. But I am hitting the same problem with validation turned off.

https://docs.ansible.com/ansible/kubernetes_module.html

from ansible-vault.

dch commented on September 23, 2024

root cause

via IRC:

the virtualenv we install ansible into is constructed with system python, which uses apple's bad openssl; pyopenssl is installed and configured against homebrew's openssl but doesn't automatically replace the stdlib ssl module. requests should be using it; things in the stdlib probably are not.

Sadly ansible & therefore vault.py is at the mercy of this arcane mess, and effectively pulls in the crippled OSX OpenSSL, OpenSSL 0.9.8zh 14 Jan 2016, instead of the desired brewed version OpenSSL 1.0.2h 3 May 2016 that we need to have TLS1.2 support.

solution

  • in /usr/local/Library/Taps/homebrew/homebrew-core/Formula/ansible.rb L20 change to depend on brewed python 100% of the time: depends_on :python and not just for snow leopard
  • rebuild the dependencies from source

        brew update
        brew upgrade openssl
        brew cleanup
        brew rm --force python ansible
        brew install --build-from-source python
        brew install --build-from-source ansible

In vault.py we need a single change, just after generating the context in https://github.com/jhaals/ansible-vault/blob/master/vault.py#L66 :

        # homebrew's ansible setup is quirky so let's lock to TLS1.2 only
        # https://docs.python.org/dev/library/ssl.html
        context.options = ssl.PROTOCOL_TLSv1_2

The issue is that for users with a different SSL, this might actually be ssl.PROTOCOL_TLS or ssl.PROTOCOL_SSLv23 instead for older ones. I don't know if using ssl.OPENSSL_VERSION as a string to check against is sensible, any better suggestions?

from ansible-vault.
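
An added example, not part of the thread or of vault.py: one way to approach the question above without comparing `ssl.OPENSSL_VERSION` as a string. It checks the numeric `ssl.OPENSSL_VERSION_INFO` tuple of the OpenSSL that the stdlib `ssl` module is actually linked against, then sets a TLS 1.2 floor; in the stdlib, `SSLContext.options` is a bitmask of `OP_*` flags, while `PROTOCOL_*` constants are arguments to the `SSLContext` constructor. The function names `supports_tls12` and `tls12_context` are hypothetical.

```python
import ssl


def supports_tls12(version_info=ssl.OPENSSL_VERSION_INFO):
    """Return True if the linked OpenSSL can negotiate TLS 1.2.

    TLS 1.2 support arrived in OpenSSL 1.0.1. Comparing the numeric tuple
    avoids string pitfalls such as "0.9.8zh" sorting oddly against "1.0.2h".
    """
    return tuple(version_info[:3]) >= (1, 0, 1)


def tls12_context():
    """Build a certificate-verifying client context that refuses anything below TLS 1.2."""
    if not supports_tls12():
        # Fail loudly instead of silently negotiating an older protocol.
        raise RuntimeError(
            "ssl module is linked against %r, which lacks TLS 1.2; "
            "rebuild Python against a newer OpenSSL" % ssl.OPENSSL_VERSION
        )
    context = ssl.create_default_context()  # CERT_REQUIRED + hostname checking
    if hasattr(context, "minimum_version"):
        # Python 3.7+ built against OpenSSL 1.1.0g or later
        context.minimum_version = ssl.TLSVersion.TLSv1_2
    else:
        # Older interpreters: switch off each older protocol individually.
        # getattr() covers builds where a given flag is not defined.
        for name in ("OP_NO_SSLv2", "OP_NO_SSLv3", "OP_NO_TLSv1", "OP_NO_TLSv1_1"):
            context.options |= getattr(ssl, name, 0)
    return context


if __name__ == "__main__":
    print("linked against:", ssl.OPENSSL_VERSION)
    # Constructed inputs modelled on the two versions named in the thread.
    print("0.9.8zh supports TLS 1.2:", supports_tls12((0, 9, 8)))
    print("1.0.2h  supports TLS 1.2:", supports_tls12((1, 0, 2)))
    print("context created:", tls12_context())
```
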

dch commented on September 23, 2024

@bernielomax I am pretty sure your certificate validation issue in kubernetes is unrelated BTW

from ansible-vault.

dch commented on September 23, 2024

https://github.com/Homebrew/brew-evolution/pull/12 hopefully should resolve this in future

from ansible-vault.

VFagundes commented on September 23, 2024

I've installed python via brew, then installed pip via sudo easy_install:

        sudo easy_install pip

from ansible-vault.
