Choosing Cipher In openssl_privatekey Module With Cryptography Back End


Bernie Hoefer

Jun 2, 2020, 3:30:23 PM
to Ansible Project
With the pyOpenSSL back end of the openssl_privatekey module deprecated in Ansible 2.9, a colleague started looking at the cryptography back end.  According to the documentation:

openssl_privatekey – Generate OpenSSL private keys
[https://docs.ansible.com/ansible/latest/modules/openssl_privatekey_module.html]

...the "cipher" parameter must be set to "auto" when using the cryptography back end.  There does not seem to be a way, using the cryptography back end, to specify the cipher used to encrypt the private key.

Does anybody know why?  I don't see that as a feature request:

[https://github.com/ansible/ansible/issues?q=is%3Aissue+is%3Aopen+openssl_privatekey]

...so should I file one?  Thanks!

Felix Fontein

Jun 2, 2020, 3:47:47 PM
to ansible...@googlegroups.com
Hi,
the reason is that cryptography (https://cryptography.io/en/latest/)
only supports two states: unencrypted, and encrypted with its own
choice of algorithm ("best available algorithm"):
https://cryptography.io/en/latest/hazmat/primitives/asymmetric/serialization/#serialization-encryption-types

Cheers,
Felix
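To make the two-state model concrete, here is an added example (not code from the thread, Ansible or cryptography): it serializes an RSA key with `NoEncryption()` and with `BestAvailableEncryption()` (what the module's `cipher: auto` maps to), then reads the cipher name back out of the legacy PEM `DEK-Info` header so you can audit what "best available" actually chose. The passphrase is a constructed sample value.

```python
# Added example: the only two private-key encryption states cryptography
# offers, and how to verify which cipher it picked for an encrypted PEM.
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa


def generate_key(bits=2048):
    """Generate an RSA key, like openssl_privatekey with type=RSA."""
    return rsa.generate_private_key(public_exponent=65537, key_size=bits)


def serialize_key(key, passphrase=None):
    """Passphrase -> encrypted with the library's own choice of cipher;
    no passphrase -> plain PEM. There is no third option that lets the
    caller name a cipher, which is why the module only accepts 'auto'."""
    enc = (serialization.BestAvailableEncryption(passphrase)
           if passphrase else serialization.NoEncryption())
    return key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.TraditionalOpenSSL,
        encryption_algorithm=enc,
    )


def pem_cipher(pem):
    """Return the cipher named in the PEM 'DEK-Info:' header, or None
    when the key is stored unencrypted (no such header present)."""
    for line in pem.decode().splitlines():
        if line.startswith("DEK-Info:"):
            return line.split(":", 1)[1].strip().split(",")[0]
    return None


def can_load(pem, passphrase=None):
    """True if the PEM loads with this passphrase; False on a wrong or
    missing passphrase (cryptography raises ValueError / TypeError)."""
    try:
        serialization.load_pem_private_key(pem, password=passphrase)
        return True
    except (ValueError, TypeError):
        return False


if __name__ == "__main__":
    key = generate_key()
    pw = b"constructed-sample-passphrase"  # constructed, not a real secret
    print("plain key cipher:", pem_cipher(serialize_key(key)))
    print("auto cipher chosen:", pem_cipher(serialize_key(key, pw)))
```

The same header check works on keys already on disk, which is a quick way to confirm a playbook did not leave a key unencrypted.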


B.H.

Jun 2, 2020, 5:35:38 PM
to ansible...@googlegroups.com
On 2020-06-02 14:47 UTC-05:00, 'Felix Fontein' via Ansible Project wrote:

> the reason is that cryptography (https://cryptography.io/en/latest/)
> only supports two states: unencrypted, and encrypted with its own
> choice of algorithm ("best available algorithm"):
> https://cryptography.io/en/latest/hazmat/primitives/asymmetric/serialization/#serialization-encryption-types

Thank you, Felix! I guess I'll have to submit a pull request[1].
Is there a particular reason Ansible is deprecating pyOpenSSL? It
seems it has more features and is still an active project[2]. (The last
change was not too long ago in November 2019.)


[1] https://github.com/pyca/cryptography/pulls

[2] https://www.pyopenssl.org/en/stable/changelog.html

Felix Fontein

Jun 2, 2020, 5:54:44 PM
to ansible...@googlegroups.com
Hi,

> > the reason is that cryptography (https://cryptography.io/en/latest/)
> > only supports two states: unencrypted, and encrypted with its own
> > choice of algorithm ("best available algorithm"):
> > https://cryptography.io/en/latest/hazmat/primitives/asymmetric/serialization/#serialization-encryption-types
> >
>
> Thank you, Felix! I guess I'll have to submit a pull
> request[1]. Is there a particular reason Ansible is deprecating
> pyOpenSSL? It seems it has more features and is still an active
> project[2]. (The last change was not too long ago in November 2019.)

well, there's the big fat note in
https://github.com/pyca/pyopenssl/blob/master/README.rst:

> **Note:** The Python Cryptographic Authority **strongly suggests** the
> use of pyca/cryptography where possible. If you are using pyOpenSSL for
> anything other than making a TLS connection **you should move to
> cryptography and drop your pyOpenSSL dependency**.

Besides that, working with pyOpenSSL is really not that much fun. I'd
rather get rid of the pyOpenSSL backends yesterday than somewhen in the
future...

Cheers,
Felix


B.H.

Jun 2, 2020, 6:07:10 PM
to ansible...@googlegroups.com
I missed that; thank you. That was super helpful.
