From 398218b6ea768464e10825b22b67b864eb31399c Mon Sep 17 00:00:00 2001 From: Matt Martz Date: Wed, 6 Apr 2016 11:04:04 -0500 Subject: More intelligent building of the SSLValidationError message based on capabilities --- lib/ansible/module_utils/urls.py | 53 ++++++++++++++++++++++------------------ 1 file changed, 29 insertions(+), 24 deletions(-) diff --git a/lib/ansible/module_utils/urls.py b/lib/ansible/module_utils/urls.py index 75a32a896e..7fe36d3f47 100644 --- a/lib/ansible/module_utils/urls.py +++ b/lib/ansible/module_utils/urls.py @@ -487,6 +487,33 @@ def RedirectHandlerFactory(follow_redirects=None, validate_certs=True): return RedirectHandler +def build_ssl_validation_error(hostname, port, paths): + '''Inteligently build out the SSLValidationError based on what support + you have installed + ''' + + msg = [ + ('Failed to validate the SSL certificate for %s:%s.' + ' Make sure your managed systems have a valid CA' + ' certificate installed.') + ] + if not HAS_SSLCONTEXT: + msg.append('If the website serving the url uses SNI you need' + ' python >= 2.7.9 on your managed machine') + if not HAS_URLLIB3_SNI_SUPPORT: + msg.append('or you can install the `urllib3`, `pyopenssl`,' + ' `ndg-httpsclient`, and `pyasn1` python modules') + + msg.append('to perform SNI verification in python >= 2.6.') + + msg.append('You can use validate_certs=False if you do' + ' not need to confirm the servers identity but this is' + ' unsafe and not recommended.' + ' Paths checked for this platform: %s') + + raise SSLValidationError(' '.join(msg) % (hostname, port, ", ".join(paths))) + + class SSLValidationHandler(urllib2.BaseHandler): ''' A custom handler class for SSL validation. @@ -642,31 +669,9 @@ class SSLValidationHandler(urllib2.BaseHandler): if 'connection refused' in str(e).lower(): raise ConnectionError('Failed to connect to %s:%s.' % (self.hostname, self.port)) else: - raise SSLValidationError('Failed to validate the SSL certificate for %s:%s.' - ' Make sure your managed systems have a valid CA' - ' certificate installed. If the website serving the url' - ' uses SNI you need python >= 2.7.9 on your managed' - ' machine or you can install `urllib3`, `pyopenssl`,' - ' `ndg-httpsclient`, and `pyasn1` to perform SNI' - ' verification in python >= 2.6. You can use' - ' validate_certs=False if you do' - ' not need to confirm the server\s identity but this is' - ' unsafe and not recommended' - ' Paths checked for this platform: %s' % (self.hostname, self.port, ", ".join(paths_checked)) - ) + build_ssl_validation_error(self.hostname, self.port, paths_checked) except CertificateError: - raise SSLValidationError('Failed to validate the SSL certificate for %s:%s.' - ' Make sure your managed systems have a valid CA' - ' certificate installed. If the website serving the url' - ' uses SNI you need python >= 2.7.9 on your managed' - ' machine or you can install `urllib3`, `pyopenssl`,' - ' `ndg-httpsclient`, and `pyasn1` to perform SNI' - ' verification in python >= 2.6. You can use' - ' validate_certs=False if you do' - ' not need to confirm the server\s identity but this is' - ' unsafe and not recommended' - ' Paths checked for this platform: %s' % (self.hostname, self.port, ", ".join(paths_checked)) - ) + build_ssl_validation_error(self.hostname, self.port, paths_checked) try: # cleanup the temp file created, don't worry -- cgit v1.2.1