author | Gonéri Le Bouder <goneri@lebouder.net> | 2019-05-02 10:32:01 -0400 |
---|---|---|
committer | Matt Clay <matt@mystile.com> | 2019-05-09 12:40:56 -0700 |
commit | 543bfbbe7f36a5756c44aa2ffc7c251a8f47c4cb (patch) | |
tree | b7817e50f6cb23998ef3185de69f514d0a05b2ab | |
parent | 5a6b9267445a3035c3381ca26f820f384bb3d626 (diff) | |
download | ansible-543bfbbe7f36a5756c44aa2ffc7c251a8f47c4cb.tar.gz |
vmware: check the SSL certification
If `validate_certs` is enabled, we now validate the server SSL
certificate.
(cherry picked from commit 23e63c9237299dfbb9300899d6c36cbea8155bc0)
-rw-r--r-- | changelogs/fragments/vmware_check_ssl_cert.yaml | 2 | ||||
-rw-r--r-- | lib/ansible/module_utils/vmware.py | 9 |
2 files changed, 7 insertions, 4 deletions
diff --git a/changelogs/fragments/vmware_check_ssl_cert.yaml b/changelogs/fragments/vmware_check_ssl_cert.yaml
new file mode 100644
index 0000000000..1ce902417a
--- /dev/null
+++ b/changelogs/fragments/vmware_check_ssl_cert.yaml
@@ -0,0 +1,2 @@
+bugfixes:
+- vmware - The VMware modules now enable the SSL certificate check unless ``validate_certs`` is ``false``.
diff --git a/lib/ansible/module_utils/vmware.py b/lib/ansible/module_utils/vmware.py
index 5722b77279..9d5b08239e 100644
--- a/lib/ansible/module_utils/vmware.py
+++ b/lib/ansible/module_utils/vmware.py
@@ -514,10 +514,11 @@ def connect_to_api(module, disconnect_atexit=True):
 module.fail_json(msg='pyVim does not support changing verification mode with python < 2.7.9. Either update '
 'python or use validate_certs=false.')

- ssl_context = None
- if not validate_certs and hasattr(ssl, 'SSLContext'):
- ssl_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
- ssl_context.verify_mode = ssl.CERT_NONE
+ ssl_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+ if validate_certs:
+ ssl_context.verify_mode = ssl.CERT_REQUIRED
+ ssl_context.check_hostname = True
+ ssl_context.load_default_certs()

 service_instance = None
 try: |
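Review bot: In the lib/ansible/module_utils/vmware.py hunk, `ssl.SSLContext(ssl.PROTOCOL_SSLv23)` is now called unconditionally, whereas the removed code guarded it with `hasattr(ssl, 'SSLContext')`. The `fail_json` call kept above appears to cover only the case where verification is requested, so with `validate_certs=false` on a Python that lacks `SSLContext` this line would raise AttributeError instead of connecting. Keeping the guard, i.e. `ssl_context = None` followed by `if hasattr(ssl, 'SSLContext'):` around the new lines, would preserve the old behaviour. The unverified path also relies on the context's default `verify_mode`; an explicit `ssl_context.verify_mode = ssl.CERT_NONE` in an `else:` branch would make the insecure case visible to a reader. connect_to_api starts and ends outside the hunk, so how `ssl_context` reaches the connection call is not visible here.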