Disable use of deprecated Ciphers #34
Conversation
Old ciphers shouldn't be used. Devices that use newer ciphers couldn't be reached as the cipher was locked to sslv3.
Codecov Report
@@ Coverage Diff @@
## main #34 +/- ##
==========================================
+ Coverage 80.16% 80.23% +0.06%
==========================================
Files 11 11
Lines 1190 1189 -1
Branches 161 161
==========================================
Hits 954 954
+ Misses 174 173 -1
Partials 62 62
Continue to review full report at Codecov.
|
| @@ -451,7 +451,6 @@ def ros_api_connect(self, username, password, host, port, use_ssl): | |||
| conn_status["connection"]["port"] = port | |||
| ctx = ssl.create_default_context() | |||
| ctx.check_hostname = False | |||
| ctx.set_ciphers('ADH:@SECLEVEL=0') | |||
There was a problem hiding this comment.
@NikolayDachev was there a reason why you added this? Does it not work for you without this line? If yes, we should add a setting for it.
(We should also do that for the line above, check_hostname.)
There was a problem hiding this comment.
I did some testing, with this line I could neither connect to my device when "TLS version" was set to "any", nor when it was set to "only v1.2". So if there's no explanation why this line is needed on some devices, let's just remove it. We can make it configurable if someone reports that it is really needed in some cases.
|
@jadyndev can you please add a changelog fragment so we can merge this? For that, add a file bugfixes:
- "api - when using TLS/SSL, remove explicit cipher configuration to insecure values, which also makes it impossible to connect to newer RouterOS versions (https://github.com/ansible-collections/community.routeros/pull/34)."(Or something similar; see the guidelines.) |
There was a problem hiding this comment.
@jadyndev, thanks for submitting this PR!
@felixfontein, thanks for reviewing!
SUMMARY
Old ciphers shouldn't be used. Devices that use newer ciphers couldn't be reached as the cipher was locked to sslv3.
ISSUE TYPE