win_iis_webbinding incorrectly limits value of sslFlags to [0..3] #584

Open
kjebu opened this issue Sep 19, 2024 · 1 comment
Comments

kjebu commented Sep 19, 2024

SUMMARY

When configuring Bindings in IIS, there are multiple options in addition to SNI, e.g. "Disable HTTP/2". When this is configured, together with SNI, the value for sslFlags in applicationHost.config is 5.

Current behavior of win_iis_webbinding is to only accept values in the range 0..3.
In Microsoft documentation (https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/site/bindings/binding) only values 0..3 are mentioned (values 0..3 below are an excerpt from the MS doc). However, there are several other values in use by IIS.

For other values:

  • A value of "0" specifies that the secure connection be made using an IP/Port combination. Only one certificate can be bound to a combination of IP address and the port.
  • A value of "1" specifies that the secure connection be made using the port number and the host name obtained by using Server Name Indication (SNI).
  • A value of "2" specifies that the secure connection be made using the centralized SSL certificate store without requiring a Server Name Indicator.
  • A value of "3" specifies that the secure connection be made using the centralized SSL certificate store while requiring Server Name Indicator.
  • A value of "4" specifies that HTTP/2 should be disabled.
  • A value of "8" specifies that OCSP Stapling should be disabled.
  • A value of "16" specifies that QUIC should be disabled.
  • A value of "32" specifies that TLS 1.3 over TCP should be disabled.
  • A value of "64" specifies that Legacy TLS should be disabled.

In addition, these can be combined by adding them together to select multiple options, e.g. when disabling TLS 1.3 and HTTP/2 the value would be 36.

<bindings>
     <binding protocol="https" bindingInformation="*:443:<fqdn>" sslFlags="36" />
</bindings>
ISSUE TYPE
  • Bug Report
COMPONENT NAME

win_iis_webbinding

ANSIBLE VERSION
ansible [core 2.16.4]
  config file = None
  configured module search path = ['/home/<user>/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/ansible-prod/lib/python3.11/site-packages/ansible
  ansible collection location = /opt/ansible-prod/lib/python3.11/site-packages/ansible/collections
  executable location = /opt/ansible-prod/bin/ansible
  python version = 3.11.2 (main, Aug 26 2024, 07:20:54) [GCC 12.2.0] (/opt/ansible-prod/bin/python)
  jinja version = 3.1.3
  libyaml = True

COLLECTION VERSION
ansible-galaxy collection list community.windows

# /opt/ansible-prod/lib/python3.11/site-packages/ansible/collections/ansible_collections
Collection        Version
----------------- -------
community.windows 2.2.0  

# /opt/ansible-prod/lib/python3.11/site-packages/ansible_collections
Collection        Version
----------------- -------
community.windows 2.1.0 

CONFIGURATION
N/A

OS / ENVIRONMENT

N/A

STEPS TO REPRODUCE
- name: ECS IIS site bindings
  connection: winrm
  community.windows.win_iis_webbinding:
    name: Binding name
    protocol: https
    port: 443
    host_header: header
    ssl_flags: 5
    certificate_hash: certhash
    state: present
EXPECTED RESULTS

SNI required and HTTP/2 should be disabled

ACTUAL RESULTS
fatal: [host]: FAILED! => {
    "changed": false,
    "msg": "Get-AnsibleParam: Argument ssl_flags needs to be one of 0,1,2,3 but was 5."
}
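The report above describes sslFlags as a set of additive bits rather than an enumeration of 0..3. The following is an added example, not code from the issue author or from the community.windows collection (whose module validation is written in PowerShell): it models the same check in Python, treating the two low bits as the certificate-lookup mode and 4..64 as independent "disable" switches, so that 5 and 36 validate while values with undocumented bits (128 and above, or negatives) are still rejected. The option names (sni_required, disable_http2, and so on), the helper functions, and the sample binding fragment are all assumptions made for this example; the host name in the sample is a placeholder.

```python
"""Added example, not code from community.windows or the issue author.

Model IIS binding sslFlags as the additive flag set the issue describes:
the low two bits choose how the certificate is located (0..3 in the MS doc),
and the higher bits are independent "disable" switches. Validating by bit
mask instead of the list [0, 1, 2, 3] accepts 5, 36 and other combinations
while still rejecting values with unknown bits.
"""
import xml.etree.ElementTree as ET

# Certificate-lookup bits (values 0..3 in the Microsoft documentation).
SNI_REQUIRED = 1           # 1: port + SNI host name
CENTRAL_CERT_STORE = 2     # 2: centralized SSL certificate store (3 = 2 + 1)

# Independent option bits listed in the issue; combined by addition (bitwise OR).
DISABLE_HTTP2 = 4
DISABLE_OCSP_STAPLING = 8
DISABLE_QUIC = 16
DISABLE_TLS13_OVER_TCP = 32
DISABLE_LEGACY_TLS = 64

# Option names are this example's own labels, not module parameter names.
FLAG_NAMES = {
    SNI_REQUIRED: "sni_required",
    CENTRAL_CERT_STORE: "central_cert_store",
    DISABLE_HTTP2: "disable_http2",
    DISABLE_OCSP_STAPLING: "disable_ocsp_stapling",
    DISABLE_QUIC: "disable_quic",
    DISABLE_TLS13_OVER_TCP: "disable_tls13_over_tcp",
    DISABLE_LEGACY_TLS: "disable_legacy_tls",
}
KNOWN_MASK = sum(FLAG_NAMES)  # 127: every bit the issue documents


def is_valid_ssl_flags(value):
    """True if value is a non-negative int made only of known flag bits."""
    if isinstance(value, bool) or not isinstance(value, int):
        return False
    return value >= 0 and (value & ~KNOWN_MASK) == 0


def validate_ssl_flags(value):
    """Replacement for a fixed 0..3 choice list: accept any known combination."""
    if not is_valid_ssl_flags(value):
        raise ValueError(
            f"ssl_flags must be a sum of known flags (0..{KNOWN_MASK}), got {value!r}"
        )
    return value


def decode_ssl_flags(value):
    """Return the option names set in an sslFlags value, lowest bit first."""
    value = validate_ssl_flags(value)
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def encode_ssl_flags(names):
    """Inverse of decode: build the integer from option names (OR, so no double counting)."""
    by_name = {name: bit for bit, name in FLAG_NAMES.items()}
    value = 0
    for name in names:
        if name not in by_name:
            raise ValueError(f"unknown sslFlags option {name!r}")
        value |= by_name[name]
    return value


def bindings_from_config(xml_text):
    """Parse a <bindings> fragment; return (bindingInformation, decoded flags) per https binding."""
    root = ET.fromstring(xml_text)
    result = []
    for binding in root.iter("binding"):
        if binding.get("protocol") != "https":
            continue
        flags = int(binding.get("sslFlags", "0"))  # IIS default when the attribute is absent
        result.append((binding.get("bindingInformation"), decode_ssl_flags(flags)))
    return result


# Constructed sample modelled on the issue's applicationHost.config excerpt;
# the host name is a placeholder, not a real site.
SAMPLE_BINDINGS = """<bindings>
     <binding protocol="https" bindingInformation="*:443:www.example.test" sslFlags="36" />
     <binding protocol="http" bindingInformation="*:80:" />
</bindings>"""

if __name__ == "__main__":
    for value in (5, 36):
        print(value, "->", decode_ssl_flags(value))
    for info, flags in bindings_from_config(SAMPLE_BINDINGS):
        print(info, flags)
    print(encode_ssl_flags(["disable_http2", "disable_tls13_over_tcp"]))
```

Decoding the integer into named bits is also what makes a binding auditable: a reviewer reading applicationHost.config can see at a glance whether disable_legacy_tls is set on a binding or whether OCSP stapling has been switched off, which the bare number 36 or 5 does not convey.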

kjebu commented Sep 20, 2024

I'm working on a fix to this issue
