Majic Projects ~ [CLOSED] MAR-230 - Drop OpenSSL configuration hacks in tests

Majic Projects

Majic Ansible Roles

Projects
Wiki
- Quick links
- Wiki
- Project wikis
- Conntrackt
- Django Pydenticon
- Gimmecert
- Majic Ansible Roles
- Pydenticon
- Scripts
- Global content

You are not logged in

Majic Ansible Roles / Closed Task MAR-230 Drop OpenSSL configuration hacks in tests

This issue has been closed with status "Closed" and resolution "RESOLVED".

- No additional actions available

Issue basics

Type of issue

Task Unknown issue type
Issue label

No label set
Category

Tests Not determined
Targetted for

9.0.0 Not determined
Status

Closed

Status not determined
Progress
Priority

Not determined

Affected by this issue (0)

There are no items

People involved

Posted by
branko (@branko)

Branko Majic
@branko

Last seen online at Sep 10, 2025 - 09:24

Show user details
Owned by

Not owned by anyone
Assigned to
branko (@branko)

Branko Majic
@branko

Last seen online at Sep 10, 2025 - 09:24

Show user details
Not assigned to anyone
Subscribers

0 subscriber(s)

Click here to show the list of subscribers

Times and dates

Posted at

Mar 06, 2024
Last updated

Jan 21, 2025
Estimated time

2 hours Not estimated
Time spent

8 hours No time spent

Click here to see time logged against this issue

Issue details

Resolution

RESOLVED Not determined
Reproducability

Not determined
Severity

Not determined

Attachments (0)

There is nothing attached to this issue

Child issues (0)

This issue does not have any child issues

Duplicate issues (0)

This issue does not have any duplicates

Show / hide more details »

Description

In order to test some of the TLS functionality in various roles, an OpenSSL configuration hack is deployed in order to allow for use of outdated TLS versions (like 1.1). It would be beneficial to get rid of those since every now and then they seem to break during distribution upgrades.

The easiest way to go about this would be to change the TLS protocol version defaults and use only TLSv1.2 and TLSv1.3 versions for testing purposes. For this to be effectively possible, support for Debian 11 Bullseye will have to be dropped first (since the version of OpenSSL shipped with it does not support TLSv1.3).

The following should be done:

Update tests for all roles.
- Drop use of anything lower than TLSv1.1.
- For configurable TLS protocol versions, rely on TLSv1.2 and TLSv1.3 only.
- Drop hacks made to the system-wide OpenSSL configuration files.
Make sure all tests are still passing after these changes.
Make sure to document that the Majic Ansible Roles are primarily meant to be used with TLSv1.2 and TLSv1.3 and that anything lower than that may require manual changes on the administrator's side to global OpenSSL configuration file which are outside of scope of project documentation.
Update role reference documentation.
Update usage instructions.
Update release notes.

Todos (0 / 0)

Options

There are no comments

Welcome to The Bug Genie

Log in with your username and password