urls.py skips checks in SSLValidationHandler when server in no_proxy list

I recently encountered ansible#54589 with Ansible 2.8.1 where the uri module fails when a client cert is required by the server. While looking into urls.py from the 2.8 release, I’ve noticed the following code in SSLValidationHandler.http_request:

```python
# Detect if 'no_proxy' environment variable is set and if our URL is included
use_proxy = self.detect_no_proxy(req.get_full_url())

if not use_proxy:
    # ignore proxy settings for this host request
    if tmp_ca_cert_path:
        try:
            os.remove(tmp_ca_cert_path)
        except OSError:
            pass
    if to_add_ca_cert_path:
        try:
            os.remove(to_add_ca_cert_path)
        except OSError:
            pass
    return req
```

This code was introduced by PR 9807.

The above code essentially skips the SSL validation performed by SSLValidationHandler for URLs where the host is part of the no_proxy list. Effectively, having the server in no_proxy masks the issue reported by ansible#54589.

Can someone possibly explain if it makes any sense for the above code to be part of SSLValidationHandler?

Thanks in advance.

Yes, there was errant logic in that method. It was subsequently addressed in https://github.com/ansible/ansible/pull/55953

Doesn’t effectively disable SSL verification if no_proxy is true

The changes in that PR are too large for a backport, so the fixes will only appear in the 2.9.0 release which is slated for release today.

Awesome! Thanks for the reply.
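
Added example (not part of the thread and not Ansible's code): a simplified Python model of the control flow discussed above, showing the early return on a no_proxy match beside a version where no_proxy only selects the route. The function names, the suffix-match rule for no_proxy, and the stand-in validator are assumptions made for illustration.

```python
import os
from urllib.parse import urlparse


class CertError(Exception):
    """Raised by the stand-in validator for an untrusted host."""


def detect_no_proxy(url, env=None):
    """Return False when the URL's host matches a no_proxy entry (assumed suffix match)."""
    env = os.environ if env is None else env
    host = urlparse(url).hostname or ""
    entries = [e.strip() for e in env.get("no_proxy", "").split(",") if e.strip()]
    return not any(host.endswith(e) for e in entries)


def make_validator(trusted_hosts, calls):
    """Constructed stand-in for the TLS handshake and CA check; records each call."""
    def validate(url):
        host = urlparse(url).hostname
        calls.append(host)
        if host not in trusted_hosts:
            raise CertError(host)
    return validate


def request_flawed(url, validate, env=None):
    """Pattern from the post: a no_proxy match returns before validation runs."""
    if not detect_no_proxy(url, env):
        return {"url": url, "use_proxy": False, "validated": False}
    validate(url)
    return {"url": url, "use_proxy": True, "validated": True}


def request_hardened(url, validate, env=None):
    """no_proxy only decides routing; the certificate check always runs."""
    use_proxy = detect_no_proxy(url, env)
    validate(url)  # raises CertError on an untrusted certificate
    return {"url": url, "use_proxy": use_proxy, "validated": True}


if __name__ == "__main__":
    env = {"no_proxy": "internal.example"}  # constructed sample environment
    calls = []
    validate = make_validator({"good.internal.example"}, calls)
    print(request_flawed("https://bad.internal.example/api", validate, env))
    try:
        request_hardened("https://bad.internal.example/api", validate, env)
    except CertError as exc:
        print("rejected untrusted host:", exc)
```

A regression test for this class of bug should assert that the validator was actually invoked for a host listed in no_proxy, not just that the request succeeded.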