Hi Walter,

> Your system may not allow older TLS connections.

Exactly, and this is why I currently have to use a custom weakened openssl.cnf with the curl-based Ansible playbook. However, the environment variable OPENSSL_CONF, referring to the custom OpenSSL config, is ignored when I use "ansible.builtin.uri". Actually, "ansible.builtin.uri" even ignores my OpenSSL config located in the default path /etc/ssl/openssl.cnf on my Debian 12.6 system:

-----BEGIN SHELL-----
$ cat /etc/ssl/openssl.cnf
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=0
Options = UnsafeLegacyRenegotiation

$ ansible-playbook -vvv test.yml
...
"msg": "Status code was -1 and not [200]: Request failed: <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1000)>",
...
-----END SHELL-----

Thank you.

Regards,
Garri

On Thursday, August 15, 2024 at 1:15:22 PM UTC+2 Rowe, Walter P. (Fed) wrote:
> Check your system settings. Your system may not allow older TLS
> connections. TLS 1.0 is compromised and therefore no longer allowed by many
> systems.
>
> What platform is your control host?
>
> Walter
> --
> Walter Rowe, Division Chief
> Infrastructure Services Division
> Mobile: 202.355.4123
>
> On Aug 15, 2024, at 5:00 AM, Garri Djavadyan <[email protected]> wrote:
>
> Hi Steve,
>
> > Did you try with SECLEVEL=0 ?
>
> Yes, I did. However, the result is the same: Ansible controller is not
> happy with the bare TLS 1.0 reply from the legacy box:
>
> "msg": "Status code was -1 and not [200]: Request failed: <urlopen error
> [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1000)>"
>
> - name: Query legacy boxes
>   hosts: legacyboxes
>   gather_facts: false
>   connection: local
>   tasks:
>     - name: GET the home page
>       ansible.builtin.uri:
>         url: https://{{ ansible_host }}
>         ciphers:
>           - 'DEFAULT@SECLEVEL=0'
>
> Again, ciphers-wise, the setup is fine, but I do not think it is possible
> to enforce the minimum TLS protocol version with the cipher string.
>
> Thank you.
>
> Regards,
> Garri
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/85e58522-271e-45aa-832a-8a2a7c6b5a38n%40googlegroups.com

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/fe2f9e80-a54e-4ffc-87f1-bdfe8788c858n%40googlegroups.com.
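Added example for this thread (not code from Ansible or from any of the posters): a small Python probe that does what the controller's urllib client does behind ansible.builtin.uri (the quoted errors are urlopen errors) and shows why editing openssl.cnf or setting OPENSSL_CONF has no effect here. Since Python 3.10 the SSLContext constructor explicitly sets the minimum protocol to TLS 1.2 and its own cipher string after OpenSSL has already read the config, so the system_default MinProtocol and CipherString lines only supply defaults that Python's later explicit calls override; the first function below reports whatever floor the running interpreter applies. Rather than weakening openssl.cnf for every OpenSSL consumer on the control host, the probe scopes the TLS 1.0 / SECLEVEL=0 relaxation to one context, keeps certificate and hostname verification on, and classifies the two OpenSSL reason codes quoted in the thread. The host, port and cafile arguments and the SAMPLE_ERRORS list are assumptions constructed for the example.

```python
"""Per-connection TLS downgrade probe for a legacy endpoint.

Added example for this mailing-list thread; not code from Ansible or from
the posters. It reproduces what the controller's urllib client does and
scopes the TLS 1.0 / SECLEVEL=0 relaxation to one SSLContext instead of the
whole host via openssl.cnf.
"""
import socket
import ssl
import sys

# Constructed sample input: the two OpenSSL reasons quoted in the thread.
SAMPLE_ERRORS = [
    "[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1000)",
    "[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1000)",
]


def default_minimum_version() -> ssl.TLSVersion:
    """Minimum protocol Python applies to a fresh client context.

    Python 3.10+ sets this to TLSv1_2 inside the SSLContext constructor,
    i.e. after OpenSSL has already loaded openssl.cnf / OPENSSL_CONF, so a
    system_default MinProtocol line cannot lower it for urllib-based
    clients such as ansible.builtin.uri.
    """
    return ssl.create_default_context().minimum_version


def legacy_client_context(min_version=ssl.TLSVersion.TLSv1,
                          ciphers="DEFAULT@SECLEVEL=0",
                          cafile=None) -> ssl.SSLContext:
    """Context that accepts a TLS 1.0-only peer without touching openssl.cnf.

    Certificate and hostname verification stay on; pass the legacy box's CA
    bundle via `cafile` (an assumed parameter) instead of disabling them.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = min_version   # overrides Python's TLSv1_2 floor
    ctx.set_ciphers(ciphers)            # SECLEVEL=0 admits the legacy suites
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Facts worth logging before a relaxed context is used at all."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "maximum_version": ctx.maximum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def classify_failure(error_text: str) -> str:
    """Say which side refused, based on the OpenSSL reason code in the error."""
    if "UNSUPPORTED_PROTOCOL" in error_text:
        # Client-side error: the server's version is below our minimum_version.
        return "client refused: server version below minimum_version"
    if "SSLV3_ALERT_HANDSHAKE_FAILURE" in error_text:
        # Server-side alert 40: no cipher suite / version both sides accept.
        return "server refused: handshake_failure alert, no common cipher suite"
    return "unclassified"


def probe(host: str, port: int = 443, ctx: ssl.SSLContext = None,
          timeout: float = 5.0) -> dict:
    """Handshake once and report the negotiated protocol or why it failed."""
    ctx = ctx or legacy_client_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "version": tls.version(),
                        "cipher": tls.cipher()[0]}
    except ssl.SSLError as exc:
        return {"ok": False, "reason": classify_failure(str(exc)),
                "error": str(exc)}
    except OSError as exc:
        return {"ok": False, "reason": "transport error", "error": str(exc)}


if __name__ == "__main__":
    # Usage: python probe.py LEGACY_HOST [PORT] [CAFILE]  (host is an assumption)
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    print("python default minimum_version:", default_minimum_version().name)
    ctx = legacy_client_context(cafile=cafile)
    print("probe context:", context_summary(ctx))
    print("result:", probe(host, port, ctx))
```

Run it against the legacy box with its CA bundle to see the negotiated version and cipher, or the classification of the failure. If the relaxed per-connection context succeeds where the playbook fails, the gap is in what the uri module's context allows (the thread notes it accepts a cipher string but no minimum-version setting), not in the system OpenSSL config, and the relaxation stays confined to that one connection.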
