Hi Walter, > Your system may not allow older TLS connections.
Exactly, and this is why I currently have to use a custom weakened openssl.cnf by the curl-based Ansible playbook. However, the environment variable OPENSSL_CONF, referring to the custom OpenSSL config, is ignored when I use "ansible.builtin.uri". Actually, "ansible.builtin.uri" even ignores by OpenSSL config located in the default path /etc/ssl/openssl.cnf on my Debian 12.6 system: -----BEGIN SHELL----- $ cat /etc/ssl/openssl.cnf openssl_conf = openssl_init [openssl_init] ssl_conf = ssl_sect [ssl_sect] system_default = system_default_sect [system_default_sect] MinProtocol = TLSv1 CipherString = DEFAULT@SECLEVEL=0 Options = UnsafeLegacyRenegotiation $ ansible-playbook -vvv test.yml ... "msg": "Status code was -1 and not [200]: Request failed: <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1000)>", ... -----END SHELL----- Thank you. Regards, Garri On Thursday, August 15, 2024 at 1:15:22 PM UTC+2 Rowe, Walter P. (Fed) wrote: > Check your system settings. Your system may not allow older TLS > connections. TLS 1.0 is compromised and therefore no longer allowed by many > systems. > > What platform is your control host? > > Walter > -- > Walter Rowe, Division Chief > Infrastructure Services Division > Mobile: 202.355.4123 <(202)%20355-4123> > > On Aug 15, 2024, at 5:00 AM, Garri Djavadyan <g.dja...@gmail.com> wrote: > > Hi Steve, > > > Did you try with SECLEVEL=0 ? > > Yes, I did. However, the result is the same: Ansible controller is not > happy with the bare TLS 1.0 reply from the legacy box: > > "msg": "Status code was -1 and not [200]: Request failed: <urlopen error > [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1000)>" > > > - name: Query legacy boxes > hosts: legacyboxes > gather_facts: false > connection: local > tasks: > - name: GET the home page > ansible.builtin.uri: > url: https://{{ ansible_host }} > ciphers: > - 'DEFAULT@SECLEVEL=0' > > > Again, ciphers-wise, the setup is fine, but I do not think it is possible > to enforce the minimum TLS protocol version with the cipher string. > > Thank you. > > Regards, > Garri > > -- > You received this message because you are subscribed to the Google Groups > "Ansible Project" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ansible-proje...@googlegroups.com. > > To view this discussion on the web visit > https://groups.google.com/d/msgid/ansible-project/85e58522-271e-45aa-832a-8a2a7c6b5a38n%40googlegroups.com > > <https://groups.google.com/d/msgid/ansible-project/85e58522-271e-45aa-832a-8a2a7c6b5a38n%40googlegroups.com?utm_medium=email&utm_source=footer> > . > > > -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/fe2f9e80-a54e-4ffc-87f1-bdfe8788c858n%40googlegroups.com.
