Windows FAQ should mention possible SSL protocol issue #52316
TLS 1.0 is by default the maximum supported TLS version on Windows 7. However, Linux distributions (at least Debian) begin to disable it to allow TLS 1.2 as a minimum. Thus, by default, the connection fails with this message:
OS / ENVIRONMENT
Debian testing with openssl 1.1.1a-1.
Windows 7 is probably still a common target, and Debian Buster (next stable probably available in the summer) will probably be a common controller, so this issue should be briefly explained in the documentation.
@L1ghtman2k, not sure what you mean. This doesn't mean that encryption isn't available but that the Windows host you are connecting to doesn't offer the required TLS protocol that the client can handle. The end result is that you should explicitly enable TLS 1.2 through some registry keys on the Windows hosts so it does support TLS 1.2. This can be done with the following Ansible task but it can also be converted to a simple PowerShell script:
If you cannot do this through Ansible a simple PowerShell script can be used:
If you can't do this you can still have encryption over WinRM by using NTLM, Kerberos, or CredSSP as the auth. They have their own mechanism for encrypting the WinRM messages but NTLM isn't as secure. In reality there should be no reason why you can't just enable TLS 1.2 on the Windows host and use that. There's a reason why TLS 1.0 is not enabled on newer distros.
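The registry change described in the comment above, as an added example; it is not the script from the thread or from the Ansible project. It assumes the standard SCHANNEL protocol keys, an elevated PowerShell session on the Windows host, and a hypothetical `-Apply` switch that separates auditing from changing.

```powershell
# Added example (not from the thread): audit the SCHANNEL TLS 1.2 settings
# and, when run with -Apply, enable TLS 1.2 for both client and server roles.
param([switch]$Apply)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'

# Enabled = 1 turns the protocol on; DisabledByDefault = 0 lets SChannel
# negotiate it without the application requesting it explicitly.
$wanted = @{ Enabled = 1; DisabledByDefault = 0 }
$changed = $false

foreach ($role in 'Client', 'Server') {
    $path = Join-Path -Path $base -ChildPath $role

    foreach ($name in $wanted.Keys) {
        # Read the current value; a missing key or value stays $null.
        $current = $null
        if (Test-Path -Path $path) {
            $prop = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
            if ($prop) { $current = $prop.$name }
        }

        $compliant = ($current -eq $wanted[$name])

        if (-not $compliant -and $Apply) {
            # Create the role key (and any missing parents) before writing.
            if (-not (Test-Path -Path $path)) {
                New-Item -Path $path -Force | Out-Null
            }
            New-ItemProperty -Path $path -Name $name -Value $wanted[$name] `
                -PropertyType DWord -Force | Out-Null
            $changed = $true
        }

        # One result object per value so the output can be filtered or logged.
        New-Object PSObject -Property @{
            Role      = $role
            Name      = $name
            Before    = $current
            Wanted    = $wanted[$name]
            Compliant = $compliant
            Updated   = (-not $compliant -and [bool]$Apply)
        }
    }
}

if ($changed) {
    # SChannel reads these values at startup, so the change needs a reboot.
    Write-Warning 'TLS 1.2 registry values were changed; reboot the host to apply them.'
}
```

Run it without `-Apply` first to see which values are missing or non-compliant, then again with `-Apply` to write them.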