
Windows FAQ should mention possible SSL protocol issue #52316

Closed
Yvan-Masson opened this issue Feb 15, 2019 · 7 comments

@Yvan-Masson
Contributor

commented Feb 15, 2019

SUMMARY

TLS 1.0 is by default the maximum supported TLS version on Windows 7. However, Linux distributions (at least Debian) are beginning to disable it so that TLS 1.2 becomes the minimum. Thus, by default, the connection fails with this message:

ntlm: HTTPSConnectionPool(host='my-host', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, '[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1056)')))
Could you explain this issue on https://docs.ansible.com/ansible/latest/user_guide/windows_faq.html and add the possible workarounds (enable TLS 1.2 on the Windows 7 target / temporarily re-enable TLS 1.0 on the controller) that are well described in the original discussion at https://groups.google.com/forum/#!msg/ansible-project/CCjQTWSAt4I/mHsdpJGUAwAJ ?

ISSUE TYPE
  • Documentation Report
COMPONENT NAME

windows_faq.rst

ANSIBLE VERSION

CONFIGURATION

OS / ENVIRONMENT

Debian testing with openssl 1.1.1a-1.

ADDITIONAL INFORMATION

Windows 7 is probably still a common target, and Debian Buster (next stable probably available in the summer) will probably be a common controller, so this issue should be briefly explained in the documentation.

Regards,
Yvan

@ansibot

Contributor

commented Feb 15, 2019

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.


@ansibot

Contributor

commented Feb 15, 2019

@L1ghtman2k


commented Mar 17, 2019

Yeah, I just had the same problem, I guess I will just use no encryption at all then :/

@jborean93

Contributor

commented Mar 17, 2019

@L1ghtman2k, not sure what you mean. This doesn't mean that encryption isn't available, but that the Windows host you are connecting to doesn't offer the required TLS protocol that the client can handle. The end result is that you should explicitly enable TLS 1.2 through some registry keys on the Windows host so it does support TLS 1.2. This can be done with the following Ansible task, but it can also be converted to a simple PowerShell script:

- name: enable TLSv1.2 support
  win_regedit:
    path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\{{ item.type }}
    name: '{{ item.property }}'
    data: '{{ item.value }}'
    type: dword
    state: present
  # register belongs at task level, not under the module arguments
  register: pri_personalise_tls_config
  loop:
  - type: Server
    property: Enabled
    value: 1
  - type: Server
    property: DisabledByDefault
    value: 0
  - type: Client
    property: Enabled
    value: 1
  - type: Client
    property: DisabledByDefault
    value: 0

# SCHANNEL only picks up the new protocol settings after a reboot
- name: reboot if TLS config was applied
  win_reboot:
  when: pri_personalise_tls_config is changed

If you cannot do this through Ansible, a simple PowerShell script can be used:

Function Enable-TLS12 {
    param(
        [ValidateSet("Server", "Client")]
        [String]$Component = "Server"
    )

    $protocols_path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
    # Create the TLS 1.2\<Component> key (idempotent with -Force) and set the two values SCHANNEL reads
    New-Item -Path "$protocols_path\TLS 1.2\$Component" -Force
    New-ItemProperty -Path "$protocols_path\TLS 1.2\$Component" -Name Enabled -Value 1 -Type DWORD -Force
    New-ItemProperty -Path "$protocols_path\TLS 1.2\$Component" -Name DisabledByDefault -Value 0 -Type DWORD -Force
}
Enable-TLS12 -Component Server

# Not required but highly recommended to enable the Client side TLS 1.2 components
Enable-TLS12 -Component Client
# A reboot is needed before SCHANNEL applies the change

If you can't do this, you can still have encryption over WinRM by using NTLM, Kerberos, or CredSSP as the auth. They have their own mechanism for encrypting the WinRM messages, but NTLM isn't as secure. In reality there should be no reason why you can't just enable TLS 1.2 on the Windows host and use that. There's a reason why TLS 1.0 is not enabled on newer distros.
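A check to confirm the registry change took effect after the reboot, added here as an example and not part of the issue or of Ansible: it reads the SCHANNEL values for TLS 1.2 that the task and script above write, and then probes the WinRM HTTPS listener with a TLS 1.2-only handshake. It assumes the listener is on localhost port 5986 and that .NET 4.5 or later is installed (for the Tls12 enum value).

```powershell
# Added verification script (hypothetical helper, not from the issue or Ansible).
Function Get-TLS12State {
    param([ValidateSet("Server", "Client")][String]$Component)

    $path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\$Component"
    if (-not (Test-Path $path)) {
        return "not configured (OS default applies)"
    }
    $key = Get-ItemProperty -Path $path
    $enabled = $key.Enabled
    $disabledByDefault = $key.DisabledByDefault
    # Enabled=1 and DisabledByDefault=0 is the combination Enable-TLS12 writes
    if ($enabled -eq 1 -and $disabledByDefault -eq 0) { return "enabled" }
    if ($enabled -eq 0) { return "explicitly disabled" }
    return "present but not fully enabled (Enabled=$enabled, DisabledByDefault=$disabledByDefault)"
}

Function Test-TLS12Handshake {
    param([String]$ComputerName = "localhost", [Int]$Port = 5986)  # assumed WinRM HTTPS listener

    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        # Certificate validation is skipped on purpose: WinRM listeners often use
        # self-signed certificates and this only probes protocol support.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        # Offer TLS 1.2 only; an unpatched Windows 7 listener rejects this handshake
        $ssl.AuthenticateAsClient($ComputerName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        return "TLS 1.2 handshake succeeded (negotiated $($ssl.SslProtocol))"
    } catch {
        return "TLS 1.2 handshake failed: $($_.Exception.GetBaseException().Message)"
    } finally {
        $client.Close()
    }
}

"Server: " + (Get-TLS12State -Component Server)
"Client: " + (Get-TLS12State -Component Client)
Test-TLS12Handshake
```

Run it on the Windows host after the reboot; a "failed" result with the registry values reported as "enabled" usually means the reboot has not happened yet.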

@L1ghtman2k


commented Mar 17, 2019

Didn't know that was a thing, thanks!

@jborean93

Contributor

commented Mar 19, 2019

@Yvan-Masson I've made an attempt to try and document this information at #54016. It would be great if you could give this a review and let me know your thoughts.

@Yvan-Masson

Contributor Author

commented Mar 19, 2019

@jborean93 Done! Thanks a lot, I am sure it will be helpful to many.
