Recently, I’ve undertaken the task of PCI Compliance for several servers I manage. One of the recurring recommendations is to disable TLS 1.0 in favor of TLS 1.1/1.2.
The good news… Disabling TLS 1.0 on a group of servers is super easy using Ansible! Sadly, one of the side effects of disabling is that the WinRM connection in my Ansible scripts becomes completely broken afterward. After disabling, connecting to Windows servers results in the following error:
fatal: [10.0.20.20]: FAILED! => {"failed": true, "msg": "ERROR! ssl: 500 WinRMTransport. [Errno 54] Connection reset by peer"}
Re-enabling TLS 1.0 will correct the issue, but obviously it’s not ideal and I’m wondering what can be done… So, some questions:
- Is TLS 1.0 required in Windows, or is it something in pywinrm package?
- If TLS 1.0 must be used, is there an interim solution where it can be disabled for IIS (port 443) only? The only solutions I have found online disable it in the SCHANNEL/Protocols registry key, which then disables it system-wide in Windows.
- Has anyone run into this problem or discovered another workaround?
Thanks, looking forward to discussing!
-chris
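One way to audit what the SCHANNEL/Protocols registry key mentioned above actually controls, as an added example that is not part of the original post. It assumes it is run locally on the Windows server with rights to read HKLM; the per-protocol Client and Server subkeys and the Enabled/DisabledByDefault values are the standard Schannel settings, and there is no per-port variant of them.

```powershell
# Added example, not from the original post: report the Schannel protocol state that the
# SCHANNEL\Protocols registry key controls. Assumes local execution with rights to read HKLM.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param(
        [string]$Protocol,                                  # e.g. 'TLS 1.0'
        [ValidateSet('Client', 'Server')][string]$Role      # which side of the handshake
    )
    $path = Join-Path (Join-Path $Base $Protocol) $Role
    $enabled = $null
    $disabledByDefault = $null
    if (Test-Path $path) {
        $props = Get-ItemProperty -Path $path
        $enabled = $props.PSObject.Properties['Enabled'].Value
        $disabledByDefault = $props.PSObject.Properties['DisabledByDefault'].Value
    }
    # Enabled = 0 turns the protocol off for every Schannel consumer in that role:
    # for 'Server' that is IIS on 443 and the WinRM HTTPS listener alike.
    # An absent key leaves the OS default for that Windows version in effect.
    $state = if ($null -eq $enabled -and $null -eq $disabledByDefault) { 'OS default (no key)' }
             elseif ($enabled -eq 0)                                    { 'Disabled' }
             elseif ($disabledByDefault -eq 1)                           { 'Enabled, not offered by default' }
             else                                                        { 'Enabled' }
    [pscustomobject]@{
        Protocol          = $Protocol
        Role              = $Role
        Enabled           = $enabled
        DisabledByDefault = $disabledByDefault
        State             = $state
    }
}

# Report both roles for each TLS version so a system-wide change is visible before and
# after the Ansible run that disables TLS 1.0.
$report = foreach ($p in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($r in 'Client', 'Server') { Get-SchannelProtocolState -Protocol $p -Role $r }
}
$report | Format-Table -AutoSize

# The WinRM HTTPS listener has no TLS settings of its own; Schannel terminates its TLS,
# so the 'Server' rows above are what the listener will accept.
winrm enumerate winrm/config/listener
```

Run it once with TLS 1.0 enabled and once after the Ansible change to confirm the Server row for TLS 1.0 is what flipped, which is the state the WinRM listener on 5986 shares with IIS on 443.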