I think this may be more of a Windows problem than an Ansible one, but posting here in case others have come across this issue and have (or need) the solution…
We’ve enabled TLS 1.2 support on a bunch of Windows Server 2008 (non-R2) servers and it seems that Ansible is now not connecting, and is returning the error “500 WinRMTransport. [Errno 104] Connection reset by peer”
If I run:
$ openssl s_client -connect server.fqdn.corp:5986
I get the same sort of error (errno=104)
but if I run
$ openssl s_client -connect server.fqdn.corp:5986 -no_tls1_2
it connects fine, using TLS 1.1
Is there a way to get WinRM to talk nice over TLS 1.2 (or Ansible to talk 1.1)?
TL;DR: the patch is buggy and does not enable TLS 1.1 and TLS 1.2 on Server 2008. It doesn’t detect any cipher suites available and resets the connection.
If you have an account with Microsoft that you can file these bugs against, feel free to send them my link so they can fix up the issue.
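The following is an added example, not code from either poster in this thread. It is the check I would run on the Windows side before opening a support case: it dumps the SCHANNEL protocol registry state for each protocol and then attempts a handshake against the WinRM HTTPS listener offering exactly one protocol version at a time, so a server that silently falls back to TLS 1.0 cannot hide a broken TLS 1.2 configuration. It assumes .NET 4.5 or later (so that SslProtocols.Tls11 and Tls12 exist), PowerShell 2.0 or later, and a WinRM HTTPS listener on port 5986; none of those facts come from the thread.

```powershell
# Added example (not from the thread). Assumes .NET 4.5+ and a WinRM HTTPS
# listener on 5986; both are assumptions, not facts stated by the posters.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # Reports Enabled / DisabledByDefault for the Client and Server side of each
    # protocol. A missing key or value means SCHANNEL falls back to its built-in
    # default for that OS; that is exactly the state you want to see explicitly.
    param([string[]]$Protocols = @('SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($proto in $Protocols) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path (Join-Path $SchannelRoot $proto) $side
            $enabled = $null; $disabledByDefault = $null
            $present = Test-Path $key
            if ($present) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            New-Object PSObject -Property @{
                Protocol          = $proto
                Side              = $side
                KeyPresent        = $present
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
            }
        }
    }
}

function Test-TlsHandshake {
    # Opens a TCP connection to the listener and runs an SslStream handshake that
    # offers a single protocol version. Certificate errors are ignored on purpose:
    # the question here is the protocol negotiation, not the certificate chain.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Port = 5986,
        [System.Security.Authentication.SslProtocols[]]$Versions = @('Tls', 'Tls11', 'Tls12')
    )
    # Accept any server certificate; we only care whether the handshake completes.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    foreach ($version in $Versions) {
        $client = New-Object System.Net.Sockets.TcpClient
        $result = New-Object PSObject -Property @{
            Offered = $version; Negotiated = $null; Cipher = $null; Error = $null
        }
        try {
            $client.Connect($ComputerName, $Port)
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
            # Fourth argument: no revocation check, so an offline CRL cannot mask the result.
            $ssl.AuthenticateAsClient($ComputerName, $null, $version, $false)
            $result.Negotiated = $ssl.SslProtocol
            $result.Cipher = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            $ssl.Dispose()
        } catch {
            # A connection reset here corresponds to what openssl s_client reports as errno 104.
            $result.Error = $_.Exception.GetBaseException().Message
        } finally {
            $client.Dispose()
        }
        $result
    }
}

Get-SchannelProtocolState | Format-Table Protocol, Side, KeyPresent, Enabled, DisabledByDefault -AutoSize
Test-TlsHandshake | Format-Table Offered, Negotiated, Cipher, Error -AutoSize
```

Run it on the Server 2008 host itself (or from another Windows box with -ComputerName). If the registry shows TLS 1.2 Server Enabled=1 / DisabledByDefault=0 but the Tls12 row comes back with an error while the Tls row negotiates fine, that is the same picture the openssl s_client output in the question gives from the Linux side, and it is the evidence to attach to a Microsoft support case.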
Thanks Jordan. Not the answer I wanted but an answer all the same.
I actually found your MS forum post whilst researching this issue before I posted here, and it’s a little annoying that Microsoft seem to have ignored it. We have around 350 Server 2008 non-R2 machines, and the regulatory environment in which we operate is requiring us to move from TLS 1.0 to 1.2, so there is some incentive to get this sorted. We have an MS support account so I might try and see if they can help - I just need to build a sandpit environment first so I can try some things out without having to use (and potentially break!) our production environment! If there’s anything you want to send to me that I can forward to Microsoft, you can reach me on phil [dot] cooling @ google’s free webmail service
Yep, I wish I could give you a better answer, but no matter what I tried I was unable to get this working. Even using a Microsoft client (like PS) it wouldn’t use TLS 1.2 but rather fall back to TLS 1.0, which defeats the point of the patch.