pyOpenSSL (python-openssl) is not used for standard SSL connections in 
Python. It is a requirement of CredSSP auth in Ansible but that's unrelated 
to the problem here.

I think you still have a mismatch of compatible TLS protocols, just in the 
opposite direction from what we initially thought. I believe your Debian host only 
supports TLS 1.2 but your Windows 7 host only supports up to TLS 1.0. TLS 
1.0 is old and potentially insecure, which is why more and more 
distributions are disabling TLS 1.0, TLS 1.1 and older; see 
https://lists.debian.org/debian-devel-announce/2017/08/msg00004.html.

Luckily for you, Windows 7 does support TLS 1.2, just not by default. You 
need to make sure you have installed the latest updates on your Windows 
host, then create the following registry keys; you can use the script below 
to do so:

Function Enable-TLS12 {
    param(
        [ValidateSet("Server", "Client")]
        [String]$Component = "Server"
    )

    $protocols_path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
    New-Item -Path "$protocols_path\TLS 1.2\$Component" -Force
    New-ItemProperty -Path "$protocols_path\TLS 1.2\$Component" -Name Enabled -Value 1 -Type DWORD -Force
    New-ItemProperty -Path "$protocols_path\TLS 1.2\$Component" -Name DisabledByDefault -Value 0 -Type DWORD -Force
}
Enable-TLS12 -Component Server

# Not required but highly recommended to enable the Client side TLS 1.2 components
Enable-TLS12 -Component Client

You definitely need to enable the Server component, but I also highly 
recommend you enable the Client component as well. Once you've created the 
registry keys you need to reboot the host and try again.

To verify independently what protocol is being negotiated by OpenSSL you 
can run the command below:

openssl s_client -connect <hostname>:5986

Near the bottom of the output you can see something like the following:

SSL handshake has read 1884 bytes and written 293 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: E61400004F2F2662F404CDCD3203CB6AE5F53C36B0129AF615A016D404F1C155
    Session-ID-ctx: 
    Master-Key: 123F15364A949A03DD75E7841EDD395304A2568B32124206A5E36BDDD10AF7837E74746DED16356972D318169DD81B5E
    Start Time: 1550089169
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

We can see that the Protocol negotiated was TLSv1.2 and it negotiated the 
cipher suite 'ECDHE-RSA-AES256-GCM-SHA384'. Try running that before and 
after you enable TLS 1.2 on your Windows host and reboot to check for 
differences.

Thanks

Jordan
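As an added example (not part of Jordan's message), here is a read-only PowerShell audit of the same SCHANNEL registry keys, so you can check the state of each protocol and component before and after the reboot. The function name and the "State" wording are my own; the registry path and value names are the ones the post uses.

```powershell
# Added example, not from the original message: report the SCHANNEL protocol
# keys that Enable-TLS12 writes, without changing anything.
$protocolsPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"

Function Get-SchannelProtocolState {
    param(
        [String[]]$Protocols = @("TLS 1.0", "TLS 1.1", "TLS 1.2"),
        [String[]]$Components = @("Server", "Client")
    )
    foreach ($proto in $Protocols) {
        foreach ($comp in $Components) {
            $keyPath = Join-Path $protocolsPath "$proto\$comp"
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path $keyPath) {
                $props = Get-ItemProperty -Path $keyPath
                $enabled = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            # A missing key means the OS default applies. On Windows 7 that
            # leaves TLS 1.2 off (as the post explains), which is what this
            # audit is meant to make visible.
            $state = if ($null -eq $enabled -and $null -eq $disabledByDefault) {
                "not configured (OS default)"
            } elseif ($enabled -eq 0) {
                "explicitly disabled"
            } elseif ($disabledByDefault -eq 1) {
                "enabled but not offered by default"
            } else {
                "enabled"
            }
            [PSCustomObject]@{
                Protocol          = $proto
                Component         = $comp
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                State             = $state
            }
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
```

Run it in an elevated prompt on the Windows 7 host; the "TLS 1.2 / Server" row should read "enabled" after the registry change, and the openssl s_client output above should then show Protocol : TLSv1.2.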
