tls: client offered an unsupported, maximum protocol version of 301

Sean Bollin

Jan 9, 2016, 4:31:35 PM
to Vault
Trying to do something like this in ansible:

local_action: >
    uri
    validate_certs=no
    status_code=200
    return_content=yes
    method=PUT
    url=https://{{ ec2_ip_address }}:{{ vault.port }}/v1/sys/unseal
    body='{"key": "{{ item }}"}'

This works perfectly fine on my MacBook Pro

However, my other coworkers, also on MacBook Pros, trigger a "tls: client offered an unsupported, maximum protocol version of 301" in Vault when doing the same action

When I change the Vault minimum tls version down to 1.0, everything works for both of us

So basically we're trying to figure out why my machine negotiates TLS v1.2 whereas my coworkers' machines aren't using TLS 1.2?

We've checked openssl versions, python versions, ansible versions ...

Jeff Mitchell

Jan 9, 2016, 5:44:03 PM
to vault...@googlegroups.com
Hi Sean,

Unfortunately there's not much concrete advice I can give, as I'd do
basically the same things you've done. Check OSX versions; make sure
that you're using the exact same version/build of Python and OpenSSL
and so on (if you have homebrew, for instance, and they don't, you
might have ansible/python built against system libraries vs. homebrew
libraries, even if they are the same version).

And of course, more Googling -- others may have seen issues with
python on OSX that aren't Ansible-specific. I used to have a lot of
trouble with SNI in Python due to that only being added in Python
2.7.9 and OSX generally tending to have very old Python versions.

Maybe others will have more concrete ideas...

--Jeff

Tiziano Perrucci

Jan 10, 2016, 2:18:24 PM
to Vault
Hi Sean,

There are known issues with urllib handling TLS connections with Python 2 compatible versions.

You guys might be using different versions; check by running `$ pip freeze` on your laptops and compare the output.

Tiziano
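
Added example, not part of the original thread: a small Python check for the comparison both replies suggest. It reads the 301 in Vault's error as the hexadecimal TLS wire version (0x0301) and reports which OpenSSL build the running interpreter is linked against; the function names are made up for this example.

```python
import re
import ssl
import sys

# TLS wire versions (major/minor bytes). Go's crypto/tls, which Vault uses,
# prints the offered version in hexadecimal, so "301" means 0x0301.
WIRE_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

ERR_RE = re.compile(r"maximum protocol version of ([0-9a-fA-F]+)")


def decode_offered_version(log_line):
    """Return the protocol name for the hex version in the server error, or None."""
    match = ERR_RE.search(log_line)
    if not match:
        return None
    value = int(match.group(1), 16)
    return WIRE_VERSIONS.get(value, "unknown (0x%04x)" % value)


def local_tls_report():
    """Describe the TLS stack this interpreter was built against."""
    return {
        "python": sys.version.split()[0],
        "executable": sys.executable,
        "openssl": ssl.OPENSSL_VERSION,
        "openssl_version_info": ssl.OPENSSL_VERSION_INFO,
        "has_sni": getattr(ssl, "HAS_SNI", False),
        # False when the linked OpenSSL predates TLS 1.2 support
        "has_tls1_2": hasattr(ssl, "PROTOCOL_TLSv1_2"),
    }


if __name__ == "__main__":
    # Error text as quoted in the thread
    line = "tls: client offered an unsupported, maximum protocol version of 301"
    print("client offered at most: %s" % decode_offered_version(line))
    for key, value in sorted(local_tls_report().items()):
        print("%-22s %s" % (key, value))
```

Run it with the same interpreter Ansible uses on each laptop and diff the output; a differing `openssl` or `executable` line points at system versus Homebrew builds.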