Changing SSL cert detection method to allow for auto-negotiation of SSL protocols

Fixes #6904

lib/ansible/module_utils/urls.py

@@ -50,6 +50,7 @@ try:
 except:
     HAS_SSL=False
 
+import socket
 import tempfile
 
 
@@ -162,12 +163,20 @@ class SSLValidationHandler(urllib2.BaseHandler):
     def http_request(self, req):
         tmp_ca_cert_path, paths_checked = self.get_ca_certs()
         try:
-            server_cert = ssl.get_server_certificate((self.hostname, self.port), ca_certs=tmp_ca_cert_path)
+            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-        except ssl.SSLError:
+            ssl_s = ssl.wrap_socket(s, ca_certs=tmp_ca_cert_path, cert_reqs=ssl.CERT_REQUIRED)
+            ssl_s.connect((self.hostname, self.port))
+            ssl_s.close()
+        except (ssl.SSLError, socket.error), e:
             # fail if we tried all of the certs but none worked
-            self.module.fail_json(msg='Failed to validate the SSL certificate for %s:%s. ' % (self.hostname, self.port) + \
+            if 'connection refused' in str(e).lower():
+                self.module.fail_json(msg='Failed to connect to %s:%s.' % (self.hostname, self.port))
+            else:
+                self.module.fail_json(
+                    msg='Failed to validate the SSL certificate for %s:%s. ' % (self.hostname, self.port) + \
                     'Use validate_certs=no or make sure your managed systems have a valid CA certificate installed. ' + \
-                                      'Paths checked for this platform: %s' % ", ".join(paths_checked))
+                    'Paths checked for this platform: %s' % ", ".join(paths_checked)
+                )
         try:
             # cleanup the temp file created, don't worry
             # if it fails for some reason