I have no idea what to make of the fact that http: still fails with this
Yeah, that part is super weird. Do we know if that worked before? Or has it been using https for a while?
perl version. But I think we've conclusively proven that the problem with https: is down to these machines trying to use tlsv1.
So the next question is what to do about it. Is tls < 1.2 officially deprecated these days, or was that configuration change just accidental?
It absolutely is. I actually thought we had already blocked that in the *previous* setup, but clearly we hadn't :)
That said, the buildfarm doesn't really do things that are that sensitive. So we can probably turn it off on that individual machine if we have to. Right now our config management will flip the configuration right back shortly, but I can probably get that sorted out pretty easily.
I can probably restore these machines to functionality by updating whichever Perl module knows about TLS (anyone know which that is?), so if you want to undo the config change, it's OK by me. But other owners of ancient buildfarm critters might be less happy about it.
I think what you'd need is a new version of openssl.
But it might be hard to get in on all of them. Let's see if we can turn off the restriction for a while, and see if the other BF animals also recover.