Just putting this here to potentially save you an ...
# ask-community
m
Just putting this here to potentially save you an hour or two. The latest prefect python3.11 image (which is debian linux) comes with OpenSSL v3.0.9. Prior images were using OpenSSL v1.1.1; this should be a good thing in most cases, but some of the servers that we have Prefect connect to internally are outdated and not-so-secure. The change in OpenSSL versions required us to add some new steps to our Dockerfile container builds to get our flows working again.
n
hi @Mike Grabbe - thanks for sharing. would you be able to share which steps you had to add? (at least conceptually) (cc @David Beck would you be open to trying building off this new image with OpenSSL v3.0.9 to resolve your openssl issue?)
m
Sure. We formerly had these steps in our Dockerfile when OpenSSL v1.1.1 was installed:
```
RUN sed -i 's/TLSv1\.2/TLSv1.0/g' /etc/ssl/openssl.cnf
RUN sed -i 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g' /etc/ssl/openssl.cnf
```
With OpenSSL v3.0.9, the config file is structured differently, and we need to append these config options to achieve the same security level downgrade:
```
[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT@SECLEVEL=0
```
I wish we didn't have to do this, but some of our servers only work with TLS 1.0 😞