ScoopInstaller / Scoop

A command-line installer for Windows.
https://scoop.sh

Support TLS 1.2 - "Could not create SSL/TLS secure channel" #2040

Closed crazy4cs closed 6 years ago

crazy4cs commented 6 years ago

```
iex : Exception calling "DownloadFile" with "2" argument(s): "The request was aborted: Could not create SSL/TLS secure
channel."
At line:1 char:1
+ iex (new-object net.webclient).downloadstring('https://get.scoop.sh')
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Invoke-Expression], MethodInvocationException
    + FullyQualifiedErrorId : WebException,Microsoft.PowerShell.Commands.InvokeExpressionCommand
```

The scoop directory is created within the user profile folder, as well as the %USERPROFILE%\scoop\apps\scoop\current directory, however, they are both empty.

hss-dev commented 6 years ago

My colleague has just tried to install Scoop and also got this problem. I installed it last week and it was fine.

r15ch13 commented 6 years ago

What's the output of Get-ExecutionPolicy -List?

hss-dev commented 6 years ago

My colleague's settings were

```
        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy       Undefined
   UserPolicy       Undefined
      Process       Undefined
  CurrentUser    RemoteSigned
 LocalMachine    RemoteSigned
```

ghost commented 6 years ago

Hello I'm having the same issue

r15ch13 commented 6 years ago

What's the output of [Net.ServicePointManager]::SecurityProtocol?

ghost commented 6 years ago

```
PS C:\Users\chere> [Net.ServicePointManager]::SecurityProtocol
Ssl3, Tls
PS C:\Users\chere>
```

ghost commented 6 years ago

And if I try to install it again it says:

```
PS C:\Users\chere> iex (new-object net.webclient).downloadstring('https://get.scoop.sh')
Initializing...
Scoop is already installed. Run 'scoop update' to get the latest version.
PS C:\Users\chere> scoop update
scoop : The term 'scoop' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ scoop update
+ ~~~~~
    + CategoryInfo          : ObjectNotFound: (scoop:String) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : CommandNotFoundException

PS C:\Users\chere>
```

covertcj commented 6 years ago

I just ran into this as well on a 'fresh' install of Windows 10 (it was installed from a base image provided by the IT dept, for whatever that's worth). I found that I was able to delete the ~/scoop directory, run the command:

```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
```

directly in my prompt, and then re-install with the standard method. That being said, it seems I need to re-run that command in each new powershell window, or I see a bunch of SSL/TLS errors any time I use scoop.

masaeedu commented 6 years ago

You can put [Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls" in your Powershell profile (notepad $PROFILE) as a workaround. It seems like something's changed on github's side so they no longer accept TLSv1, which winhttp uses by default. There's also stuff you can fiddle with in the registry to get winhttp to use TLSv1.2 instead.

EDIT: Looks like installing .NET 4.6.1 also changes the default TLS scheme to 1.2.

tresf commented 6 years ago

Just updated Windows 10 today and I'm receiving this. I've tried the above suggestions without much luck, although the symptoms are the same, my error is a bit different.

```
PS C:\Users\Tres> scoop update
Updating Scoop...
fatal: unable to access 'https://github.com/lukesampson/scoop/': error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
Update failed.
```

I've tried setting the registry flag to force WinHttp to a higher TLS version, but it's not working on my machine or perhaps my steps are incorrect.

The suggestion to use notepad $PROFILE doesn't seem to work on my installation, I'm not sure what that does. My scoop version is ef058e9 Update fnproject to version 0.4.34.

masaeedu commented 6 years ago

@tresf notepad $PROFILE doesn't do anything by itself, it's just supposed to open your Powershell profile file for editing. In that file you need to add [Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls". Before adding it to your profile file, you can test out whether the incorrect TLS version is causing your issue by just running this command in a powershell session right before scoop update.

tresf commented 6 years ago

> you can test out whether the incorrect TLS version is causing your issue by just running this command in a powershell session right before scoop update.

I wasn't able to get either proposal to help...

I also removed ~/scoop and reinstalled through the iex ... command from scoop.sh, which worked, but once scoop update was run, the tlsv1 alert protocol version error comes back.

> @tresf notepad $PROFILE doesn't do anything by itself, it's just supposed to open your Powershell profile file for editing.

Thanks for explaining. The command didn't work on my machine. I'm happy to know it's the same effect as setting the properties via PowerShell command line, so I won't worry about it at this time.

tresf commented 6 years ago

```
PS C:\Users\Tres> scoop update
Updating Scoop...
fatal: unable to access 'https://github.com/lukesampson/scoop/': error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
Update failed.
```

Apologies... My issue was a botched git-scm after the Windows 10 updates. The fix was to completely purge all git versions and reinstall. Interestingly enough, the default git location changed from C:\Program Files (x86)\ to C:\Program Files\ but my system did not reflect it, so this seems to be unrelated to the original bug report and fixed by repairing git through some manual steps. The symptoms and timing were very close to the original bug report, so I thought they were related, but they appear to be different.

jordanbtucker commented 6 years ago

@masaeedu Is there a work around for this when using the command prompt? Having to use scoop exclusively in PowerShell is inconvenient.

r15ch13 commented 6 years ago

Scoop has the following functions to enable every available protocol when downloading apps: https://github.com/lukesampson/scoop/blob/f8f08db7e53f624b4c81f5d61e8d16c8176a13a7/lib/install.ps1#L117-L133

Currently they are only used in do_dl(), checkver.ps1 and checkurls.ps1 https://github.com/lukesampson/scoop/blob/f8f08db7e53f624b4c81f5d61e8d16c8176a13a7/lib/install.ps1#L135-L149

Adding them to all other commands that require downloading something could fix it. It has to be set manually for the initial scoop installation to work.
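
The approach described in this comment, enabling the newer protocol only around a download and putting the old value back afterwards, can be sketched as follows. This is an added example, not Scoop's code from lib/install.ps1; the helper name `Invoke-WithTls12` is hypothetical.

```powershell
# Added example (not Scoop's own code). Invoke-WithTls12 is a hypothetical helper name.
function Invoke-WithTls12 {
    param(
        [Parameter(Mandatory = $true)]
        [scriptblock]$Action
    )

    # ServicePointManager.SecurityProtocol is process-wide, so remember it.
    $previous = [Net.ServicePointManager]::SecurityProtocol
    try {
        # 0 is SystemDefault on newer .NET Framework versions: the OS already
        # picks the protocol, so leave it alone instead of pinning a list.
        if ([int]$previous -ne 0) {
            # Add TLS 1.2 (3072) to whatever is enabled rather than replacing it.
            [Net.ServicePointManager]::SecurityProtocol = $previous -bor [Net.SecurityProtocolType]::Tls12
        }
        & $Action
    }
    finally {
        # Runs even when the action throws, so other code in the same
        # session keeps the protocol set it started with.
        [Net.ServicePointManager]::SecurityProtocol = $previous
    }
}

# Offline demonstration: report the setting before, during and after the call.
$before = [Net.ServicePointManager]::SecurityProtocol
$during = Invoke-WithTls12 { [Net.ServicePointManager]::SecurityProtocol }
$after  = [Net.ServicePointManager]::SecurityProtocol

"before: $before"
"during: $during"
"after : $after"

# Typical use around a download (needs network access):
#   Invoke-WithTls12 { (New-Object Net.WebClient).DownloadString('https://get.scoop.sh') }
```
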

chawyehsu commented 6 years ago

https://github.com/blog/2507-weak-cryptographic-standards-removed Does the change of GitHub affect this issue?

AFAIK, the scoop installer script is hosted by GitHub.

r15ch13 commented 6 years ago

@h404bi that is the main cause of this issue 😁

https://get.scoop.sh redirects to https://raw.githubusercontent.com/lukesampson/scoop/master/bin/install.ps1

kvnklk commented 6 years ago

Currently using this in a .bat on fresh installed systems:

```bat
@echo off
COLOR 1F

rem Path of the current user's PowerShell profile
set "filePath=%userprofile%\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1"

IF EXIST "%filePath%" (GOTO appendTLS) else (GOTO newTLS)

:appendTLS
rem Profile already exists: append the TLS setting to it
(
echo.
echo [Net.ServicePointManager]::SecurityProtocol = ^"tls12, tls11, tls^"
) >> "%filePath%"
rem Skip the newTLS branch, which would overwrite the profile
GOTO install

:newTLS
rem No profile yet: create the folder and a new profile
mkdir "%userprofile%\Documents\WindowsPowerShell\"
(
echo [Net.ServicePointManager]::SecurityProtocol = ^"tls12, tls11, tls^"
) > "%filePath%"

:install
@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -InputFormat None -ExecutionPolicy RemoteSigned -Command "iex (new-object net.webclient).downloadstring('https://get.scoop.sh')"
```

But obviously need Set-ExecutionPolicy RemoteSigned -s cu

tresf commented 6 years ago

> @tresf notepad $PROFILE doesn't do anything by itself, it's just supposed to open your Powershell profile file for editing.

Turns out this command fails on systems without a ~/PowerShell folder.

I ran into this today with Windows 7 SP1. Here's a little script that should help.

```powershell
mkdir $PROFILE\..
echo '[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"' >> $PROFILE
& $PROFILE
# that's it
```

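
A repeat-safe variant of the profile change discussed in the comments above, as an added example rather than code from the thread: it creates the profile folder if needed, appends the setting only once, and adds TLS 1.2 to the protocols already enabled instead of listing them. The function name `Add-Tls12ToProfile` and the marker comment are assumptions.

```powershell
# Added example (not from the thread). Add-Tls12ToProfile and $marker are hypothetical names.
function Add-Tls12ToProfile {
    param([string]$ProfilePath = $PROFILE)

    $marker  = '# enable TLS 1.2 for .NET web requests'
    $setting = '[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12'

    # "notepad $PROFILE" and ">> $PROFILE" fail when the folder is missing,
    # so create it first.
    $folder = Split-Path -Parent $ProfilePath
    if (-not (Test-Path -LiteralPath $folder)) {
        New-Item -ItemType Directory -Path $folder -Force | Out-Null
    }

    # Do nothing if an earlier run already added the setting.
    if ((Test-Path -LiteralPath $ProfilePath) -and
        (Select-String -LiteralPath $ProfilePath -SimpleMatch -Pattern $marker -Quiet)) {
        return $false
    }

    Add-Content -LiteralPath $ProfilePath -Value @('', $marker, $setting)
    return $true
}

# Offline demonstration against a constructed temporary path, not the real profile.
$demoProfile = Join-Path ([IO.Path]::GetTempPath()) 'tls12-profile-demo\Microsoft.PowerShell_profile.ps1'
"first run changed the file : $(Add-Tls12ToProfile -ProfilePath $demoProfile)"
"second run changed the file: $(Add-Tls12ToProfile -ProfilePath $demoProfile)"
Get-Content -LiteralPath $demoProfile
Remove-Item -LiteralPath (Split-Path -Parent $demoProfile) -Recurse -Force
```
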
sharh commented 6 years ago

Prepare, do this in PowerShell:

set-executionpolicy remotesigned -s currentuser

And enter Y to confirm.


Open https://get.scoop.sh in your browser to download the shellscript, save as install.ps1:

```powershell
#requires -v 3

# remote install:
#   iex (new-object net.webclient).downloadstring('https://get.scoop.sh')
$erroractionpreference = 'stop' # quit if anything goes wrong

if(($PSVersionTable.PSVersion.Major) -lt 3) {
    Write-Output "PowerShell 3 or greater is required to run Scoop."
    Write-Output "Upgrade PowerShell: https://docs.microsoft.com/en-us/powershell/scripting/setup/installing-windows-powershell"
    break
}

# show notification to change execution policy:
if((get-executionpolicy) -gt 'RemoteSigned') {
    Write-Output "PowerShell requires an execution policy of 'RemoteSigned' to run Scoop."
    Write-Output "To make this change please run:"
    Write-Output "'Set-ExecutionPolicy RemoteSigned -scope CurrentUser'"
    break
}

# get core functions
$core_url = 'https://raw.github.com/lukesampson/scoop/master/lib/core.ps1'
Write-Output 'Initializing...'
Invoke-Expression (new-object net.webclient).downloadstring($core_url)

# prep
if(installed 'scoop') {
    write-host "Scoop is already installed. Run 'scoop update' to get the latest version." -f red
    # don't abort if invoked with iex: that would close the PS session
    if($myinvocation.mycommand.commandtype -eq 'Script') { return } else { exit 1 }
}
$dir = ensure (versiondir 'scoop' 'current')

# download scoop zip
$zipurl = 'https://github.com/lukesampson/scoop/archive/master.zip'
$zipfile = "$dir\scoop.zip"
Write-Output 'Downloading...'
dl $zipurl $zipfile

'Extracting...'
unzip $zipfile "$dir\_tmp"
Copy-Item "$dir\_tmp\scoop-master\*" $dir -r -force
Remove-Item "$dir\_tmp" -r -force
Remove-Item $zipfile

Write-Output 'Creating shim...'
shim "$dir\bin\scoop.ps1" $false

ensure_robocopy_in_path
ensure_scoop_in_path
success 'Scoop was installed successfully!'
Write-Output "Type 'scoop help' for instructions."
```

find $zipurl:

$zipurl = 'https://github.com/lukesampson/scoop/archive/master.zip'

Find zipurl: https://github.com/lukesampson/scoop/archive/master.zip, download it, and unzip it in the scoop's dir: %USERPROFILE%\scoop\apps\scoop\current

Or you can change the install.ps1 script, to see where scoop dir is:

```powershell
Write-Output 'Downloading...'
# this will print scoop dir
Write-Output "$dir"
```

Then modify install.ps1; it should look like this:

```powershell
#requires -v 3

# remote install:
#   iex (new-object net.webclient).downloadstring('https://get.scoop.sh')
$erroractionpreference = 'stop' # quit if anything goes wrong

if(($PSVersionTable.PSVersion.Major) -lt 3) {
    Write-Output "PowerShell 3 or greater is required to run Scoop."
    Write-Output "Upgrade PowerShell: https://docs.microsoft.com/en-us/powershell/scripting/setup/installing-windows-powershell"
    break
}

# show notification to change execution policy:
if((get-executionpolicy) -gt 'RemoteSigned') {
    Write-Output "PowerShell requires an execution policy of 'RemoteSigned' to run Scoop."
    Write-Output "To make this change please run:"
    Write-Output "'Set-ExecutionPolicy RemoteSigned -scope CurrentUser'"
    break
}

# get core functions
$core_url = 'https://raw.github.com/lukesampson/scoop/master/lib/core.ps1'
Write-Output 'Initializing...'
Invoke-Expression (new-object net.webclient).downloadstring($core_url)

# prep
$dir = ensure (versiondir 'scoop' 'current')
Write-Output "$dir"
# download scoop zip
# $zipurl = 'https://github.com/lukesampson/scoop/archive/master.zip'
$zipfile = "$dir\scoop.zip"
# Write-Output 'Downloading...'
# comment dl command, download zipfile yourself.
# dl $zipurl $zipfile

'Extracting...'
# notice to comment unzip, otherwise there will be an error of unzip. You should unzip with winrar yourself
# the zip file should unzip in $dir\_tmp yourself
# unzip $zipfile "$dir\_tmp"
Copy-Item "$dir\_tmp\scoop-master\*" $dir -r -force
Remove-Item "$dir\_tmp" -r -force
Remove-Item $zipfile

Write-Output 'Creating shim...'
shim "$dir\bin\scoop.ps1" $false

ensure_robocopy_in_path
ensure_scoop_in_path
success 'Scoop was installed successfully!'
Write-Output "Type 'scoop help' for instructions."
```

Save install.ps1, then drag it into PowerShell and press Enter. After a moment: Scoop was installed successfully!

chawyehsu commented 6 years ago

One line PowerShell command for new installation, if someone is looking for workaround:

```powershell
set-executionpolicy remotesigned -s currentuser; [System.Net.ServicePointManager]::SecurityProtocol = 3072 -bor 768 -bor 192 -bor 48; iwr https://get.scoop.sh -UseBasicParsing | iex
```

danielgary commented 6 years ago

If I had to guess, the scoop.sh website is probably using a certificate from StartSSL. As they are no longer a trusted cert authority, the download is failing. If you browse to https://scoop.sh you'll get a security warning about the certificate. Should be easy to fix with a new certificate using letsencrypt or something similar.

chawyehsu commented 6 years ago

@danielgary nope, scoop.sh didn't have ssl, it's a CNAME of scoop's gh-pages. And https://get.scoop.sh redirects to https://raw.githubusercontent.com/lukesampson/scoop/master/bin/install.ps1

GitHub dropping TLSv1 support causes this issue.

r15ch13 commented 6 years ago

@danielgary ugh, thanks for pointing this out. I contacted @lukesampson about this.

masaeedu commented 6 years ago

@h404bi I don't think the one line solution will work, scoop frequently consults the buckets (which are on github), post-install. This means you need to have the TLS settings in every powershell instance you start; i.e. you need to put it in your profile.

chawyehsu commented 6 years ago

@masaeedu I said that's a workaround for a fresh installation. Though I have tested on a freshly installed Windows 10: fresh install of scoop with that command, then just install git-with-openssh, and everything seems fine, scoop update, scoop search, scoop status...

The Windows 10 ServicePointManager:

```
$ [System.Net.ServicePointManager]::SecurityProtocol
Ssl3, Tls
```

Besides, I found that we could modify the registry for ServicePointManager to permanently force the use of strong cryptography, but that's inconvenient and it needs elevated privileges, which is worse.

tresf commented 6 years ago

> Besides, I found that we could modify the registry for ServicePointManager to permanently force the use of strong cryptography, but that's inconvenient and it needs elevated privileges, which is worse.

Do you mean for all users? For the current user, https://github.com/lukesampson/scoop/issues/2040#issuecomment-368145842, @covertcj's solution works great. I've adapted @r15ch13's proposal to make it permanent for the current user and this technique was tested on Windows 7.

Is the concern that this won't scale for multiple users? I would propose that the scoop library internally nudges this since it makes no sense to attempt to continue functioning otherwise.

Even the set-executionpolicy remotesigned -s currentuser I don't entirely understand: as this is part of the base scoop.sh install, this command should already have been run 100% of the time, so adding it to this thread seems like it will only confuse first-time users.

jordanbtucker commented 6 years ago

@h404bi While I agree that scoop should just work, setting ServicePointManager to only use TLS 1.1 and higher is something you should do anyway since SSLv3 and TLSv1.0 are deprecated due to POODLE. (Although, this could break other .NET applications and libraries.)

Here's how to do that in PowerShell:

```powershell
# set strong cryptography for 32-bit .NET Framework applications on 64-bit Windows (Wow6432Node view; version 4 and above)
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord

# set strong cryptography for the native .NET Framework (64-bit on 64-bit Windows; version 4 and above)
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
```

Plus, this will allow scoop to work in Command Prompt instead of just PowerShell.
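
Before or after changing those values, their current state can be checked without elevation. The following read-only audit is an added example, not part of the original comment; the function name `Get-StrongCryptoState` is hypothetical and the registry paths are the two given above.

```powershell
# Added example (not from the thread): reads the two values, changes nothing.
# Get-StrongCryptoState is a hypothetical helper name.
function Get-StrongCryptoState {
    $views = @(
        @{ View = 'native (64-bit on 64-bit Windows)'
           Path = 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' },
        @{ View = '32-bit on 64-bit Windows'
           Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' }
    )

    foreach ($v in $views) {
        $value = $null
        # The Wow6432Node key does not exist on 32-bit Windows.
        if (Test-Path -LiteralPath $v.Path) {
            $prop = Get-ItemProperty -LiteralPath $v.Path -Name 'SchUseStrongCrypto' -ErrorAction SilentlyContinue
            if ($prop) { $value = $prop.SchUseStrongCrypto }
        }

        New-Object psobject -Property @{
            View               = $v.View
            Path               = $v.Path
            SchUseStrongCrypto = $value          # $null means the value is not set
            Enabled            = ($value -eq 1)
        }
    }
}

Get-StrongCryptoState | Format-Table View, SchUseStrongCrypto, Enabled -AutoSize

# What the current PowerShell session will actually offer in a handshake.
"Current session protocols: $([Net.ServicePointManager]::SecurityProtocol)"
```
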

r15ch13 commented 6 years ago

Was not sure if every site supports TLS 1.2, therefore I created a script to check all the URLs. Every single host supports it, so it's safe to just enable it I guess.

Script:

protocol-test.ps1

```powershell
param(
    [String]$Dir = "$PSScriptRoot\..\bucket",
    [String]$App = '*'
)

. "$PSScriptRoot\..\lib\core.ps1"
. "$PSScriptRoot\..\lib\buckets.ps1"
. "$PSScriptRoot\..\lib\manifest.ps1"
. "$PSScriptRoot\..\lib\json.ps1"

# https://www.sysadmins.lv/blog-en/test-web-server-ssltls-protocol-support-with-powershell.aspx
function Test-ServerSSLSupport($HostName) {
    $Port = 443
    $RetValue = New-Object psobject -Property @{
        Host = $HostName
        Port = $Port
        ssl2 = $false
        ssl3 = $false
        tls = $false
        tls11 = $false
        tls12 = $false
        KeyExhange = $null
        HashAlgorithm = $null
    }
    # attempt one handshake per protocol version and record whether it succeeds
    "ssl2", "ssl3", "tls", "tls11", "tls12" | ForEach-Object {
        $TcpClient = New-Object Net.Sockets.TcpClient
        $TcpClient.Connect($RetValue.Host, $RetValue.Port)
        try {
            $SslStream = New-Object Net.Security.SslStream $TcpClient.GetStream()
        } catch {
            write-host $_.Exception.Message
            return $RetValue
        }
        $SslStream.ReadTimeout = 15000
        $SslStream.WriteTimeout = 15000
        try {
            $SslStream.AuthenticateAsClient($RetValue.Host, $null, $_, $false)
            $RetValue.KeyExhange = $SslStream.KeyExchangeAlgorithm
            $RetValue.HashAlgorithm = $SslStream.HashAlgorithm
            $status = $true
        } catch {
            $status = $false
        }
        $RetValue.$_ = $status
        # dispose objects to prevent memory leaks
        $TcpClient.Dispose()
        $SslStream.Dispose()
    }
    return $RetValue
}

function Test-Url($url) {
    $url = [System.Uri]$url
    if(!$url) {
        return
    }
    # plain-http hosts are listed but not probed
    if($url.Scheme -ne "https") {
        write-host -f DarkYellow "$($url.Host.PadRight(40, " "))" -NoNewline
        write-host " | http"
        return
    }
    $result = Test-ServerSSLSupport $url.Host
    write-host "$($url.Host.PadRight(40, " ")) | " -NoNewline
    if($result.tls) {
        write-host -f DarkGreen "$($result.tls.ToString().PadRight(6, " "))" -NoNewline
    } else {
        write-host -f DarkRed "$($result.tls.ToString().PadRight(6, " "))" -NoNewline
    }
    write-host " | " -NoNewline
    if($result.tls11) {
        write-host -f DarkGreen "$($result.tls11.ToString().PadRight(6, " "))" -NoNewline
    } else {
        write-host -f DarkRed "$($result.tls11.ToString().PadRight(6, " "))" -NoNewline
    }
    write-host " | " -NoNewline
    if($result.tls12) {
        write-host -f DarkGreen "$($result.tls12.ToString().PadRight(6, " "))" -NoNewline
    } else {
        write-host -f DarkRed "$($result.tls12.ToString().PadRight(6, " "))" -NoNewline
    }
    write-host ""
}

function Get-ManifestUrls($file) {
    $urls = @()
    if(!$file) {
        return $urls
    }
    $json = parse_json $file.FullName
    if(!$json) {
        return $urls
    }
    if ($json.url -is [System.Array]) {
        $json.url | ForEach-Object {
            $urls += [System.Uri]$_
        }
    } elseif($json.url) {
        $urls += [System.Uri]$json.url
    } else {
        # no top-level url: fall back to the architecture-specific entries
        $arch_url = (arch_specific 'url' $json '64bit')
        if(!$arch_url) {
            $arch_url = (arch_specific 'url' $json '32bit')
        }
        if($arch_url -is [System.Array]) {
            $arch_url | ForEach-Object {
                $urls += [System.Uri]$_
            }
        } else {
            $urls += [System.Uri]$arch_url
        }
    }
    return $urls
}

# get apps to check
write-host "Host | TLSv10 | TLSv11 | TLSv12"
write-host "-------------------------------------------------------------------"
$urls = @()
Get-ChildItem -Path $Dir "$App.json" | ForEach-Object {
    Get-ManifestUrls($_) | ForEach-Object {
        $urls += $_
    }
}

# test each distinct host once
$urls | Sort-Object -Property @{Expression={$_.Host}} -Unique | ForEach-Object {
    Test-Url $_
}
```

Results:

Version Bucket Hosts

```
Version Bucket Hosts | TLSv10 | TLSv11 | TLSv12
-------------------------------------------------------------------
archive.apache.org | True | True | True
artifacts.elastic.co | False | False | True
beta.rclone.org | False | False | True
bitbucket.org | False | False | True
cocl.us | False | True | True
dev.mysql.com | False | False | True
digi.bib.uni-mannheim.de | True | True | True
dist.nuget.org | True | True | True
dl.bintray.com | False | False | True
download.elastic.co | False | False | True
download.springsource.com | http
downloads.mongodb.org | http
downloads.sourceforge.net | False | True | True
downloads.vivaldi.com | True | True | True
fastdl.mongodb.org | False | True | True
files.emule-project.net | True | True | True
get.enterprisedb.com | False | True | True
github.com | False | False | True
megatools.megous.com | True | True | True
nodejs.org | True | True | True
packages.chocolatey.org | True | True | True
r.windows.random.supplies | http
repo.continuum.io | True | True | True
repo.spring.io | False | False | True
services.gradle.org | True | True | True
slproweb.com | True | True | True
windows.php.net | False | True | True
www.apache.org | False | False | True
www.python.org | False | False | True
www.stunnel.org | True | True | True
www.vordweb.co.uk | http
xdebug.org | False | False | True
```

/Edit: Updated script and results (20190410)

tresf commented 6 years ago

I'm not sure what's more impressive... the speed with which you validated every script mirror supports TLS12, or the neat GitHub hide huge codeblock trick.

r15ch13 commented 6 years ago

An easy fix could be to add this neat little line to core.ps1. Mentioned by @masaeedu in https://github.com/lukesampson/scoop/pull/2065#issuecomment-369669048

```
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
```

Sadly the initial install oneliner has to change.
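
Added example (not part of the comment above or of Scoop's code): the `-bor` line changes a process-wide setting, so this sketch enables TLS 1.2 only around one operation and restores the previous value afterwards. `Invoke-WithTls12` is a hypothetical helper name, and the `Ssl3, Tls` starting value is the one reported earlier in this thread.

```powershell
# Added example. Invoke-WithTls12 is a hypothetical helper, not part of Scoop.
function Invoke-WithTls12 {
    param(
        [Parameter(Mandatory = $true)]
        [scriptblock]$ScriptBlock
    )

    # ServicePointManager.SecurityProtocol is static: it applies to every
    # WebClient/WebRequest call made in the current process.
    $previous = [Net.ServicePointManager]::SecurityProtocol
    try {
        # -bor adds the Tls12 flag and keeps whatever was already enabled.
        [Net.ServicePointManager]::SecurityProtocol = $previous -bor [Net.SecurityProtocolType]::Tls12
        & $ScriptBlock
    }
    finally {
        # Put the original value back even if the script block throws.
        [Net.ServicePointManager]::SecurityProtocol = $previous
    }
}

# Why -bor rather than plain assignment, starting from the value reported in this thread:
$reported = [Net.SecurityProtocolType]'Ssl3, Tls'
$combined = $reported -bor [Net.SecurityProtocolType]::Tls12   # existing flags plus Tls12
$replaced = [Net.SecurityProtocolType]::Tls12                  # existing flags dropped
"additive: $combined"
"replaced: $replaced"

# Constructed usage: inspect the setting before, inside and after the scoped call.
$before = [Net.ServicePointManager]::SecurityProtocol
$inside = Invoke-WithTls12 { [Net.ServicePointManager]::SecurityProtocol }
$after  = [Net.ServicePointManager]::SecurityProtocol

"before: $before"
"inside: $inside (Tls12 enabled: $($inside.HasFlag([Net.SecurityProtocolType]::Tls12)))"
"after:  $after"
```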

jordanbtucker commented 6 years ago

@r15ch13 @lukesampson The install oneliner doesn't need to change unless Amazon CloudFront drops support for TLSv1.0 or GitHub drops support for TLSv1.0 on raw.githubusercontent.com.

get.scoop.sh is served from Amazon CloudFront servers, then redirects to raw.githubusercontent.com. GitHub only dropped support for TLSv1.0 on github.com and api.github.com.

The install oneliner doesn't have trouble downloading the install script, it just has trouble accessing api.github.com during the install.

TLDR; install.ps1 and core.ps1 need to be updated, but the oneliner doesn't need to change... yet.

That being said, the following oneliner is shorter, but suffers from the same problem.

```
iwr https://get.scoop.sh | iex
```

dsbert commented 6 years ago

I didn't see a commit related to this but I am no longer receiving the error after updating scoop.

jordanbtucker commented 6 years ago

@dsbert What happens when you run this:

```
scoop search --no-cache
```

dsbert commented 6 years ago

@jordanbtucker There it is

jordanbtucker commented 6 years ago

This is fixed for me, but I left a comment about it leaving side effects. It's probably not a big deal though.

ghost commented 5 years ago

rtgsd

wbrewer commented 4 years ago

@h404bi While I agree that scoop should just work, setting ServicePointManager to only use TLS 1.1 and higher is something you should do anyway since SSLv3 and TLSv1.0 are deprecated due to POODLE. (Although, this could break other .NET applications and libraries.)

Here's how to do that in PowerShell:

```
# run from an elevated PowerShell session (both keys are under HKLM)

# set strong cryptography for 32-bit .NET Framework apps on 64-bit Windows (Wow6432Node view; version 4 and above)
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord

# set strong cryptography for the native .NET Framework (64-bit on 64-bit Windows; version 4 and above)
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
```

Plus, this will allow scoop to work in Command Prompt instead of just PowerShell.

This finally let me install boxstarter on windows7 via azure-arm/packer.
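
Added example (not part of the comment above): a read-only check of the `SchUseStrongCrypto` value in both registry views named above, next to the protocols the current session offers. `Get-StrongCryptoSetting` is a hypothetical helper name.

```powershell
# Added example. Get-StrongCryptoSetting is a hypothetical helper; it only reads.
function Get-StrongCryptoSetting {
    # Registry paths as given in the comment above.
    $views = [ordered]@{
        'native'      = 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319'
        'Wow6432Node' = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319'
    }

    foreach ($view in $views.Keys) {
        # A missing key (32-bit Windows has no Wow6432Node) or a missing value
        # both come back as $null instead of raising an error.
        $item = Get-ItemProperty -Path $views[$view] -Name 'SchUseStrongCrypto' -ErrorAction SilentlyContinue

        [pscustomobject]@{
            View               = $view
            Path               = $views[$view]
            SchUseStrongCrypto = if ($null -ne $item) { $item.SchUseStrongCrypto } else { 'not set' }
        }
    }
}

# Registry state for both views.
Get-StrongCryptoSetting | Format-Table -AutoSize

# Protocols this PowerShell session will offer for WebClient/WebRequest calls.
$current = [Net.ServicePointManager]::SecurityProtocol
"Session protocols: $current"
"Tls12 enabled:     $($current.HasFlag([Net.SecurityProtocolType]::Tls12))"
```

The registry value is read when a .NET process starts, so compare the session protocols from a new PowerShell window after changing it.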