saltstack / salt

Software to automate the management and configuration of any infrastructure or application at scale. Get access to the Salt software package repository here:
https://repo.saltproject.io/
Apache License 2.0

salt.modules.chocolatey.bootstrap fails because they removed support for old tls versions #56276

Open muddman opened 4 years ago

muddman commented 4 years ago

Description of Issue

The Chocolatey website removed support for TLS 1.0 and TLS 1.1 on 3 February 2020.

As a result salt.modules.chocolatey.bootstrap fails with the following error:

Bootstrapping Chocolatey failed: Exception calling "DownloadString" with "1" argument(s): "The request was aborted: Could not create SSL/TLS secure channel."

Setup

chocolatey.bootstrap:
  module.run:
    - chocolatey.bootstrap:
    - unless: "where.exe chocolatey"

Steps to Reproduce Issue

Apply above state. I had failures with salt 2019.2.3 and python 3.

       ----------
          ID: chocolatey.bootstrap
           Function: module.run
             Result: False
            Comment: An exception occurred in this state: Traceback (most recent call last):
                File "C:\salt\bin\lib\site-packages\salt\state.py", line 1933, in call
                  **cdata['kwargs'])
                File "C:\salt\bin\lib\site-packages\salt\loader.py", line 1951, in wrapper
                  return f(*args, **kwargs)
                File "C:\salt\bin\lib\site-packages\salt\utils\decorators\__init__.py", line 631, in _decorate
                  return self._call_function(kwargs)
                File "C:\salt\bin\lib\site-packages\salt\utils\decorators\__init__.py", line 334, in _call_function
                  raise error
                File "C:\salt\bin\lib\site-packages\salt\utils\decorators\__init__.py", line 321, in _call_function
                  return self._function(*args, **kwargs)
                File "C:\salt\bin\lib\site-packages\salt\states\module.py", line 294, in run
                  func_args=kwargs.get(func))
                File "C:\salt\bin\lib\site-packages\salt\states\module.py", line 358, in _call_function
                  mret = __salt__[name](*arg_type, **func_kw)
                File "C:\salt\bin\lib\site-packages\salt\modules\chocolatey.py", line 231, in bootstrap
                  raise CommandExecutionError(err)
              salt.exceptions.CommandExecutionError: Bootstrapping Chocolatey failed: Exception calling "DownloadString" with "1" argument(s): "The request was aborted: Could not create SSL/TLS secure channel."
              At line:1 char:1
              + iex ((new-object net.webclient).DownloadString('https://chocolatey.or ...
              + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
                  + FullyQualifiedErrorId : WebException
            Started: 07:09:16.366090
           Duration: 20649.333 ms
            Changes:
       ----------

Workaround

The following two registry states resolved the issue for me, and I tested the code using salt 2019.2.3 and python 3 on the following Windows versions:

# 32-bit registry view (WOW6432Node): tell .NET 4.5+ to use the OS default TLS versions
powershell.framework.v4_5.tls1_2.systemdefaulttlsversions_32:
  reg.present:
    - name: HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
    - vname: SystemDefaultTlsVersions
    - vdata: 1
    - vtype: REG_DWORD
    - use_32bit_registry: true
    # only touch the registry when the installed .NET runtime actually knows TLS 1.2
    - onlyif: powershell -command "if ([Enum]::GetNames([Net.SecurityProtocolType]) -contains 'Tls12') {exit 0} else {exit 1}"

# 64-bit registry view: same value for 64-bit .NET processes
powershell.framework.v4_5.tls1_2.systemdefaulttlsversions_64:
  reg.present:
    - name: HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
    - vname: SystemDefaultTlsVersions
    - vdata: 1
    - vtype: REG_DWORD
    - require:
      - powershell.framework.v4_5.tls1_2.systemdefaulttlsversions_32
    - onlyif: powershell -command "if ([Enum]::GetNames([Net.SecurityProtocolType]) -contains 'Tls12') {exit 0} else {exit 1}"

# bootstrap only after both registry views have been updated
chocolatey.bootstrap:
  module.run:
    - chocolatey.bootstrap:
    - unless: "where.exe chocolatey"
    - require:
      - powershell.framework.v4_5.tls1_2.systemdefaulttlsversions_64

Changing the default to TLS 1.2 on your systems may have adverse side effects for other applications, so test fully before implementing this in production.

Possible Fix

I don't have time to put in a pull request right now but I believe the following will resolve the issue.

The code block starts on line 221 of the chocolatey module.

Adding [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; before the Invoke-Expression that downloads the install script in the chocolatey module fixes the issue if TLS 1.2 is available.

Possible PR

    # Run the Chocolatey bootstrap.
    # Force the PowerShell session onto TLS 1.2 before the install script is downloaded.
    cmd = (
        '{0} -NoProfile -ExecutionPolicy unrestricted '
        '-Command "[Net.ServicePointManager]::SecurityProtocol '
        '= [Net.SecurityProtocolType]::Tls12; iex ((new-object net.webclient).'
        'DownloadString(\'https://chocolatey.org/install.ps1\'))" '
        '&& SET PATH=%PATH%;%systemdrive%\\chocolatey\\bin'
        .format(ps_path)
    )
    result = __salt__['cmd.run_all'](cmd, python_shell=True)

I have not tested the above modification with salt, but I'm using the same modification successfully in packer builds.
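The two parts of the report above (the `onlyif` availability check in the workaround states and the proposed TLS 1.2 change to the bootstrap command) can be combined into one small, testable helper. The following is an added example, not code from salt or from the issue author; `parse_protocol_names`, `tls12_available`, `build_bootstrap_cmd` and `cmd_enforces_tls12` are hypothetical names, and the sample PowerShell outputs are constructed to resemble what `[Enum]::GetNames([Net.SecurityProtocolType])` prints on a newer and an older .NET runtime.

```python
"""Added example (not salt's own code): build the Chocolatey bootstrap
command so that the download is forced onto TLS 1.2, but only after
confirming that the host's .NET runtime knows TLS 1.2 at all, which is
the same precondition the workaround's ``onlyif`` checks.
"""

# URL taken from the bootstrap command quoted in the issue.
INSTALL_URL = "https://chocolatey.org/install.ps1"

# Constructed sample outputs of
#   powershell -command "[Enum]::GetNames([Net.SecurityProtocolType])"
# (one enum member name per line). Not captured from a real host.
SAMPLE_ENUM_OUTPUT_NEW = "SystemDefault\nSsl3\nTls\nTls11\nTls12\n"
SAMPLE_ENUM_OUTPUT_OLD = "Ssl3\nTls\n"


class TlsUnavailableError(RuntimeError):
    """Raised when the runtime cannot negotiate TLS 1.2, so forcing it
    would fail just as loudly as the original 'secure channel' error."""


def parse_protocol_names(ps_output):
    """Turn the enum listing into a list of protocol names."""
    return [line.strip() for line in ps_output.splitlines() if line.strip()]


def tls12_available(protocol_names):
    """Mirror of the state's onlyif: is 'Tls12' a known enum member?"""
    return "Tls12" in protocol_names


def build_bootstrap_cmd(ps_path, protocol_names):
    """Build the command proposed in the issue, with the SecurityProtocol
    assignment placed before the download. Refuse to build it when the
    runtime has no TLS 1.2 support, instead of producing a command that
    is guaranteed to fail against chocolatey.org."""
    if not tls12_available(protocol_names):
        raise TlsUnavailableError(
            "TLS 1.2 is not available in this .NET runtime; "
            "update .NET Framework before bootstrapping Chocolatey"
        )
    # Adjacent string literals are concatenated before .format() is
    # applied, so {0} and {1} are substituted across the whole command.
    return (
        '{0} -NoProfile -ExecutionPolicy unrestricted '
        '-Command "[Net.ServicePointManager]::SecurityProtocol '
        '= [Net.SecurityProtocolType]::Tls12; iex ((new-object net.webclient).'
        'DownloadString(\'{1}\'))" '
        '&& SET PATH=%PATH%;%systemdrive%\\chocolatey\\bin'
    ).format(ps_path, INSTALL_URL)


def cmd_enforces_tls12(cmd):
    """Review check for the generated command: the SecurityProtocol
    assignment must occur before DownloadString is called, otherwise the
    first request still goes out with the runtime's old defaults."""
    set_pos = cmd.find(
        "[Net.ServicePointManager]::SecurityProtocol = "
        "[Net.SecurityProtocolType]::Tls12"
    )
    dl_pos = cmd.find("DownloadString(")
    return 0 <= set_pos < dl_pos


if __name__ == "__main__":
    names = parse_protocol_names(SAMPLE_ENUM_OUTPUT_NEW)
    print(build_bootstrap_cmd("powershell.exe", names))
```

Running the module prints the command that would be handed to `cmd.run_all`; the `cmd_enforces_tls12` check is the kind of assertion a unit test for the module change would make, so a later refactor cannot silently move the assignment after the download.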

garethgreenaway commented 4 years ago

@saltstack/team-windows FYI.

rosscdh commented 4 years ago

+1

zoi-aschmid commented 3 years ago

+1 Please fix it asap!!!

emnavarro02 commented 3 years ago

Please fix it

tmthang commented 3 years ago

Please fix it asap.

mayadharch commented 3 years ago

Please fix it asap !

oliver1980 commented 3 years ago

I need this in my life too!

rosscdh commented 2 years ago

still broken in 3004