diff --git a/bin/checkurls.ps1 b/bin/checkurls.ps1
index cb0ef7d4ba..883a4f55ad 100644
--- a/bin/checkurls.ps1
+++ b/bin/checkurls.ps1
@@ -38,8 +38,6 @@ Get-ChildItem $Dir "$App.json" | ForEach-Object {
     $Queue += , @($_.Name, $manifest)
 }
-$original = use_any_https_protocol
-
 Write-Host '[' -NoNewLine
 Write-Host 'U' -NoNewLine -ForegroundColor Cyan
 Write-Host ']RLs'
@@ -130,5 +128,3 @@ foreach ($man in $Queue) {
         Write-Host " > $_" -ForegroundColor DarkRed
     }
 }
-
-set_https_protocols $original
diff --git a/bin/checkver.ps1 b/bin/checkver.ps1
index 014754eb80..500668e79a 100644
--- a/bin/checkver.ps1
+++ b/bin/checkver.ps1
@@ -89,8 +89,6 @@ Get-Event | ForEach-Object {
     Remove-Event $_.SourceIdentifier
 }
-$original = use_any_https_protocol
-
 # start all downloads
 $Queue | ForEach-Object {
     $name, $json = $_
@@ -287,5 +285,3 @@ while ($in_progress -gt 0) {
         }
     }
 }
-
-set_https_protocols $original
diff --git a/lib/core.ps1 b/lib/core.ps1
index 1ae7e119e7..beb3c08b1d 100644
--- a/lib/core.ps1
+++ b/lib/core.ps1
@@ -20,12 +20,23 @@ $cachedir = $env:SCOOP_CACHE, "$scoopdir\cache" | Select-Object -first 1
 # Note: Github disabled TLS 1.0 support on 2018-02-23. Need to enable TLS 1.2
 # for all communication with api.github.com
-function enable-encryptionscheme([Net.SecurityProtocolType]$scheme) {
-    # Net.SecurityProtocolType is a [Flags] enum, binary-OR sets
-    # the specified scheme in addition to whatever scheme is already active
-    [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor $scheme
-}
-enable-encryptionscheme "Tls12"
+function Optimize-SecurityProtocol {
+    # .NET Framework 4.7+ has a default security protocol called 'SystemDefault',
+    # which allows the operating system to choose the best protocol to use.
+    # If SecurityProtocolType contains 'SystemDefault' (means .NET4.7+ detected)
+    # and the value of SecurityProtocol is 'SystemDefault', just do nothing on SecurityProtocol,
+    # 'SystemDefault' will use TLS 1.2 if the webrequest requires.
+    $isNewerNetFramework = ([System.Enum]::GetNames([System.Net.SecurityProtocolType]) -contains 'SystemDefault')
+    $isSystemDefault = ([System.Net.ServicePointManager]::SecurityProtocol.Equals([System.Net.SecurityProtocolType]::SystemDefault))
+
+    # If not, change it to support TLS 1.2
+    if (!($isNewerNetFramework -and $isSystemDefault)) {
+        # Set to TLS 1.2 (3072), then TLS 1.1 (768), and TLS 1.0 (192). Ssl3 has been superseded,
+        # https://docs.microsoft.com/en-us/dotnet/api/system.net.securityprotocoltype?view=netframework-4.5
+        [System.Net.ServicePointManager]::SecurityProtocol = 3072 -bor 768 -bor 192
+    }
+}
+Optimize-SecurityProtocol
 function Get-UserAgent() {
     return "Scoop/1.0 (+http://scoop.sh/) PowerShell/$($PSVersionTable.PSVersion.Major).$($PSVersionTable.PSVersion.Minor) (Windows NT $([System.Environment]::OSVersion.Version.Major).$([System.Environment]::OSVersion.Version.Minor); $(if($env:PROCESSOR_ARCHITECTURE -eq 'AMD64'){'Win64; x64; '})$(if($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64'){'WOW64; '})$PSEdition)"
diff --git a/lib/install.ps1 b/lib/install.ps1
index 3c3ea574a6..1d8a9e8205 100644
--- a/lib/install.ps1
+++ b/lib/install.ps1
@@ -113,26 +113,7 @@ function dl_with_cache($app, $version, $url, $to, $cookies = $null, $use_cache =
     }
 }
-function use_any_https_protocol() {
-    $original = "$([System.Net.ServicePointManager]::SecurityProtocol)"
-    $available = [string]::join(', ', [Enum]::GetNames([System.Net.SecurityProtocolType]))
-
-    # use whatever protocols are available that the server supports
-    set_https_protocols $available
-
-    return $original
-}
-
-function set_https_protocols($protocols) {
-    try {
-        [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType] $protocols
-    } catch {
-        [System.Net.ServicePointManager]::SecurityProtocol = "Tls,Tls11,Tls12"
-    }
-}
-
 function do_dl($url, $to, $cookies) {
-    $original_protocols = use_any_https_protocol
     $progress = [console]::isoutputredirected -eq $false -and $host.name -ne 'Windows PowerShell ISE Host'
@@ -143,8 +124,6 @@ function do_dl($url, $to, $cookies) {
         $e = $_.exception
         if($e.innerexception) { $e = $e.innerexception }
         throw $e
-    } finally {
-        set_https_protocols $original_protocols
     }
 }
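Review bot: The new assignment `[System.Net.ServicePointManager]::SecurityProtocol = 3072 -bor 768 -bor 192` in Optimize-SecurityProtocol replaces the process-wide value rather than extending it, so a host that had already pinned the setting to `Tls12` (or anything stricter) is widened to also offer TLS 1.1 and TLS 1.0 — the removed `enable-encryptionscheme` only OR'd `Tls12` into whatever was already active. Given the stated goal is TLS 1.2 for api.github.com and both older versions are deprecated, I'd keep the existing flags and only clear Ssl3 (48) and add Tls12, e.g. `[System.Net.ServicePointManager]::SecurityProtocol = ([System.Net.ServicePointManager]::SecurityProtocol -bor 3072) -band -bnot 48`, or at minimum drop `768 -bor 192` so Scoop itself enables nothing below TLS 1.2. The comment `'SystemDefault' will use TLS 1.2 if the webrequest requires` also promises more than the code can guarantee: as far as I know SystemDefault defers to the OS SCHANNEL configuration, which on older Windows releases may not have TLS 1.2 enabled, so I'd reword it to `# 'SystemDefault' defers to the OS (SCHANNEL) protocol configuration; TLS 1.2 is offered only if the OS has it enabled`. Finally, `$isSystemDefault` dereferences `[System.Net.SecurityProtocolType]::SystemDefault` unconditionally; on a pre-4.7 framework that member does not exist, and if any caller runs under `Set-StrictMode` the lookup would presumably error instead of yielding `$null`, so evaluating it only when `$isNewerNetFramework` is true would be safer.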