Enable TLS 1.2 in core.ps1 #2074
Deal with https://github.com/blog/2507-weak-cryptographic-standards-removed by enabling TLS 1.2 in addition to existing encryption schemes.
This fix should be used in
@jordanbtucker Are you referring to
@masaeedu Oh, I see. One of the scripts refers to installing scoop, and the other refers to installing apps with scoop. Thanks.
Of course, that only works so long as the problem is limited to api.github.com and not raw.github.com (from which we're downloading core.ps1 in the first place), as you mentioned in your comment. Perhaps I should copy paste this into install.ps1 anyway, just to be safe.
I just noticed that this has the side effect of changing ServicePointManager.SecurityProtocol until you close your PowerShell session.
@jordanbtucker If it's working correctly, it should only be adding TLS 1.2 and leaving your existing protocols intact. Please let me know if it's not doing that.
Good point. It would be less intrusive to cache it, set it, use it, reset it.
@masaeedu Yes, that is what it is doing. The default protocols are

```
PS > [Net.ServicePointManager]::SecurityProtocol
Ssl3, Tls
PS > scoop update
Updating Scoop...
Scoop was updated successfully!
PS > [Net.ServicePointManager]::SecurityProtocol
Ssl3, Tls, Tls12
```

It's probably not that big of a deal, but I just wanted to document that it has side effects.
@tresf If we unset it, we need to figure out all the locations in the code where we access the relevant URLs and wrap them individually, which is error-prone. The approach here is how the problem was solved in the PowerShell codebase.
@masaeedu yeah, I agree. 99.9% of the time, it's better to simply have it residual, that way the environment is consistent. Although to that point, one may prefer to simply go big or go home. The reason being that sporadically altering user space causes intermittent side effects, versus predictable side effects. Anyway, this is nice, in no way am I trying to be overly critical. The fix is paramount regardless.
Deal with https://github.com/blog/2507-weak-cryptographic-standards-removed by enabling TLS 1.2 in addition to existing encryption schemes.
Fixes #2040
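
The two approaches weighed in the thread, side by side, as an added example (not the PR's or Scoop's own code; the function names `Enable-Tls12` and `Invoke-WithTls12` are hypothetical). It also handles one case the thread does not cover: on newer .NET runtimes the setting can be `SystemDefault` (numeric value 0), where OR-ing in `Tls12` would pin the session to TLS 1.2 only, so that value is left alone.

```powershell
# Added example; function names are hypothetical, not Scoop's.

# Session-wide, additive: OR Tls12 into whatever is already enabled.
# The change stays in effect until the PowerShell session is closed.
function Enable-Tls12 {
    $current = [Net.ServicePointManager]::SecurityProtocol
    # 0 means SystemDefault (the OS picks the protocols); leave it untouched.
    if ([int]$current -eq 0) { return }
    if (([int]$current -band [int][Net.SecurityProtocolType]::Tls12) -eq 0) {
        [Net.ServicePointManager]::SecurityProtocol =
            $current -bor [Net.SecurityProtocolType]::Tls12
    }
}

# Scoped: cache it, set it, use it, reset it.
function Invoke-WithTls12 {
    param([Parameter(Mandatory)][scriptblock]$Action)
    $saved = [Net.ServicePointManager]::SecurityProtocol
    try {
        if ([int]$saved -ne 0) {
            [Net.ServicePointManager]::SecurityProtocol =
                $saved -bor [Net.SecurityProtocolType]::Tls12
        }
        & $Action
    }
    finally {
        # Restore the caller's setting even if the action throws.
        [Net.ServicePointManager]::SecurityProtocol = $saved
    }
}

# Show the difference in side effects.
"before: $([Net.ServicePointManager]::SecurityProtocol)"
Invoke-WithTls12 { "inside: $([Net.ServicePointManager]::SecurityProtocol)" }
"after scoped call: $([Net.ServicePointManager]::SecurityProtocol)"
Enable-Tls12
"after Enable-Tls12: $([Net.ServicePointManager]::SecurityProtocol)"
```

With the scoped form, every code path that makes a request has to go through the wrapper, which is the maintenance cost raised in the discussion.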