Support TLS 1.2 - "Could not create SSL/TLS secure channel" #2040
Comments
My colleague has just tried to install Scoop and also got this problem. I installed it last week and it was fine. |
What's the output of |
My colleague's settings were
|
Hello I'm having the same issue |
What's the output of |
|
And if I try to install it again it says:
|
I just ran into this as well on a 'fresh' install of Windows 10 (it was installed from a base image provided by the IT dept, for whatever that's worth). I found that I was able to delete the ~/scoop directory, run the command:
directly in my prompt, and then re-install with the standard method. That being said, it seems I need to re-run that command in each new powershell window, or I see a bunch of SSL/TLS errors any time I use scoop. |
You can put EDIT: Looks like installing .NET 4.6.1 also changes the default TLS scheme to 1.2. |
Just updated Windows 10 today and I'm receiving this. I've tried the above suggestions without much luck, although the symptoms are the same, my error is a bit different.
I've tried setting the registry flag to force WinHttp to a higher TLS version, but it's not working on my machine or perhaps my steps are incorrect. The suggestion to use |
@tresf |
I wasn't able to get either proposal to help...
I also removed
Thanks for explaining. The command didn't work on my machine. I'm happy to know it's the same effect as setting the properties via PowerShell command line, so I won't worry about it at this time. |
Apologies... My issue was a botched |
@masaeedu Is there a work around for this when using the command prompt? Having to use scoop exclusively in PowerShell is inconvenient. |
Scoop has the following functions to enable every available protocol when downloading apps: Currently they are only used in Adding them to all other commands that require downloading something could fix it. |
https://github.com/blog/2507-weak-cryptographic-standards-removed AFAIK, the scoop installer script is hosted by GitHub. |
@h404bi that is the main cause of this issue 😁 https://get.scoop.sh redirects to https://raw.githubusercontent.com/lukesampson/scoop/master/bin/install.ps1 |
Currently using this in a
But obviously need |
Turns out this command fails on systems without a I ran into this today with Windows 7 SP1. Here's a little script that should help.

```powershell
# create the profile directory if it does not exist yet
mkdir $PROFILE\..
# append the protocol setting to the user's profile so every new PowerShell window gets it
echo '[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"' >> $PROFILE
# load the profile into the current session
& $PROFILE
# that's it
```
And input Open

```powershell
#requires -v 3
# remote install:
# iex (new-object net.webclient).downloadstring('https://get.scoop.sh')

$erroractionpreference = 'stop' # quit if anything goes wrong

if(($PSVersionTable.PSVersion.Major) -lt 3) {
    Write-Output "PowerShell 3 or greater is required to run Scoop."
    Write-Output "Upgrade PowerShell: https://docs.microsoft.com/en-us/powershell/scripting/setup/installing-windows-powershell"
    break
}

# show notification to change execution policy:
if((get-executionpolicy) -gt 'RemoteSigned') {
    Write-Output "PowerShell requires an execution policy of 'RemoteSigned' to run Scoop."
    Write-Output "To make this change please run:"
    Write-Output "'Set-ExecutionPolicy RemoteSigned -scope CurrentUser'"
    break
}

# get core functions
$core_url = 'https://raw.github.com/lukesampson/scoop/master/lib/core.ps1'
Write-Output 'Initializing...'
Invoke-Expression (new-object net.webclient).downloadstring($core_url)

# prep
if(installed 'scoop') {
    write-host "Scoop is already installed. Run 'scoop update' to get the latest version." -f red
    # don't abort if invoked with iex - that would close the PS session
    if($myinvocation.mycommand.commandtype -eq 'Script') { return } else { exit 1 }
}
$dir = ensure (versiondir 'scoop' 'current')

# download scoop zip
$zipurl = 'https://github.com/lukesampson/scoop/archive/master.zip'
$zipfile = "$dir\scoop.zip"
Write-Output 'Downloading...'
dl $zipurl $zipfile
'Extracting...'
unzip $zipfile "$dir\_tmp"
Copy-Item "$dir\_tmp\scoop-master\*" $dir -r -force
Remove-Item "$dir\_tmp" -r -force
Remove-Item $zipfile

Write-Output 'Creating shim...'
shim "$dir\bin\scoop.ps1" $false

ensure_robocopy_in_path
ensure_scoop_in_path

success 'Scoop was installed successfully!'
Write-Output "Type 'scoop help' for instructions."
```

find

Find zipurl:

Or you can change the Write-Output 'Downloading...'

```powershell
# this will print scoop dir (double quotes so $dir is expanded)
Write-Output "$dir"
```

Then modify the

```powershell
#requires -v 3
# remote install:
# iex (new-object net.webclient).downloadstring('https://get.scoop.sh')

$erroractionpreference = 'stop' # quit if anything goes wrong

if(($PSVersionTable.PSVersion.Major) -lt 3) {
    Write-Output "PowerShell 3 or greater is required to run Scoop."
    Write-Output "Upgrade PowerShell: https://docs.microsoft.com/en-us/powershell/scripting/setup/installing-windows-powershell"
    break
}

# show notification to change execution policy:
if((get-executionpolicy) -gt 'RemoteSigned') {
    Write-Output "PowerShell requires an execution policy of 'RemoteSigned' to run Scoop."
    Write-Output "To make this change please run:"
    Write-Output "'Set-ExecutionPolicy RemoteSigned -scope CurrentUser'"
    break
}

# get core functions
$core_url = 'https://raw.github.com/lukesampson/scoop/master/lib/core.ps1'
Write-Output 'Initializing...'
Invoke-Expression (new-object net.webclient).downloadstring($core_url)

# prep
$dir = ensure (versiondir 'scoop' 'current')
Write-Output "$dir"

# download scoop zip
# $zipurl = 'https://github.com/lukesampson/scoop/archive/master.zip'
$zipfile = "$dir\scoop.zip"
# Write-Output 'Downloading...'
# comment dl command, download zipfile yourself.
# dl $zipurl $zipfile
'Extracting...'
# notice to comment unzip, otherwise there will be an error of unzip. You should unzip with winrar yourself
# the zip file should unzip in $dir\_tmp yourself
# unzip $zipfile "$dir\_tmp"
Copy-Item "$dir\_tmp\scoop-master\*" $dir -r -force
Remove-Item "$dir\_tmp" -r -force
Remove-Item $zipfile

Write-Output 'Creating shim...'
shim "$dir\bin\scoop.ps1" $false

ensure_robocopy_in_path
ensure_scoop_in_path

success 'Scoop was installed successfully!'
Write-Output "Type 'scoop help' for instructions."
```

save
One line PowerShell command for new installation, if someone is looking for a workaround:

```powershell
set-executionpolicy remotesigned -s currentuser; [System.Net.ServicePointManager]::SecurityProtocol = 3072 -bor 768 -bor 192 -bor 48; iwr https://get.scoop.sh -UseBasicParsing | iex
```
If I had to guess, the scoop.sh website is probably using a certificate from StartSSL. As they are no longer a trusted cert authority, the download is failing. If you browse to https://scoop.sh you'll get a security warning about the certificate. Should be easy to fix with a new certificate using letsencrypt or something similar. |
@danielgary nope, scoop.sh didn't have ssl, it's a CNAME of scoop's gh-pages. And https://get.scoop.sh redirects to https://raw.githubusercontent.com/lukesampson/scoop/master/bin/install.ps1. GitHub dropping TLSv1 support causes this issue. |
@danielgary ugh, thanks for pointing this out. I contacted @lukesampson about this. |
@h404bi I don't think the one line solution will work, |
@masaeedu I said that's a workaround for fresh installation. Though I have tested on a fresh install of Windows 10: fresh install scoop with that command, then just install git-with-openssh, everything seems fine, scoop update, scoop search, scoop status... The Windows 10 ServicePointManager:

```
$ [System.Net.ServicePointManager]::SecurityProtocol
Ssl3, Tls
```

Besides, I searched and found that we could modify the registry of ServicePointManager to permanently force it to use strong cryptography, but that's inconvenient and it needs elevated privileges, which is worse.
Do you mean for all users? For the current user, #2040 (comment), @covertcj's solution works great. I've adapted @r15ch13's proposal to make it permanent for the current user and this technique was tested on Windows 7. Is the concern that this won't scale for multiple users? I would propose that the scoop library internally nudges this since it makes no sense to attempt to continue functioning otherwise. Even the |
@h404bi While I agree that scoop should just work, setting ServicePointManager to only use TLS 1.1 and higher is something you should do anyway since SSLv3 and TLSv1.0 are deprecated due to POODLE. (Although, this could break other .NET applications and libraries.) Here's how to do that in PowerShell:

```powershell
# set strong cryptography on 32 bit .Net Framework (version 4 and above) running on 64 bit Windows
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
# set strong cryptography on 64 bit .Net Framework (version 4 and above)
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
```

Plus, this will allow scoop to work in Command Prompt instead of just PowerShell.
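As an added illustration (not part of the thread or of Scoop's code), the snippet below reports where TLS 1.2 would come from on a given machine, covering the three sources discussed in this thread (the per-session ServicePointManager setting, the SchUseStrongCrypto keys above, and the .NET 4.6.1+ default), and then opts the current session in without re-enabling older protocols. The function names and the .NET Release-number threshold for 4.6.1 are my own assumptions, not from the page.

```powershell
# Added diagnostic, not from the thread or from Scoop. Requires .NET 4.5+ (where the
# Tls12 enum member exists) and Windows PowerShell 3+. Function names are my own.
function Get-DotNetTlsStatus {
    $proto = [Net.ServicePointManager]::SecurityProtocol
    $tls12 = [Net.SecurityProtocolType]::Tls12

    # Machine-wide opt-in from the comment above. On 64-bit Windows the plain key is
    # read by 64-bit .NET processes and the Wow6432Node key by 32-bit ones.
    $keys = 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319'
    $strongCrypto = foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
        [pscustomobject]@{ Key = $k; SchUseStrongCrypto = $v }   # $null means "not set"
    }

    # .NET 4.6.1 and later default to TLS 1.2; assumed threshold: Release 394254 or higher.
    $release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
                -Name Release -ErrorAction SilentlyContinue).Release

    [pscustomobject]@{
        SessionProtocols = $proto
        SessionHasTls12  = (($proto -band $tls12) -eq $tls12)
        DotNetRelease    = $release
        DotNet461OrLater = ($release -ge 394254)
        StrongCryptoKeys = $strongCrypto
    }
}

function Enable-Tls12ForSession {
    # OR the flag in, as suggested later in the thread, instead of assigning a literal.
    # The literal 3072 -bor 768 -bor 192 -bor 48 from the one-liner above also
    # re-enables Ssl3 (48), the very protocol the POODLE remark says should stay off.
    [Net.ServicePointManager]::SecurityProtocol =
        [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
    return [Net.ServicePointManager]::SecurityProtocol   # affects this process only
}

Get-DotNetTlsStatus | Format-List
Enable-Tls12ForSession
```

Run it in the same window that later runs scoop; the registry rows tell you whether the machine-wide change above is needed at all, and the session opt-in never touches other .NET applications.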
Was not sure if every site supports TLS 1.2, therefore I created a script that checks all the URLs.

Script: protocol-test.ps1

```powershell
param(
    [String]$Dir = "$PSScriptRoot\..\bucket",
    [String]$App = '*'
)

. "$PSScriptRoot\..\lib\core.ps1"
. "$PSScriptRoot\..\lib\buckets.ps1"
. "$PSScriptRoot\..\lib\manifest.ps1"
. "$PSScriptRoot\..\lib\json.ps1"

# https://www.sysadmins.lv/blog-en/test-web-server-ssltls-protocol-support-with-powershell.aspx
function Test-ServerSSLSupport($HostName) {
    $Port = 443
    $RetValue = New-Object psobject -Property @{
        Host = $HostName
        Port = $Port
        ssl2 = $false
        ssl3 = $false
        tls = $false
        tls11 = $false
        tls12 = $false
        KeyExchange = $null
        HashAlgorithm = $null
    }
    # "ssl2", "ssl3",
    "tls", "tls11", "tls12" | ForEach-Object {
        $TcpClient = New-Object Net.Sockets.TcpClient
        try {
            $TcpClient.Connect($RetValue.Host, $RetValue.Port)
            $SslStream = New-Object Net.Security.SslStream $TcpClient.GetStream()
        }
        catch {
            write-host $_.Exception.Message
            # skip this protocol; 'return' inside ForEach-Object only ends the current iteration
            $TcpClient.Dispose()
            return
        }
        $SslStream.ReadTimeout = 15000
        $SslStream.WriteTimeout = 15000
        try {
            # a handshake restricted to exactly this protocol succeeds only if the server offers it
            $SslStream.AuthenticateAsClient($RetValue.Host, $null, $_, $false)
            $RetValue.KeyExchange = $SslStream.KeyExchangeAlgorithm
            $RetValue.HashAlgorithm = $SslStream.HashAlgorithm
            $status = $true
        } catch {
            $status = $false
        }
        $RetValue.$_ = $status
        # dispose objects to prevent memory leaks
        $TcpClient.Dispose()
        $SslStream.Dispose()
    }
    return $RetValue
}

function Test-Url($url) {
    $url = [System.Uri]$url
    if(!$url) {
        return
    }
    if($url.Scheme -ne "https") {
        write-host -f DarkYellow "$($url.Host.PadRight(40, " "))" -NoNewline
        write-host " | http"
        return
    }
    $result = Test-ServerSSLSupport $url.Host
    write-host "$($url.Host.PadRight(40, " ")) | " -NoNewline
    if($result.tls) {
        write-host -f DarkGreen "$($result.tls.ToString().PadRight(6, " "))" -NoNewline
    } else {
        write-host -f DarkRed "$($result.tls.ToString().PadRight(6, " "))" -NoNewline
    }
    write-host " | " -NoNewline
    if($result.tls11) {
        write-host -f DarkGreen "$($result.tls11.ToString().PadRight(6, " "))" -NoNewline
    } else {
        write-host -f DarkRed "$($result.tls11.ToString().PadRight(6, " "))" -NoNewline
    }
    write-host " | " -NoNewline
    if($result.tls12) {
        write-host -f DarkGreen "$($result.tls12.ToString().PadRight(6, " "))" -NoNewline
    } else {
        write-host -f DarkRed "$($result.tls12.ToString().PadRight(6, " "))" -NoNewline
    }
    write-host ""
}

function Get-ManifestUrls($file) {
    $urls = @()
    if(!$file) {
        return $urls
    }
    $json = parse_json $file.FullName
    if(!$json) {
        return $urls
    }
    if ($json.url -is [System.Array]) {
        $json.url | ForEach-Object {
            $urls += [System.Uri]$_
        }
    } elseif($json.url) {
        $urls += [System.Uri]$json.url
    } else {
        # no top-level url: fall back to the architecture-specific one
        $arch_url = (arch_specific 'url' $json '64bit')
        if(!$arch_url) {
            $arch_url = (arch_specific 'url' $json '32bit')
        }
        if($arch_url -is [System.Array]) {
            $arch_url | ForEach-Object {
                $urls += [System.Uri]$_
            }
        } else {
            $urls += [System.Uri]$arch_url
        }
    }
    return $urls
}

# get apps to check
write-host "Host                                     | TLSv10 | TLSv11 | TLSv12"
write-host "-------------------------------------------------------------------"
$urls = @()
Get-ChildItem -Path $Dir "$App.json" | ForEach-Object {
    Get-ManifestUrls($_) | ForEach-Object {
        $urls += $_
    }
}
# test each host only once
$urls | Sort-Object -Property @{Expression={$_.Host}} -Unique | ForEach-Object {
    Test-Url $_
}
```

Results:

Main Bucket Hosts

Extras Bucket Hosts

Version Bucket Hosts

/Edit: Updated script and results (20190410)
I'm not sure what's more impressive... the speed with which you validated that every script mirror supports TLS12, or the neat GitHub hide-huge-codeblock trick. |
An easy fix could be to add this neat little line to

```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
```

Sadly the initial install oneliner has to change.
@r15ch13 @lukesampson The install oneliner doesn't need to change unless Amazon CloudFront drops support for TLSv1.0 or GitHub drops support for TLSv1.0 on raw.githubusercontent.com. get.scoop.sh is served from Amazon CloudFront servers, then redirects to raw.githubusercontent.com. GitHub only dropped support for TLSv1.0 on github.com and api.github.com. The install oneliner doesn't have trouble downloading the install script, it just has trouble accessing api.github.com during the install. TLDR; That being said, the following oneliner is shorter, but suffers from the same problem.

```powershell
iwr https://get.scoop.sh | iex
```
I didn't see a commit related to this but I am no longer receiving the error after updating scoop. |
@dsbert What happens when you run this: scoop search --no-cache |
@jordanbtucker There it is |
This is fixed for me, but I left a comment about it leaving side effects. It's probably not a big deal though. |