
I'm trying to upload a file to an https endpoint but I keep running into:

Could not create SSL/TLS secure channel.

Searching around, the endpoint does use TLS 1.2 but setting it in the script doesn't seem to have any effect at all. Any suggestions? Full script is:

```powershell
#[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor "Tls12"
# Force TLS 1.2 for connections made through ServicePointManager
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Left disabled: this callback would accept any server certificate
#[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
$uri = New-Object "System.Uri" "https://.../docs"
$request = [System.Net.HttpWebRequest]::Create($uri)
$request.Accept = "text/plain"
$request.UserAgent = "foo/2.3.0.0 (windows; x86_64)"
$request.ContentType = "application/x-tar"
$request.Headers.Add("Content-Encoding","gzip")
$request.Credentials = New-Object System.Net.NetworkCredential("username","password","")

Try {
  $request.Method = "PUT"
  $requestStream = $request.GetRequestStream()
  $fileStream = [System.IO.File]::OpenRead("R:\\...-docs.tar.gz")
  $bufSize = 10000
  $chunk = New-Object byte[] $bufSize
  # Stream the archive to the server in fixed-size chunks
  while ( $bytesRead = $fileStream.Read($chunk, 0, $bufSize) )
  {
    $requestStream.Write($chunk, 0, $bytesRead)
    $requestStream.Flush()
  }
  # Finish the request body before asking for the response
  $requestStream.Close()

  $response = $request.GetResponse()
  $responseStream = $response.GetResponseStream()
  # Read the response body as UTF-8 text
  $reader = New-Object System.IO.StreamReader($responseStream, [System.Text.Encoding]::UTF8)
  Write-Host "200"
  Write-Host $reader.ReadToEnd()

} Catch [System.Net.WebException] {
  $exception = $_.Exception
  If ($exception.Status -eq [System.Net.WebExceptionStatus]::ProtocolError) {
    # The server answered with an HTTP error: print its status code and body
    $response = $exception.Response -as [System.Net.HttpWebResponse]
    $reader = New-Object System.IO.StreamReader($response.GetResponseStream())
    Write-Host ($response.StatusCode -as [int])
    Write-Host $reader.ReadToEnd()
  } Else {
    Write-Host $exception
  }
} Catch {
  Write-Host $_.Exception
} Finally {
  # Close only the streams that were actually opened
  if ($fileStream) { $fileStream.Close() }
  if ($requestStream) { $requestStream.Close() }
  if ($responseStream) { $responseStream.Close() }
}
```

Phyx
  • Can you get anything else out of the exception? Are you sure the endpoint uses TLS 1.2 and not 1.1? – briantist Mar 09 '18 at 21:21
  • @briantist no, the exception is rather generic, according to https://www.ssllabs.com/ssltest it's TLS 1.2 yeah. – Phyx Mar 09 '18 at 21:29
  • Could you check `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client` and see if TLS 1.2 is disabled for some reason? Also which OS? Which version of PowerShell? – briantist Mar 09 '18 at 21:34
  • Hmm, I only have an entry for "SSL 2.0" under Protocols. This is a Windows 10 build 10.0.16299.248 and PowerShell 5.1.16299.248 – Phyx Mar 09 '18 at 21:42
  • My apologies, I misunderstood your intent... – Thom Schumacher Mar 09 '18 at 21:45
  • Hm, as far as I can tell your code should be working @Phyx. Anything in the Application event log? Does the URL you're hitting work in a browser? Is there a redirect before the final page (maybe SSL labs missed that)? – briantist Mar 09 '18 at 21:47
  • No, there's nothing in the event log, and the URL works in a browser. There's no redirect, but there is a CDN; using the server directly also doesn't work. Weirdly, in Wireshark I don't see the TLS handshake failing... – Phyx Mar 09 '18 at 21:52

1 Answer


Turns out you get a `Could not create SSL/TLS secure channel.` error if your credentials are incorrect, instead of a 401 Unauthorized response :(

Phyx
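
A way to test the two layers from this thread separately, as an added example that is not part of the original question or answer: it reads the SCHANNEL key mentioned in the comments and performs a bare TLS 1.2 handshake with no HTTP request and no credentials. The function names and the host name are placeholders chosen here, since the post elides the real endpoint.

```powershell
# Added diagnostic example; not code from the question or the answer.
# Function names are chosen here; the host name below is a placeholder.

# Reads the SCHANNEL client key for TLS 1.2 that the comments ask about.
function Get-SchannelTls12ClientState {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    if (-not (Test-Path $key)) { return 'Key absent: OS defaults apply' }
    $p = Get-ItemProperty -Path $key
    "Enabled=$($p.Enabled) DisabledByDefault=$($p.DisabledByDefault)"
}

# Performs only the TLS 1.2 handshake: no HTTP request, no credentials.
function Test-Tls12Handshake {
    param(
        [Parameter(Mandatory = $true)][string]$TargetHost,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($TargetHost, $Port)
        # No validation callback is passed, so normal certificate checks apply.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $tls12 = [System.Security.Authentication.SslProtocols]::Tls12
        # Last argument: revocation checking off, the ServicePointManager default.
        $ssl.AuthenticateAsClient($TargetHost, $null, $tls12, $false)
        [pscustomobject]@{
            Handshake = 'OK'
            Protocol  = $ssl.SslProtocol
            Subject   = $ssl.RemoteCertificate.Subject
            Detail    = $null
        }
    } catch {
        # Collect the whole inner-exception chain; the outer message is generic.
        $chain = @()
        for ($e = $_.Exception; $e; $e = $e.InnerException) {
            $chain += "$($e.GetType().Name): $($e.Message)"
        }
        [pscustomobject]@{
            Handshake = 'FAILED'; Protocol = $null; Subject = $null
            Detail    = $chain -join ' <- '
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

# Get-SchannelTls12ClientState
# Test-Tls12Handshake -TargetHost 'upload.example.test'
```

If the handshake reports `OK`, the machine's TLS 1.2 configuration is not what is failing, which leaves request-level causes such as the credentials named in the answer.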