Tags: powershell, ssl, windows-server-2012-r2

Using powershell to connect to HTTPS sites


I have been provided a new Server 2012 box to setup.

I'm trying to use powershell to install chocolatey

```powershell
iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
```

and getting the error

```
Exception calling "DownloadString" with "1" argument(s): "The underlying connection was closed: An unexpected error occurred on a receive."
At line:1 char:1
+ iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/in ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException
```

I can visit that URL in the browser.

At first I thought this was something to do with Chocolatey but then I realised that

```powershell
(New-Object System.Net.WebClient).DownloadString('http://google.com')
```

can download the html content

but

```powershell
(New-Object System.Net.WebClient).DownloadString('https://google.com')
```

fails with the same error

The underlying connection was closed: An unexpected error occurred on a receive.

The box:

  • is Windows Server 2012 build 9600
  • doesn't use a proxy
  • has the firewall turned off

I feel sure I'm doing something silly but can't see what...

--- Update ---

Based on this answer

I followed these steps:

1. In Control Panel, click Administrative Tools, and then double-click Local Security Policy.

2. In Local Security Settings, expand Local Policies, and then click Security Options.

3. Under Policy in the right pane, double-click "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing", and then click Enabled.

4. Ran gpupdate /force

After that the chocolatey install script can be downloaded but then fails with:

```
STDOUT: FIPS Mode detected - run 'choco feature enable -n useFipsCompliantChecksums' to use Chocolatey.
When FIPS Mode is enabled, Chocolatey requires useFipsCompliantChecksums feature also be enabled.
STDERR:
---- End output of C:\ProgramData\chocolatey/bin/choco.exe list -l -r ----
Ran C:\ProgramData\chocolatey/bin/choco.exe list -l -r returned 1
```

Still feels like the GPO change shouldn't be necessary


Solution

It turns out this was as a result of TLS 1.0 being disabled in our server images in order to comply with PCI DSS 3.1.

Rolling back that change to the image resolved the PowerShell issue.

In the short term we can run

```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
```

before using System.Net.WebClient, but I'd like to find a way to enforce that at a machine level too...

I logged this with Chocolatey and they resolved the issue \o/
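An added example (not from the question or the answer above) that puts the per-session fix next to the machine-level enforcement the answer asks for. It assumes .NET Framework 4.5 or later on the box (Server 2012 R2 ships 4.5.1); the `SchUseStrongCrypto` registry value it writes is Microsoft's documented switch for .NET 4.x, not something taken from this page.

```powershell
# Added example: diagnose the WebClient TLS failure, fix it for this process,
# then make every .NET 4.x process on the machine default to TLS 1.1/1.2.
# Assumes .NET Framework 4.5+; run step 3 from an elevated prompt.

function Test-HttpsDownload {
    param([string]$Url = 'https://chocolatey.org/install.ps1')
    try {
        $null = (New-Object System.Net.WebClient).DownloadString($Url)
        return $true
    } catch [System.Net.WebException] {
        Write-Warning "HTTPS fetch failed: $($_.Exception.Message)"
        return $false
    }
}

# 1. Show what .NET will offer. On .NET 4.5 the default is 'Ssl3, Tls', i.e.
#    no TLS 1.1/1.2, so an image with TLS 1.0 disabled (the PCI DSS change in
#    the answer) has nothing left to negotiate and the connection is closed.
"Current SecurityProtocol: $([Net.ServicePointManager]::SecurityProtocol)"
"Before enabling TLS 1.2: $(Test-HttpsDownload)"

# 2. Per-process fix: add TLS 1.1 and 1.2 to whatever is already enabled.
[Net.ServicePointManager]::SecurityProtocol = `
    [Net.ServicePointManager]::SecurityProtocol -bor `
    [Net.SecurityProtocolType]::Tls11 -bor `
    [Net.SecurityProtocolType]::Tls12
"After enabling TLS 1.2: $(Test-HttpsDownload)"

# 3. Machine-level fix: SchUseStrongCrypto=1 makes .NET 4.x default to
#    TLS 1.1/1.2 without code changes. Both the 64-bit hive and the 32-bit
#    (Wow6432Node) hive must be set or 32-bit processes keep the old default.
function Enable-StrongCryptoMachineWide {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        Set-ItemProperty -Path $p -Name 'SchUseStrongCrypto' -Value 1 -Type DWord
    }
    # Newly started processes pick this up; ones already running do not.
}
```

Setting the registry value keeps the PCI DSS hardening in place, which is preferable to rolling TLS 1.0 back into the image.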