New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable WebRequestPSCmdlet to not validate HTTPS certificates #2006
Conversation
Added switch parameter IgnoreCertificateCheck to WebRequestPSCmdlet to enable Invoke-WebRequest and Invoke-RestMethod to not validate the HTTPS certificate of the server if required.
Hi @ffeldhaus, I'm your friendly neighborhood Microsoft Pull Request Bot (You can call me MSBOT). Thanks for your contribution! TTYL, MSBOT; |
I would suggest a parameter name of either (gcm -type Cmdlet).ParameterSets.Parameters | Group Name | Sort Name Otherwise, 👍 |
Changed the switch parameter IgnoreCertificateCheck to NoCertificateCheck for WebRequestPSCmdlet to enable Invoke-WebRequest and Invoke-RestMethod.
I would suggest to use -SkipCertificateCheck to be consistent with similar parameters: -SkipCACheck, -SkipCNCheck, and -SkipRevocationCheck. |
+1 to @alexandair. Great PR, @ffeldhaus! |
Changed the switch parameter NoCertificateCheck to SkipCertificateCheck for WebRequestPSCmdlet to enable Invoke-WebRequest and Invoke-RestMethod.
I renamed the parameter to |
Can you add a test to powershell\test\powershell\Modules\Microsoft.PowerShell.Utility\WebCmdlets.Tests.ps1? |
Awesome work @ffeldhaus as for the test would something like the following be sufficient
or
and the equivalent Invoke-RestMethod under the appropriate describe block. |
@JamesWTruher Can you comment on @GavinEke's test recommendation? Is it ok for the tests to depend on an internet resource? |
Any news on this getting accepted? Would fix some issues for us. |
We'd like to see tests added and the CLA signed.
|
@ffeldhaus, Thanks for signing the contribution license agreement so quickly! Actual humans will now validate the agreement and then evaluate the PR. |
Validation of SkipCertificateCheck parameter in Invoke-WebRequest and Invoke-RestMethod. First validating, that exception is thrown for HTTPS URI with expired certificate. Then validating, that no exception is thrown if SkipCertificateCheck parameter is used. HEAD method must be used for Invoke-RestMethod to not return any body. Invoke-RestMethod can't parse the HTML returned when using GET method.
@lzybkr I signed the CLA and added a test. I'm not sure if the tests get executed by running Start-PSPester (or travis or appveyor) as I couldn't find them in the console output. Could you please share more details what is required to implement the parameter for Windows PowerShell? |
By default, Start-PSPester runs tests tagged I can't really provide specific guidance on how you can implement this functionality on Windows PowerShell - but you should read this to get started. @Francisco-Gamino ported these commands to PowerShell Core, so he might be able to help with specifics on Windows PowerShell. |
Are there any chances this will get merged before the next release? What needs to be done to merge this pull request? |
We haven't closed on whether or not it's acceptable to add this parameter to PowerShell Core but not Windows PowerShell. It sounds like people want this capability in Windows PowerShell as well, so we'd prefer that, but if not, you'll need to add I was also hoping to see some discussion around matching the options of |
I would appreciate it, if this would also be included in Windows PowerShell. Especially for connecting to new REST endpoints it's often necessary to skip the certificate checks. I have several Cmdlets which are able to upload a new certificate via REST, but first I need to be able to accept the self-signed certificate. In my opinion it would be better to first include the In the end the most important point is, that it's currently not possible to ignore certificates in PowerShell Core as the workaround available in Windows PowerShell (via |
For what it's worth, I would vote against implementing this pull request. It's too simplistic --and dangerous-- to just have a switch that completely disables validation checking. The vast majority of the time, the right thing to do is to just disable checking the CA chain (because it's just a self-signed cert), and not disable validation completely. The rest of the time, the right thing to do is to white-list the specific certificate and url combination. Additionally, this not only disables the check on the initial request, it also automatically disables checking on any additional requests (i.e. if you're redirected, or download additional resources), so if you're hitting an internal website that uses a self-signed cert but then downloads additional content from CDNs with valid certs, you're needlessly disabling that validation, etc... Additionally, you really should solve it the same way on all the web cmdlets, including Export-ODataEndpoint, etc. I wrote a wrapper for these things a couple of years ago. It's a little complicated. In fact, it probably goes a little too far in the other direction (too many knobs). But there has to be a better solution than all or nothing. |
I partly disagree with #2006 (comment) from @Jaykul. The functionality of |
I don't think this is a good argument when balancing against security I vote for Joel's points about use the most-right solution. I believe most If we were designing a feature for a layperson, we'd call it On Fri, Sep 30, 2016, 3:13 AM Florian Feldhaus notifications@github.com
|
We decided to take this change as is without requiring the corresponding changes to Windows PowerShell. |
Any reason why this is merged but not available yet? I really hate having to break into CYGWIN from POWERSHELL to do things... |
@bgoldman69 this has been available for sometime in our alpha releases |
Has this been pulled from beta releases then? I'm using the latest beta (7) and there is no SkipCertificateCheck for Invoke-RestMethod in that version... |
It's working for me with PowerShell Beta 7 on Mac OS X Florians-MBP:~ ffeldhaus$ powershell
PowerShell v6.0.0-beta.7
Copyright (C) Microsoft Corporation. All rights reserved.
PS /Users/ffeldhaus/development> Invoke-RestMethod -SkipCertificateCheck -Uri https://expired.badssl.com/ |
Works for me using Beta 7 on Windows 10 (1703) |
I stand corrected. It's just missing from the get-help output and thus I assumed it wasn't there. |
@sbourdeaud You can see latest docs in https://github.com/PowerShell/PowerShell-Docs repo. Feel free open Issue there if the parameter isn't documented. |
Done |
Added switch parameter SkipCertificateCheck to WebRequestPSCmdlet to enable Invoke-WebRequest and Invoke-RestMethod to not validate the HTTPS certificate of the server if required.
Implemented as discussed in issue #1945