On CentOS Powershell uses the system libcurl that does not support custom SSL certificate validation #2511

atanasa opened this Issue Oct 20, 2016 · 6 comments


@atanasa
atanasa commented Oct 20, 2016

This is similar to #2211 but for CentOS. This is probably still an issue with dotnet, but maybe PowerShell can patch it in a similar way to the OS X patch. I haven't found a workaround yet.

Steps to reproduce

Run:

$handler = new-object "System.Net.Http.HttpClientHandler"
$handler.ServerCertificateCustomValidationCallback = { $true }
$client = new-object "System.Net.Http.HttpClient" -Arg @($handler)
$client.GetStringAsync("https://google.com").GetAwaiter().GetResult()

Expected behavior

An error telling you that there is no runtime context on the thread, which means the execution reached the validation script block.

Actual behavior

Error:

Exception calling "GetResult" with "0" argument(s): "The libcurl library in 
use (7.29.0) and its SSL backend ("NSS/3.19.1 Basic ECC") do not support 
custom handling of certificates. A libcurl built with OpenSSL is required."
At line:1 char:1
+ $client.GetStringAsync("https://google.com").GetAwaiter().GetResult()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : PlatformNotSupportedException

Environment data

> $PSVersionTable
Name                           Value                                           
----                           -----                                           
PSVersion                      6.0.0-alpha                                     
PSEdition                      Core                                            
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}                         
BuildVersion                   3.0.0.0                                         
GitCommitId                    v6.0.0-alpha.11                                 
CLRVersion                                                                     
WSManStackVersion              3.0                                             
PSRemotingProtocolVersion      2.3                                             
SerializationVersion           1.1.0.1

@joeyaiello
Member

Do you know if CentOS ships--inbox or via yum--a libcurl built with libssl?

@atanasa
atanasa commented Oct 26, 2016 edited

I couldn't find one. One of my users found one here:
http://ftp.riken.jp/Linux/cern/centos/7/cern/x86_64/repoview/letter_l.group.html
but that does not look official.

The workaround is to download the libcurl-openssl package from there, then install it with yum localinstall and run

export LD_LIBRARY_PATH=/opt/shibboleth/lib64/:$LD_LIBRARY_PATH

to redirect powershell to discover the new dynamic library.

@atanasa
atanasa commented Oct 26, 2016

Exporting LD_LIBRARY_PATH might redirect other executables (e.g. python) to use the new dynamic library. That might break some of them. To limit the scope of the export, one option is to create a bash script that would act as a shortcut for launching powershell.
Example shortcut script:

#!/bin/bash
export LD_LIBRARY_PATH=/opt/shibboleth/lib64/:$LD_LIBRARY_PATH
powershell

I tried setting the env variable inside powershell instead of bash, but for some reason that didn't affect the dynamic library resolution.
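
A scoped variant of the launcher workaround above, as an added example that is not part of the original thread: it sets LD_LIBRARY_PATH for the powershell process only, avoids the empty path element that `dir:$LD_LIBRARY_PATH` leaves when the variable is unset (the dynamic loader reads an empty element as the current directory), and checks that the alternate libcurl reports OpenSSL before launching. The `--launch` flag, the function names and the sample version lines are constructed for illustration, and it assumes the `curl` binary resolves the same libcurl soname as powershell.

```shell
#!/bin/bash
# Added example (not from the thread): launch powershell with the alternate
# libcurl visible to that one process only.
CURL_LIB_DIR=/opt/shibboleth/lib64   # directory used in the thread's workaround

# Constructed sample first lines of `curl --version`, for checking the parser.
SAMPLE_NSS='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.19.1 Basic ECC zlib/1.2.7'
SAMPLE_OPENSSL='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 OpenSSL/1.0.1e zlib/1.2.7'

# Prepend a directory without adding an empty element. "$dir:$LD_LIBRARY_PATH"
# ends in ":" when the variable is unset, and ld.so treats an empty element
# as the current working directory.
lib_path() {  # lib_path <dir> <existing path, may be empty>
    printf '%s%s\n' "$1" "${2:+:$2}"
}

# Print the token that follows "libcurl/x.y.z" on the first line of
# `curl --version` output read from stdin, e.g. "NSS" or "OpenSSL".
ssl_backend() {
    sed -n '1s|.* libcurl/[^ ]* \([A-Za-z]*\)/.*|\1|p'
}

launch() {
    path=$(lib_path "$CURL_LIB_DIR" "${LD_LIBRARY_PATH:-}")
    # Assumption: the curl binary loads the same libcurl soname as powershell,
    # so its version line shows which library the override path selects.
    backend=$(LD_LIBRARY_PATH=$path curl --version | ssl_backend)
    if [ "$backend" != "OpenSSL" ]; then
        echo "libcurl under $CURL_LIB_DIR reports '$backend', not OpenSSL" >&2
        return 1
    fi
    # env sets the variable for powershell only; nothing is exported into
    # the calling shell, so other programs keep the system libcurl.
    exec env LD_LIBRARY_PATH="$path" powershell "$@"
}

# Launch only when asked, so the functions above can be sourced and checked.
if [ "${1:-}" = "--launch" ]; then
    shift
    launch "$@"
fi
```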

@joeyaiello
Member

Just for reference, this looks like the upstream CoreFX bug: dotnet/corefx#10146

@vmkdaily

Hi all,
Patiently waiting for this to get fixed. I'm hoping to run Powershell and PowerCLI on CentOS (without downloading bits from Japan). Thanks for your support!

@jonathanmedd jonathanmedd referenced this issue in jakkulabs/PowervRA Jan 10, 2017
Open

PowervRA Core does not work on CentOS #103

@ryangurazov

Hi, please provide an update on the issue.
Very much needed and your effort is very much appreciated.
Thank you.
