On CentOS Powershell uses the system libcurl that does not support custom SSL certificate validation #2511

atanasa opened this Issue Oct 20, 2016 · 6 comments


None yet

5 participants

atanasa commented Oct 20, 2016

This is similar to #2211 but for CentOS. This is probably still an issue with dotnet but maybe powershell can patch it in a similar way as the OS X patch. I haven't found a workaround yet.

Steps to reproduce


$handler = new-object "System.Net.Http.HttpClientHandler"
$handler.ServerCertificateCustomValidationCallback = { $true }
$client = new-object "System.Net.Http.HttpClient" -Arg @($handler)

Expected behavior

An error telling you that there is no runtime context on the thread. Which means the execution reached the validation script block.

Actual behavior


Exception calling "GetResult" with "0" argument(s): "The libcurl library in 
use (7.29.0) and its SSL backend ("NSS/3.19.1 Basic ECC") do not support 
custom handling of certificates. A libcurl built with OpenSSL is required."
At line:1 char:1
+ $client.GetStringAsync("https://google.com").GetAwaiter().GetResult()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : PlatformNotSupportedException

Environment data

> $PSVersionTable
Name                           Value                                           
----                           -----                                           
PSVersion                      6.0.0-alpha                                     
PSEdition                      Core                                            
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}                         
GitCommitId                    v6.0.0-alpha.11                                 
WSManStackVersion              3.0                                             
PSRemotingProtocolVersion      2.3                                             

Do you know if CentOS ships--inbox or via yum--a libcurl built with libssl?

atanasa commented Oct 26, 2016 edited

I couldn't find one. One of my users found one here:
but that does not look official.

The workaround is to download the libcurl-openssl package from there, then install it with yum localinstall and run

export LD_LIBRARY_PATH=/opt/shibboleth/lib64/:$LD_LIBRARY_PATH

to redirect powershell to discover the new dynamic library.

atanasa commented Oct 26, 2016

Exporting LD_LIBRARY_PATH might redirect other executables (e.g. python) to use the new dynamic library. That might be breaking some of them. To limit the scope of the export, one option is to create a bash script that would act as a shortcut for launching powershell.
Example shortcut script:

export LD_LIBRARY_PATH=/opt/shibboleth/lib64/:$LD_LIBRARY_PATH

I tried setting the env variable inside powershell instead of bash, but for some reason that didn't affect the dynamic library resolution.


Just for reference, this looks like the upstream CoreFX bug: dotnet/corefx#10146


Hi all,
Patiently waiting for this to get fixed. I'm hoping to run Powershell and PowerCLI on CentOS (without downloading bits from Japan). Thanks for your support!

@jonathanmedd jonathanmedd referenced this issue in jakkulabs/PowervRA Jan 10, 2017

PowervRA Core does not work on CentOS #103


Hi, please provide an update on the issue.
Very much needed and your effort is very much appreciated.
Thank you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment