Bootstrap: Force Windows PowerShell to use TLS 1.2 #8486

Open

stuartpreston opened this issue May 7, 2019 · 0 comments
Description

In the existing implementation of bootstrap on Windows, Windows PowerShell is used to launch a .NET WebClient object that downloads the Chef Infra Client MSI via our CDN. Depending on the OS configuration (specifically if .NET 4.7 is not installed), TLS 1.2 may not be the default protocol attempted by the WebClient and this may cause downloads to fail depending on the environment.

Specifically, Windows PowerShell on Windows Server 2012 R2 uses .NET Framework 4.5, which does not include TLS 1.2 as an available protocol.

Chef Version

Latest

Platform Version

Windows

Replication Case

This is hard to replicate as, from my testing, our CDN does appear to support TLS 1.0 and 1.1, so this issue is most likely prevalent in environments that block these protocols. As such I have not provided a concrete repro here.

Suggested Fix

One suggested modification is to add the line:

```powershell
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
```

Somewhere around here:

```powershell
# Existing download logic in the Windows bootstrap template
$ProxyUrl = $env:http_proxy;
$webClient = new-object System.Net.WebClient;
if ($ProxyUrl -ne '') {
  # Route the download through the proxy from http_proxy, bypassing it for local addresses
  $WebProxy = New-Object System.Net.WebProxy($ProxyUrl,$true)
  $WebClient.Proxy = $WebProxy
}
$webClient.DownloadFile($remoteUrl, $localPath);
# WGET_PS below is the terminator of the Ruby heredoc that wraps this PowerShell in the template
WGET_PS
```

so that the `win_wget_ps` template variable is passed correctly to any core or custom bootstrap templates on Windows when combined with the `knife bootstrap` command.

Background reading: https://docs.microsoft.com/en-us/security/solving-tls1-problem

Special note for Windows 2008 R2

The .NET Framework 3.5.1 included in Windows 2008 R2 and Windows 7 SP1 did not have support for TLS 1.2 until KB3154518. Unfortunately, the implementation is subtly different between CLR 2.0 (including .NET Framework 3.5.1) and CLR 4 apps (see another workaround I discovered: navossoc/KeePass-Yet-Another-Favicon-Downloader#23). A decision needs to be made as to whether to support this or go with the simpler modification and deal with Windows 2008 by exception.

/cc @marcparadise
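The following is an added example of the download step with TLS 1.2 enabled up front; it is not the Chef bootstrap template's code and not part of the issue above. The function name `Invoke-Tls12Download`, its parameter names and the placeholder URL are assumptions. It differs from the one-liner suggested in the issue in two ways: it ORs TLS 1.2 into the existing `SecurityProtocol` value instead of replacing the list, so protocols a newer runtime already allows stay enabled, and it sets the value via `[Enum]::ToObject` with the numeric value 3072 so the same line also works on CLR 2.0 (.NET 3.5.1 with KB3154518), where the `Tls12` enum member does not exist.

```powershell
# Added example (not the Chef bootstrap template's code): download a file over TLS 1.2 with
# Windows PowerShell on hosts whose .NET default protocol list does not include TLS 1.2.
# Function and parameter names are our own; the URL in the usage line is a placeholder.
function Invoke-Tls12Download {
    param(
        [Parameter(Mandatory = $true)][string]$RemoteUrl,   # the template's $remoteUrl
        [Parameter(Mandatory = $true)][string]$LocalPath,   # the template's $localPath
        [string]$ProxyUrl = $env:http_proxy                 # same source as the template
    )

    # 3072 is the numeric value of SecurityProtocolType.Tls12. [Enum]::ToObject does not
    # require a named member, so this also works on CLR 2.0 (.NET 3.5.1), where the enum
    # lacks Tls12 but the runtime accepts the value once KB3154518 is installed.
    $tls12 = 3072
    $current = [int][System.Net.ServicePointManager]::SecurityProtocol

    # SecurityProtocol is process-wide state. OR-ing TLS 1.2 into the current value keeps
    # anything newer the runtime already allows; assigning Tls12 alone would replace the list.
    try {
        [System.Net.ServicePointManager]::SecurityProtocol = [Enum]::ToObject([System.Net.SecurityProtocolType], ($current -bor $tls12))
    } catch {
        # A runtime without TLS 1.2 support rejects the value (Windows 2008 R2 / 7 SP1 without KB3154518).
        throw "This .NET runtime cannot enable TLS 1.2: $($_.Exception.Message)"
    }

    # Read the setting back instead of assuming the assignment took effect.
    if (([int][System.Net.ServicePointManager]::SecurityProtocol -band $tls12) -eq 0) {
        throw 'TLS 1.2 is still not enabled for this process.'
    }

    $webClient = New-Object System.Net.WebClient
    if (-not [string]::IsNullOrEmpty($ProxyUrl)) {
        # Same proxy handling as the template; an unset http_proxy means "no proxy".
        $webClient.Proxy = New-Object System.Net.WebProxy($ProxyUrl, $true)
    }
    try {
        $webClient.DownloadFile($RemoteUrl, $LocalPath)
    } finally {
        $webClient.Dispose()
    }
}

# Usage with placeholder values (replace with the real MSI URL and destination path):
# Invoke-Tls12Download -RemoteUrl 'https://example.invalid/chef-client.msi' -LocalPath "$env:TEMP\chef-client.msi"
```

Because `ServicePointManager.SecurityProtocol` is shared by every `WebClient` in the PowerShell process, the assignment only needs to happen once before the first request; the read-back check catches the case where the runtime silently ignored the value.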
