Bootstrap: Force Windows PowerShell to use TLS 1.2 #8486
In the existing implementation of bootstrap on Windows, Windows PowerShell is used to launch a .NET WebClient object that downloads the Chef Infra Client MSI via our CDN. Depending on the OS configuration (specifically if .NET 4.7 is not installed), TLS 1.2 may not be the default protocol attempted by the WebClient and this may cause downloads to fail depending on the environment.
Specifically, Windows PowerShell on Windows Server 2012 R2 uses .NET Framework 4.5, which does not include TLS 1.2 as an available protocol.
This is hard to replicate, as from my testing our CDN does appear to support TLS 1.0 and 1.1, so this issue is most likely prevalent in environments that block these protocols. As such I have not provided a concrete repro here.
One suggested modification is to add the line:
Somewhere around here:
Background reading: https://docs.microsoft.com/en-us/security/solving-tls1-problem
Special note for Windows 2008 R2
The .NET Framework 3.5.1 included in Windows 2008 R2 and Windows 7 SP1 did not have support for TLS 1.2 until KB3154518. Unfortunately the implementation is subtly different between CLR 2.0 (including .NET Framework 3.5.1) and CLR 4 apps (see another workaround I discovered: navossoc/KeePass-Yet-Another-Favicon-Downloader#23). A decision needs to be made as to whether to support this or go with the simpler modification and deal with Windows 2008 by exception.
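As an added example (not code from this repository's bootstrap template), the following Windows PowerShell script shows the suggested modification applied before the WebClient download, and also covers the CLR 2.0 case from the special note above: on .NET 3.5.1 with KB3154518 the `SecurityProtocolType` enum has no `Tls12` member, so the value is set from its integer (3072) instead. The URL and destination path are placeholders, and the behaviour on a CLR 2.0 host without the KB (the assignment throws) is an assumption based on the linked workaround, not something verified in this issue.

```powershell
# Added example, not the chef bootstrap code. Ensures a WebClient launched from
# Windows PowerShell can negotiate TLS 1.2 on both CLR 4 and CLR 2.0 hosts.

function Enable-Tls12 {
    # 3072 is the integer value of SecurityProtocolType.Tls12. Using the number instead
    # of the named member keeps this working on CLR 2.0 (.NET 3.5.1 + KB3154518),
    # where [Net.SecurityProtocolType]::Tls12 does not exist.
    $tls12 = 3072
    $current = [int][Net.ServicePointManager]::SecurityProtocol

    # 0 is SystemDefault (.NET 4.7+): the OS Schannel policy already decides the
    # protocol list, so leave it alone rather than narrowing it to TLS 1.2 only.
    if ($current -eq 0) { return $true }

    # Already enabled, nothing to do.
    if (($current -band $tls12) -eq $tls12) { return $true }

    # OR the bit in rather than overwrite, so protocols the runtime already allows
    # are not removed. On a host whose runtime lacks TLS 1.2 support the assignment
    # throws (assumed behaviour); report that as a failure instead of crashing.
    try {
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]($current -bor $tls12)
        return $true
    } catch {
        Write-Warning "TLS 1.2 is not available in this .NET runtime: $($_.Exception.Message)"
        return $false
    }
}

function Get-FileOverTls12 {
    param(
        [Parameter(Mandatory = $true)] [string] $Url,
        [Parameter(Mandatory = $true)] [string] $Destination
    )
    if (-not (Enable-Tls12)) {
        throw "Refusing to download: TLS 1.2 could not be enabled (install KB3154518 on 2008 R2 / Windows 7 SP1, or .NET 4.5+ with the TLS 1.2 update)"
    }
    $client = New-Object System.Net.WebClient
    try {
        $client.DownloadFile($Url, $Destination)
    } finally {
        $client.Dispose()
    }
}

# Placeholder values; replace with the real MSI URL and target path.
Get-FileOverTls12 -Url 'https://example.invalid/chef-client.msi' -Destination "$env:TEMP\chef-client.msi"
```

The check for `SystemDefault` (value 0) matters because on a host with .NET 4.7 or later the failure described in this issue does not occur, and unconditionally assigning `Tls12` there would restrict the process to TLS 1.2 even where the OS permits newer protocols.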