3

I have a Windows Server 2012R2 with PowerShell 4.

A SQL job issues an `Invoke-WebRequest https://someserver/file.xml -OutFile c:/tmp/data.xml`

It fails with an SSL error, even if I follow "Powershell Invoke-WebRequest Fails with SSL/TLS Secure Channel" and prepend `[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"` or the other variations.

Is PowerShell 4 too old?

Should I try installing PowerShell 6 or 7 from https://github.com/PowerShell/PowerShell/releases ?

Will that be invoked by the SQL job, or should it be specified somewhere/somehow that it's supposed to run v7 instead of v4?

PS: I know "Windows Server 2012 R2 entered mainstream support on November 25, 2013, though, but its end of mainstream is January 9, 2018, and end of extended is January 10, 2023" but upgrading is not an option right now.

EDIT

I installed PowerShell 5.1; it didn't change.


```
Major  Minor  Build  Revision
-----  -----  -----  --------
5      1      14409  1005
```

and do

```
[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"
```

But still get `Invoke-WebRequest : The request was aborted: Could not create SSL/TLS secure channel.`

EDIT 2

```
PS C:\Users\leif> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.14409.1005
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14409.1005
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
```

Leif Neland
  • 2
    For 2012R2, I'd strongly recommend installing Windows Management Framework 5.1 (which includes PowerShell 5.1), then try again with `[ServicePointManager]::SecurityProtocol = 'Tls12'` – Mathias R. Jessen Mar 10 '20 at 12:49

1 Answer

2

I believe it is. PowerShell relies upon the .NET Framework under the hood. PS version 4 uses .NET 4.0, which I believe did not have support for TLS 1.2 added or enabled by default.

See: https://learn.microsoft.com/en-us/powershell/scripting/install/windows-powershell-system-requirements?view=powershell-7

TLS 1.2 was made the default protocol in .NET 4.6. See: https://blogs.perficient.com/2016/04/28/tsl-1-2-and-net-support/

Make note of: NET 4.0. TLS 1.2 is not supported

So you're going to need to code around it as others have suggested or upgrade to WMF 5.1. Before completing the upgrade, make sure it will not break anything. Some MS products, like SharePoint, may not be compatible with the newer version.

Also, try setting your TLS via:

```
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
```

The above assumes a PowerShell version with support.

Zack A
  • I'm going to use it in a SQL job step. – Leif Neland Mar 10 '20 at 18:15
  • I have installed WMF 5.1, it made no difference. – Leif Neland Mar 10 '20 at 18:15
  • Well, I would start at the lowest level... Does this work in a basic PowerShell window on the server that would be running the job? Yes/No will determine how you proceed from there. If you have WMF 5.1 and you're using the code I posted above, then it should work in a PowerShell console. I have about 50 jobs scheduled using Invoke-WebRequest with that code. Test it, but I'm thinking the issue could be somewhere other than PowerShell. If you want to consume an XML file you may need to schedule a separate job in PowerShell to download it, then another in SQL to consume it. – Zack A Mar 10 '20 at 18:50
  • It does not run in PowerShell. It works against a foreign server which supports TLS 1.1, not against my "XML-server", which only supports TLS 1.2 and 1.3. Perhaps I have to downgrade my server security to enable 1.1. – Leif Neland Mar 10 '20 at 19:14
  • I mean it fails in the PowerShell 5.1 window. – Leif Neland Mar 10 '20 at 19:14
  • You shouldn't have to. I contact web services using PS that are TLS 1.2... Did you do the: `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12` ...before the Invoke-WebRequest? – Zack A Mar 10 '20 at 19:27
  • Can you type this: `$PSVersionTable` and post the results? Let's make sure you're on 5.1. – Zack A Mar 10 '20 at 19:28
  • The webserver on the machine which should read the XML is supporting .NET v2.0 and .NET v4.5, I don't know if this is relevant. – Leif Neland Mar 10 '20 at 19:35
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/209394/discussion-between-leif-neland-and-zack-a). – Leif Neland Mar 10 '20 at 19:39
  • Temporary solution: enable TLS v1.1 on source – Leif Neland Mar 10 '20 at 20:10
  • Do you have a firewall or proxy in between the server(s) that could be manipulating the TLS session in some way? – Zack A Mar 24 '20 at 20:45
  • Hey, @ZackA did you find a solution? I have the exact same problem. – mech May 10 '21 at 06:54
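
One way to narrow down where the handshake in this thread fails, as an added example that is not part of the original posts: it reports the installed .NET Framework release, any Schannel override for the TLS 1.2 client, and the result of a raw TLS 1.2 handshake made outside `Invoke-WebRequest`. `someserver` is the question's placeholder host, and the parameter names are assumptions.

```powershell
# Added diagnostic sketch; 'someserver' is the placeholder host from the question.
param([string]$HostName = 'someserver', [int]$Port = 443)

# 1. Installed .NET Framework 4.x. A Release value of 393295 or higher means 4.6 or later.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
"NET Framework release   : {0} ({1})" -f $ndp.Release, $ndp.Version

# 2. Schannel override for the TLS 1.2 client. If the key is absent the OS default applies.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$sch = Get-ItemProperty $key -ErrorAction SilentlyContinue
if ($sch) { "Schannel TLS 1.2 client : Enabled=$($sch.Enabled) DisabledByDefault=$($sch.DisabledByDefault)" }
else      { "Schannel TLS 1.2 client : no override (OS default)" }

# 3. What this session offers once the setting from the answer is applied.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
"SecurityProtocol        : $([Net.ServicePointManager]::SecurityProtocol)"

# 4. Raw TLS 1.2 handshake, bypassing Invoke-WebRequest and ServicePointManager.
$tcp = New-Object System.Net.Sockets.TcpClient
$ssl = $null
try {
    $tcp.Connect($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    # Arguments: target host, no client certificates, TLS 1.2 only, no revocation check.
    $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
    "Handshake OK            : {0}, cipher {1} ({2} bit), key exchange {3}" -f `
        $ssl.SslProtocol, $ssl.CipherAlgorithm, $ssl.CipherStrength, $ssl.KeyExchangeAlgorithm
}
catch {
    # Unwrap to the innermost exception, which carries the actual failure reason.
    $e = $_.Exception
    while ($e.InnerException) { $e = $e.InnerException }
    "Handshake FAILED        : $($e.GetType().Name): $($e.Message)"
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}
```

If the raw handshake in step 4 also fails, the problem sits below PowerShell (Schannel configuration or what the two ends can negotiate) rather than in the `SecurityProtocol` setting.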