Skip to content

Allow SecurityProtocol to be specified for a repo#21

Open
palintir wants to merge 1 commit intohbuckle:masterfrom
palintir:Security_protocols_for_repository
Open

Allow SecurityProtocol to be specified for a repo#21
palintir wants to merge 1 commit intohbuckle:masterfrom
palintir:Security_protocols_for_repository

Conversation

@palintir
Copy link
Contributor

@palintir palintir commented Jan 30, 2019

A parameter (securityprotocols) has been added to the psrepository type
which will accept a list of security protocols that the repository will
accept, the list can contain any values can be specified for the
ServicePointManager.SecurityProtocol Property (see
https://docs.microsoft.com/en-us/dotnet/api/system.net.servicepointmanager.securityprotocol)

e.g.

psrepository { 'psrepo':
    ensure              => present,
    source_location     => 'https://local.repo.domain/',
    installation_policy => 'trusted',
    securityprotocols   => [ TLS11, TLS12 ]
}

This is to resolve an SSL connection issue that can occur if the
PowerShell repository enforces the use of a specific TLS version, but
the Windows client has a default protocol version that is lower.

@palintir
Allow SecurityProtocol to be specified for a repo
b7b37f7 
A parameter (securityprotocols) has been added to the psrepository type
which will accept a list of security protocols that the repository will
accept, the list can contain any values can be specified for the
ServicePointManager.SecurityProtocol Property (see
https://docs.microsoft.com/en-us/dotnet/api/system.net.servicepointmanager.securityprotocol)

e.g.

    psrepository { 'psrepo':
        ensure              => present,
        source_location     => 'https://local.repo.domain/',
        installation_policy => 'trusted',
        securityprotocols   => [ TLS11, TLS12 ]
    }

This is to resolve an SSL connection issue that can occur if the
PowerShell repository enforces the use of a specific TLS version, but
the Windows client has a default protocol version that is lower.
@hbuckle
Copy link
Owner

hbuckle commented Feb 3, 2019

Hi @palintir, sorry for the delayed response. Thinking about this would it make sense to just set TLS 1,2 and 3 support by default for all commands - that way we aren't reliant on the psrepository being in the catalog for the package commands to work. What do you think?

@palintir
Copy link
Contributor Author

palintir commented Feb 7, 2019

@hbuckle I was initially going to do this but I was concerned that it might cause issues for others, so I decided to make it user controllable, but I have no objections to doing it this way if that's what you suggest.

@hbuckle
Copy link
Owner

hbuckle commented Feb 11, 2019

The only issue I can think of would be if you wanted to prevent connections to TLS1.0 or TLS 1.1 repos.
I see for .NET 4.7 or Core SystemDefault can be set - what about setting SystemDefault if it is available, otherwise setting 1, 1.1 and 1.2 - that way if you need to control things you can use the system settings?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@palintir @hbuckle