Powershell TLS Failure?

  • Question

  • Hello dear Community

    Nearly at the beginning of this year I experienced something strange.

    I had written a PowerShell script back in September 2019 which downloads a zip and unpacks it.

    It worked perfectly until January 2020; then, on Windows 7 with PowerShell 3.0, an error occurred while trying to download.

    On Windows 10 it still worked like a charm. Later I found out that the problem is the encryption, which I now have to force to be TLS 1.2.

    Why did they do this, and where exactly did this "mistake" happen?

    Is there any official statement on this?

    Thanks beforehand


    Into VBA, Batch and a bit of Powershell! The possibilities are endless...

    • Moved by jrv Wednesday, February 12, 2020 6:57 AM Nonsense
    Wednesday, February 12, 2020 6:50 AM

All replies

  • We knew you would fall for that old hack so we changed it without telling you.

    Of course you would try to use Windows 7 and we knew you would be totally confused.

    We tried to warn everybody that Windows 7 was being cancelled in January and we knew you wouldn't pay attention to our message.  This was also done to punish you and others for continuing to use Windows 7.

    If you continue to use Windows 7 we will have more surprises that will entertain us while watching you look confused.

    The moral of this story is .... well, you can figure it out.


    \_(ツ)_/

    Wednesday, February 12, 2020 7:02 AM
  • Sorry but currently with ESU you will still receive security updates until 2023.

    As I am not responsible for such things at my workplace this does not answer my question in any way!

    I am just asking for the reason for this behavior, as I do not know how and why it should just be changed to standard TLS 1.0. This would be quite a security risk to everyone using it.

    I know that Windows 7 is "old", but just randomly killing it with bugs can't be a serious thing.


    Into VBA, Batch and a bit of Powershell! The possibilities are endless...

    Wednesday, February 12, 2020 7:12 AM
  • Security updates are not enhancements or bug fixes.  I doubt that you have an ESU contract.

    Your issue has been addressed by Microsoft for years.  I have received more than 100 emails and articles warning of this and that it would be an issue. I addressed this issue with one customer two years ago. The customer forced us to remove the patch because they had services that they used that failed to implement the new requirements.

    The cause of this has nothing to do with Microsoft.  TLS is not a Microsoft product.  Windows 7 was altered to address this issue years ago but non-technical users likely didn't read any of the articles and emails sent out by Microsoft and most other vendors.

    There have also been numerous articles and discussions about how to allow PowerShell on pre-Win10 systems to address this issue.

    To understand what happened you first have to take the time to learn what TLS is.  This can be easily learned by searching or by getting a modern book on networking.

    As an example of what happened to you consider what happened to all of the millions of people who were using Windows 3.1 and modems for networking.  Why is this no longer done?  We can still buy modems.  What changed?

    Why is TLS not an issue on Windows 10?  How does TLS affect Windows?  Where is it used?  Why is it used?

    To understand this and the answers to these questions you will need to learn computer engineering and network engineering as a pre-requisite.

    Since you are an end user and not an engineer or trained technician I can only say that you have hit a common wall.  The world changes.  Things in technology change.  Companies hire trained and certified or degreed technical professionals to keep the company in sync with these world changes.

    Have you tried talking to the people responsible for your network?  Do you have a network engineer in the company or does your company rely on consultants?  Either would be able to help you.

    Also you failed to tell us what stopped working with your script.  Code that worked on Windows 7 still works on Windows 7 assuming you didn't change the code.  On Windows 7 and Windows 10 the code could be written to fail on both the same way. Turn off the default security protocols on Windows 10 and the script will fail the same way.  The cause of the failure has nothing to do with Windows.  What was the code doing?  What changed and why did Win10 keep working?

    This is the kind of rut you get into by blaming others for failures that are not really failures but are the result of change.  Learning the basics of networking and Windows is the first step to understanding change.

    To demonstrate what is happening you can do the following:

    On both Win10 and Win7 run the following at a prompt

    [enum]::GetNames([System.Net.SecurityProtocolType])

    Now run the following line on both systems:

    [Net.ServicePointManager]::SecurityProtocol

    Notice the difference.

    Now read the following: https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi

    Notice that Microsoft published that article years ago. 

    PowerShell 3 is a very old version of PowerShell.  It was written before these changes.  PowerShell 5.1 on Windows 7 can use the protocols but was not written to set the system default.  This was for compatibility.  Windows 10 came with the protocols enabled and the SystemDefault set for the future.

    The future arrived for you in January 2020.  You stumbled into the future like someone who only knew about horses and crossed paths with a horseless carriage.

    Microsoft and all other vendors warn us constantly about changes (breaking changes) but companies require either trained technicians, a consultant or a Microsoft support contract to keep up with the changes since desktop people in companies are not trained beyond the basic GUI.

    As to why your script stopped you will have to determine what the script was doing when it failed.  This would be part of the complete error message but not part of a conversion of the error to a string.  Conversion of errors to strings removes all of the information required to troubleshoot the problem.  From your question I can assume that you didn't write the script or that you copied a script and edited it without any training in PowerShell.

    The full error will tell you exactly what caused it to fail.  Once you know what failed then you know the source of the failure.  I guarantee that it is not Windows 7 and not PowerShell. It is some external force.  Have you noticed any Klingons around?  They are known to cause this kind of issue.

    Anyway follow the above instructions and you will eventually track down who changed what.


    \_(ツ)_/

    Wednesday, February 12, 2020 8:09 AM
  • Sorry but currently with ESU you will still receive security updates until 2023.

    As I am not responsible for such things at my workplace this does not answer my question in any way!

    I am just asking for the reason for this behavior, as I do not know how and why it should just be changed to standard TLS 1.0. This would be quite a security risk to everyone using it.

    I know that Windows 7 is "old", but just randomly killing it with bugs can't be a serious thing.


    Into VBA, Batch and a bit of Powershell! The possibilities are endless...

    Just as a note - SSL 1, SSL 2 and TLS 1 have been unsupported everywhere for years.  Nothing was removed from Windows 7.  The protocols were disabled for the browser gradually over time.  TLS1.x was disabled some time ago for IE.  TLS 1.1-3 all work with TLS1 servers.  TLS 1.0 is due to EOL for browsers in March 2020.

    What you are saying doesn't make much sense.   I suspect that the remote has dropped TLS1.0 support as was required over a year ago. Without the full error there is no way to know what the issue is.  Without the script there is no way to know if it is written correctly.

    Using "SystemDefault" is designed to overcome some of the issues with changing protocols that all vendors face.


    \_(ツ)_/


    • Edited by jrv Wednesday, February 12, 2020 9:05 AM
    Wednesday, February 12, 2020 9:02 AM
  • So to begin with.

    I know what TLS is. I am in an apprenticeship as automation engineer. We have an ESU contract.

    I know that the version is old. I know that on Windows 7 the standard TLS is now 1.0 if I run the command you've written; I don't know what it was back in 2019.

    But the thing is it was NOT like that before. And on Windows 10 the standard is 1.2 I think. It's been a month since testing around.

    You wrote this was published years ago; I am relatively new to PowerShell and wasn't using it before. I have never received any information about this.
    Also just saying I don't know things and the question is nonsense you could have told me this right away.

    How should people learn if no one wants to teach?

    Of course I have googled around to find inspiration for my scripts but in the end I have written the scripts on my own but yeah anyway.

    The code truly worked in 2019 and just stopped working this January. I had not done anything.

    Here's the code which worked in 2019, with the TLS 1.2 enforcement I had to add (comments translated from German):

    # Read the path from the registry
    [String]$MainHome = (Get-ItemProperty "Registry::HKEY_CURRENT_USER\Software\xxx" -Name "HomeDir")."HomeDir"
    
    # Define the environment
    [String]$Homepath = Get-Location
    [String]$LinkSource = $MainHome + "Resources\Sources.txt"
    [String]$Downloadpath = (Get-Content -Path $LinkSource -TotalCount 5)[-1]
    [String]$Temp = $Homepath + "\Temp\Application.zip"
    [String]$Storepath = $MainHome # + "Versions"
    [String]$Element = $MainHome + "Application"
    
    # Remove the old element
    If((Test-Path $Element))
    {
          Remove-Item -Path $Element -Recurse
    }
    
    # Print the paths
    Write-Output $Downloadpath
    Write-Output $Temp
    
    # Create the folders
    If(!(Test-Path $Storepath))
    {
          New-Item -ItemType Directory -Force -Path $Storepath
    }
    
    $Temppath = ".\Temp"
    If(!(Test-Path $Temppath))
    {
          New-Item -ItemType Directory -Force -Path $Temppath
    }
    
    # Force TLS 1.2, otherwise the download does not work on Windows 7.
    # -|- This is the part I had to add to get it working again -|-
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    
    # Download the files
    $client = New-Object System.Net.WebClient
    $client.DownloadFile($Downloadpath, $Temp)
    
    # Remove the old element
    If((Test-Path $Element))
    {
          Remove-Item -Path $Element -Recurse
    }
    
    # Unpack the zip
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    [System.IO.Compression.ZipFile]::ExtractToDirectory($Temp, $Storepath)
    
    # Move into the correct folder
    Move-Item -Path $Storepath\Application\* -Destination $MainHome -Force
    
    If(!($error.Count -eq 0)){
    Write-Output "Download fehlgeschlagen, bitte versuchen sie es erneut!"
    Start-Sleep -s 10
    }
    
    # Delete the download folder
    Remove-Item -Path ".\Temp" -Recurse

    This just does not work anymore without the TLS 1.2 enforcement; it did before. Of course it won't work on Windows 10 if I deactivate the TLS 1.2 setting...

    I read the error it gave out and found this as solution so I think I understood the problem and solved it.

    I stumbled upon this while researching the problem:
    https://web.archive.org/web/20180513223442/https://johnlouros.com/blog/enabling-strong-cryptography-for-all-dot-net-applications

    But I was interested in the reason of it and from what part of the system it came. I was not sure if it is really the thing in the Link above.

    Something changed after an update in January. And I wanted to know if someone had the same issue and maybe knows what exactly happened.

    But yeah let it be like that.

    Have a nice day.




    Into VBA, Batch and a bit of Powershell! The possibilities are endless...


    • Edited by AleDev Wednesday, February 12, 2020 9:11 AM Grammatics
    Wednesday, February 12, 2020 9:04 AM
  • This is Microsoft's warning about TLS1.0/1.1 for dropping support.

    https://techcommunity.microsoft.com/t5/enterprise-mobility-security/end-of-support-for-tls-1-0-and-1-1-in-microsoft-cloud-app/ba-p/770507

    Here is a discussion of the removal of TLS 1.0/1.1 from all major browsers and services that is from last year.

    https://www.zdnet.com/article/chrome-edge-ie-firefox-and-safari-to-disable-tls-1-0-and-tls-1-1-in-2020/

    This issue has been front and center in the news for years.  No changes to Windows 7 were made.  Here is an article published by Microsoft over a year ago noting the changes required and the system prep required to correctly support apps when the servers on the Internet drop support for the protocols.

    https://docs.microsoft.com/en-us/security/solving-tls1-problem

    This is why it is critical that those wanting to work in technology need to get training that informs them of how to use the technology and how to keep up with change.  MS releases newsletters almost daily noting changes to Windows and all of the Windows subsystems like Exchange, SCCM, SharePoint etc.  Every MS product site contains links to newsletters, blogs and forums that techs need to keep up with.


    \_(ツ)_/

    Wednesday, February 12, 2020 9:19 AM
  • As I don't think the change happened at server-side I thought it must be on the client side.

    Also this article led me to that belief:

    https://web.archive.org/web/20180513223442/https://johnlouros.com/blog/enabling-strong-cryptography-for-all-dot-net-applications

    ->could have happened with a late .net update? this was what I thought might have happened.

    As far as I know no one updated or changed something during the suspected time.

    Thanks for the Links!


    Into VBA, Batch and a bit of Powershell! The possibilities are endless...



    • Edited by AleDev Wednesday, February 12, 2020 9:38 AM
    Wednesday, February 12, 2020 9:30 AM
  • So to begin with.

    I know what TLS is. I am in an apprenticeship as automation engineer. We have an ESU contract. I read the error it gave out and found this as solution so I think I understood the problem and solved it.

    But I was interested in the reason of it and from what part of the system it came. I was not sure if it is really the thing in the Link above.

    Something changed after an update in January. And I wanted to know if someone had the same issue and maybe knows what exactly happened.

    But yeah let it be like that.

    Have a nice day.


    You may be learning automation but you are clearly not an engineer.  That may be the difference.  Learning networking is what is needed here.

    The reason for your issue is in the error message which you have yet to post.

    Windows 7 didn't change.  The network changed.  Windows 10 was set to enforce protocol strength from its first day and that has been enhanced.  Windows 7 has been being removed from service for years but MS has delayed that due to many large corps demanding more time to adapt.

    My main design here is to address your internship/apprenticeship.  I want you and others trying to break into computer technology to understand the need to do constant research and training.  Blaming Microsoft or others is a habit that will only keep you from becoming a good experienced professional.  

    You still haven't understood that the issue has existed for years and the warnings have gone out repeatedly.  The network has changed.  Your script had you locked out of the changes.  Using PS 3 instead of upgrading also locked you out.  It is also likely that you failed to install Net 4.7 and its updates which would have further locked you out.  Why?  Because the release notes for the upgrades would have given you the exact answers you needed.

    I am not sure what you mean by "automation engineer".  My guess is that it means you are learning how to script management tasks.  Without fundamental systems engineering no amount of scripting will help you.  You must know the technology you are automating.

    By the way...all coding/programming in any language is automation engineering of some kind.  Formerly we called it software engineering.  The new term is just a thing the industry has latched onto.  Every company sees it somewhat differently.  In correct usage it would be targeted at a specific system such as IIS management or desktop provisioning.  System Center products are all referred to as automation engineering tools.

    In your case with this issue your first stop should have been to research the issue.  You just assumed that MS had done something.  There was never any evidence for that assumption.  You just liked that it explained the unknown.


    \_(ツ)_/

    Wednesday, February 12, 2020 10:02 AM
  • As I don't think the change happened at server-side I thought it must be on the client side.

    Also this article led me to that belief:

    https://web.archive.org/web/20180513223442/https://johnlouros.com/blog/enabling-strong-cryptography-for-all-dot-net-applications

    ->could have happened with a late .net update? this was what I thought might have happened.

    As far as I know no one updated or changed something during the suspected time.

    Thanks for the Links!


    Into VBA, Batch and a bit of Powershell! The possibilities are endless...



    Again that was delivered in the release notes and has been a discussion around what was going to happen when all of the net servers dropped TLS1 encryption.  The changes to the Windows OS needed were not done automatically as they could be breaking changes.  The emails and blogs from MS posted this info over two years ago when the SSL protocols were being dropped by web servers and email systems.  Many, like you, blamed MS or other vendors.  The issue was done for security reasons and even made it to the evening news.

    To be a tech you need to get and read all documentation, release notes and vendor/industry newsletters or this thing will happen repeatedly.


    \_(ツ)_/

    Wednesday, February 12, 2020 10:08 AM
    Looking at your script it tells me that whoever is teaching you PowerShell doesn't know much about programming, scripting or PowerShell.  You should get one of the many excellent books written by the designers of PowerShell and learn it correctly.  The direction you are headed in will only cause you many headaches.

    Here are two resources that can help to clarify your understanding.


    \_(ツ)_/

    Wednesday, February 12, 2020 10:21 AM
    As an example this is a cleaner way to write this and will prevent run-on errors which can be destructive and make debugging difficult.

    Much of your code is unnecessary, which you will understand when you learn basic PowerShell correctly.

    $ErrorActionPreference = 'Stop'
    Try{
        # Read the path from the registry
        $mainHome = (Get-ItemProperty 'HKCU:\Software\xxx' -Name HomeDir).HomeDir
    
        # Define the environment
        $linkSource = Join-Path $mainHome Resources\Sources.txt
        $downloadpath = (Get-Content -Path $linkSource -TotalCount 5)[-1]
        $temp = Join-Path $pwd Temp\Application.zip
        $storepath = Join-Path $mainHome Versions
        $element = Join-Path $mainHome Application
    
        # Remove the old element
        if(Test-Path $element){
            Remove-Item -Path $element -Recurse -Force
        }
    
        # Print the paths
        Write-Output $downloadpath
        Write-Output $temp
    
        # Create the folders
        New-Item $storepath -ItemType Directory -Force
        $Temppath = New-Item .\Temp -ItemType Directory -Force
    
        # Force TLS 1.2, otherwise the download does not work on Windows 7.
        # -|- This is the part I had to add to get it working again -|-
        [Net.ServicePointManager]::SecurityProtocol = 'Tls12'
    
        # Download the files
        $client = New-Object System.Net.WebClient
        $client.DownloadFile($downloadpath, $temp)
    
        # Unpack the zip
        Add-Type -AssemblyName System.IO.Compression.FileSystem
        [System.IO.Compression.ZipFile]::ExtractToDirectory($temp, $storepath)
    
        # Move into the correct folder
        Move-Item -Path $storepath\Application\* -Destination $mainHome -Force
    
        if($error.Count){
            Write-Output "Download fehlgeschlagen, bitte versuchen sie es erneut!"
            Start-Sleep -s 10
        }
        # Delete the download folder
        Remove-Item .\Temp -Recurse
    }
    Catch{
        Throw $_
    }

    FYI - I have 40+ years of programming and computer engineering experience.  I do not make these suggestions lightly or from the perspective of a junior scripter.  Most things I post are based on years of tough experience.

    Studying a technology is never ending.  There is no such thing as knowing enough.  For the first few years you will be learning only the very basics.  At some point you will see more and then you will be able to do amazing things.


    \_(ツ)_/


    • Edited by jrv Wednesday, February 12, 2020 10:45 AM
    Wednesday, February 12, 2020 10:44 AM
  • As I don't think the change happened at server-side I thought it must be on the client side.

    Also this article led me to that belief:

    https://web.archive.org/web/20180513223442/https://johnlouros.com/blog/enabling-strong-cryptography-for-all-dot-net-applications

    ->could have happened with a late .net update? this was what I thought might have happened.

    As far as I know no one updated or changed something during the suspected time.

    Thanks for the Links!


    Into VBA, Batch and a bit of Powershell! The possibilities are endless...



    Wrong.  If you had to change the protocol then the change was server side.   No matter what you had set in Windows - this is the default - SSL3,TLS.  The server dropped support for TLS as required by the industry and that caused your script to fail.  W10 uses TLS1.2 by default.  The server was set for TLS 1.2 and TLS1.0 so when the 1.0 was dropped W10 kept working and Win7 stopped.

    If you had been following the messages, emails and tv news reports you would have known this was going to happen.  

    Also the server might have dropped SSL3 support which is also a security risk.  It was supposed to be dropped a year ago.  
    The registry hacks were only necessary to force a behavior that made applications of all kinds more resilient to the pending changes.  PowerShell 3 would not have been affected since it didn't use "SystemDefault" on Windows 7.  PowerShell would have used "SystemDefault" and it would have worked correctly assuming you included TLS 1.2/1.3 into the settings.

    Understanding this is why I noted that you need to learn networking and the Internet and its protocols.  Also understanding how Windows implements things affected by standards and how all of networking is implemented in Windows would help you continuously.  A Windows computer is a network device.  The OS is a network OS.  They cannot be separated.

    The old hack was "the network is the computer" and now it has expanded to "the cloud is the computer".  Be prepared.


    \_(ツ)_/

    Wednesday, February 12, 2020 11:01 AM
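    As an added example (editor's code, not something jrv or AleDev posted in this thread), the following PowerShell script combines the two checks jrv gives earlier (the enum names and the current SecurityProtocol mask) with the point made above about SystemDefault and explicit protocol lists: it reports what the loaded .NET runtime knows, enables TLS 1.2 (and TLS 1.3 where the runtime names it) by adding to the existing mask instead of overwriting it, and wraps the download so the full exception chain is shown rather than a string conversion of the error. The function names, the placeholder URL and the destination path are my own assumptions; the numeric values 3072 and 12288 are the documented Tls12 and Tls13 values of System.Net.SecurityProtocolType.

```powershell
# Added example (editor's code, not from the thread). Inspect the .NET protocol
# mask this PowerShell process will offer, enable TLS 1.2 without re-enabling
# older protocols, and download with the full error chain preserved.

function Get-ProtocolState {
    # Names the loaded .NET runtime knows: Tls12/Tls13/SystemDefault only appear
    # on newer runtimes, which is what differs between a Win7 and a Win10 box.
    $available = [enum]::GetNames([System.Net.SecurityProtocolType])
    # The mask currently in effect for this process (0 = SystemDefault on
    # .NET 4.7+, meaning "use whatever the OS Schannel defaults are").
    $current = [Net.ServicePointManager]::SecurityProtocol
    [pscustomobject]@{
        Available    = ($available -join ', ')
        Current      = $current.ToString()
        # 3072 is the numeric value of Tls12; a numeric test works even when
        # the runtime's enum has no name for it.
        Tls12Enabled = (([int]$current) -band 3072) -ne 0
    }
}

function Enable-Tls12 {
    # Numeric values are used so the cast succeeds on a .NET runtime whose
    # enum predates the names (SecurityProtocolType is a [Flags] enum).
    $tls12 = [Net.SecurityProtocolType]3072
    $tls13 = [Net.SecurityProtocolType]12288
    $current = [Net.ServicePointManager]::SecurityProtocol

    # OR the modern protocols into the existing mask rather than overwriting it,
    # so nothing else that was enabled is lost and nothing old (Ssl3, Tls) is
    # added. Once any explicit bit is set, SystemDefault (0) no longer applies;
    # the process then uses exactly this list.
    $new = $current -bor $tls12
    if ([enum]::GetNames([Net.SecurityProtocolType]) -contains 'Tls13') {
        $new = $new -bor $tls13
    }
    [Net.ServicePointManager]::SecurityProtocol = $new
    return [Net.ServicePointManager]::SecurityProtocol
}

function Invoke-ZipDownload {
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        [Parameter(Mandatory = $true)][string]$Destination
    )
    $client = $null
    try {
        $client = New-Object System.Net.WebClient
        $client.DownloadFile($Url, $Destination)
        return $true
    }
    catch {
        # Walk the whole exception chain. The outer WebException typically says
        # "Could not create SSL/TLS secure channel"; the inner exception is the
        # part that says why the handshake failed, which a string conversion drops.
        $ex = $_.Exception
        while ($ex -ne $null) {
            Write-Warning ('{0}: {1}' -f $ex.GetType().FullName, $ex.Message)
            $ex = $ex.InnerException
        }
        return $false
    }
    finally {
        if ($client -ne $null) { $client.Dispose() }
    }
}

# Usage: compare the state before and after on Windows 7 and Windows 10.
Get-ProtocolState | Format-List
Enable-Tls12 | Out-Null
Get-ProtocolState | Format-List

# Placeholder URL (assumption): replace with the line read from Sources.txt.
$destination = Join-Path $env:TEMP 'Application.zip'
if (-not (Invoke-ZipDownload -Url 'https://example.invalid/Application.zip' -Destination $destination)) {
    Write-Warning 'Download failed; read the exception chain above before changing any protocol setting.'
}
```

    Running the first two Get-ProtocolState calls on both machines shows the difference jrv describes: a Windows 7 box on an old runtime lists no Tls12 name and a current mask of "Ssl3, Tls", while a Windows 10 box lists Tls12/Tls13/SystemDefault. The hardening deliberately only adds TLS 1.2/1.3; if a download still fails afterwards, the printed inner exception (certificate, cipher suite or name resolution) is what to act on, not a downgrade to TLS 1.0.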
    Thank you for the further explanation. I think in today's tech world there's so much to learn you can't know everything.

    As everything is evolving and getting more complex with the aim to be better than the last version of it.

    Also thanks a lot for the code example! I will have a look at it and compare the differences to see what you did there. ^^

    Have a nice week!


    Into VBA, Batch and a bit of Powershell! The possibilities are endless...

    Wednesday, February 12, 2020 11:38 AM
  • I will definitively have a look at the free book that really looks worth the time!

    Into VBA, Batch and a bit of Powershell! The possibilities are endless...

    Wednesday, February 12, 2020 11:55 AM
    Thank you for the further explanation. I think in today's tech world there's so much to learn you can't know everything.

    As everything is evolving and getting more complex with the aim to be better than the last version of it.

    Also thanks a lot for the code example! I will have a look at it and compare the differences to see what you did there. ^^

    Have a nice week!


    Into VBA, Batch and a bit of Powershell! The possibilities are endless...

    We have never been able to know everything; that is why we constantly strive to know more.  The most important thing is to get the basics aced.  That is true of the whole concept of computing and networking.  It can be done with some studying in a relatively short period of time.  After that adding to the pile is much easier.  In time the knowledge accumulates and the brain starts to put together more and leads us to ask more and better questions that point towards new areas that are interesting and important.

    Remember that the desktop is disappearing.  The cloud will be all that is left in only a few years.  What will be in front of the user will just be a device that displays what the cloud is producing.  In the cloud the concept of a processor becomes unnecessary.  Things like disks and cables will cease to exist for all but the engineers that work in the cloud.  Cloud engineers will be highly specialized and will be required to have advanced training.  Higher forms of engineering will be required.

    Get into it now while it is still a new thing.  (Actually the cloud is almost 20 years old and is just reaching the V2 stage.  V3 will be the killer.)


    \_(ツ)_/

    Wednesday, February 12, 2020 12:30 PM