Commit 5bf790a

(chocolatey#2902) Ensure PowerShell tasks use SystemDefault TLS
In chocolatey#3123 we changed our default TLS handling to defer to SystemDefault. Subsequently, we have discovered that some versions of Windows PowerShell are explicitly setting the TLS settings away from the SystemDefault. As covered in the previous PR, this is a potential security hazard, and also complicates matters for users in terms of being able to communicate with servers that need TLS 1.3, for example. Rather than tolerate the default from Windows PowerShell, we can inject our own default setting here for our PowerShell host, similar to how we clear out culture settings before running PowerShell tasks.
1 parent 29a0163 commit 5bf790a

1 file changed: +1 -1 lines changed

src/chocolatey/infrastructure.app/services/PowershellService.cs

+1-1
@@ -185,7 +185,7 @@ public string WrapScriptWithModule(string script, IEnumerable<string> hookPreScr
185185
// many issues in existing packages, including upgrading
186186
// Chocolatey from older POSH client due to log errors
187187
//$ErrorActionPreference = 'Stop';
188-
return "[System.Threading.Thread]::CurrentThread.CurrentCulture = '';[System.Threading.Thread]::CurrentThread.CurrentUICulture = ''; & import-module -name '{0}';{2} & '{1}' {3}"
188+
return "[System.Threading.Thread]::CurrentThread.CurrentCulture = '';[System.Threading.Thread]::CurrentThread.CurrentUICulture = '';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::SystemDefault; & import-module -name '{0}';{2} & '{1}' {3}"
189189
.FormatWith(
190190
installerModule,
191191
scriptRunner,
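
Review bot: the new `[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::SystemDefault;` statement on the changed line 188 has no code comment explaining it; the comments directly above only cover `$ErrorActionPreference`. Please add a short comment next to the return saying that the host resets the protocol because some Windows PowerShell versions move it away from SystemDefault, with a pointer to #2902, so a later cleanup of this one-liner does not drop it. Two further points on the same line: the assignment runs before `import-module`, `{2}` and `'{1}' {3}`, so anything those execute can still change the setting afterwards, and it would help to state whether that is intended; and since `$ErrorActionPreference = 'Stop'` is commented out, a failure of this assignment would not stop the rest of the line, so it is worth confirming that every runtime this host supports exposes the `SystemDefault` member.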
