(chocolatey#2902) Ensure PowerShell tasks use SystemDefault TLS
In chocolatey#3123 we changed our default TLS handling to defer to SystemDefault.
Subsequently, we have discovered that some versions of Windows
PowerShell are explicitly setting the TLS settings away from the
SystemDefault. As covered in the previous PR, this is a potential
security hazard, and also complicates matters for users in terms of
being able to communicate with servers that need TLS 1.3 for example.

Rather than tolerate the default from Windows PowerShell, we can inject
our own default setting here for our PowerShell host similar to how we
clear out culture settings before running PowerShell tasks.
vexx32 committed May 11, 2023
1 parent 29a0163 commit 5bf790a
Showing 1 changed file with 1 addition and 1 deletion.
Expand Up @@ -185,7 +185,7 @@ public string WrapScriptWithModule(string script, IEnumerable<string> hookPreScr
// many issues in existing packages, including upgrading
// Chocolatey from older POSH client due to log errors
//$ErrorActionPreference = 'Stop';
return "[System.Threading.Thread]::CurrentThread.CurrentCulture = '';[System.Threading.Thread]::CurrentThread.CurrentUICulture = ''; & import-module -name '{0}';{2} & '{1}' {3}"
return "[System.Threading.Thread]::CurrentThread.CurrentCulture = '';[System.Threading.Thread]::CurrentThread.CurrentUICulture = '';[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::SystemDefault; & import-module -name '{0}';{2} & '{1}' {3}"
.FormatWith(
installerModule,
scriptRunner,
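Review bot: the new `[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::SystemDefault;` statement in the returned string has no comment at the point of use; the comment block above it only explains the disabled `$ErrorActionPreference = 'Stop'`. A short comment saying that this resets whatever Windows PowerShell configured, with a pointer to chocolatey#2902, would help the next reader of this long one-line string. Two behaviours are worth confirming before merge. First, because `$ErrorActionPreference = 'Stop'` stays commented out, a failure of this assignment would not stop the wrapper, and the package script would then run with the protocol set the host already had; the `SystemDefault` member only exists on .NET Framework 4.7 and later, so that is the case to check. Second, the assignment runs before `import-module` and `& '{1}' {3}`, so it sets a starting value only, and a module or package script that assigns `SecurityProtocol` itself still overrides it. A test that asserts the value seen at the start of a wrapped script would cover both.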