
Invoke-WebRequest does not support TLS 1.2

2018-06-29

I recently had an issue with Invoke-WebRequest (iwr/curl) not connecting to a remote server:

PS C:\> iwr https://www.xf.is
iwr : The request was aborted: Could not create SSL/TLS secure channel.
At line:1 char:1
+ iwr https://www.xf.is
+ ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

The reason is that Invoke-WebRequest uses .NET behind the scenes, and on Windows 10 1803 and older the default .NET settings support only SSLv3/TLS 1.0 (unless the programmer explicitly enables other TLS versions).

PS C:\> [Net.ServicePointManager]::SecurityProtocol
Ssl3, Tls

To fix the default settings you can set the SchUseStrongCrypto registry entry to 1, which enables TLS 1.1 and TLS 1.2 in all .NET programs. The keys are under HKLM, so run the commands from an elevated PowerShell session.

# 64-bit .NET applications (the native registry view)
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord

# 32-bit .NET applications on 64-bit Windows (the Wow6432Node view)
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord

Restart the PowerShell session and the HTTPS connection should work:

PS C:\> [Net.ServicePointManager]::SecurityProtocol
Tls, Tls11, Tls12

PS C:\> iwr https://www.xf.is

StatusCode        : 200
...
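
The checks above can be scripted. The following is an added example, not part of the original post: it reads SchUseStrongCrypto from both registry paths given above, reports which protocols the current session offers, and shows the per-session way of explicitly enabling TLS 1.2 without touching the registry. The function names are hypothetical.

```powershell
# Added example (not from the original post). Function names are hypothetical.
# Run from a 64-bit PowerShell session; a 32-bit session is redirected to
# Wow6432Node for both paths and would report the same view twice.

function Get-StrongCryptoState {
    # The two registry paths are the ones given in the post.
    $views = [ordered]@{
        'native view'      = 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319'
        'Wow6432Node view' = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319'
    }
    foreach ($view in $views.Keys) {
        # A missing key or value yields $null instead of an error.
        $prop  = Get-ItemProperty -Path $views[$view] -Name 'SchUseStrongCrypto' -ErrorAction SilentlyContinue
        $value = if ($prop) { $prop.SchUseStrongCrypto } else { $null }
        [pscustomobject]@{
            View   = $view
            Value  = $value
            Status = if ($null -eq $value) { 'not set' } elseif ($value -eq 1) { 'enabled' } else { 'disabled' }
        }
    }
}

function Get-SessionTlsState {
    $current = [Net.ServicePointManager]::SecurityProtocol
    [pscustomobject]@{
        SecurityProtocol  = $current
        # A value of 0 means the process defers to the operating system defaults.
        UsesSystemDefault = ([int]$current -eq 0)
        OffersTls12       = $current.HasFlag([Net.SecurityProtocolType]::Tls12)
        # SSLv3 still being offered is worth flagging in an audit.
        OffersSsl3        = $current.HasFlag([Net.SecurityProtocolType]::Ssl3)
    }
}

function Enable-SessionTls12 {
    # Adds TLS 1.2 for this process only; nothing is written to the registry.
    [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor
        [Net.SecurityProtocolType]::Tls12
}

Get-StrongCryptoState | Format-Table -AutoSize
Get-SessionTlsState   | Format-List
```

Calling Enable-SessionTls12 before iwr is enough for a single script on a machine where the registry cannot be changed; the setting is lost when the session ends.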