ServerCertificateValidationCallback has no effect on Invoke-WebRequest

[snobu]

As stated in Example 2 here,

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }

has no effect on Invoke-WebRequest or Invoke-RestMethod, establishing the TLS session will still fail if the remote presents a self-signed certificate.

PS> [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }
PS> Invoke-RestMethod -URI https://selfsigned.badssl.com

Invoke-RestMethod : The underlying connection was closed:
An unexpected error occurred on a send.

At line:1 char:1
+ invoke-restmethod -uri https://selfsigned.badssl.com
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest)
[Invoke-RestMethod],WebException    + FullyQualifiedErrorId : WebCmdletWebResponseException,
Microsoft.PowerShell.Commands.InvokeRestMethodCommand

PS> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.15063.138
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.15063.138
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Looks like it only works when calling straight into the assembly:

$apiReq = [System.Net.HttpWebRequest]::CreateHttp($url)
$apiRes = $apiReq.GetResponse()

The TLS handshake is successful now.

This is not kosher, definitely needs to be addressed.

[thezim]

@snobu This is what I typically use for non-core versions of PowerShell as @markekraus mentioned.

Add-Type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
             ServicePoint srvPoint, X509Certificate certificate,
             WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

Perhaps you could verify the above and submit a PR to correct the 5.1 documentation.

[markekraus]

This has been removed from the documentation in #1870

[jfaltys]

Sorry to add on to this. I cannot seem to get it to work in any way whatsoever. Here is my script and output. http returns the expected outcome, but https does not.

$url = "https://10.1.135.20/getxml?location=/Status"
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$True}
    $webclient = [System.Net.HttpWebRequest]::CreateHttp($url)
    $webclient.Credentials = Import-Clixml cred.xml
    $response = $webclient.GetResponse()
    $psversiontable

Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: An unexpected error occurred on a send."
At line:6 char:5
+     $response = $webclient.GetResponse()
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException
 

Name                           Value                                                                                                                                                        
----                           -----                                                                                                                                                        
PSVersion                      5.1.15063.1155                                                                                                                                               
PSEdition                      Desktop                                                                                                                                                      
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}                                                                                                                                      
BuildVersion                   10.0.15063.1155                                                                                                                                              
CLRVersion                     4.0.30319.42000                                                                                                                                              
WSManStackVersion              3.0                                                                                                                                                          
PSRemotingProtocolVersion      2.3                                                                                                                                                          
SerializationVersion           1.1.0.1     

[snobu]

I can't repro on PSVersion 5.1.17134.112, unfortunately i don't have your exact build handy.
Try this as target URL: https://selfsigned.badssl.com, you should get a HTTP 421 if TLS is successful.

If that works maybe there's something more to it, maybe the TLS version should be higher and that's why it breaks, not because of the chain verify - see this section here for a workaround.

[joeyaiello]

Closing due to changes in #1870