I am loocking for an option to disable the SSL cert validation for a single websocket connection. My server in question uses a self-signed certificate only.
This is the Powershell code that I have so far:
$server = 'server1'
$cred = Get-Credential -Message "Credentials to access '$server'"
# setting credentials for any required proxy-authentication:
[System.Net.WebRequest]::DefaultWebProxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
# define settings for http-client:
Add-Type -AssemblyName System.Net.Http
$handler = [System.Net.Http.HttpClientHandler]::new()
$ignoreCerts = [System.Net.Http.HttpClientHandler]::DangerousAcceptAnyServerCertificateValidator
$handler.ServerCertificateCustomValidationCallback = $ignoreCerts
$handler.Credentials = $cred
$handler.PreAuthenticate = $true
$client = [System.Net.Http.HttpClient]::new($handler)
# generate websocket-key:
$init = [guid]::NewGuid().Guid.Substring(0,16)
$bytes = [System.Text.Encoding]::UTF8.GetBytes($init)
$key = [Convert]::ToBase64String($bytes)
# request protocol switch:
$url = [string]::Concat('https://', $server)
$client.DefaultRequestHeaders.Add('Connection', 'Upgrade,Keep-Alive')
$client.DefaultRequestHeaders.Add('Upgrade', 'WebSocket')
$client.DefaultRequestHeaders.Add('Sec-WebSocket-Version', '13')
$client.DefaultRequestHeaders.Add('Sec-WebSocket-Key', $key)
$client.DefaultRequestHeaders.Add('Origin', "wss://$server")
$response = $client.GetAsync($url).result
if ($response.StatusCode -eq 'BadGateway'){break}
Here I need a better solution than this "big bang" approach. In best case I am able to disable the cert validation only for this single websocket client/connection like I could do it for the above http-handler:
# skip SSL-Validation for websocket communication:
add-type #"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
public bool CheckValidationResult(
ServicePoint srvPoint, X509Certificate certificate,
WebRequest request, int certificateProblem) {
return true;
}
}
"#
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
If cert-validation is disabled, then we can do a quick connection-test to the server:
$ws = [System.Net.WebSockets.ClientWebSocket]::new()
$ct = [System.Threading.CancellationToken]::new($false)
$url = [string]::Concat('wss://', $server)
# connect to server:
$conn = $ws.ConnectAsync($url, $ct)
$null = [Threading.Tasks.Task]::WaitAll($conn)
# check websocket-status:
$ws | ft -AutoSize
Related
How do I programmatically change the Enabled Purposes of a Certificate Authority, in the relevant Windows Certificate Store, using PowerShell?
This is possible to do in the Certificates MMC snap-in
Is this only possible using P/Invoke with CertSetCertificateContextProperty as per StackOverflow: How to set certificate purposes? {C#}
Ideally, I want to import a custom Trusted Root Certificate Authority and only enable it for the purpose of Client Authentication.
A PowerShell Cmdlet that uses CertSetCertificateContextProperty at it's core. Thank you to Crypt32 and their answer on another post for guidance.
Example Usage:
Set-CertificateEku -StoreLocation 'CurrentUser' -StoreName 'Root' -CertificateThumbprint 'ffffffffffffffffffffffffffffffffffffffff' -Oids #("1.3.6.1.5.5.7.3.2") # Client Authentication
Function Set-CertificateEku {
[CmdletBinding()]
Param(
[Parameter(Mandatory)]
[ValidateSet('CurrentUser', 'LocalMachine')]
$StoreLocation,
[Parameter(Mandatory)]
$StoreName,
[Parameter(Mandatory)]
$CertificateThumbprint,
[Parameter(Mandatory)]
$Oids
)
$StoreLocation = switch($StoreLocation) {
'CurrentUser' {
[System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser
}
'LocalMachine' {
[System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
}
}
try {
$CertificateStore = [System.Security.Cryptography.X509Certificates.X509Store]::new($StoreName, $StoreLocation)
$CertificateStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite -bor [System.Security.Cryptography.X509Certificates.OpenFlags]::OpenExistingOnly)
} catch {
Write-Error "Could not Open Certificate Store $StoreName in $StoreLocation"
return $false
}
$Certificates = $CertificateStore.Certificates.Find(
[System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
$CertificateThumbprint,
$false
)
if($Certificates.Count -eq 0) {
Write-Error "Could not find Certificate $CertificateThumbprint in $StoreName in $StoreLocation"
return $false
}
$Certificate = $Certificates[0]
$PKICrypt32 = #"
[DllImport("Crypt32.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern bool CertSetCertificateContextProperty(
IntPtr pCertContext,
uint dwPropId,
uint dwFlags,
IntPtr pvData
);
[StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
public struct CRYPTOAPI_BLOB {
public uint cbData;
public IntPtr pbData;
}
"#
Add-Type -MemberDefinition $PKICrypt32 -Namespace 'PKI' -Name 'Crypt32'
$OIDs = [Security.Cryptography.OidCollection]::new()
foreach($Oid in $Oids) {
[void]$OIDs.Add([Security.Cryptography.Oid]::new($Oid))
}
$EKU = [Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]::new($OIDs, $false)
$pbData = [Runtime.InteropServices.Marshal]::AllocHGlobal($EKU.RawData.Length)
[Runtime.InteropServices.Marshal]::Copy($EKU.RawData, 0, $pbData, $EKU.RawData.Length)
$Blob = New-Object PKI.Crypt32+CRYPTOAPI_BLOB -Property #{
cbData = $EKU.RawData.Length;
pbData = $pbData;
}
$pvData = [Runtime.InteropServices.Marshal]::AllocHGlobal([Runtime.InteropServices.Marshal]::SizeOf([type][PKI.Crypt32+CRYPTOAPI_BLOB]))
[Runtime.InteropServices.Marshal]::StructureToPtr($Blob, $pvData, $false)
$Result = [PKI.Crypt32]::CertSetCertificateContextProperty($Certificate.Handle, 9, 0, $pvData)
[Runtime.InteropServices.Marshal]::FreeHGlobal($pvData)
[Runtime.InteropServices.Marshal]::FreeHGlobal($pbData)
$CertificateStore.Close()
return $Result
}
Ive tried connecting to an ftp with the following powershell script:
#FTP Server Information - SET VARIABLES
$ftp = "ftp://XXX.com/"
$user = 'UserName'
$pass = 'Password'
$folder = 'FTP_Folder'
$target = "C:\Folder\Folder1\"
#SET CREDENTIALS
$credentials = new-object System.Net.NetworkCredential($user, $pass)
function Get-FtpDir ($url,$credentials) {
$request = [Net.WebRequest]::Create($url)
$request.Method = [System.Net.WebRequestMethods+FTP]::ListDirectory
if ($credentials) { $request.Credentials = $credentials }
$response = $request.GetResponse()
$reader = New-Object IO.StreamReader $response.GetResponseStream()
while(-not $reader.EndOfStream) {
$reader.ReadLine()
}
#$reader.ReadToEnd()
$reader.Close()
$response.Close()
}
#SET FOLDER PATH
$folderPath= $ftp + "/" + $folder + "/"
$files = Get-FTPDir -url $folderPath -credentials $credentials
$files
$webclient = New-Object System.Net.WebClient
$webclient.Credentials = New-Object System.Net.NetworkCredential($user,$pass)
$counter = 0
foreach ($file in ($files | where {$_ -like "*.txt"})){
$source=$folderPath + $file
$destination = $target + $file
$webclient.DownloadFile($source, $target+$file)
#PRINT FILE NAME AND COUNTER
$counter++
$counter
$source
}
But i keep getting 530 error (authentication error) when connecting. I know the username and password is working cause i've tested it in other ftp clients.
So, i think it might be a problem because the webapp demands a certain protocol, which isnt used in this script.
Ive been doing some research and i found something called Posh-SSH which might work. But is there a way to modify my script instead? When im connecting with winscp i use FTP protocol with TLS/SSL implicit encryption to port 990.
UPDATE: WORKS
I made the following work:
#FTP Server Information - SET VARIABLES
$ftp = "ftp://waws-prod-xxx.ftp.azurewebsites.windows.net"
$user = 'xxxxx\xxxxx#email.com'
$pass = '$FRnqxxpxxxxxxx'
$folder = 'site/wwwroot/wwwroot/images/uploaded'
$target = "C:\Folder\Folder1\"
#SET CREDENTIALS
$credentials = new-object System.Net.NetworkCredential($user, $pass)
function Get-FtpDir ($url,$credentials) {
$request = [Net.WebRequest]::Create($url)
$request.Method = [System.Net.WebRequestMethods+FTP]::ListDirectory
if ($credentials) { $request.Credentials = $credentials }
$response = $request.GetResponse()
$reader = New-Object IO.StreamReader $response.GetResponseStream()
while(-not $reader.EndOfStream) {
$reader.ReadLine()
}
#$reader.ReadToEnd()
$reader.Close()
$response.Close()
}
#SET FOLDER PATH
$folderPath= $ftp + "/" + $folder + "/"
$files = Get-FTPDir -url $folderPath -credentials $credentials
Write-Host($files)
$files
$webclient = New-Object System.Net.WebClient
$webclient.Credentials = New-Object System.Net.NetworkCredential($user,$pass)
$counter = 0
foreach ($file in ($files)){
$source=$folderPath + $file
$destination = $target + $file
$webclient.DownloadFile($source, $target+$file)
#PRINT FILE NAME AND COUNTER
$counter++
$counter
$source
}
I ended up adding a new credential to the web app, and changing sftp in hostname to ftp, and now it works. Using the credentials from webpublish file works too.
I also made WinSCP work and im able to download the full folder with children.
#FTP Server Information - SET VARIABLES
$ftp = "waws-prod-xxx-xxx.ftp.azurewebsites.windows.net"
$user = 'xxxxxx\xxxx#xxxxx.no'
$pass = '$xxxxxxxxx'
$folder = 'site/wwwroot/wwwroot/images/uploaded/*'
$target = "C:\Folder\Folder1\*"
# Load WinSCP .NET assembly
Add-Type -Path "WinSCPnet.dll"
# Setup session options
$sessionOptions = New-Object WinSCP.SessionOptions -Property #{
Protocol = [WinSCP.Protocol]::Ftp
HostName = $ftp
UserName = $user
Password = $pass
}
$session = New-Object WinSCP.Session
try
{
# Connect
$session.Open($sessionOptions)
# Download files
$session.GetFiles($folder, $target).Check()
}
finally
{
# Disconnect, clean up
$session.Dispose()
}
FtpWebRequest (nor any other built-in .NET FTP API) does not support implicit TLS/SSL encryption.
See Does .NET FtpWebRequest Support both Implicit (FTPS) and explicit (FTPES)?
Posh-SSH is SSH/SFTP library. It has nothing to do with FTP.
And as you get an "authentication error", I believe your problem is actually different. Double check your credentials. You are probably using wrong ones in your code.
Also, if WinSCP works for you, you can use WinSCP .NET assembly from the PowerShell. WinSCP GUI can even generate a code template for you, based on your working GUI session.
I have written a script that will extract a large number of URLs from an excel spreadsheet and then make a web request and fetch the certificate information.
I am very new to powershell and have never worked to debug or process exception/error handling.
In my process there are certain points the script will just hang, no error is thrown and it does not terminate, just hangs for and indefinite period of time. Sometimes its a couple minutes other times a couple seconds.
I am trying to figure out if I can correct something in my code or if this hang is simply because of the servers I am contacting.
function GetCertificates($url) {
# // create a request
$req = [System.Net.WebRequest]::create($url)
$req.Method = "GET"
$req.Timeout = 600000 # = 10 minutes
# // set the proxy for connection
$proxy = New-Object System.Net.WebProxy "proxy.com:8000"
$req.Proxy = $proxy
# // Set if you need a username/password to access the resource
$Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
#$req.Credentials = New-Object Net.NetworkCredential("username", "password");
$req.Credentials = $Credentials
$req.UserAgent = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT; Windows NT 6.1; en-US)"
try {
[Net.HttpWebResponse] $result = $req.GetResponse()
}
catch {}
# // define the cert
$cert = ''
$cert = $req.ServicePoint.Certificate
$httpstatuscode = [int]$result.StatusCode
try {
[IO.Stream] $stream = $result.GetResponseStream()
[IO.StreamReader] $reader = New-Object IO.StreamReader($stream)
[string] $output = $reader.readToEnd()
$stream.flush()
$stream.close()
}
catch {}
# // write the results
Write-host $url
Write-host "Issued By : " $cert.Issuer
#Write-host "Subject : " $cert.Subject
#Write-host "Issued On : " $cert.GetEffectiveDateString()
#Write-host "Expires On : " $cert.GetExpirationDateString()
}
function GetExcel{
# // import the csv file
$xcel = import-csv C:\Users\Desktop\excel.csv
# // extract and run the URLs for only required TYPEs
$xcel | foreach{
if
($_.TYPE -like "u_external_url" -or "qa_url" -or "u_load_balancing_url")
{GetCertificates $_.URL}
return $_.APP_ID
}
}
I am currently trying to send an email through powershell with a populated mileage field in order for outlook to pick up on.
The email goes through fine but I am unable to get a value through for the 'Mileage' Field.
$SMTPName = ''
$EmailMessage = new-object Net.Mail.MailMessage
$SMTPServer = new-object Net.Mail.SmtpClient($SMTPName)
$EmailMessage.Headers.Add("Mileage", "HB")
$EmailMessage.From = ''
$EmailMessage.To.Add('')
$EmailMessage.Subject = $sub
$EmailMessage.Body = $body
$EmailMessage.Priority = [System.Net.Mail.MailPriority]::High
$SMTPServer.Send($EmailMessage)
Mileage is a MAPI property so you will need to send the message with either Outlook or EWS eg the following should work to send a message with that property set in EWS
## Get the Mailbox to Access from the 1st commandline argument
$MailboxName = $args[0]
## Load Managed API dll
Add-Type -Path "C:\Program Files\Microsoft\Exchange\Web Services\1.2\Microsoft.Exchange.WebServices.dll"
## Set Exchange Version
$ExchangeVersion = [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2010_SP2
## Create Exchange Service Object
$service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService($ExchangeVersion)
## Set Credentials to use two options are availible Option1 to use explict credentials or Option 2 use the Default (logged On) credentials
#Credentials Option 1 using UPN for the windows Account
$psCred = Get-Credential
$creds = New-Object System.Net.NetworkCredential($psCred.UserName.ToString(),$psCred.GetNetworkCredential().password.ToString())
$service.Credentials = $creds
#Credentials Option 2
#service.UseDefaultCredentials = $true
## Choose to ignore any SSL Warning issues caused by Self Signed Certificates
## Code From http://poshcode.org/624
## Create a compilation environment
$Provider=New-Object Microsoft.CSharp.CSharpCodeProvider
$Compiler=$Provider.CreateCompiler()
$Params=New-Object System.CodeDom.Compiler.CompilerParameters
$Params.GenerateExecutable=$False
$Params.GenerateInMemory=$True
$Params.IncludeDebugInformation=$False
$Params.ReferencedAssemblies.Add("System.DLL") | Out-Null
$TASource=#'
namespace Local.ToolkitExtensions.Net.CertificatePolicy{
public class TrustAll : System.Net.ICertificatePolicy {
public TrustAll() {
}
public bool CheckValidationResult(System.Net.ServicePoint sp,
System.Security.Cryptography.X509Certificates.X509Certificate cert,
System.Net.WebRequest req, int problem) {
return true;
}
}
}
'#
$TAResults=$Provider.CompileAssemblyFromSource($Params,$TASource)
$TAAssembly=$TAResults.CompiledAssembly
## We now create an instance of the TrustAll and attach it to the ServicePointManager
$TrustAll=$TAAssembly.CreateInstance("Local.ToolkitExtensions.Net.CertificatePolicy.TrustAll")
[System.Net.ServicePointManager]::CertificatePolicy=$TrustAll
## end code from http://poshcode.org/624
## Set the URL of the CAS (Client Access Server) to use two options are availbe to use Autodiscover to find the CAS URL or Hardcode the CAS to use
#CAS URL Option 1 Autodiscover
$service.AutodiscoverUrl($MailboxName,{$true})
"Using CAS Server : " + $Service.url
#CAS URL Option 2 Hardcoded
#$uri=[system.URI] "https://casservername/ews/exchange.asmx"
#$service.Url = $uri
## Optional section for Exchange Impersonation
#$service.ImpersonatedUserId = new-object Microsoft.Exchange.WebServices.Data.ImpersonatedUserId([Microsoft.Exchange.WebServices.Data.ConnectingIdType]::SmtpAddress, $MailboxName)
$EmailMessage = New-Object Microsoft.Exchange.WebServices.Data.EmailMessage -ArgumentList $service
$EmailMessage.Subject = "Message Subject"
#Add Recipients
$EmailMessage.ToRecipients.Add("user#domain.com")
$EmailMessage.Body = New-Object Microsoft.Exchange.WebServices.Data.MessageBody
$EmailMessage.Body.BodyType = [Microsoft.Exchange.WebServices.Data.BodyType]::HTML
$EmailMessage.Body.Text = "Body"
$Mileage = New-Object Microsoft.Exchange.WebServices.Data.ExtendedPropertyDefinition([Microsoft.Exchange.WebServices.Data.DefaultExtendedPropertySet]::Common,34100,[Microsoft.Exchange.WebServices.Data.MapiPropertyType]::String);
$EmailMessage.SetExtendedProperty($Mileage,"HB")
$EmailMessage.SendAndSaveCopy() enter code here
This in continuation to one of my previous queries Invoke-WebRequest equivalent in PowerShell v2
Im trying to run the below script, it ran 2-3 timed but after that im repeatedly getting the below timed out error
Exception calling "GetRequestStream" with "0" argument(s): "The operation has timed out"
Here's the script
function Invoke_Workflow {
param(
[Parameter(Mandatory=$True)]
[string]$arg,
[Parameter(Mandatory=$True)]
[string]$whostname,
[Parameter(Mandatory=$True)]
[string]$uuid,
[Parameter(Mandatory=$True)]
[string]$wfname,
[Parameter(Mandatory=$True)]
[string]$wpassword,
[Parameter(Mandatory=$True)]
[string]$wusername
)
$body =
"<wInput>
<userInputValues>
<userInputEntry value='$arg' key='stringArgument'/>
</userInputValues>
<executionDateAndTime></executionDateAndTime>
<comments></comments>
</wInput>"
# Disable certificate validation using certificate policy that ignores all certificates
add-type #"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class IDontCarePolicy : ICertificatePolicy {
public IDontCarePolicy() {}
public bool CheckValidationResult(
ServicePoint sPoint, X509Certificate cert,
WebRequest wRequest, int certProb) {
return true;
}
}
"#
[System.Net.ServicePointManager]::CertificatePolicy = new-object IDontCarePolicy
$password = ConvertTo-SecureString $wfapassword -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($wfausername, $password)
$request = [System.Net.WebRequest]::Create($URI1)
$request.ContentType = "application/xml"
$request.Method = "POST"
$request.Credentials = $credential
# $request | Get-Member for a list of methods and properties
try
{
$request.ServicePoint.MaxIdleTime = 5000;
$request.ServicePoint.ConnectionLeaseTimeout = 5000;
$requestStream = $request.GetRequestStream()
$streamWriter = New-Object System.IO.StreamWriter($requestStream)
$streamWriter.Write($body)
}
finally
{
if ($null -ne $streamWriter) { $streamWriter.Dispose() }
if ($null -ne $requestStream) { $requestStream.Dispose() }
}
$res = $request.GetResponse()
$request.Abort()
}
Problem is most likely related to the default Servicepoint connection limit which is 2.
You can increase it (10 as an example below) and if you are making many requests in a single powershell session then adding a check of the currentconnection count and clearing them (8 as an example below) prior to reaching the set connection limit:
$request.ServicePoint.ConnectionLimit =10;
$conn=$request.ServicePoint.CurrentConnections
If ($conn -ge 8) {
$request.ServicePoint.CloseConnectionGroup("")
}