Problem

Currently users have only two options for dealing with server SSL/TLS certificates with `Invoke-WebRequest` and `Invoke-RestMethod`: the default validation, or skipping validation entirely. Some scenarios warrant tighter control over web requests where a certificate is not fully trusted by the host environment but is known to be trusted by the user. This could include internal web APIs that use a self-signed certificate with a specific thumbprint, or a certificate issued by a known CA that the host does not trust. Conversely, a user may wish to ensure that a certain CA, thumbprint or subject is blocked (a known bad actor).

Also, `[System.Net.ServicePointManager]::ServerCertificateValidationCallback` has no effect in PowerShell Core, and `HttpClient` only uses the settings provided by `HttpClientHandler`.

Proposal

Add a parameter of type `Func<HttpRequestMessage,X509Certificate2,X509Chain,SslPolicyErrors,Boolean>` that accepts a ScriptBlock to both web cmdlets. This is to be set on `HttpClientHandler.ServerCertificateCustomValidationCallback`. `-SkipCertificateCheck` would have priority: if both were supplied, either a parameter exception is thrown, or `-SkipCertificateCheck` is applied and the callback is ignored.

The parameter will be named `CertificateValidationScript`.

For consideration

- What to name this parameter?
- Throw or no throw on clash with `-SkipCertificateCheck`?
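As an added illustration (not part of the proposal or of PowerShell itself), this is the shape of a validation ScriptBlock the proposed `-CertificateValidationScript` could accept, covering the three cases the problem statement lists: pin a specific thumbprint the host does not trust, block a named CA outright, and otherwise keep the default verdict. It assumes PowerShell 7 (for `CertificateRequest`); the `New-DemoCert` helper, the pinned thumbprint and the blocked CA name are constructed for the demo.

```powershell
# Added example, not code from the proposal. Requires PowerShell 7 / .NET Core.
using namespace System.Net.Http
using namespace System.Net.Security
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function New-DemoCert([string]$Subject) {
    # Hypothetical helper: self-signed test certificate built in memory,
    # so no files and no changes to the host trust store are needed.
    $key = [RSA]::Create(2048)
    $req = [CertificateRequest]::new($Subject, $key, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $req.CreateSelfSigned([DateTimeOffset]::UtcNow.AddDays(-1), [DateTimeOffset]::UtcNow.AddDays(30))
}

$internalApi = New-DemoCert 'CN=internal-api.example'   # trusted by the user, not by the host
$blockedCa   = New-DemoCert 'CN=Example Blocked CA'     # constructed CA the user wants rejected

$PinnedThumbprint = $internalApi.Thumbprint
$BlockedIssuer    = $blockedCa.Issuer

# Same signature as HttpClientHandler.ServerCertificateCustomValidationCallback.
$validation = {
    param([HttpRequestMessage]$Request, [X509Certificate2]$Cert, [X509Chain]$Chain, [SslPolicyErrors]$Errors)
    # Deny list wins over everything, even a chain the host would otherwise accept.
    if ($Cert.Issuer -eq $BlockedIssuer) { return $false }
    # Pin: accept this exact certificate despite chain errors caused by the untrusted self-signed root.
    if ($Cert.Thumbprint -eq $PinnedThumbprint) { return $true }
    # Everything else keeps the platform's default verdict.
    return ($Errors -eq [SslPolicyErrors]::None)
}

# Exercise the three paths directly, without a network connection.
$chainErr = [SslPolicyErrors]::RemoteCertificateChainErrors
& $validation $null $internalApi $null $chainErr                   # pinned certificate path
& $validation $null $blockedCa   $null ([SslPolicyErrors]::None)   # blocked issuer path
& $validation $null (New-DemoCert 'CN=other') $null $chainErr      # default verdict path

# Wiring as the proposal describes: cast the ScriptBlock to the delegate type on the handler.
$handler = [HttpClientHandler]::new()
$handler.ServerCertificateCustomValidationCallback =
    [Func[HttpRequestMessage, X509Certificate2, X509Chain, SslPolicyErrors, bool]]$validation
```

The pin check compares the full SHA-1 thumbprint of the leaf certificate, so a renewed certificate on the internal API will fail validation until the pinned value is updated; that is the intended behaviour of pinning, not a defect.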