Today I had a interesting issue. I could not connect to the PowerShell Gallery anymore. The horror, the horror...
Here's the thing; I'm working on hardening Windows servers, and one of the settings I'm implementing is disabling TLS 1.0. It's known for quite a while that Microsoft is working on disabling TLS 1.0 everywhere. So I want to be a good boy and follow the industry moves.
But if you're disabling TLS 1.0, and your .NET application is using a .NET framework older than 4.7, then akward issues can arise. For example, I had the following issues (which I assume is not a definitive list):
- Could not connect to the PowerShell gallery with for example Find-Module;
- Could not use my MSI enabled Azure Virtual Machine anymore (which has Commvault Proxy Agent installed, which can make use of the MSI functionality).
It turns out the problem is that strong cryptography is not enabled in .NET versions older than 4.7 by default. And because of this, some .NET applications that uses a .NET version older than 4.7, and TLS 1.0 is disabled, it can cause issues when connecting to ssl endpoints.
My goal was to keep TLS 1.0 disabled, so I needed to implement a fix. It turned out that it's quite easy to do so. You will need to enable the 'SchUseStrongCrypto' flag in the registry of the Windows OS you're on:
With above fix you can keep TLS 1.0 disabled while still having the functionality you need.