
PowerShell and SHA512 SSL Certificates


It’s a beautiful weekend, and I thought hey, let’s get something quick done in the home lab before going out to the movies %). The other guy on the other end (the lab) says: DREAM ON!!!

I’m tinkering with vCloud Director 9.5 and I needed to connect to the cells via PowerCLI (simple, right?). I launched PowerShell, typed Connect-CIServer fqdn, and all thoughts of going to the movies splintered into smithereens.

Connect-CIServer : 12/22/2018 1:29:42 PM Connect-CIServer No Cloud server was found on https://fqdn:443/api/. I browsed to my vCD cells (two setups) through the browser successfully. All of my cells have CA-signed SSL certificates. I tested accessing the API via Postman, and GET and SET work fine as well. I updated PowerCLI from 11.0.0 to 11.1.0 and saw the same behavior. I tried setting the InvalidCertificateAction PowerCLIConfiguration to Ignore (Set-PowerCLIConfiguration), with the same results.

After exhausting what could be done, I sent a message over Slack on the PowerCLI group and got help from Kyle Ruddy. After going through what I did, he pointed me to this script, Resolve-Error (which turned out to be a real gem). What the script does is this: after you run the cmdlet, you call the function and it outputs all of the exceptions in detail. Here is the output from mine (the output is huge, so I will only show the part which was relevant to resolving the issue):

Status         : SecureChannelFailure
Response       :
Message        : The request was aborted: Could not create SSL/TLS secure channel.
Data           : {}
InnerException :
TargetSite     : System.Net.WebResponse EndGetResponse(System.IAsyncResult)
StackTrace     :    at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
                    at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
HelpLink       :
Source         : System
HResult        : -2146233079

Apparently PowerShell had issues with my SSL certificates after all, but it was too shy to tell me directly!! (Thank you Kyle). So I did another round of investigation, but now I was keen on something:

I know for a fact that I could connect to my vCenter Server/s with no issues, and those were signed by the same CA server. I am not using SHA1 (apologies for the blasphemy) in my environment. I did a quick comparison between my SSL certificates and found out the following: My vCenter Server/s uses a SHA256 signature. My vCD Cells are using a SHA512 signature.

On my jump box I tend to use Chrome, so I don’t touch IE much. On the other hand, for the sake of testing things out, I attempted to access my vCD cells through IE and surprisingly I couldn’t, so apparently we’re on to something.

I did a quick search on “Microsoft IE + SHA512 Certificates” and got this article, “SHA512 is disabled in Windows when you use TLS 1.2”, at the top of the search results.

I downloaded the updates, ran them one after the other, rebooted my jump machine, saw a blue screen on one of the restarts, restarted again, life goes on, and the machine is up %). Fired up PowerShell, invoked the Connect-CIServer command and EUREKA! It worked! Launched IE and attempted to access the vCD cells’ FQDN and it worked fine as well.
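To make the two observations above reproducible from the jump box (which signature algorithm each endpoint presents, and whether the TLS 1.2 handshake itself fails the way Connect-CIServer did), here is a small probe I wrote as an added example; it is not part of the original post or of PowerCLI, and the host names in the usage line are placeholders.

```powershell
# Added example (not from the original post): open an SslStream to an HTTPS endpoint
# the way .NET/PowerShell does, report the server certificate's signature algorithm,
# and surface the "Could not create SSL/TLS secure channel" failure per protocol.
function Test-TlsCertSignature {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols[]]$Protocols = @('Tls12', 'Tls11')
    )
    # Accept-all validation callback: we are inspecting the certificate, not trusting it.
    # Note this does NOT rescue a handshake failure, for the same reason
    # InvalidCertificateAction=Ignore did not help in the post: the channel never gets built.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors) $true
    }
    foreach ($proto in $Protocols) {
        $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($HostName, $null, $proto, $false)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            [pscustomobject]@{
                Host               = $HostName
                Protocol           = $proto
                Handshake          = 'OK'
                Subject            = $cert.Subject
                SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA vs sha512RSA
                NotAfter           = $cert.NotAfter
                Error              = $null
            }
        } catch {
            # On an unpatched Windows client a SHA512-signed chain fails here under TLS 1.2;
            # Connect-CIServer hid this behind "No Cloud server was found".
            [pscustomobject]@{
                Host = $HostName; Protocol = $proto; Handshake = 'FAILED'
                Subject = $null; SignatureAlgorithm = $null; NotAfter = $null
                Error = $_.Exception.GetBaseException().Message
            }
        } finally {
            $ssl.Dispose()
            $tcp.Close()
        }
    }
}

# Usage: compare the endpoints the post contrasts (placeholder host names).
'vcenter.lab.example', 'vcd-cell.lab.example' |
    ForEach-Object { Test-TlsCertSignature -HostName $_ } | Format-Table -AutoSize
```

A vCenter row showing sha256RSA with Handshake OK next to a vCD row showing FAILED under Tls12 (and OK with a sha512RSA algorithm once the updates are installed) is the whole diagnosis in one table.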

There you have it people, it’s 11:00PM as of now and my secure channel skills are at +1 :-P.

I hope this was joyful,

(Abdullah)^2

Clip art resource: FCIT

