On OS X powershell loads the system libcurl which fails custom SSL certificate validation #2211

Closed
atanasa opened this issue Sep 8, 2016 · 5 comments · Fixed by #2311

@atanasa

atanasa commented Sep 8, 2016

Steps to reproduce

1. Install powershell
2. Run any code/cmdlet that tries to validate ssl certificates through HttpClientHandler.ServerCertificateCustomValidationCallback

Expected behavior

Certificates are validated

Actual behavior

Error:
"One or more errors occurred. (The libcurl library in use (7.43.0) and its SSL backend ("SecureTransport") do not support custom handling of certificates. A libcurl built with OpenSSL is required.)"

Environment data

> $PSVersionTable

Name                           Value                                           
----                           -----                                           
PSVersion                      6.0.0-alpha                                     
PSEdition                      Core                                            
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}                         
BuildVersion                   3.0.0.0                                         
GitCommitId                    v6.0.0-alpha.9                                  
CLRVersion                                                                     
WSManStackVersion              3.0                                             
PSRemotingProtocolVersion      2.3                                             
SerializationVersion           1.1.0.1 

The output of

otool -L /usr/local/microsoft/powershell/6.0.0-alpha.9/System.Net.Http.Native.dylib
/usr/local/microsoft/powershell/6.0.0-alpha.9/System.Net.Http.Native.dylib:
    @rpath/System.Net.Http.Native.dylib (compatibility version 0.0.0, current version 0.0.0)
    /usr/lib/libcurl.4.dylib (compatibility version 7.0.0, current version 8.0.0)
    /usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 120.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1213.0.0)

Note the path where libcurl is being loaded from.

If I manually patch it by running:

brew install curl --with-openssl
sudo install_name_tool -change /usr/lib/libcurl.4.dylib /usr/local/opt/curl/lib/libcurl.4.dylib /usr/local/microsoft/powershell/6.0.0-alpha.9/System.Net.Http.Native.dylib

Then it is ok.

This bug is more for corefx, but until it is fixed there it would be good to have some workaround for powershell.

cc @ffeldhaus

@andyleejordan
Member

andyleejordan commented Sep 9, 2016

We already have some workarounds for .NET Core's OpenSSL problems. I agree, this should be added. Please do so 😄 (download.sh, installation documentation, and probably Start-PSBootstrap will need to be touched; my aforementioned workarounds are in #2157).

@SteveL-MSFT added the Area-Maintainers-Build (specific to affecting the build) label Sep 19, 2016

@andyleejordan
Member

Just to reference, the upstream bug for this is https://github.com/dotnet/corefx/issues/9394

@atanasa
Author

atanasa commented Sep 30, 2016

With alpha 10 this is still broken. The System.Security.Cryptography.Native.dylib is also broken in addition to System.Net.Http.Native.dylib.

Steps to reproduce for "System.Security.Cryptography.Native.dylib":

Invoke-RestMethod -Method Get -Uri "https://google.com"

Output:

The type initializer for 'System.Net.Http.CurlHandler' threw an exception.
In an inner exception: Unable to load DLL 'System.Security.Cryptography.Native': The specified module could not be found. (HRESULT: 0x8007007E)

The above is ok after I run:

sudo install_name_tool -add_rpath /usr/local/opt/openssl/lib /usr/local/microsoft/powershell/6.0.0-alpha.10/System.Security.Cryptography.Native.dylib

To test the System.Net.Http.Native.dylib redirection here is a small script:

$handler = new-object "System.Net.Http.HttpClientHandler"
$handler.ServerCertificateCustomValidationCallback = { $true }
$client = new-object "System.Net.Http.HttpClient" -Arg @($handler)
$client.GetStringAsync("https://google.com").GetAwaiter().GetResult()

It still fails with:

Exception calling "GetResult" with "0" argument(s): "The libcurl library in use 
(7.43.0) and its SSL backend ("SecureTransport") do not support custom handling 
of certificates. A libcurl built with OpenSSL is required."

If I run the workaround it is ok (note that it would report an error that it couldn't execute the script block, which is an indicator that the callback was called, so it got redirected ok).
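
A way to confirm that both workarounds described in this thread took effect, as an added example that is not part of the original issue or of the PowerShell project: it parses `otool -L` and `otool -l` output. The function names and the two post-workaround samples are constructed for illustration; treating the `/usr/lib` copy as the SecureTransport build is an assumption taken from the error text and library path quoted in the issue.

```shell
#!/bin/sh
# Added example (not from the thread): verify the two workarounds by parsing otool output.

# Print the libcurl path from `otool -L` output read on stdin.
linked_libcurl() {
    awk '$1 ~ "/libcurl\\.[0-9]+\\.dylib$" { print $1; exit }'
}

# Succeed when that path is the system copy under /usr/lib.
uses_system_libcurl() {
    case "$(linked_libcurl)" in
        /usr/lib/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed when `otool -l` output on stdin has an LC_RPATH entry equal to $1.
has_rpath() {
    awk -v want="$1" '
        $1 == "cmd" { in_rpath = ($2 == "LC_RPATH") }
        in_rpath && $1 == "path" && $2 == want { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# otool -L lines quoted in the issue (before the workaround).
SAMPLE_BEFORE='System.Net.Http.Native.dylib:
    @rpath/System.Net.Http.Native.dylib (compatibility version 0.0.0, current version 0.0.0)
    /usr/lib/libcurl.4.dylib (compatibility version 7.0.0, current version 8.0.0)'

# Constructed sample: the same dependency after install_name_tool -change.
SAMPLE_AFTER='System.Net.Http.Native.dylib:
    /usr/local/opt/curl/lib/libcurl.4.dylib (compatibility version 7.0.0, current version 8.0.0)'

# Constructed sample: an `otool -l` load command after install_name_tool -add_rpath.
SAMPLE_RPATH='Load command 12
          cmd LC_RPATH
      cmdsize 40
         path /usr/local/opt/openssl/lib (offset 12)'

for s in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    if printf '%s\n' "$s" | uses_system_libcurl; then
        echo "system libcurl linked: $(printf '%s\n' "$s" | linked_libcurl)"
    else
        echo "non-system libcurl linked: $(printf '%s\n' "$s" | linked_libcurl)"
    fi
done
printf '%s\n' "$SAMPLE_RPATH" | has_rpath /usr/local/opt/openssl/lib && echo "rpath present"
```

On a Mac, pipe the real tool output into the functions instead of the samples, for example `otool -L <dylib> | uses_system_libcurl`.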

@atanasa
Author

atanasa commented Sep 30, 2016

Has the fix been introduced in Alpha 10?

@andyleejordan
Member

@vors did you re-run Start-PSBootstrap on your Mac before building the alpha.10 package? If not, this fix wouldn't have been picked up.
