@TravisEz13 It looks like macOS does not support multiple protocols being set at once. This is not surprising as the entire SSL/TLS/Certificate implementation in CoreFX is flakey on macOS where some things work sometimes, not at all, or only partially.

I'm going to logic gate the multi-protocol test cases so they don't run on macOS.

$handler = [System.Net.Http.HttpClientHandler]::new() 
$handler.SslProtocols = [System.Security.Authentication.SslProtocols]::Tls -bor [System.Security.Authentication.SslProtocols]::Tls11
$HttpClient = [System.Net.Http.HttpClient]::New($handler) 
$Response = $HttpClient.GetAsync("https://httpbin.org/user-agent").GetAwaiter().GetResult()

result

Exception calling "GetResult" with "0" argument(s): "The requested security protocol is not supported."
At line:1 char:1
+ $Response = $HttpClient.GetAsync("https://httpbin.org/user-agent").Ge ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : NotSupportedException

ErrorRecord                 : Exception calling "GetResult" with "0" argument(s): "The requested security protocol is not supported."
WasThrownFromThrowStatement : False
Message                     : Exception calling "GetResult" with "0" argument(s): "The requested security protocol is not supported."
Data                        : {System.Management.Automation.Interpreter.InterpretedFrameInfo}
InnerException              : System.NotSupportedException: The requested security protocol is not supported.
                                 at System.Net.Http.CurlHandler.SslProvider.SetSslVersion(EasyRequest easy)
                                 at System.Net.Http.CurlHandler.SslProvider.SetSslOptions(EasyRequest easy, ClientCertificateOption clientCertOption)
                                 at System.Net.Http.CurlHandler.EasyRequest.InitializeCurl()
                                 at System.Net.Http.CurlHandler.MultiAgent.ActivateNewRequest(EasyRequest easy)
                              --- End of stack trace from previous location where exception was thrown ---
                                 at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                                 at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                                 at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
                                 at System.Net.Http.HttpClient.<FinishSendAsyncBuffered>d__58.MoveNext()
                              --- End of stack trace from previous location where exception was thrown ---
                                 at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                                 at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                                 at CallSite.Target(Closure , CallSite , Object )
TargetSite                  : Void ConvertToMethodInvocationException(System.Exception, System.Type, System.String, Int32, System.Reflection.MemberInfo)
StackTrace                  :    at System.Management.Automation.ExceptionHandlingOps.ConvertToMethodInvocationException(Exception exception, Type typeToThrow, String meth
                              odName, Int32 numArgs, MemberInfo memberInfo)
                                 at CallSite.Target(Closure , CallSite , Object )
                                 at System.Dynamic.UpdateDelegates.UpdateAndExecute1[T0,TRet](CallSite site, T0 arg0)
                                 at System.Management.Automation.Interpreter.DynamicInstruction`2.Run(InterpretedFrame frame)
                                 at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
HelpLink                    :
Source                      : System.Management.Automation
HResult                     : -2146233087

Hmm. It looks like the 'Tls, Tls12' failure on Linux is a possible CoreFX bug. It appears it doesn't honor the Tls12 property when it is supplied with Tls and instead tries to use Tls only. All the other combinations work, including 'Tls, Tls11, Tls12', 'Tls11, Tls12', and 'Tls12'.

$url = Get-WebListenerUrl -Test Get -Https -SslProtocol Tls12
$handler = [System.Net.Http.HttpClientHandler]::new() 
$handler.ServerCertificateCustomValidationCallback = [System.Net.Http.HttpClientHandler]::DangerousAcceptAnyServerCertificateValidator
$handler.SslProtocols = [System.Security.Authentication.SslProtocols]::Tls -bor [System.Security.Authentication.SslProtocols]::Tls12
$HttpClient = [System.Net.Http.HttpClient]::New($handler) 
$Response = $HttpClient.GetAsync("$url").GetAwaiter().GetResult()

Message        : An error occurred while sending the request.
Data           : {}
InnerException : System.Net.Http.CurlException: SSL connect error
                    at System.Net.Http.CurlHandler.ThrowIfCURLEError(CURLcode error)
                    at System.Net.Http.CurlHandler.MultiAgent.FinishRequest(StrongToWeakReference`1 easyWrapper, CURLcode messageResult)
TargetSite     : Void Throw()
StackTrace     :    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
                    at System.Net.Http.HttpClient.<FinishSendAsyncBuffered>d__58.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at CallSite.Target(Closure , CallSite , Object )
HelpLink       :
Source         : System.Private.CoreLib
HResult        : 35

I'll logic this one out of being run on both linux and macOS. When I get some time I will open an issue with CoreFX.

In previous years, we had a simple logic when we started with a highest protocol and fallback at a lower.
After it has been recognized as a security hole, I guess the setting of several protocols is irrelevant and we should block it.

@iSazonov Your recommendation is to switch it to a Non-Flags Enum?

My plan was to not document the possibility of multiple protocols and leave as an exercise for advanced users. They don't show up in intellisense and unless someone advanced enough in the l;language took a good look at the Enum, they wouldn't really know.

Multiple protocols work 100% on windows , 99% on linux and 0% on macOS. The linux one is a bug and macOS curl is a known trouble spot in CoreFX that they have been steadily improving.

I'd rather leave it in and let advanced users give it a try than take the option away.

If there is a concern, it could be documented that "setting multiple protocols is possible, though not supported on all platforms".

Thinking about security I believe we lost nothing if remove Flags. @PaulHigin Could you please comment?

@iSazonov you are right in that there is no security loss. But, lets say a user has a contractual agreement to use TLS 1.1 at minimum, they could supply 'Tls11, Tls12' and ensure the endpoint isn't using TLS 1.0. That works perfect on Windows and Linux. Now we take the Flags away the user must now call first with TLS 1.1 and then try again with TLS 1.2.

So no, security loss, but, we do make it harder for the user.

Since POODLE attacks TLS fallbacks was disabled. Currently only client moderated fallbacks is allowed by means of TLS_FALLBACK_SCSV fake cipher suite.
I'm sure this is a lower level API than PowerShell. I don't know if CoreFX support this. If no so there's no point in specifying multiple protocols.
If CoreFX could support this, we could indicate Tls12,Tls11, which would mean: try to connect with Tls12, if server reply with TLS_FALLBACK_SCSV then use Tls11.

@iSazonov I'm not exactly sure what is being done, but I know for a fact from the tests in This PR, that if you supply Tls12, Tls11 to a Tls12 endpoint it works, to a Tls11 endpoints it works, to a Tls endpoint it fails. So at the very least it is allow for only Tls12 and Tls11 endpoints.

This design is similar to most browsers. I don't think we need to remove fallback. The user can of course specify just one protocol. We are giving the user the control.

The design - yes, most of browsers has check boxes to select some protocols. But its behavior is secure - all of browsers disable fallback since POODLE discovered. Currently client and server must support TLS_FALLBACK_SCSV to do moderated fallback. If PowerShell and .Net Core allow to select some protocols and don't support TLS_FALLBACK_SCSV - it is security hole, an user using PowerShell can be redirected to a fake (Azure) server.

@iSazonov I do not follow your logic.

User has a requirement to NOT use TLS 1.0. The user supplies -SslProtocol 'Tls11, Tls12'. Here are the conditions of the endpoint:

I'm not sure how POODLE is even a problem since SSL 3.0 is not even supported in CoreFX by the HttpClient.

When HttpClientHandler.SslProtocols is not set, supplied None, or supplied Tls, Tls11, Tls12 they act exactly the same except for the logic to determine which Flags were supplied. So if this is insecure, for some reason, it is already insecure and supplying multiple Flags doesn't change that. At the very least, it offers enhanced security because at least the user can disallow a specific protocol.

@markekraus Currently not only TLS->SSL fallback is security hole, TLS high level -> TLS low level also is security hole and is under the prohibition. If PowerShell is trying to connect with TLS 1.2 and server reject the connection, PowerShell shouldn't fallback to TLS 1.1 in classic way (only by supporting TLS_FALLBACK_SCSV).
So main question is - do underline system (CoreFX) implement the fallback on TLS_FALLBACK_SCSV? If yes I am fine with setting many protocols, if no I believe we shouldn't violate security and the modern standard for the TLS_FALLBACK_SCSV fallback.

Also if today CoreFX don't implement the same behavior for all platforms it is better for script portability to be limited to one protocol.

@iSazonov I doesn't matter. if the user doesn't want TLS 1.0, or TLS 1,1, they specify -SslProtocol 'Tls12' The connection will not work on anything other than TLS 1.2. The test in this PR prove that.

Also if today CoreFX don't implement the same behavior for all platforms it is better for script portability to be limited to one protocol.

Then we should rip out all of our security features for macOS since they are all partially or not supported or only work under the right circumstances. or, we should completely rip out these cmdlets from macOS because the entire CoreFX HttpClient implementation on macOS is riddled with issues. When we go RTM I am expecting macOS users to flood with web cmdlets issue. CoreFX is just weak there.

This kind of thing just needs to be documented and to a degree it will be expected by users. Python, PHP, and other cross-platform languages have plenty of their own cross-platform implementation quirks. Something being either not supported on one platform or partially supported on another never stops other languages from implementing enhancements for a majority of platforms.

Again, multiple protocols works 100% on Windows, 99% on Linux (the one instance that doesn't work appears to be a bug in CoreFX) and not at all on macOS. I don't think throwing the feature out just because macOS and CoreFX have issues with libcurl is worth it, when all windows platforms, and almost all Linux platforms will support it. If we start down that path we will never get to implement anything that is an improvement for most platforms just because one platform happens to be fragile. If this only worked on Windows, then maybe I would agree it's not worth implementing.

CoreFX will have better support for these things in macOS in the future. Their issues are littered with HttpClient implementation issues on macOS. They know it's a weak point and we should acknowledge it as one for ourselves as well.

we should completely rip out these cmdlets from macOS because the entire CoreFX HttpClient implementation on macOS is riddled with issues.

If I were a user of PowerShell on MacOs, I'd feel cheated if I had cmdlets that didn't work.

If I were a user of PowerShell on MacOs, I'd feel cheated if I had cmdlets that didn't work.

I'd rather have a web cmdlets that at least works for the most part with basic web calls than none at all. Even if certain features aren't all supported on my platform, I'd still want it. The point is that partial support is better than none at all.

If we need to remove a disable the cmdlets for macOS file another issue. For the fallback issue, I think fallback is a required feature based on past experience. If we need a more restricted fallback, I think we would need support for .NET to support that.

I'm leaving a note here for those who view this discussion in the future and for clarity to avoid panic:

The issues I have seen with HttpClient on macOS are not reliably reproducible. I am uncertain how much of it relates to an instability of CoreFX on macOS or just consistent bad luck and phantom external issues.

For the most part, simple HTTP calls work to a high rate of success. However, they will randomly fail even in our tests in this project for macOS where they are not failing for the same tests in Windows and Linux. Some of that maybe Travis CI related. However, since I acquired a macOS machine to test with I have seen similar stability issues on my own machine. Again, I don't know how much of that is just bad luck, my lack of experience with macOS in general, or possible stability issues in CoreFX. I cannot reliably reproduce the issues I find, so it is impossible at my skill level to track down a specific root cause.

As such, I can only say, without solid evidence, that I have general distrust for the stability of HttpClient on CoreFX and thus a similar feeling about the Web Cmdlets which use HttpClient. Without being able to quantify my experience, I cannot recommend the Cmdlets be removed from macOS.

It is clear, however, that many of the features relating to security and encryption are not fully implemented CoreFX on macOS. They work at the basic level depending on how the environment is configured. Sometimes they do not work at all, again, depending on how the environment is configured. However, I do not feel it is prudent to cripple these features for all platforms simply because a single platform cannot full implement them.

@markekraus Clould you please open tracking Issue? It wouldd be usefull for documentating the limitations and tracking CoreFX.

@iSazonov #4650 is related I could just update that. The underlying cause is the same.

I'm not sure if we should open a master issue to track all macOS limitations, or just Web Cmdlets. As I recall, there are several other cmdlets that have issues on macOS but I can't recall which ones immediately.

That would be very good if users were given this description (broken cmdlets) in the documentation (release notes). If you open the issue anyone can complete it at any time.

@iSazonov #5443