(chocolatey#17) Add TLS option for bootstrapping

Previously, the TLS configuration was set to allow both TLS 1.1 and TLS 1.2. WIth this change, users can explicitly set the TLS versions they want to allow during bootstrapping. The default settings are to allow TLS 1.1 through 1.3, according to the TLS verisons available on the client.
vexx32 · Jun 30, 2022 · 3d9f8ec · 3d9f8ec
1 parent 85ee7fd
commit 3d9f8ec
Show file tree

Hide file tree

Showing 6 changed files with 65 additions and 26 deletions.
diff --git a/chocolatey/plugins/module_utils/Packages.psm1 b/chocolatey/plugins/module_utils/Packages.psm1
@@ -950,21 +950,26 @@ function Install-Chocolatey {
 
         [Parameter()]
         [string]
-        $BootstrapScript
+        $BootstrapScript,
+
+        [Parameter()]
+        [string[]]
+        $BootstrapTlsVersion
     )
 
     $chocoCommand = Get-ChocolateyCommand -IgnoreMissing
     if ($null -eq $chocoCommand) {
         # We need to install chocolatey
-        # Enable TLS1.1/TLS1.2 if they're available but disabled (eg. .NET 4.5)
+        # Enable necessary TLS versions if they're available but disabled.
+        # Default for win_chocolatey is to allow TLS 1.1, 1.2, and 1.3 (if available)
         $protocols = [System.Net.ServicePointManager]::SecurityProtocol -bor [System.Net.SecurityProtocolType]::SystemDefault
 
-        if ([System.Net.SecurityProtocolType].GetMember("Tls11").Count -gt 0) {
-            $protocols = $protocols -bor [System.Net.SecurityProtocolType]::Tls11
-        }
-
-        if ([System.Net.SecurityProtocolType].GetMember("Tls12").Count -gt 0) {
-            $protocols = $protocols -bor [System.Net.SecurityProtocolType]::Tls12
+        foreach ($version in $BootstrapTlsVersion) {
+            # If the TLS version isn't available on the system, this will evaluate to $null and be skipped
+            $value = $version -as [System.Net.SecurityProtocolType]
+            if ($value) {
+                $protocols = $protocols -bor $value
+            }
         }
 
         [System.Net.ServicePointManager]::SecurityProtocol = $protocols

diff --git a/chocolatey/plugins/modules/win_chocolatey.ps1 b/chocolatey/plugins/modules/win_chocolatey.ps1
@@ -33,6 +33,13 @@ function Get-ModuleSpec {
             allow_multiple        = @{ type = "bool"; default = $false }
             allow_prerelease      = @{ type = "bool"; default = $false }
             bootstrap_script      = @{ type = "str"; aliases = "install_ps1", "bootstrap_ps1" }
+            bootstrap_tls_version = @{
+                type = "list"
+                elements = "str"
+                choices = "tls11", "tls12", "tls13"
+                default = "tls11", "tls12", "tls13"
+                aliases = "tls_version", "tls_versions", "bootstrap_tls_versions"
+            }
             architecture          = @{ type = "str"; default = "default"; choices = "default", "x86" }
             choco_args            = @{ type = "list"; elements = "str"; aliases = "licensed_args" }
             force                 = @{ type = "bool"; default = $false }
@@ -89,6 +96,7 @@ $source_username = $module.Params.source_username
 $source_password = $module.Params.source_password
 $state = $module.Params.state
 $timeout = $module.Params.timeout
+$bootstrap_tls_version = $module.Params.bootstrap_tls_version
 $validate_certs = $module.Params.validate_certs
 $version = $module.Params.version
 
@@ -100,6 +108,7 @@ if (-not $validate_certs) {
 
 # get the full path to choco.exe, otherwise install/upgrade to at least 0.10.5
 $installParams = @{
+    BootstrapTlsVersion = $bootstrap_tls_version
     ProxyUrl = $proxy_url
     ProxyUsername = $proxy_username
     ProxyPassword = $proxy_password

diff --git a/chocolatey/plugins/modules/win_chocolatey.py b/chocolatey/plugins/modules/win_chocolatey.py
@@ -81,6 +81,19 @@
     type: str
     version_added: '1.3.0'
     aliases: [ install_ps1, bootstrap_ps1 ]
+  bootstrap_tls_version:
+    description:
+    - Specify the TLS versions used when retrieving and invoking the I(bootstrap_script) to install
+      Chocolatey if it is not already installed on the system.
+    - Does not change the TLS versions used by Chocolatey itself after it has already been installed.
+    - Specified TLS versions may be ignored or unused if the target TLS version is not available on
+      the client.
+    type: list
+    elements: str
+    choices: [ tls11, tls12, tls13 ]
+    default: [ tls11, tls12, tls13 ]
+    version_added: '1.4.0'
+    aliases: [ bootstrap_tls_versions, tls_version, tls_versions ]
   force:
     description:
     - Forces the install of a package, even if it already is installed.

diff --git a/chocolatey/tests/integration/targets/win_chocolatey/tasks/install_tests.yml b/chocolatey/tests/integration/targets/win_chocolatey/tasks/install_tests.yml
@@ -0,0 +1,27 @@
+---
+- name: ensure Chocolatey is not installed
+  win_shell: Get-Item -LiteralPath "C:/ProgramData/chocolatey" -ErrorAction Ignore | Remove-Item -Recurse -Force
+
+- name: install Chocolatey using the test bootstrap script
+  win_chocolatey:
+    name: chocolatey
+    state: present
+    bootstrap_script: "{{ test_choco_bootstrap_script }}"
+
+- name: checking if the bootstrap file has been created
+  win_shell: Get-Content -Path "C:/temp/confirm-bootstrap.txt" -Raw
+  register: bootstrap_file_check
+
+- name: assert bootstrap file has been created
+  assert:
+    that:
+      - (bootstrap_file_check.stdout|from_json).bootstrap
+
+- name: ensure Chocolatey is not installed
+  win_shell: Get-Item -LiteralPath "C:/ProgramData/chocolatey" -ErrorAction Ignore | Remove-Item -Recurse -Force
+
+- name: installing Chocolatey from Community Repository with TLS 1.1 only should fail
+  win_chocolatey:
+    bootstrap_tls_version: [ tls11 ]
+  register: test_tls_version
+  failed_when: not test_tls_version.failed
diff --git a/chocolatey/tests/integration/targets/win_chocolatey/tasks/main.yml b/chocolatey/tests/integration/targets/win_chocolatey/tasks/main.yml
@@ -1,6 +1,9 @@
 ---
 
 - block:
+  - name: run install tests
+    include_tasks: install_tests.yml
+
   - name: run tests
     include_tasks: tests.yml
 

diff --git a/chocolatey/tests/integration/targets/win_chocolatey/tasks/tests.yml b/chocolatey/tests/integration/targets/win_chocolatey/tasks/tests.yml
@@ -694,21 +694,3 @@
     that:
     - not remove_nonexistent_version is changed
     - '"{{ test_choco_package1 }}|0.1.0" in remove_nonexistent_version_result.stdout_lines'
-
-- name: remove existing Chocolatey installation
-  win_shell: Remove-Item -Path "C:/ProgramData/chocolatey" -Recurse -Force
-
-- name: install Chocolatey using the test bootstrap script
-  win_chocolatey:
-    name: chocolatey
-    state: present
-    bootstrap_script: "{{ test_choco_bootstrap_script }}"
-
-- name: checking if the bootstrap file has been created
-  win_shell: Get-Content -Path "C:/temp/confirm-bootstrap.txt" -Raw
-  register: bootstrap_file_check
-
-- name: assert bootstrap file has been created
-  assert:
-    that:
-      - (bootstrap_file_check.stdout|from_json).bootstrap