Lightworks - can't download version

[majkinetor]

I made AU installer for lightworks in its own branch, however, I can't make it to the version because of this:

> $releases = 'https://www.lwks.com/index.php?option=com_lwks&view=download&Itemid=206&tab=0'
> iwr $releases

Exception calling "GetResponse" with "0" argument(s): 
"The underlying connection was closed: An unexpected error occurred on a send."

It happens if you want to download a page using whatever method - I tried iwr, webclient, webrequest.

Also:

> curl -k $releases
curl: (35) Unknown SSL protocol error in connection to www.lwks.com:443

Wget works on the other hand

> wget $releases
--2016-11-01 11:12:06--  https://www.lwks.com/index.php?option=com_lwks&view=download&Itemid=206&tab=0
Resolving www.lwks.com (www.lwks.com)... 52.203.187.110, 52.44.210.184
Connecting to www.lwks.com (www.lwks.com)|52.203.187.110|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: 'index.php@option=com_lwks&view=download&Itemid=206&tab=0'

index.php@option=com_lwks&view=download&It     [  <=>                                                                                   ]  66.71K   260KB/s   in 0.3s

2016-11-01 11:12:08 (260 KB/s) - 'index.php@option=com_lwks&view=download&Itemid=206&tab=0' saved [68312]

So, I can't get a version now in update.ps1 without using wget. I could take a dependency on it but looks like meh. I would appreciate any help

[jberezanski]

"An unexpected error occurred on a send", "Unknown SSL protocol error" - these errors usually indicate a mismatch of SSL parameters (allowed SSL/TLS versions, enabled cipher suites etc.) between the client and the server.

According to Qualsys SSL test, lwks.com has quite strict SSL configuration - they disable all protocols older than TLS 1.1. On the other hand, for backward compatibility reasons, .NET (and, by extension, PowerShell) has only SSL 3.0 and TLS 1.0 enabled by default(*):

PS C:\> [System.Net.ServicePointManager]::SecurityProtocol
Ssl3, Tls
PS C:\> iwr 'https://www.lwks.com/index.php?option=com_lwks&view=download&Itemid=206&tab=0'
iwr : The underlying connection was closed: An unexpected error occurred on a send.
(...)

.NET applications need to explicitly opt-in to newer TLS version support by setting the SecurityProtocol property of ServicePointManager, for example:

PS C:\> [System.Net.ServicePointManager]::SecurityProtocol = 'Ssl3,Tls,Tls11,Tls12'
PS C:\> iwr 'https://www.lwks.com/index.php?option=com_lwks&view=download&Itemid=206&tab=0'

StatusCode        : 200
StatusDescription : OK
(...)

(my testing environment: Windows 10 1607, .NET 4.6.2, PowerShell 5.1)

(*) Note: although this article claims that starting with .NET 4.6 all TLS protocols should be enabled by default (and I verified it by whipping up a quick C# app), I'm guessing that PowerShell is still compiled against .NET 4.5 (as suggested by its system requirements), which causes it to use the older defaults.

[gep13]

@ferventcoder should be able to provide some input here as well. Fairly sure he has ran into the same thing within the choco client.

[majkinetor]

@jberezanski , thanks for elaborate and epic answer.

[ferventcoder]

Note that if you are using Chocolatey 0.10.1+ with the built-in PowerShell host it is already set appropriately.

https://github.com/chocolatey/choco/blob/e447414d7a49223771a310ef01e9bc24744809ab/src/chocolatey/infrastructure/registration/SecurityProtocol.cs#L36-L38

chocolatey/choco#458

[ferventcoder]

Just adding for awareness that you don't need to do anything special in Chocolatey or chocolateyInstall.ps1 files to take advantage of TLS 1.2.

[gep13]

@ferventcoder said....
Just adding for awareness that you don't need to do anything special in Chocolatey or chocolateyInstall.ps1 files to take advantage of TLS 1.2.

The problem that @majkinetor was having was within the update.ps1 script for AU, in order to find out the latest version of a piece of software. i.e. outside of chocolatey.

[ferventcoder]

I know. I was just saying that this is not an issue in the PowerShell that Chocolatey runs, before anyone gets an ideas about messing with ServicePointManager in there.

[gep13]

Ah, I see, gotcha.