Scoop: Support TLS 1.2 - "Could not create SSL/TLS secure channel"
- [X]
set-executionpolicy remotesigned -s currentuserhas been ran - [X] PowerShell 3 or greater is installed
PS C:\WINDOWS\system32> $PSVersionTable.PSVersion
Major Minor Build Revision
----- ----- ----- --------
5 1 16299 248
iex : Exception calling "DownloadFile" with "2" argument(s): "The request was aborted: Could not create SSL/TLS secure
channel."
At line:1 char:1
+ iex (new-object net.webclient).downloadstring('https://get.scoop.sh')
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Invoke-Expression], MethodInvocationException
+ FullyQualifiedErrorId : WebException,Microsoft.PowerShell.Commands.InvokeExpressionCommand
The scoop directory is created within the user profile folder, as well as the %USERPROFILE%\scoop\apps\scoop\current directory, however, they are both empty.
crazy4cs
All 38 comments
My colleague has just tried to install Scoop and also got this problem. I installed it last week and it was fine.
hss-dev
on 23 Feb 2018
What's the output of Get-ExecutionPolicy -List?
r15ch13
on 23 Feb 2018
My colleagues settings were
Scope ExecutionPolicy ----- ---------------MachinePolicy Undefined
UserPolicy Undefined
Process Undefined
CurrentUser RemoteSigned
LocalMachine RemoteSigned
hss-dev
on 23 Feb 2018
Hello I'm having the same issue
ghost
on 23 Feb 2018
Whats the output of [Net.ServicePointManager]::SecurityProtocol?
r15ch13
on 23 Feb 2018
PS C:\Users\chere> [Net.ServicePointManager]::SecurityProtocol
Ssl3, Tls
PS C:\Users\chere>
ghost
on 23 Feb 2018
And if I try to install it again it says:
PS C:\Users\chere> iex (new-object net.webclient).downloadstring('https://get.scoop.sh')
Initializing...
Scoop is already installed. Run 'scoop update' to get the latest version.
PS C:\Users\chere> scoop update
scoop : The term 'scoop' is not recognized as the name of a cmdlet, function, script file, or operable program. Check
the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
- scoop update
~
- CategoryInfo : ObjectNotFound: (scoop:String) [], ParentContainsErrorRecordException
- FullyQualifiedErrorId : CommandNotFoundException
PS C:\Users\chere>
ghost
on 23 Feb 2018
I just ran into this as well on a 'fresh' install of Windows 10 (it was installed from a base image provided by the IT dept, for whatever that's worth). I found that I was able to delete the ~/scoop directory, run the command:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
directly in my prompt, and then re-install with the standard method. That being said, it seems I need to re-run that command in each new powershell window, or I see a bunch of SSL/TLS errors any time I use scoop.
covertcj
on 23 Feb 2018
You can put [Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls" in your Powershell profile (notepad $PROFILE) as a workaround. It seems like something's changed on github's side so they no longer accept TLSv1, which winhttp uses by default. There's also stuff you can fiddle with in the registry to get winhttp to use TLSv1.2 instead.
EDIT: Looks like installing .NET 4.6.1 also changes the default TLS scheme to 1.2.
masaeedu
on 24 Feb 2018
Just updated Windows 10 today and I'm receiving this. I've tried the above suggestions without much luck, although the symptoms are the same, my error is a bit different.
PS C:\Users\Tres> scoop update
Updating Scoop...
fatal: unable to access 'https://github.com/lukesampson/scoop/': error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
Update failed.
I've tried setting the registry flag to force WinHttp to a higher TLS version, but it's not working on my machine or perhaps my steps are incorrect.
The suggestion to use notepad $PROFILE doesn't seem to work on my installation, I'm not sure what that does. My scoop version is ef058e9 Update fnproject to version 0.4.34.
tresf
on 25 Feb 2018
@tresf notepad $PROFILE doesn't do anything by itself, it's just supposed to open your Powershell profile file for editing. In that file you need to add [Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls". Before adding it to your profile file, you can test out whether the incorrect TLS version is causing your issue by just running this command in a powershell session right before scoop update.
masaeedu
on 25 Feb 2018
you can test out whether the incorrect TLS version is causing your issue by just running this command in a powershell session right before scoop update.
I wasn't able to get either proposal to help...
[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
I also removed ~/scoop and reinstalled through the iex ... command from scoop.sh, which worked, but once scoop update was run, the tlsv1 alert protocol version error comes back.
@tresf
notepad $PROFILEdoesn't do anything by itself, it's just supposed to open your Powershell profile file for editing.
Thanks for explaining. The command didn't work on my machine. I'm happy to know it's the same effect as setting the properties via PowerShell command line, so I won't worry about it at this time.
tresf
on 25 Feb 2018
PS C:\Users\Tres> scoop update
Updating Scoop...
fatal: unable to access 'https://github.com/lukesampson/scoop/': error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
Update failed.
Apologies... My issue was a botched git-scm after the Windows 10 updates. The fix was to completely purge all git versions and reinstall. Interestingly enough, the default git location changed from C:\Program Files (x86)\ to C:\Program Files\ but my system did not reflect it, so this seems to be unrelated to the original bug report and fixed by repairing git through some manual steps. The symptoms and timing were very close to the original bug report, so I thought they were related, but they appear to be different.
tresf
on 25 Feb 2018
@masaeedu Is there a work around for this when using the command prompt? Having to use scoop exclusively in PowerShell is inconvenient.
jordanbtucker
on 25 Feb 2018
Scoop has the following functions to enable every available protocol when downloading apps:
https://github.com/lukesampson/scoop/blob/f8f08db7e53f624b4c81f5d61e8d16c8176a13a7/lib/install.ps1#L117-L133
Currently they are only used in do_dl(), checkver.ps1 and checkurls.ps1
https://github.com/lukesampson/scoop/blob/f8f08db7e53f624b4c81f5d61e8d16c8176a13a7/lib/install.ps1#L135-L149
Adding them to all other commands that require downloading something could fix it.
It has to be set manually for the initial scoop installation to work.
r15ch13
on 25 Feb 2018
https://github.com/blog/2507-weak-cryptographic-standards-removed
Does the change of GitHub affect this issue?
AFAIK, the scoop installer script is hosted by GitHub.
chawyehsu
on 25 Feb 2018
@h404bi that is the main cause of this issue 😁
https://get.scoop.sh redirects to https://raw.githubusercontent.com/lukesampson/scoop/master/bin/install.ps1
r15ch13
on 25 Feb 2018
Currently using this in a .bat on fresh installed systems:
@echo off
COLOR 1F
set filePath="%userprofile%\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1"
IF EXIST $filePath (GOTO appendTLS) else (GOTO newTLS)
:appendTLS
(
echo.
echo [Net.ServicePointManager]::SecurityProtocol = ^"tls12, tls11, tls^"
) >> "%filePath%"
:newTLS
mkdir "%userprofile%\Documents\WindowsPowerShell\"
(
echo [Net.ServicePointManager]::SecurityProtocol = ^"tls12, tls11, tls^"
) > "%filePath%"
@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -InputFormat None -ExecutionPolicy RemoteSigned -Command "iex (new-object net.webclient).downloadstring('https://get.scoop.sh')"
But obviously need Set-ExecutionPolicy RemoteSigned -s cu
kvnklk
on 25 Feb 2018
@tresf notepad $PROFILE doesn't do anything by itself, it's just supposed to open your Powershell profile file for editing.
Turns out this command fails on systems without a ~/PowerShell folder.
I ran into this today with Windows 7 SP1. Here's a little script that should help.
mkdir $PROFILE\..
echo '[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"' >> $PROFILE
& $PROFILE
# thats it
Prepare, do this in
PowerShell:
set-executionpolicy remotesigned -s currentuser
And input Y to ensure.
Open https://get.scoop.sh in your browser to download the shellscript, save as install.ps1:
#requires -v 3
# remote install:
# iex (new-object net.webclient).downloadstring('https://get.scoop.sh')
$erroractionpreference = 'stop' # quit if anything goes wrong
if(($PSVersionTable.PSVersion.Major) -lt 3) {
Write-Output "PowerShell 3 or greater is required to run Scoop."
Write-Output "Upgrade PowerShell: https://docs.microsoft.com/en-us/powershell/scripting/setup/installing-windows-powershell"
break
}
# show notification to change execution policy:
if((get-executionpolicy) -gt 'RemoteSigned') {
Write-Output "PowerShell requires an execution policy of 'RemoteSigned' to run Scoop."
Write-Output "To make this change please run:"
Write-Output "'Set-ExecutionPolicy RemoteSigned -scope CurrentUser'"
break
}
# get core functions
$core_url = 'https://raw.github.com/lukesampson/scoop/master/lib/core.ps1'
Write-Output 'Initializing...'
Invoke-Expression (new-object net.webclient).downloadstring($core_url)
# prep
if(installed 'scoop') {
write-host "Scoop is already installed. Run 'scoop update' to get the latest version." -f red
# don't abort if invoked with iex——that would close the PS session
if($myinvocation.mycommand.commandtype -eq 'Script') { return } else { exit 1 }
}
$dir = ensure (versiondir 'scoop' 'current')
# download scoop zip
$zipurl = 'https://github.com/lukesampson/scoop/archive/master.zip'
$zipfile = "$dir\scoop.zip"
Write-Output 'Downloading...'
dl $zipurl $zipfile
'Extracting...'
unzip $zipfile "$dir\_tmp"
Copy-Item "$dir\_tmp\scoop-master\*" $dir -r -force
Remove-Item "$dir\_tmp" -r -force
Remove-Item $zipfile
Write-Output 'Creating shim...'
shim "$dir\bin\scoop.ps1" $false
ensure_robocopy_in_path
ensure_scoop_in_path
success 'Scoop was installed successfully!'
Write-Output "Type 'scoop help' for instructions."
find $zipurl:
$zipurl = 'https://github.com/lukesampson/scoop/archive/master.zip'
Find zipurl: https://github.com/lukesampson/scoop/archive/master.zip, download it, and unzip it in the scoop's dir:
%USERPROFILE%\scoop\apps\scoop\current
Or you can change the install.ps1 script, to see where scoop dir is:
Write-Output 'Downloading...'
# this will print scoop dir
Write-Output '$dir'
Then modify the install.ps1,it should be below:
#requires -v 3
# remote install:
# iex (new-object net.webclient).downloadstring('https://get.scoop.sh')
$erroractionpreference = 'stop' # quit if anything goes wrong
if(($PSVersionTable.PSVersion.Major) -lt 3) {
Write-Output "PowerShell 3 or greater is required to run Scoop."
Write-Output "Upgrade PowerShell: https://docs.microsoft.com/en-us/powershell/scripting/setup/installing-windows-powershell"
break
}
# show notification to change execution policy:
if((get-executionpolicy) -gt 'RemoteSigned') {
Write-Output "PowerShell requires an execution policy of 'RemoteSigned' to run Scoop."
Write-Output "To make this change please run:"
Write-Output "'Set-ExecutionPolicy RemoteSigned -scope CurrentUser'"
break
}
# get core functions
$core_url = 'https://raw.github.com/lukesampson/scoop/master/lib/core.ps1'
Write-Output 'Initializing...'
Invoke-Expression (new-object net.webclient).downloadstring($core_url)
# prep
$dir = ensure (versiondir 'scoop' 'current')
Write-Output "$dir"
# download scoop zip
# $zipurl = 'https://github.com/lukesampson/scoop/archive/master.zip'
$zipfile = "$dir\scoop.zip"
# Write-Output 'Downloading...'
# comment dl command, download zipfile yourself.
# dl $zipurl $zipfile
'Extracting...'
# notice to comment unzip, otherwise there will be an error of unzip. You should unzip with winrar yourself
# the zip file should unzip in $dir\_tmp yourself
# unzip $zipfile "$dir\_tmp"
Copy-Item "$dir\_tmp\scoop-master\*" $dir -r -force
Remove-Item "$dir\_tmp" -r -force
Remove-Item $zipfile
Write-Output 'Creating shim...'
shim "$dir\bin\scoop.ps1" $false
ensure_robocopy_in_path
ensure_scoop_in_path
success 'Scoop was installed successfully!'
Write-Output "Type 'scoop help' for instructions."
save install.ps1, * then drag it *into PowerShell, and then press enter, after a moment:
Scoop was installed successfully!
sharh
on 28 Feb 2018
One line PowerShell command for new installation, if someone is looking for workaround:
set-executionpolicy remotesigned -s currentuser; [System.Net.ServicePointManager]::SecurityProtocol = 3072 -bor 768 -bor 192 -bor 48; iwr https://get.scoop.sh -UseBasicParsing | iex
If I had to guess, the schoop.sh website is probably using a certificate from StartSSL. As they are no longer a trusted cert authority, the download is failing. If you browse to https://scoop.sh you'll get a security warning about the certificate. Should be easy to fix with a new certificate using letsencrypt or something similar.
danielgary
on 1 Mar 2018
@danielgary nope, scoop.sh didn't have ssl, it's a CNAME of scoop's gh-pages. And https://get.scoop.sh redirects to https://raw.githubusercontent.com/lukesampson/scoop/master/bin/install.ps1
GitHub drops TLSv1 support cause this issue.
chawyehsu
on 1 Mar 2018
@danielgary ugh, thanks for pointing this out. I contacted @lukesampson about this.
r15ch13
on 1 Mar 2018
@h404bi I don't think the one line solution will work, scoop frequently consults the buckets (which are on github), post-install. This means you need to have the TLS settings in every powershell instance you start; i.e. you need to put it in your profile.
masaeedu
on 1 Mar 2018
@masaeedu I said that's a workaround for fresh installation. Though I have tested on a fresh install windows 10, fresh install scoop with that command, then just install git-with-openssh, every thing seems fine, scoop update, scoop search, scoop status...
The Windows 10 ServicePointManager:
$ [System.Net.ServicePointManager]::SecurityProtocol
Ssl3, Tls
Besides, I search that we could modify the registry of ServicePointManager to permanently force to use strong cryptography, but that's inconvenient and it needs elevated privileges, which is worse.[1]
chawyehsu
on 1 Mar 2018
Besides, I search that we could modify the registry of ServicePointManager to permanently force to use strong cryptography, but that's inconvenient and it needs elevated privileges, which is worse.1
Do you mean for all users? For the current user, https://github.com/lukesampson/scoop/issues/2040#issuecomment-368145842, @covertcj's solution works great. I've adapted @r15ch13's proposal to make it permanent for the current user and this technique was tested on Windows 7.
Is the concern that this won't scale for multiple users? I would propose that the scoop library internally nudges this since it makes no sense to attempt to continue functioning otherwise.
Even the set-executionpolicy remotesigned -s currentuser, I don't entirely understand as this is part of the base scoop.sh install, this command should already have been run 100% of the time adding it to this thread seems like it will only confuse first time users.
tresf
on 1 Mar 2018
@h404bi While I agree that scoop should just work, setting ServicePointManager to only use TLS 1.1 and higher is something you should do anyway since SSLv3 and TLSv1.0 are deprecated due to POODLE. (Although, this could break other .NET applications and libraries.)
Here's how to do that in PowerShell:
# set strong cryptography on 64 bit .Net Framework (version 4 and above)
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
# set strong cryptography on 32 bit .Net Framework (version 4 and above)
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
Plus, this will allow scoop to work in Command Prompt instead of just PowerShell.
jordanbtucker
on 1 Mar 2018
Was not sure if every site supports TLS 1.2 therefore I created a script to checks all the URLs.
Every single hosts supports it, so it's safe to just enable it I guess.
Script:
protocol-test.ps1
param(
[String]$Dir = "$PSScriptRoot\..\bucket",
[String]$App = '*'
)
. "$PSScriptRoot\..\lib\core.ps1"
. "$PSScriptRoot\..\lib\buckets.ps1"
. "$PSScriptRoot\..\lib\manifest.ps1"
. "$PSScriptRoot\..\lib\json.ps1"
# https://www.sysadmins.lv/blog-en/test-web-server-ssltls-protocol-support-with-powershell.aspx
function Test-ServerSSLSupport($HostName) {
$Port = 443
$RetValue = New-Object psobject -Property @{
Host = $HostName
Port = $Port
ssl2 = $false
ssl3 = $false
tls = $false
tls11 = $false
tls12 = $false
KeyExhange = $null
HashAlgorithm = $null
}
# "ssl2", "ssl3",
"tls", "tls11", "tls12" | ForEach-Object {
$TcpClient = New-Object Net.Sockets.TcpClient
$TcpClient.Connect($RetValue.Host, $RetValue.Port)
try {
$SslStream = New-Object Net.Security.SslStream $TcpClient.GetStream()
}
catch {
write-host $_.Message
return $RetValue
}
$SslStream.ReadTimeout = 15000
$SslStream.WriteTimeout = 15000
try {
$SslStream.AuthenticateAsClient($RetValue.Host, $null, $_, $false)
$RetValue.KeyExhange = $SslStream.KeyExchangeAlgorithm
$RetValue.HashAlgorithm = $SslStream.HashAlgorithm
$status = $true
} catch {
$status = $false
}
$RetValue.$_ = $status
# dispose objects to prevent memory leaks
$TcpClient.Dispose()
$SslStream.Dispose()
}
return $RetValue
}
function Test-Url($url) {
$url = [System.Uri]$url
if(!$url) {
return
}
if($url.Scheme -ne "https") {
write-host -f DarkYellow "$($url.Host.PadRight(40, " "))" -NoNewline
write-host " | http"
return
}
$result = Test-ServerSSLSupport $url.Host
write-host "$($url.Host.PadRight(40, " ")) | " -NoNewline
if($result.tls) {
write-host -f DarkGreen "$($result.tls.ToString().PadRight(6, " "))" -NoNewline
} else {
write-host -f DarkRed "$($result.tls.ToString().PadRight(6, " "))" -NoNewline
}
write-host " | " -NoNewline
if($result.tls11) {
write-host -f DarkGreen "$($result.tls11.ToString().PadRight(6, " "))" -NoNewline
} else {
write-host -f DarkRed "$($result.tls11.ToString().PadRight(6, " "))" -NoNewline
}
write-host " | " -NoNewline
if($result.tls12) {
write-host -f DarkGreen "$($result.tls12.ToString().PadRight(6, " "))" -NoNewline
} else {
write-host -f DarkRed "$($result.tls12.ToString().PadRight(6, " "))" -NoNewline
}
write-host ""
}
function Get-ManifestUrls($file) {
$urls = @()
if(!$file) {
return $urls
}
$json = parse_json $file.FullName
if(!$json) {
return $urls
}
if ($json.url -is [System.Array]) {
$json.url | ForEach-Object {
$urls += [System.Uri]$_
}
} elseif($json.url) {
$urls += [System.Uri]$json.url
} else {
$arch_url = (arch_specific 'url' $json '64bit')
if(!$arch_url) {
$arch_url = (arch_specific 'url' $json '32bit')
}
if($arch_url -is [System.Array]) {
$arch_url | ForEach-Object {
$urls += [System.Uri]$_
}
} else {
$urls += [System.Uri]$arch_url
}
}
return $urls
}
# get apps to check
write-host "Host | TLSv10 | TLSv11 | TLSv12"
write-host "-------------------------------------------------------------------"
$urls = @()
Get-ChildItem -Path $Dir "$App.json" | ForEach-Object {
Get-ManifestUrls($_) | ForEach-Object {
$urls += $_
}
}
$urls | Sort-Object -Property @{Expression={$_.Host}} -Unique | ForEach-Object {
Test-Url $_
}
Results:
Main Bucket Hosts
Main Bucket Hosts | TLSv10 | TLSv11 | TLSv12
-------------------------------------------------------------------
7-zip.org | True | True | True
adoxa.altervista.org | http
amazon-eks.s3-us-west-2.amazonaws.com | True | True | True
archive.apache.org | True | True | True
archive.mozilla.org | True | True | True
azuredraft.blob.core.windows.net | True | True | True
beyondgrep.com | True | True | True
bin.equinox.io | True | True | True
binaries.cockroachdb.com | False | True | True
binaries.sonarsource.com | False | False | True
bitbucket.org | False | False | True
blog.alivate.com.au | http
cdn.mysql.com | True | True | True
cdn.theunarchiver.com | True | True | True
chromedriver.storage.googleapis.com | True | True | True
cmake.org | False | True | True
constexpr.org | http
cran.rstudio.com | False | True | True
curl.haxx.se | False | False | True
cygwin.com | True | True | True
dev.mysql.com | False | False | True
developers.yubico.com | False | False | True
digi.bib.uni-mannheim.de | True | True | True
dist.nuget.org | True | True | True
dl.bintray.com | False | False | True
dl.google.com | True | True | True
dl.influxdata.com | True | True | True
dl.minio.io | False | True | True
dotnetcli.blob.core.windows.net | True | True | True
download.handbrake.fr | False | False | True
download.jetbrains.com | True | True | True
download.linuxaudio.org | True | True | True
download.microsoft.com | True | True | True
download.mono-project.com | True | True | True
download.qt.io | False | False | True
download.rethinkdb.com | True | True | True
download.savannah.gnu.org | True | True | True
download.videolan.org | True | True | True
downloads.dlang.org | http
downloads.kitenet.net | True | True | True
downloads.mariadb.org | True | False | False
downloads.plex.tv | True | True | True
downloads.puppetlabs.com | True | True | True
downloads.rclone.org | False | False | True
downloads.sourceforge.net | False | True | True
downloads.typesafe.com | False | True | True
downloads.xiph.org | True | True | True
doxygen.nl | http
drive.google.com | True | True | True
erlang.org | http
eternallybored.org | True | True | True
eventstore.org | True | True | True
farmanager.com | False | False | True
fastdl.mongodb.org | False | True | True
ffmpeg.zeranoe.com | True | True | True
files.genshin.org | http
fossies.org | True | True | True
frippery.org | True | True | True
ftp.equation.com | http
ftp.fau.de | True | True | True
ftp.gnome.org | True | True | True
ftp.gnu.org | False | False | True
ftp.isc.org | True | True | True
get.enterprisedb.com | False | True | True
get.gravitational.com | True | True | True
getcomposer.org | True | True | True
github.com | False | False | True
gitlab-runner-downloads.s3.amazonaws.com | True | True | True
gittup.org | http
go.microsoft.com | True | True | True
graphviz.gitlab.io | True | True | True
hashcat.net | True | True | True
haskell.org | True | True | True
invisible-island.net | False | False | True
iperf.fr | False | False | True
jfrog.bintray.com | False | False | True
julialang-s3.julialang.org | False | False | True
khudob.in.s3-website-us-west-2.amazonaws.com | http
mark0.net | http
master.dockerproject.org | True | True | True
mediaarea.net | True | True | True
megatools.megous.com | True | True | True
mran.blob.core.windows.net | True | True | True
nekovm.org | False | True | True
neon.se | True | True | True
nginx.org | True | True | True
nim-lang.org | True | True | True
nmap.org | True | True | True
nodejs.org | True | True | True
nssm.cc | False | False | True
nuget.org | True | True | True
packages.chocolatey.org | True | True | True
pngquant.org | True | True | True
potrace.sourceforge.net | http
projects.giacomodrago.com | True | True | True
qemu.weilnetz.de | True | True | True
r15ch13.keybase.pub | True | True | True
raw.githubusercontent.com | True | True | True
releases.hashicorp.com | False | False | True
releases.llvm.org | False | False | True
repo.maven.apache.org | False | False | True
repo.msys2.org | http
repo1.maven.org | False | False | True
rtmpdump.mplayerhq.hu | True | True | True
s3.amazonaws.com | True | True | True
scholarlymarkdown.com | http
selenium-release.storage.googleapis.com | True | True | True
services.gradle.org | True | True | True
shellcheck.storage.googleapis.com | True | True | True
sliksvn.com | True | True | True
slproweb.com | True | True | True
sourceforge.net | False | True | True
static.red-lang.org | True | True | True
static.rust-lang.org | False | True | True
storage.googleapis.com | True | True | True
strawberryperl.com | http
svtplay-dl.se | True | True | True
sysprogs.com | True | True | True
tukaani.org | False | True | True
unbound.net | True | True | True
win.rustup.rs | False | True | True
windows.php.net | False | True | True
www.andre-simon.de | http
www.apache.org | False | False | True
www.autoitscript.com | True | True | True
www.benf.org | True | True | True
www.chrysocome.net | http
www.cjmweb.net | False | True | True
www.cs.utah.edu | True | True | True
www.dropbox.com | True | True | True
www.engr.mun.ca | True | False | False
www.fossil-scm.org | True | True | True
www.glob.com.au | True | True | True
www.gnupg.org | True | True | True
www.guysalias.tk | True | True | True
www.imagemagick.org | True | True | True
www.mercurial-scm.org | True | True | True
www.mls-software.com | True | True | True
www.nano-editor.org | True | True | True
www.nasm.us | http
www.nirsoft.net | True | True | True
www.nuget.org | True | True | True
www.pdflabs.com | True | True | True
www.python.org | False | False | True
www.rarewares.org | http
www.rarlab.com | True | True | True
www.sentex.net | http
www.sqlite.org | True | True | True
www.syncany.org | True | True | True
www.tortall.net | http
www.videohelp.com | True | True | True
www-us.apache.org | False | False | True
xpdfreader-dl.s3.amazonaws.com | True | True | True
yarnpkg.com | True | True | True
Extras Bucket Hosts
Extras Bucket Hosts | TLSv10 | TLSv11 | TLSv12
-------------------------------------------------------------------
1.eu.dl.wireshark.org | True | True | True
3rvx.com | True | True | True
abstractspoon.pbwiki.com | False | False | False
aezay.dk | http
antibody-software.com | True | True | True
api.nuget.org | True | True | True
app.pc.kakao.com | http
app.prntscr.com | True | True | True
apps.ankiweb.net | True | True | True
archive.apache.org | True | True | True
artifacts.elastic.co | False | False | True
azurecliprod.azureedge.net | False | False | True
binaries.mpc-hc.org | True | True | True
bit.ly | True | True | True
bitbucket.org | False | False | True
bliskcloudstorage.blob.core.windows.net | True | True | True
buildbot.libretro.com | True | True | True
camunda.org | True | True | True
cdn.chuyu.me | http
cdn.gogs.io | False | False | True
cdn09.foxitsoftware.com | True | True | True
cdnverify.eta-lang.org | True | True | True
central.github.com | True | True | True
chocolatey.org | True | True | True
ci.appveyor.com | True | True | True
cli.run.pivotal.io | False | True | True
cli-assets.heroku.com | True | True | True
clis.ng.bluemix.net | False | False | True
cmake.org | False | True | True
codeload.github.com | False | False | True
crawl.develz.org | True | True | True
dbeaver.io | False | False | True
desktop.icons8.com | True | True | True
developer.arm.com | False | True | True
developers.yubico.com | False | False | True
dist.ipfs.io | False | False | True
dist.torproject.org | True | True | True
dl.4players.de | http
dl.bandisoft.com | True | True | True
dl.bintray.com | False | False | True
dl.discordapp.net | http
dl.eagleget.com | http
dl.enpass.io | False | True | True
dl.google.com | True | True | True
dl.hexchat.net | True | True | True
dl.nwjs.io | True | True | True
dl.pstmn.io | True | True | True
dl.slic3r.org | True | True | True
dl.winsshterm.net | http
dl.yat.qa | True | True | True
dl5.oo-software.com | True | False | False
dl-canary.discordapp.net | http
dl-ptb.discordapp.net | http
dlsrc.getmonero.org | True | True | True
download.aida64.com | http
download.anydesk.com | True | True | True
download.bleachbit.org | True | True | True
download.blender.org | True | True | True
download.ccleaner.com | True | True | True
download.cdburnerxp.se | False | False | True
download.cpuid.com | http
download.deluge-torrent.org | http
download.filezilla-project.org | True | True | True
download.geany.org | http
download.gimp.org | True | True | True
download.gnome.org | True | True | True
download.handbrake.fr | False | False | True
download.jetbrains.com | True | True | True
download.kde.org | False | False | True
download.knime.org | True | True | True
download.linqpad.net | http
download.microsoft.com | True | True | True
download.mobatek.net | True | True | True
download.mozilla.org | True | True | True
download.mp3tag.de | True | True | True
download.msi.com | http
download.nirsoft.net | True | True | True
download.nomacs.org | http
download.robomongo.org | True | True | True
download.sourcegear.com | http
download.springsource.com | True | True | True
download.sublimetext.com | True | True | True
download.svcat.sh | True | True | True
download.sysinternals.com | True | True | True
download.teamviewer.com | True | True | True
download.videolan.org | True | True | True
download.virtualbox.org | True | True | True
download.visualstudio.microsoft.com | True | True | True
download.zotero.org | True | True | True
download1.operacdn.com | True | True | True
download1.rstudio.org | True | True | True
download2.mikrotik.com | True | True | True
downloadarchive.documentfoundation.org | http
download-eu2.guru3d.com | True | True | True
downloads.arduino.cc | True | True | True
downloads.mongodb.com | False | True | True
downloads.ortussolutions.com | True | True | True
downloads.plex.tv | True | True | True
downloads.slack-edge.com | True | True | True
downloads.sourceforge.net | False | True | True
downloads.tuxfamily.org | True | True | True
downloads.vivaldi.com | True | True | True
encdn.ldmnq.com | True | True | True
enclose.io | http
endpoint920510.azureedge.net | True | True | True
fastcopy.jp | True | True | True
fastglacier.com | True | True | True
files.gpg4win.org | True | True | True
files.kde.org | False | False | True
files.vbox.me | http
findandreplace.io | http
fishcodelib.com | True | True | True
flatassembler.net | True | True | True
fmedia.firmdev.com | http
foicica.com | True | False | False
fossies.org | True | True | True
freecommander.com | True | True | True
friedrich-folkmann.de | http
fritzing.org | http
ftp.musicbrainz.org | http
ftp.ncftp.com | http
ftpmirror.gnu.org | True | True | True
geekuninstaller.com | True | True | True
gist.github.com | False | False | True
gist.githubusercontent.com | True | True | True
git-fork.com | True | True | True
github.com | False | False | True
glogg.bonnefon.org | True | True | True
go.microsoft.com | True | True | True
graphicsgale.com | True | True | True
hammultiplayer.org | http
iamfutureproof.com | http
icon-icons.com | True | True | True
inkscape.org | True | True | True
installer.jdownloader.org | http
jdownloader.org | http
jigsaw.w3.org | True | True | True
justgetflux.com | True | True | True
kindlegen.s3.amazonaws.com | True | True | True
lechnology.com | True | True | True
leomoon.com | True | True | True
lighttpd.dtech.hu | http
lockhunter.com | True | True | True
lpb.canb.auug.org.au | http
media2.steampowered.com | http
mediaarea.net | True | True | True
mega.nz | True | True | True
mh-nexus.de | True | True | True
mirror.httrack.com | True | True | True
mkvtoolnix.download | False | False | True
mpv.srsfckn.biz | False | False | True
multicommander.com | http
mupdf.com | True | True | True
nimbletext.com | http
nl1-dl.techpowerup.com | http
notepad-plus-plus.org | True | True | True
oneget.org | True | True | True
openhardwaremonitor.org | True | True | True
openresty.org | True | True | True
osdn.net | True | True | True
out7.hex-rays.com | False | False | True
packages.chef.io | True | True | True
packages.chocolatey.org | True | True | True
pcem-emulator.co.uk | True | True | True
p-nand-q.com | http
public.dhe.ibm.com | True | True | True
quiterss.org | True | True | True
r15ch13.keybase.pub | True | True | True
rammichael.com | True | True | True
raw.githubusercontent.com | True | True | True
redirector.gvt1.com | True | True | True
rei.to | http
release.gitkraken.com | True | True | True
release.tinymediamanager.org | http
releases.mattermost.com | True | True | True
renderdoc.org | True | True | True
repo.continuum.io | True | True | True
repo.spring.io | False | False | True
reshade.me | False | True | True
riot.im | True | True | True
rm-eu.palemoon.org | http
s3.amazonaws.com | True | True | True
s3-us-west-2.amazonaws.com | True | True | True
search.maven.org | http
sites.google.com | True | True | True
slobs-cdn.streamlabs.com | True | True | True
snapshots.mitmproxy.org | False | True | True
soft.rubypdf.com | http
software-download.microsoft.com | True | True | True
sourceforge.net | False | True | True
sqlitestudio.pl | True | True | True
static.azul.com | http
static.rust-lang.org | False | True | True
steamcdn-a.akamaihd.net | True | True | True
storage.googleapis.com | True | True | True
storage-waterfox.netdna-ssl.com | True | True | True
swupdate.openvpn.org | True | True | True
sysprogs.com | True | True | True
taiga.moe | True | True | True
telerik-fiddler.s3.amazonaws.com | True | True | True
the.earth.li | True | True | True
totalcommander.ch | http
typora.io | True | True | True
updates.signal.org | True | True | True
us.basilisk-browser.org | http
vibrancegui.com | True | True | True
vps2.highrez.co.uk | True | True | True
vscode-update.azurewebsites.net | False | False | True
wavebox.pro | True | True | True
web.whatsapp.com | True | True | True
winaero.com | True | True | True
windirstat.mirror.wearetriple.com | True | True | True
www.1space.dk | http
www.2brightsparks.com | True | True | True
www.9bis.net | True | True | True
www.advancedrenamer.com | False | False | True
www.alcpu.com | http
www.almico.com | http
www.angusj.com | http
www.apache.org | False | False | True
www.archimatetool.com | True | True | True
www.bahraniapps.com | http
www.baremetalsoft.com | False | True | True
www.claws-mail.org | True | True | True
www.cockos.com | True | True | True
www.crystalidea.com | True | True | True
www.cuetools.net | http
www.dbvis.com | http
www.dependencywalker.com | http
www.dhcpserver.de | http
www.digimezzo.com | False | True | True
www.dotpdn.com | True | True | True
www.eclipse.org | True | True | True
www.faststonesoft.net | http
www.firstobject.com | http
www.flos-freeware.ch | http
www.freeclipboardviewer.com | http
www.getcodetrack.com | http
www.giuspen.com | False | False | True
www.haskell.org | True | True | True
www.heidisql.com | True | True | True
www.heidoc.net | True | True | True
www.hwinfo.com | True | True | True
www.iographica.com | http
www.irfanview.info | True | True | True
www.jrsoftware.org | http
www.kymoto.org | False | True | True
www.libsdl.org | True | True | True
www.linuxliveusb.com | True | True | True
www.listary.com | True | True | True
www.makemkv.com | True | True | True
www.mediafire.com | True | True | True
www.mega-nerd.com | http
www.mersenne.org | True | True | True
www.microsip.org | True | True | True
www.nattyware.com | http
www.naturaldocs.org | http
www.ocenaudio.com | False | True | True
www.pcfreetime.com | http
www.pci-z.com | True | True | True
www.phraseexpress.com | True | True | True
www.piriform.com | False | False | True
www.portablefreeware.com | True | True | True
www.ppsspp.org | True | True | True
www.prime-expert.com | True | True | True
www.proxifier.com | True | True | True
www.pspad.com | True | True | True
www.rapidee.com | True | True | True
www.rarlab.com | True | True | True
www.realvnc.com | False | True | True
www.reaper.fm | True | True | True
www.scootersoftware.com | False | False | True
www.skytopia.com | http
www.slsknet.org | True | True | True
www.softwareok.com | True | True | True
www.sordum.org | True | True | True
www.sourcetreeapp.com | True | True | True
www.sql-workbench.eu | True | True | True
www.strokesplus.com | True | True | True
www.stunnel.org | True | True | True
www.sumatrapdfreader.org | False | False | True
www.swi-prolog.org | http
www.texmacs.org | http
www.tt-solutions.com | http
www.uderzo.it | http
www.uwamp.com | True | True | True
www.videohelp.com | True | True | True
www.voidtools.com | True | True | True
www.wagnardsoft.com | False | False | True
www.willuhn.de | True | True | True
www.xiles.net | http
www.xm1math.net | http
www.xmedia-recode.de | True | True | True
www.xmind.net | True | True | True
www.xyplorer.com | True | True | True
www.yworks.com | http
xdebug.org | False | False | True
xmlsoft.org | http
Version Bucket Hosts
Version Bucket Hosts | TLSv10 | TLSv11 | TLSv12
-------------------------------------------------------------------
archive.apache.org | True | True | True
artifacts.elastic.co | False | False | True
beta.rclone.org | False | False | True
bitbucket.org | False | False | True
cocl.us | False | True | True
dev.mysql.com | False | False | True
digi.bib.uni-mannheim.de | True | True | True
dist.nuget.org | True | True | True
dl.bintray.com | False | False | True
download.elastic.co | False | False | True
download.springsource.com | http
downloads.mongodb.org | http
downloads.sourceforge.net | False | True | True
downloads.vivaldi.com | True | True | True
fastdl.mongodb.org | False | True | True
files.emule-project.net | True | True | True
get.enterprisedb.com | False | True | True
github.com | False | False | True
megatools.megous.com | True | True | True
nodejs.org | True | True | True
packages.chocolatey.org | True | True | True
r.windows.random.supplies | http
repo.continuum.io | True | True | True
repo.spring.io | False | False | True
services.gradle.org | True | True | True
slproweb.com | True | True | True
windows.php.net | False | True | True
www.apache.org | False | False | True
www.python.org | False | False | True
www.stunnel.org | True | True | True
www.vordweb.co.uk | http
xdebug.org | False | False | True
/Edit: Updated script and results (20190410)
r15ch13
on 1 Mar 2018
I'm not sure what's more impressive... the speed in which you valided every script mirror supports TLS12, or the neat GitHub hide huge codeblock trick.
tresf
on 1 Mar 2018
An easy fix could be to add this neat little line to core.ps1.
Mentioned by @masaeedu in https://github.com/lukesampson/scoop/pull/2065#issuecomment-369669048
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
Sadly the initial install oneliner has to change.
r15ch13
on 1 Mar 2018
@r15ch13 @lukesampson The install oneliner doesn't need to change unless Amazon CloudFront drops support for TLSv1.0 or GitHub drops support for TLSv1.0 on raw.githubusercontent.com.
get.scoop.sh is served from Amazon CloudFront servers, then redirects to raw.githubusercontent.com. GitHub only dropped support for TLSv1.0 on github.com and api.github.com.
The install oneliner doesn't have trouble downloading the install script, it just has trouble accessing api.github.com during the install.
TLDR; install.ps1 and core.ps1 need to be updated, but the oneliner doesn't need to change... yet.
That being said, the following oneliner is shorter, but suffers from the same problem.
iwr https://get.scoop.sh | iex
I didn't see a commit related to this but I am no longer receiving the error after updating scoop.
dsbert
on 1 Mar 2018
@dsbert What happens when you run this:
scoop search --no-cache
@jordanbtucker There it is
dsbert
on 2 Mar 2018
This is fixed for me, but I left a comment about it leaving side effects. It's probably not a big deal though.
jordanbtucker
on 2 Mar 2018
rtgsd
jatalocks
on 26 May 2019
@h404bi While I agree that scoop should _just work_, setting ServicePointManager to only use TLS 1.1 and higher is something you _should_ do anyway since SSLv3 and TLSv1.0 are deprecated due to POODLE. (Although, this could break other .NET applications and libraries.)
Here's how to do that in PowerShell:
# set strong cryptography on 64 bit .Net Framework (version 4 and above) Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord # set strong cryptography on 32 bit .Net Framework (version 4 and above) Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWordPlus, this will allow scoop to work in Command Prompt instead of just PowerShell.
This finally let me install boxstarter on windows7 via azure-arm/packer.
wbrewer
on 17 Apr 2020
Related issues
nitrocode
·
3Comments
ShivanshuKantPrasad
·
3Comments
mpro7
·
3Comments
klauern
·
3Comments
jpoehls
·
3Comments
Most helpful comment
I just ran into this as well on a 'fresh' install of Windows 10 (it was installed from a base image provided by the IT dept, for whatever that's worth). I found that I was able to delete the ~/scoop directory, run the command:
directly in my prompt, and then re-install with the standard method. That being said, it seems I need to re-run that command in each new powershell window, or I see a bunch of SSL/TLS errors any time I use scoop.