We have an internal PowerShell module used for interacting with our own internal software during deployment/testing. A lot of our installations use self-signed certificates, as they are internal-only systems for testing - we override ServerCertificateValidationCallback in our scripts, so that PowerShell won't run into issues with the self-signed certificates.
Recently, I've noticed that overriding ServerCertificateValidationCallback is breaking GET requests to a REST API for some reason. I've reproduced this on multiple versions of Windows with PowerShell 5.1, and I cannot see that I am doing anything wrong to cause this. Below is a very simple script that can reproduce the issue:
```powershell
# Trust-all callback: every server certificate is accepted for this session
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { return $true }
Invoke-RestMethod -Method Get -UseBasicParsing -Uri https://reqres.in/api/users
Invoke-RestMethod -Method Post -UseBasicParsing -Uri https://reqres.in/api/users -Body (@{ Name = "Bob Smith"; job = "CEO" } | ConvertTo-Json) -ContentType "application/json"
Invoke-RestMethod -Method Get -UseBasicParsing -Uri https://reqres.in/api/users
```
- The first Invoke-RestMethod (ie, the GET) will fail
- The second request (the POST) will be successful
- After the POST is successful, it seems that the session is cached and therefore the GET is successful
- If the session is left to go idle for a while, the GET request will once again fail
- If the POST request had been issued first (even without the GET), it would still have been successful ... ie the problem is not just a simple case of the first request failing
- The issue is reproducible with both Invoke-RestMethod and Invoke-WebRequest
- The issue is only reproducible with PowerShell 5.1 ... PowerShell 7.1 (on the same Machine) does not reproduce the issue
- I have reproduced this on multiple Machines running Windows 10, Server 2019 and Server 2022
- Closing the session and creating a new session without the first line (ie, not overriding ServerCertificateValidationCallback) will not reproduce the issue either
- reqres.in is not our actual production site, it's just a sample REST API site that I'm using to reproduce the issue easily
- The issue occurs with systems which are using valid (CA issued) Certificates, and on systems which have self-signed certificates
As far as I understand, both IRM and IWR use the same (HttpWebRequest) C# class. I've not tried creating a C# project, but I have tried briefly testing the class in C# but cannot reproduce the issue there. Below is the code that I used:
```powershell
# Same trust-all callback, but calling HttpWebRequest directly instead of IRM/IWR
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { return $true }
[System.Net.HttpWebRequest]$wr = [System.Net.WebRequest]::Create("https://reqres.in/api/users")
$stream = $wr.GetResponse().GetResponseStream()
$sr = New-Object -TypeName System.IO.StreamReader -ArgumentList $stream
$sr.ReadToEnd() | ConvertFrom-Json
```
Obviously, this was only a troubleshooting step, however. I'd appreciate any advice anybody can give me on this issue and how to resolve it.
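
Added example, not part of the original post: instead of a script block that returns `$true` for every certificate, the callback below is compiled with `Add-Type` and accepts a certificate that fails normal validation only when its thumbprint is on an explicit allow-list. The class name `PinnedCertValidator`, the thumbprint and the host name are hypothetical placeholders.

```powershell
# Added example: PinnedCertValidator, the thumbprint and the URL are placeholders.
$source = @'
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class PinnedCertValidator
{
    private static string[] pinned = new string[0];

    // Register the callback with the thumbprints of the trusted test certificates.
    public static void Install(string[] thumbprints)
    {
        pinned = thumbprints;
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    private static bool Validate(object sender, X509Certificate cert,
                                 X509Chain chain, SslPolicyErrors errors)
    {
        // CA-issued certificates that pass normal validation are accepted as usual.
        if (errors == SslPolicyErrors.None) { return true; }
        if (cert == null) { return false; }

        // A failing certificate is accepted only if it is explicitly pinned.
        string thumb = new X509Certificate2(cert).Thumbprint;
        foreach (string p in pinned)
        {
            if (string.Equals(p, thumb, StringComparison.OrdinalIgnoreCase)) { return true; }
        }
        return false;
    }
}
'@
Add-Type -TypeDefinition $source -Language CSharp

# Placeholder SHA-1 thumbprint of the internal self-signed certificate
$trusted = [string[]]@('0000000000000000000000000000000000000000')
[PinnedCertValidator]::Install($trusted)

# Placeholder internal host; any other untrusted certificate is still rejected
Invoke-RestMethod -Method Get -UseBasicParsing -Uri https://test-server.example/api/users
```

Because the callback is compiled code rather than a script block, it does not need a PowerShell runspace on the thread that .NET invokes it from. Setting `[System.Net.ServicePointManager]::ServerCertificateValidationCallback` back to `$null` restores default validation for the session.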