ssl Powershell调用-通过HTTPS调用REST方法

hjzp0vay  于 2022-12-27  发布在  Shell
关注(0)|答案(4)|浏览(210)

我试图通过powershell与一个服务进行通信,但失败得很惨,我怀疑是证书的问题,我在谷歌上搜索了答案,找到了两个选项,没有一个对我有效,我也试图将两者结合起来,但没有成功。

    • 备选案文1:**
add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

$urlJSON = "https://internal.ad.local/path/api_jsonrpc.php"

#Create authentication JSON object using ConvertTo-JSON
$objAuth = (New-Object PSObject | Add-Member -PassThru NoteProperty jsonrpc '2.0' |
Add-Member -PassThru NoteProperty method 'user.authenticate' |
Add-Member -PassThru NoteProperty params @{user="user";password="password"} |
Add-Member -PassThru NoteProperty id '2') | ConvertTo-Json

Invoke-RestMethod -Uri $urlJSON -body $objAuth -method "Post"
    • 备选案文2:**
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

$urlJSON = "https://internal.ad.local/path/api_jsonrpc.php"

#Create authentication JSON object using ConvertTo-JSON
$objAuth = (New-Object PSObject | Add-Member -PassThru NoteProperty jsonrpc '2.0' |
Add-Member -PassThru NoteProperty method 'user.authenticate' |
Add-Member -PassThru NoteProperty params @{user="user";password="password"} |
Add-Member -PassThru NoteProperty id '2') | ConvertTo-Json

Invoke-RestMethod -Uri $urlJSON -body $objAuth -method "Post"

下面是错误消息:

Invoke-RestMethod : The underlying connection was closed: An unexpected error occurred on a send.
At C:\Users\user\AppData\Local\Temp\46eaa6f7-62a0-4c10-88d1-79212d652bc9.ps1:24 char:1
+ Invoke-RestMethod -Uri $urlJSON -body $objAuth -method "Post"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

我可以补充一句:

  • 使用Web浏览器直接浏览服务
  • 我也试着打开HTTP,效果很好
  • 服务使用的证书是自签名的,但我的机器通过根证书信任(IE或Chrome中没有警告问题)
  • 我已经完成了网络捕获,并确保数据包确实到达了服务器。

欢迎提出任何建议!
此致帕特里克
更新后的建议所作的树先生如下:

Name                       : lambda_method
DeclaringType              :
ReflectedType              :
Module                     : RefEmit_InMemoryManifestModule
MethodHandle               :
Attributes                 : PrivateScope, Public, Static
CallingConvention          : Standard
IsSecurityCritical         : False
IsSecuritySafeCritical     : False
IsSecurityTransparent      : True
ReturnType                 : System.Boolean
ReturnParameter            :
ReturnTypeCustomAttributes : System.Reflection.Emit.DynamicMethod+RTDynamicMethod+EmptyCAHolder
MemberType                 : Method
MethodImplementationFlags  : NoInlining
IsGenericMethodDefinition  : False
ContainsGenericParameters  : False
IsGenericMethod            : False
IsPublic                   : True
IsPrivate                  : False
IsFamily                   : False
IsAssembly                 : False
IsFamilyAndAssembly        : False
IsFamilyOrAssembly         : False
IsStatic                   : True
IsFinal                    : False
IsVirtual                  : False
IsHideBySig                : False
IsAbstract                 : False
IsSpecialName              : False
IsConstructor              : False
CustomAttributes           :
MetadataToken              :

更新2基于Mr Tree的评论:

Invoke-RestMethod : The underlying connection was closed: An unexpected error occurred on a send.
At C:\Users\user\AppData\Local\Temp\ff47910e-fd8e-4be8-9241-99322144976a.ps1:13 char:1
+ Invoke-RestMethod -Uri $urlJSON -body $objAuth -method "Post"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
e3bfsja2

e3bfsja21#

我在排除另一件事的故障时解开了谜团。有问题的Web服务器只支持TLS1. 1和TLS1. 2。Powershell似乎不支持这一点。如果我启用TLS1. 0,它就能工作。
要强制TLS1.2,可以使用以下行:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
bxjv4tth

bxjv4tth2#

您似乎正在尝试使用Invoke-RestMethod调用json API。根据documentation

  • 内容类型
    指定Web请求的内容类型。
    如果省略此参数并且请求方法为POST,则Invoke-RestMethod会将内容类型设置为**“application/x-www-form-urlencoded”**。否则,在调用中不指定内容类型。
    要使用json主体,需要使用Invoke-RestMethod -ContentType 'application/json' <other args>
r8uurelv

r8uurelv3#

最近我经历了很多痛苦,以克服类似的情况。我正在使用试用SaaS服务创建概念验证。该服务具有自签名SSL证书,因此我希望在尝试调用POST方法时忽略证书错误(类似于curl的“-k”参数)。经过一番努力,我发现它需要“两者兼顾”-(a)要求忽略证书验证错误,以及(B)将TLS 1. 2明确设置为安全协议。我认为是后者,因为该服务可能拒绝使用任何其他协议进行连接的尝试。(我花了太多的时间尝试不同的变化,为做每一个建议的各种SOF线程,但独立...)
下面是工作的代码...

重要信息:绕过证书验证纯粹是为了原型/PoC。我们不打算在生产中这样做(你也不应该!)

$defaultSecurityProtocol = $null
try
{   
    #BUGBUG, TODO: Disabling cert validation for the duration of this call...('trial' version cert is self-signed.)
    #Remove this after the PoC.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true } 
    #Cache the previous protocol setting and explicitly require TLS 1.2 
    $defaultSecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol
    [System.Net.ServicePointManager]::SecurityProtocol = `
                [System.Net.SecurityProtocolType]::Tls12

    if (-not [String]::IsNullOrWhiteSpace($authZHeaderValue))
    {
        $response = Invoke-WebRequest `
                    -Uri $webhookUrl `
                    -Method "Post" `
                    -Body $eventJson `
                    -Header @{ $authZHeaderName = $authZHeaderValue} 
    }
    else 
    {
        $response = Invoke-WebRequest `
                    -Uri $webhookUrl `
                    -Method "Post" `
                    -Body $eventJson
    }
}
catch 
{
    $msg = $_.Exception.Message
    $status = $_.Exception.Status
    $hr = "{0:x8}" -f ($_.Exception.HResult)
    $innerException = $_.Exception.InnerException
    #Just issue a warning about being unable to send the notification...
    Write-Warning("`n`t[$status] `n`t[0x$hr] `n`t[$msg] `n`t[$innerException]")
}
finally 
{
    # Set securityProtocol and CertValidation behavior back to the previous state.
    [System.Net.ServicePointManager]::SecurityProtocol = $defaultSecurityProtocol
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
}

我还想补充一点,首选的安全协议会随着各种漏洞的发现和修复的实施而不断变化。此外,不同系统(客户端操作系统和服务器/服务中的SSL/TLS堆栈)通常有自己的最新/最安全的选项。因此,确切地说,哪个标志可能起作用将是客户端和服务器系统以及时间的函数(因为TLS1.2在几个月后可能不再是首选)。理想情况下,根本不需要指定标记。更多信息请参见this MSDN document中的“备注”部分。

31moq8wy

31moq8wy4#

这是一个完整的Powershell脚本,为我工作:

try {
    # Configure API request payload
    $url = "https://my.server.com/api/countries"
    $method = "POST"
    $headers = @{
                  "Content-Type" = "application/json"
               }
    $body = '{
              "name": "India"
            }'
    # Reading request body from json file
    # $body = Get-Content request.json | Out-String
    $certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "C:\ClientCert.pfx", "Password1"
 
    # Call the API
    Invoke-RestMethod -Uri $url -Method $method -Headers $headers -Body $body -Certificate $certificate
    
    Write-Host "`n#################### SUCCESS ####################`n"
} catch {
    Write-Host "`n#################### ERROR ####################`n"

    # Getting response code
    $responseCode = $_.Exception.Message
    
    # Getting response body
    if ($_.Exception.Response -ne $null) {
        $responseStream = $_.Exception.Response.GetResponseStream()
        $streamReader = New-Object System.IO.StreamReader($responseStream)
        $streamReader.BaseStream.Position = 0
        $streamReader.DiscardBufferedData()
        $responseBody = $streamReader.ReadToEnd()
    }
    
    Write-Host "Response Code - " $responseCode
    Write-Host "Response Body - " $responseBody
    
    Write-Host "`n###############################################`n"
}

相关问题