Correction TLS/SSL pour connexion aux automates Eclypse

- Remplacement de la validation de certificat par ICertificatePolicy avec activation TLS 1.0/1.1/1.2
- ajout d'un fallback curl.exe -k pour les cas ou la négociation TLS .NET échoue
This commit is contained in:
2026-07-15 08:29:54 +02:00
parent 3ca397d518
commit 3025e97263
2 changed files with 43 additions and 6 deletions
+38 -5
View File
@@ -92,8 +92,10 @@ function Write-Log {
# FONCTION : Initialize-ApiClient
# Force TLS 1.2 et accepte les certificats auto-signes (equivalent curl -k)
# =====================================================================
$script:CurlAvailable = $false
function Initialize-ApiClient {
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls
if (-not ([System.Management.Automation.PSTypeName]'TrustAllCertsPolicy').Type) {
Add-Type @"
@@ -109,6 +111,27 @@ public class TrustAllCertsPolicy : ICertificatePolicy {
"@
}
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
$script:CurlAvailable = [bool](Get-Command curl.exe -ErrorAction SilentlyContinue)
}
function Test-SslError {
param([System.Exception]$Exception)
$msg = $Exception.Message
return ($msg -match "SSL" -or $msg -match "TLS" -or $msg -match "confiance" -or $msg -match "trust" -or $msg -match "certificate" -or $msg -match "envoi")
}
function Invoke-CurlGet {
param(
[string]$Url,
[string]$Username,
[AllowEmptyString()][string]$Password
)
$output = & curl.exe -s -k -u "${Username}:${Password}" -H "Accept: text/csv, application/json, text/plain, */*" $Url 2>&1
if ($LASTEXITCODE -ne 0) {
throw "curl GET erreur (exit code $LASTEXITCODE): $output"
}
return ($output | Out-String)
}
# =====================================================================
@@ -202,7 +225,17 @@ function Invoke-AuditLogGet {
[AllowEmptyString()][string]$Password
)
$headers = Get-AuthHeader -Username $Username -Password $Password
return Invoke-WebRequest -Uri $Url -Method GET -Headers $headers -UseBasicParsing -TimeoutSec 30
try {
$response = Invoke-WebRequest -Uri $Url -Method GET -Headers $headers -UseBasicParsing -TimeoutSec 30
return $response.Content
}
catch {
if ((Test-SslError -Exception $_.Exception) -and $script:CurlAvailable) {
Write-Log -Message "Bascule sur curl.exe -k (echec TLS .NET)" -Level WARN
return Invoke-CurlGet -Url $Url -Username $Username -Password $Password
}
throw
}
}
# =====================================================================
@@ -261,17 +294,17 @@ foreach ($automate in $automates) {
Write-Log -Message "[$hostname] GET $url (user: $($creds.Username))" -Level INFO
$response = Invoke-AuditLogGet -Url $url -Username $creds.Username -Password $creds.Password
$content = Invoke-AuditLogGet -Url $url -Username $creds.Username -Password $creds.Password
if ($OutputFormat -eq "PerAutomate") {
$filePath = Join-Path $outputDir "$ip.csv"
Set-Content -Path $filePath -Value $response.Content -Encoding UTF8
Set-Content -Path $filePath -Value $content -Encoding UTF8
Write-Log -Message "[$hostname] Journal d'audit ecrit : $filePath" -Level OK
}
else {
# Suppose une reponse API au format CSV (comme le .bat d'origine qui
# ecrit directement la reponse brute dans un fichier .csv)
$rows = @($response.Content | ConvertFrom-Csv)
$rows = @($content | ConvertFrom-Csv)
foreach ($row in $rows) {
$obj = [ordered]@{ Hostname = $hostname; IP = $ip }
foreach ($prop in $row.PSObject.Properties) { $obj[$prop.Name] = $prop.Value }