Azure DevOps Services to require TLS 1.2 (Updated)

Justin Chung

March 6 Update: Based on feedback from our customers, we have decided to postpone this change. We will not disable, temporarily or permanently, TLS 1.0/1.1 for Azure DevOps Services until further notice.

You can read more details in this post. We apologize for the inconvenience this might have caused to our customers.

The original, retracted announcement continues below.

Because of the potential for future protocol downgrade attacks and other vulnerabilities in Transport Layer Security (TLS) versions 1.0 and 1.1 that are not specific to Microsoft’s implementation, dependencies on all security protocols older than TLS 1.2 must be removed where possible. In line with Microsoft’s position on protecting against cryptographic attacks, Azure DevOps is announcing the disablement of TLS 1.0 and TLS 1.1 on March 31, 2020. This applies to all connections to Azure DevOps Services; it will not impact the self-hosted product, Azure DevOps Server.

Approximately 95% of connections made to Azure DevOps Services use TLS 1.2 and will not be affected. This includes currently shipping clients used by Azure DevOps users. Some connections made to Azure DevOps Services use TLS 1.0 or TLS 1.1 by default, depending on the client configuration or OS version. Most commonly, these come from clients built using older versions of the .NET Framework, as well as clients bundled with the operating system in older versions of Windows, macOS and Linux.

To help mitigate this, we will temporarily disable support for TLS 1.0 and TLS 1.1 for one hour on March 10, 2020 from 00:00 to 01:00 UTC, and again from 14:00 to 15:00 UTC. While support is disabled for this small window, these systems will temporarily fail to connect to Azure DevOps Services. We will then restore support for TLS 1.0 and TLS 1.1 and provide a three-week grace period for these systems to upgrade to TLS 1.2 before we disable support for TLS 1.0 and 1.1 permanently on March 31, 2020 at 00:00 UTC.

How to enable TLS 1.2

Once TLS 1.0 and TLS 1.1 are disabled, connections to Azure DevOps Services may fail if you use XAML build, Visual Studio 2010, Visual Studio 2012, or Visual Studio 2013. For Visual Studio, you are required to use .NET Framework version 4.5.2 or higher for TLS 1.2. We strongly recommend upgrading to the latest .NET Framework version. In addition, you need to run the following script from PowerShell to set the registry keys for TLS 1.2. After running the script, you need to restart.

  # Make .NET Framework 4.x applications use strong cryptography and the OS default TLS versions (native registry view).
  New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name SchUseStrongCrypto -Value 1 -PropertyType 'Dword' -Force | Out-Null
  New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name SystemDefaultTlsVersions -Value 1 -PropertyType 'Dword' -Force | Out-Null

  # On 64-bit Windows, set the same values for 32-bit applications (WOW6432Node).
  If ([System.Environment]::Is64BitOperatingSystem) {
    New-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Name SchUseStrongCrypto -Value 1 -PropertyType 'Dword' -Force | Out-Null
    New-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Name SystemDefaultTlsVersions -Value 1 -PropertyType 'Dword' -Force | Out-Null
  }
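
To confirm the settings after the restart, the following check reads back both registry values and the installed .NET Framework release. It is an added example, not part of the original announcement; the function name Get-DotNetTls12Readiness is hypothetical, and the Release threshold 379893 is Microsoft's documented value for .NET Framework 4.5.2.

```powershell
# Added example (not from the original post): audit the values the script above writes.
function Get-DotNetTls12Readiness {
    [CmdletBinding()]
    param()

    # Registry locations written by the script above; WOW6432Node exists only on 64-bit Windows.
    $paths = @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319')
    if ([System.Environment]::Is64BitOperatingSystem) {
        $paths += 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    }

    # Installed .NET Framework 4.x release number; 379893 corresponds to 4.5.2.
    $minRelease = 379893
    $ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $release = if ($ndp) { $ndp.Release } else { $null }

    foreach ($path in $paths) {
        # A missing key or value is reported as $null and counts as not ready.
        $key = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        $strong = if ($key) { $key.SchUseStrongCrypto } else { $null }
        $sysDefault = if ($key) { $key.SystemDefaultTlsVersions } else { $null }

        [pscustomobject]@{
            Path                     = $path
            SchUseStrongCrypto       = $strong
            SystemDefaultTlsVersions = $sysDefault
            FrameworkRelease         = $release
            FrameworkOk              = ($release -ge $minRelease)
            Ready                    = ($strong -eq 1 -and $sysDefault -eq 1 -and $release -ge $minRelease)
        }
    }
}

# One row per registry location; every row should show Ready = True.
Get-DotNetTls12Readiness | Format-List
```

Run the check from a 64-bit PowerShell session on 64-bit Windows, because a 32-bit session is redirected to the WOW6432Node view for both paths.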

General information about solving the TLS 1.0 and TLS 1.1 problem is available here.

Reporting Issues

If you experience any issues with accessing your Azure DevOps Services organization after TLS 1.0 and TLS 1.1 disablement, please post an update on this open developer community item.

Conclusion

We apologize for any disruption this may cause and thank you for making the changes to improve our security posture.

As usual, feel free to reach out to us on Developer Community or on Twitter if you have questions.
