Deprecating weak cryptographic standards (TLS 1.0 and TLS 1.1) in Azure DevOps

Rajesh

Due to the potential for future protocol downgrade attacks and other Transport Layer Security (TLS) protocol versions 1.0 and 1.1 vulnerabilities not specific to Microsoft’s implementation, it is required that dependencies on all security protocols older than TLS 1.2 be removed wherever possible. Per Microsoft’s position to protect against cryptographic attacks, we are announcing that Azure DevOps services will no longer accept connections coming over TLS 1.0 / TLS 1.1 and require TLS 1.2 at a minimum from January 31, 2022. This applies to all HTTPS connections to Azure DevOps Services including web API, and git connections to https://dev.azure.com/orgname and https://orgname.visualsdtudio.com/. This does not apply and will not impact the self-hosted product, Azure DevOps Server.

We anticipate minimal impacts to our customers as almost 99.5% of connections made to Azure DevOps Services already use TLS 1.2. Clients that are connecting to Azure DevOps services over TLS 1.0 / TLS 1.1 are doing so because of the client configurations or OS version used. Most commonly, this includes clients built using older versions of the .NET Framework, as well as clients built on operating systems bundled with an older version of Windows, macOS and Linux.

To help mitigate this, we will temporarily disable support for TLS 1.0 / TLS 1.1 for one hour on December 7, 2021, 02:00 to 03:00 UTC, and at 08:00 to 09:00 UTC, and at 18:00 to 19:00 UTC. We will repeat this again on January 11, 2022, 02:00 to 03:00 UTC, and at 08:00 to 09:00 UTC, and at 18:00 to 19:00 UTC. By disabling support for a small window, these systems will temporarily fail to connect to Azure DevOps Services. We will then restore support for TLS 1.0 / TLS 1.1 and provide a grace period of 3 weeks for these systems to upgrade to TLS 1.2 before we disable support permanently on January 31, 2022, at 00:00 UTC.

How to enable TLS 1.2?

Due to TLS 1.0 / TLS 1.1 disablement, connections to Azure DevOps Services may fail if using XAML build, Visual Studio 2010, Visual Studio 2012, and Visual Studio 2013. For Visual Studio, you are required to use .NET Framework 4.5.2 version or higher for TLS 1.2. We strongly recommend an upgrade to the latest .NET Framework version.

This may impact Git operations in Visual Studio 2017 against Azure DevOps. The recommended solution to this problem is simply to upgrade to the latest release of Visual Studio 2017. The latest version of Visual Studio 2017 includes the necessary updates to components that support connecting to TLS 1.2 Git servers.

You may see errors like:

fatal: HttpRequestException encountered. An error occurred while sending the request. while fetching or pushing to a Git repository.

If your Visual Studio client machine is affected, follow the instructions below to get things working again.

First, please upgrade to the latest release of Visual Studio 2022 by clicking on the in-product notification flag or by checking for an update directly from the IDE.

If you cannot upgrade your instance to Visual Studio 2022, please install the latest Git for Windows component from https://gitforwindows.org/, especially if you are running a version of Git in the 1.x series and are seeing an error message that looks like:

error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version

If you cannot upgrade to one of the above current releases, then there are two machine-wide registry keys you can set that affect all .NET-based applications on the client machine as detailed here.

Note: Once you’ve set these machine-wide .NET registry keys, then for other .NET apps on the machine that attempt to connect to servers that do NOT support TLS 1.2 and are unable to automatically negotiate down to TLS 1.0 / TLS 1.1 (broken server implementations), another per-executable registry key is available for the app to opt-out of the TLS 1.2 behavior. More information can be found in KB3154520. On Windows 8 and later versions of the client operating systems, or Windows Server 2012 server and later versions of the server operating systems, TLS 1.2 is available and used as the default protocol version.

If you are using Windows 7 or Windows Server 2008 R2, the TLS 1.2 protocol will need to be enabled at the operating system level for .NET Framework (and therefore Visual Studio and Git Credential Manager) to be able to make use of it. Check the documentation here to enable this.

Conclusion

We apologize for any disruption this may cause and appreciate your support to improve our security posture. As always, if you have any questions or concerns related to this announcement, please do not hesitate to reach out to us on Developer Community or by posting your comments below.

3 comments

Leave a comment

  • Rajesh Ramamurthy (MSFT)Microsoft employee

    We are pushing out the temporary disablement of TLS 1.0/1.1 from Dec 7th to Dec 9th. The times for temporarily disabling TSL 1.0/1.1 remains the same. We will now do it for one hour on December 9, 2021, 02:00 to 03:00 UTC, and at 08:00 to 09:00 UTC, and at 18:00 to 19:00 UTC.

  • Rohit-BatraMicrosoft employee

    Temporary disablement of TLS 1.0/1.1 planned for December has been canceled. We will attempt disabling on Jan 11 on specified timings as noted above.

    • dewo web

      We are pushing out the temporary disablement of TLS 1.0/1.1 from Dec 7th to Dec 9th. The times for temporarily disabling TSL 1.0/1.1 remains the same. We will now do it for one hour on December 9, 2021, 02:00 to 03:00 UTC, and at 08:00 to 09:00 UTC, and at 18:00 to 19:00 UTC.
      dewoweb