Deprecating weak cryptographic standards (TLS 1.0 and TLS 1.1) in Azure DevOps

Rajesh Ramamurthy (MSFT)

Because of the potential for future protocol downgrade attacks and other vulnerabilities in Transport Layer Security (TLS) protocol versions 1.0 and 1.1 that are not specific to Microsoft’s implementation, dependencies on all security protocols older than TLS 1.2 must be removed wherever possible. In line with Microsoft’s position on protecting against cryptographic attacks, we are announcing that Azure DevOps Services will no longer accept connections over TLS 1.0 / TLS 1.1 and will require TLS 1.2 at a minimum from January 31, 2022. This applies to all HTTPS connections to Azure DevOps Services, including web, API, and Git connections to https://dev.azure.com/orgname and https://orgname.visualstudio.com/. It does not apply to, and will not impact, the self-hosted product, Azure DevOps Server.

We anticipate minimal impact to our customers, as almost 99.5% of connections made to Azure DevOps Services already use TLS 1.2. Clients that still connect to Azure DevOps Services over TLS 1.0 / TLS 1.1 do so because of their client configuration or the OS version they run on. Most commonly, this includes clients built using older versions of the .NET Framework, as well as clients running on older releases of Windows, macOS and Linux.

To help surface affected systems ahead of the deadline, we will temporarily disable support for TLS 1.0 / TLS 1.1 for one hour on December 7, 2021, from 02:00 to 03:00 UTC, from 08:00 to 09:00 UTC, and from 18:00 to 19:00 UTC. We will repeat this on January 11, 2022, from 02:00 to 03:00 UTC, from 08:00 to 09:00 UTC, and from 18:00 to 19:00 UTC. During each of these small windows, systems that depend on TLS 1.0 / TLS 1.1 will temporarily fail to connect to Azure DevOps Services. We will then restore support for TLS 1.0 / TLS 1.1 and provide a grace period of 3 weeks for these systems to upgrade to TLS 1.2 before we disable support permanently on January 31, 2022, at 00:00 UTC.

How to enable TLS 1.2?

Once TLS 1.0 / TLS 1.1 are disabled, connections to Azure DevOps Services may fail if you are using XAML build, Visual Studio 2010, Visual Studio 2012, or Visual Studio 2013. For Visual Studio, .NET Framework 4.5.2 or later is required for TLS 1.2. We strongly recommend upgrading to the latest .NET Framework version.

This may also impact Git operations in Visual Studio 2017 against Azure DevOps. The recommended fix is simply to upgrade to the latest release of Visual Studio 2017, which includes the updated components needed to connect to Git servers that require TLS 1.2.

While fetching from or pushing to a Git repository, you may see errors like:

fatal: HttpRequestException encountered. An error occurred while sending the request.

If your Visual Studio client machine is affected, follow the instructions below to get things working again.

First, please upgrade to the latest release of Visual Studio 2022 by clicking on the in-product notification flag or by checking for an update directly from the IDE.

If you cannot upgrade your instance to Visual Studio 2022, please install the latest Git for Windows from https://gitforwindows.org/. This is especially important if you are running a version of Git in the 1.x series and are seeing an error message like the following, which means the server rejected the protocol version your Git client offered:

error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version

If you cannot upgrade to one of the current releases above, there are two machine-wide registry keys you can set that affect all .NET-based applications on the client machine, as detailed here.

Note: Once you’ve set these machine-wide .NET registry keys, other .NET apps on the machine that connect to servers that do NOT support TLS 1.2, and that cannot automatically negotiate down to TLS 1.0 / TLS 1.1 (broken server implementations), can use a separate per-executable registry key to opt out of the TLS 1.2 behavior. More information can be found in KB3154520. On Windows 8 and later client operating systems, and on Windows Server 2012 and later server operating systems, TLS 1.2 is available and used as the default protocol version.

If you are using Windows 7 or Windows Server 2008 R2, TLS 1.2 must be enabled at the operating system level before the .NET Framework (and therefore Visual Studio and Git Credential Manager) can use it. Check the documentation here to enable this.
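The PowerShell script below is an added example for the steps above; it is not part of the original post and is not Microsoft tooling. It audits and sets the Schannel TLS 1.2 client keys that Windows 7 / Server 2008 R2 need, writes the machine-wide .NET Framework values SchUseStrongCrypto and SystemDefaultTlsVersions that the linked guidance and KB3154520 describe (to both the 64-bit and WOW6432Node hives), and includes a handshake probe that offers only TLS 1.2 so you can confirm a client before and after the change, which is the quickest way to reproduce the "protocol version" errors shown earlier. The function names, the inclusion of the v2.0.50727 paths for .NET 3.5, and the default host dev.azure.com are this example's own choices. Run it from an elevated prompt; Schannel changes take effect after a reboot.

```powershell
# Added example (not from the Azure DevOps blog post): audit and enable TLS 1.2
# for Schannel and for the .NET Framework on an older Windows client.
# Run from an elevated (Administrator) PowerShell prompt; written to work on
# PowerShell 2.0 as shipped with Windows 7, so no PS3-only syntax is used.

# Schannel protocol keys; Windows 7 / Server 2008 R2 need TLS 1.2\Client set explicitly.
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# .NET Framework keys: v4.0.30319 covers .NET 4.x, v2.0.50727 covers .NET 2.0/3.5.
# Both the native 64-bit hive and the WOW6432Node (32-bit) hive are written.
$DotNetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727'
)

function Get-RegDword {
    # Returns the DWORD value, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Set-RegDword {
    # Creates the key if needed and writes (or overwrites) a DWORD value.
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Get-Tls12ClientState {
    # Read-only audit of every setting this script can change.
    $client = Join-Path $SchannelBase 'TLS 1.2\Client'
    $rows = @()
    foreach ($n in 'Enabled', 'DisabledByDefault') {
        $rows += New-Object PSObject -Property @{ Key = $client; Name = $n; Value = (Get-RegDword $client $n) }
    }
    foreach ($k in $DotNetKeys) {
        foreach ($n in 'SchUseStrongCrypto', 'SystemDefaultTlsVersions') {
            $rows += New-Object PSObject -Property @{ Key = $k; Name = $n; Value = (Get-RegDword $k $n) }
        }
    }
    return $rows
}

function Enable-Tls12Client {
    # Enable TLS 1.2 in Schannel and make .NET follow the OS default protocol list
    # with strong crypto, which is what lets .NET 4.5.2+ apps negotiate TLS 1.2.
    $client = Join-Path $SchannelBase 'TLS 1.2\Client'
    Set-RegDword $client 'Enabled' 1
    Set-RegDword $client 'DisabledByDefault' 0
    foreach ($k in $DotNetKeys) {
        # Only touch .NET versions that are actually installed on this machine.
        if (Test-Path $k) {
            Set-RegDword $k 'SchUseStrongCrypto' 1
            Set-RegDword $k 'SystemDefaultTlsVersions' 1
        }
    }
}

function Test-Tls12Handshake {
    # Opens a TCP connection and offers only TLS 1.2. Returns $true when the
    # handshake completes on TLS 1.2, $false (with the failure reason) otherwise.
    # Needs network access to the target host; the default is this example's choice.
    param([string]$HostName = 'dev.azure.com', [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        return ($ssl.SslProtocol -eq [System.Security.Authentication.SslProtocols]::Tls12)
    } catch {
        Write-Warning ("TLS 1.2 handshake with {0}:{1} failed: {2}" -f $HostName, $Port, $_.Exception.Message)
        return $false
    } finally {
        $tcp.Close()
    }
}

# Usage: audit first, apply, then verify. Reboot before trusting the Schannel result.
Get-Tls12ClientState | Format-Table Key, Name, Value -AutoSize
Enable-Tls12Client
Test-Tls12Handshake
```

If the probe fails on a client that is already fully patched but still reports a handshake error, the missing piece is usually the Schannel `TLS 1.2\Client` key (Windows 7 / 2008 R2) rather than the .NET keys; the audit output makes that distinction visible before you change anything. The .NET values only affect applications that have not pinned a protocol list in code, which matches the per-executable opt-out behaviour the note above describes.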

Conclusion

We apologize for any disruption this may cause and appreciate your support to improve our security posture. As always, if you have any questions or concerns related to this announcement, please do not hesitate to reach out to us on Developer Community or by posting your comments below.

13 comments


  • Rajesh Ramamurthy (MSFT), Microsoft employee 0

    We are pushing out the temporary disablement of TLS 1.0/1.1 from Dec 7th to Dec 9th. The times for temporarily disabling TLS 1.0/1.1 remain the same. We will now do it for one hour on December 9, 2021, 02:00 to 03:00 UTC, and at 08:00 to 09:00 UTC, and at 18:00 to 19:00 UTC.

  • Rohit-Batra, Microsoft employee 0

    Temporary disablement of TLS 1.0/1.1 planned for December has been canceled. We will attempt disabling on Jan 11 on specified timings as noted above.


  • Jason Warren 0

    Hi Rajesh, this is great info and I appreciate the advanced notice. I just noticed the visualstudio.com URL has a typo in it, orgname.visualsdtudio.com.

    • Rajesh Ramamurthy (MSFT), Microsoft employee 0

      Thanks Jason. We will get that fixed.

  • Supriya Addagada 0

    Rajesh, we ran into issues with our ADO builds/deployments using self-hosted agents on Jan 11 when TLS 1.0/TLS 1.1 were disabled temporarily. We have applied the recommendations provided in the article. Is there any plan to temporarily disable TLS 1.0/TLS 1.1 for some time before Jan 31st, so we could run the tests and make sure we are not impacted on Jan 31st?

    • Smarsh MG 0

      We would like this too. FYI @Rajesh or anyone from Microsoft who might be reading.

      • Rajesh Ramamurthy (MSFT), Microsoft employee 0

        There are no plans to conduct another test. If your self-hosted agents are running on older operating systems (Windows Server 2008 R2, Windows Server 2012, Windows 7), you can follow the instructions given here to configure them to use TLS 1.2. That should take care of it.

  • Meron Hayle 0

    How about TLS 1.3? When shall we expect that to be supported by Azure?

  • Maulik Modi 0

    What is the guidance for users on Visual Studio 2019 having Git version 2.x series?

    • Rajesh Ramamurthy (MSFT), Microsoft employee 0

      VS 2019 with Git 2.x should be good here.

  • Shinde Shubham - MRAS-US - external 0

    Hi Team, I would like to know if there is any impact on just using VSTS (Team Foundation Server) from Visual Studio 2015 to our project repository on Azure DevOps without any deployment pipeline.

    • Chris Mann, Microsoft employee 0

      You will be impacted if you are using VS 2015 and need to communicate with Azure DevOps.
