{"id":70622,"date":"2025-04-01T11:04:32","date_gmt":"2025-04-01T19:04:32","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/devops\/?p=70622"},"modified":"2025-04-01T13:17:33","modified_gmt":"2025-04-01T21:17:33","slug":"sni-mandatory-for-azdo-services","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/devops\/sni-mandatory-for-azdo-services\/","title":{"rendered":"Important Update: Server Name Indication (SNI) Now Mandatory for Azure DevOps Services"},"content":{"rendered":"<p>Earlier this year, we announced an upgrade to our network infrastructure and the new IP addresses you need to allow list in your firewall &#8211; <a href=\"https:\/\/devblogs.microsoft.com\/devops\/update-to-ado-allowed-ip-addresses\/\" target=\"_blank\">Update to Azure DevOps Allowed IP addresses &#8211; Azure DevOps Blog<\/a>.<\/p>\n<p>This is our second blog post to inform you that starting from <strong>April 23rd, 2025, we will be requiring <a href=\"https:\/\/en.wikipedia.org\/wiki\/Server_Name_Indication\" target=\"_blank\">Server Name Indication (SNI)<\/a> on all incoming HTTPS connections to Azure DevOps Services.<\/strong><\/p>\n<p>SNI is an extension to the TLS protocol that allows clients to specify the hostname they are connecting to. All modern browsers and client software support SNI and use it by default, ensuring a seamless transition for most users. In fact, more than 99.995% of the customer traffic reaching our servers is SNI-ready.<\/p>\n<p>However, some client software may be incompatible with SNI due to various factors, such as outdated or misconfigured networking libraries, runtimes, or operating systems. Issues may also arise from proxies or NGFW firewalls. The following tools used with Azure DevOps may be impacted by SNI issues:<\/p>\n<ul>\n<li>Git clients <\/li>\n<li>IDE plugins and extensions (e.g., Team Explorer Everywhere)<\/li>\n<li>Software running on older Java versions which do not support SNI (Java 6 and earlier) or do not have SNI enabled by default (some versions of Java 7 and 8)<\/li>\n<li>Old browser versions (see <a href=\"https:\/\/caniuse.com\/sni\" target=\"_blank\">https:\/\/caniuse.com\/sni<\/a>)<\/li>\n<\/ul>\n<p>SNI issues usually manifest by connection errors, such as:<\/p>\n<ul>\n<li><code>ERR_SSL_PROTOCOL_ERROR<\/code>, <code>ERR_CERT_COMMON_NAME_INVALID<\/code><\/li>\n<li><code>javax.net.ssl.SSLHandshakeException<\/code>, <code>javax.net.ssl.SSLException<\/code><\/li>\n<li><code>Could not establish trust relationship for the SSL\/TLS secure channel<\/code><\/li>\n<\/ul>\n<h1>How to test the SNI compatibility<\/h1>\n<p>You can validate the SNI-compatibility of your system by calling the status endpoint of Azure DevOps, which we have configured to require SNI. If this call is successful, it indicates that the host, including its operating system and networking environment, is SNI-compatible.<\/p>\n<h3>Windows<\/h3>\n<pre><code class=\"powershell\">Invoke-WebRequest -Method GET -Uri https:\/\/status.dev.azure.com\/_apis\/health<\/code>\n<\/pre>\n<h3>Linux<\/h3>\n<pre><code class=\"bash\">curl -X GET https:\/\/status.dev.azure.com\/_apis\/health<\/code>\n<\/pre>\n<h3>Browser<\/h3>\n<pre><code class=\"text\">https:\/\/status.dev.azure.com\/<\/code>\n<\/pre>\n<h3>Software<\/h3>\n<p>Legacy software may have its own SNI compatibility issues, independent of the hosting computer. If you have a program that connects to Azure DevOps, you can test the SNI readiness by temporarily overriding DNS settings. This will ensure the program connects to Azure DevOps through an endpoint that requires SNI.<\/p>\n<p>Follow these steps:<\/p>\n<p><strong>1&#46; Resolve an IP address of status.dev.azure.com<\/strong><\/p>\n<p><strong>Windows:<\/strong><\/p>\n<pre><code class=\"powershell\">(Resolve-DnsName status.dev.azure.com -Type A).IP4Address<\/code>\n<\/pre>\n<p><strong>Linux:<\/strong><\/p>\n<pre><code class=\"bash\">dig +short status.dev.azure.com<\/code>\n<\/pre>\n<p><strong>2&#46; Open the Hosts File.<\/strong><\/p>\n<p><strong>Windows:<\/strong> <code>C:\\Windows\\System32\\drivers\\etc\\hosts<\/code><\/p>\n<p><strong>Linux:<\/strong> <code>\/etc\/hosts<\/code><\/p>\n<p><strong>3&#46; Add DNS overrides. Add the following lines to the <em>hosts<\/em> file, replacing <code>&lt;ipaddress&gt;<\/code> with the IP address returned in Step 1.<\/ipaddress><\/strong><\/p>\n<pre><code class=\"text\">&lt;ipaddress&gt; &lt;account-name&gt;.visualstudio.com\n&lt;ipaddress&gt; dev.azure.com\n&lt;ipaddress&gt; feeds.dev.azure.com\n&lt;ipaddress&gt; vsrm.dev.azure.com\n&lt;ipaddress&gt; pkgs.dev.azure.com\n<\/code><\/pre>\n<p><strong>4&#46; Restart the program being validated to allow it to pick up the DNS overrides. Test that it connects to Azure DevOps and works as expected.<\/strong><\/p>\n<p><strong>5&#46; After validating, remove the lines you added in Step 3 and save the <em>hosts<\/em> file.<\/strong><\/p>\n<h1>Conclusion<\/h1>\n<p>We appreciate your cooperation in making this transition as smooth as possible. By taking the necessary actions, you can avoid experiencing connection issues.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Earlier this year, we announced an upgrade to our network infrastructure and the new IP addresses you need to allow list in your firewall &#8211; Update to Azure DevOps Allowed IP addresses &#8211; Azure DevOps Blog. This is our second blog post to inform you that starting from April 23rd, 2025, we will be requiring [&hellip;]<\/p>\n","protected":false},"author":179849,"featured_media":70212,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[224,251],"tags":[],"class_list":["post-70622","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure","category-security"],"acf":[],"blog_post_summary":"<p>Earlier this year, we announced an upgrade to our network infrastructure and the new IP addresses you need to allow list in your firewall &#8211; Update to Azure DevOps Allowed IP addresses &#8211; Azure DevOps Blog. This is our second blog post to inform you that starting from April 23rd, 2025, we will be requiring [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/70622","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/users\/179849"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/comments?post=70622"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/70622\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media\/70212"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media?parent=70622"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/categories?post=70622"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/tags?post=70622"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}