
Windows server was updated from 10 to 11. TLS certificates were updated. I've verified that it's using 1.2. SSL works as well. Azure DevOps is accessible via the server.

Installing a new agent results in the same issue.

Attempting to restart/remove the agent via the start/setup .cmd files yields no results. It gives the same SSL result:

System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.

---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host..

---> System.Net.Sockets.SocketException (10054): An existing connection was forcibly closed by the remote host.

   --- End of inner exception stack trace ---

I was able to previously restart the agent via .cmd files but do not remember encountering the SSL issue.

I can post additional details if needed. I've explored all avenues that I could think of.

I tried reinstalling the agent and stopping the agent. I was expecting to remove the old agent and create a new connection.

2 Answers

Just an update on where we are with the pipeline fix, and some things I found.

It seems that PowerShell was using version 5 by default when 7 is available, it gives another error, although a “better” one.

https://devblogs.microsoft.com/devops/deprecating-weak-cryptographic-standards-tls-1-0-and-1-1-in-azure-devops-services/

Essentially, running "Quick check of TLS 1.2 compatibility" throws an error. It had something to do with the cipher suites enabled on the server.

On our server:

TLS_RSA_....

.....

....

In the article:

It is key that on the OS one of the four TLS 1.2 cipher suites below is enabled:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (*)

  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (*)

And it doesn't seem like they are there (I checked using Get-TlsCipherSuite).

Running this in PowerShell 7 gives the following issue:

run: (Invoke-WebRequest -Uri status.dev.azure.com -UseBasicParsing).StatusDescription

Result: Invoke-WebRequest: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.

So according to the guy: You have the problem if the above fails with “The underlying connection was closed: An unexpected error occurred on a send.”

The fix was to add those. The sys admin followed these steps:

Using Group Policy

  1. Open the Group Policy Management Console.

  2. Navigate to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.

  3. Double-click SSL Cipher Suite Order and click the Enabled option.

  4. Right-click the SSL Cipher Suites box and select Select all from the pop-up menu.

  5. Right-click the selected text and select Copy from the pop-up menu.

  6. Paste the text into a text editor such as Notepad and update it with the new cipher suite order list.

  7. Replace the list in the SSL Cipher Suites box with the updated ordered list.

  8. Click OK or Apply.

Changes will take effect after a restart. If you need more detailed information, you can find it here.
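As an added example (not code from the question or either answer), a PowerShell script that performs the Get-TlsCipherSuite check described above, optionally enables whichever of the four suites from the article are missing, and repeats the status.dev.azure.com probe. It assumes the built-in TLS cmdlets (Windows 10 / Server 2016 and later) and an elevated session when -Fix is used.

```powershell
# Added example; not from the original question or answers.
# Reports which of the four TLS 1.2 suites named in the Azure DevOps article are
# enabled on this host, optionally enables the missing ones, and reruns the probe.
param([switch]$Fix)

$Required = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'
)

# Local cipher suite order as Schannel currently sees it.
$Enabled = @((Get-TlsCipherSuite).Name)
$Present = @($Required | Where-Object { $Enabled -contains $_ })
$Missing = @($Required | Where-Object { $Enabled -notcontains $_ })

"Enabled required suites: $(if ($Present) { $Present -join ', ' } else { 'none' })"
"Missing required suites: $(if ($Missing) { $Missing -join ', ' } else { 'none' })"
if ($Present.Count -eq 0) {
    Write-Warning "None of the required TLS 1.2 suites is enabled; this matches the 10054 failure."
}

# A Group Policy cipher suite order (the steps above) overrides the local list, so
# Enable-TlsCipherSuite would not change what Schannel actually offers in that case.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$Policy = Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue
if ($Policy) {
    Write-Warning "Cipher suite order is set by Group Policy; update the GPO list instead."
}

if ($Fix -and $Missing -and -not $Policy) {
    # Insert the missing suites at the front, in the order the article lists them.
    $i = 0
    foreach ($Suite in $Missing) {
        Enable-TlsCipherSuite -Name $Suite -Position $i
        $i++
    }
    "Enabled $($Missing.Count) suite(s); restart before retesting the agent."
}

# Same probe the answer used; 'forcibly closed' here means no suite in common yet.
try {
    $r = Invoke-WebRequest -Uri 'https://status.dev.azure.com' -UseBasicParsing
    "Probe: $($r.StatusCode) $($r.StatusDescription)"
} catch {
    "Probe failed: $($_.Exception.Message)"
}
```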


According to the info you have shared, it seems that TLS 1.2 hasn't been configured successfully.

You can download and run this script Azure DevOps TLS 1.2 transition readiness checker to screen for the TLS-misconfigurations / TLS-incompatibility issues and fix it based on the script’s printed mitigation advice.

Reference:

1 Comment

Thanks for the help, I found my answer in the README on the readiness script's GitHub page.
