
I have had this problem for 2 weeks so far and still haven't figured it out. I have been testing on multiple computers, and here is the symptom.

When setting up the Agent on any computer that is using the corporation network, I get an SSL exception:

System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception
 ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host..
 ---> System.Net.Sockets.SocketException (10054): An existing connection was forcibly closed by the remote host.
....
Attempt 1 of GET request to https://dev.azure.com/{org}/_apis/connectionData?connectOptions=1&lastChangeId=366981152&lastChangeId64=366981152 failed (Socket Error: ConnectionReset)

Below is what I have tried:

1) Passed the GET request directly from the browser / Postman > works fine and receives the connectionData from Azure DevOps. Note: no proxy and no web filter applied to the site

https://dev.azure.com/{org}/_apis/connectionData?connectOptions=1&lastChangeId=366981152&lastChangeId64=366981152

2) Telnet from cmd > works fine as well

> Telnet test.dev.azure.com 443

3) Followed the instructions here https://stackoverflow.com/a/71667810/9391928 and ran the Debugging Script and Mitigation Script (modify registry) to enforce TLS 1.2; so far all checks are green, but there is still an unknown ISSUE FOUND:

Probing: status.dev.azure.com
ISSUE FOUND: This may be TLS compatibility issue!
Probe failed when TLS-negotiating to 13.107.6.183:443. Error: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
***
TLS 1.2 client usage enabled.
***
Cipher Suite check passed: at least one of the TLS 1.2 cipher suites supported by Azure DevOps is enabled.
***
Key Exchange check passed.
***
Elliptic curve check passed: at least one elliptic curve supported by Azure DevOps is enabled
***
.NET Framework release is 4.7+ (release 528372)
TLS 1.2 enforced for applications targetting .NET Framework 4.0/4.5.x
TLS 1.2 enforced for applications targetting .NET Framework 4.0/4.5.x (32bit app on 64bit OS)
TLS 1.2 enforced for applications targetting .NET Framework 3.5
TLS 1.2 enforced for applications targetting .NET Framework 3.5 (32bit app on 64bit OS)
All mitigations required to ensure TLS 1.2-compatibility of legacy .NET applications are in place.

4) Prepared a laptop and tested registering/running the agent with vs. without the corporation network; it fails whenever connected to the corporation network (using a non-corporation network works fine)

5) Ran the client SSL check from Postman / browser for both cases, with vs. without the corporation network, and got the same TLS 1.3 returned with all the same cipher suites supported (including "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" & "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", which are used by Azure DevOps)

request: https://www.howsmyssl.com/a/check

response: "given_cipher_suites": [
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
],
"ephemeral_keys_supported": true,
"session_ticket_supported": true,
"tls_compression_supported": false,
"unknown_cipher_suite_supported": false,
"beast_vuln": false,
"able_to_detect_n_minus_one_splitting": false,
"insecure_cipher_suites": {},
"tls_version": "TLS 1.3",
"rating": "Probably Okay"

6) Changed the Probing Script to probe www.google.com and it fails as well (of course it succeeds on the normal network ^_V)

7) Double-checked the DNS resolver to IP address > the resolver works fine, and the Azure DevOps IP address is the same on both networks.

8) Wrote a .NET console app to run a test (similar to the Probing Script) and always got the exception "An existing connection was forcibly closed by the remote host" when in the corporation network. When out of the corporation network the run is fine and the stream returns NegotiatedCipherSuite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 for test.dev.azure.com (and TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 for www.google.com)

client.Connect(connectHost, 443); // Success
...
var askedProtocols = System.Security.Authentication.SslProtocols.Tls12;
stream.AuthenticateAsClient(connectHost, null, askedProtocols, false); // Always throw exception "An existing connection was forcibly closed by the remote host."
return new(connectHost, true, remoteEndpoint, null);
...

Any suggestion will be much appreciated, guys!

Dien Vu
  • Have you discussed the issue with your network operations staff? They may be able to inspect the traffic and help pinpoint the issue. – Daniel Mann May 23 '22 at 03:54
  • Please use Wireshark to capture the TLS handshake attempt when connecting the PowerShell client to https://status.dev.azure.com via the corp network. Attach the full content of the ClientHello message please (in the Wireshark GUI unwrap *all* the tree items under ClientHello and do "Copy all visible items") – on-the-ray May 26 '22 at 12:16
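The ClientHello comparison the last comment above asks for, as an added example that is not part of the original post: a Python parser for a captured ClientHello record (raw bytes as exported from Wireshark) that reports SNI, offered versions and cipher suites, so the agent's hello on the corporate network can be compared field by field with the browser's. The sample hello is constructed by hand, and the two Azure DevOps suites checked for are the ones named in step 5.

```python
# Added example (not from the post): inspect a captured TLS ClientHello record.
AZURE_DEVOPS_SUITES = {                      # suites named in step 5 of the post
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

def _u(buf, off, n):
    """Big-endian unsigned int of n bytes at off; returns (value, new offset)."""
    return int.from_bytes(buf[off:off + n], "big"), off + n

def parse_client_hello(rec):
    """Fields of a ClientHello inside a TLS handshake record (RFC 8446 section 4.1.2)."""
    if rec[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rlen, p = _u(rec, 3, 2)                  # record version at [1:3] is ignored
    body = rec[p:p + rlen]
    if body[0] != 1:
        raise ValueError("not a ClientHello")
    ver, p = _u(body, 4, 2)                  # after handshake type + 3-byte length
    p += 32                                  # client random
    n, p = _u(body, p, 1); p += n            # legacy session id
    n, p = _u(body, p, 2)
    suites = [int.from_bytes(body[i:i + 2], "big") for i in range(p, p + n, 2)]
    p += n
    n, p = _u(body, p, 1); p += n            # compression methods
    info = {"legacy_version": ver, "cipher_suites": suites, "sni": None, "supported_versions": []}
    if p < len(body):                        # extensions block is optional
        n, p = _u(body, p, 2)
        end = p + n
        while p < end:
            etype, p = _u(body, p, 2)
            elen, p = _u(body, p, 2)
            ext, p = body[p:p + elen], p + elen
            if etype == 0:                   # server_name: list len(2), type(1), len(2), name
                info["sni"] = ext[5:5 + int.from_bytes(ext[3:5], "big")].decode("ascii")
            elif etype == 43:                # supported_versions: len(1), 2-byte versions
                info["supported_versions"] = [int.from_bytes(ext[i:i + 2], "big")
                                              for i in range(1, 1 + ext[0], 2)]
    return info

def azure_devops_suites_offered(info):
    """Names of the Azure DevOps suites present in the hello (empty list = a real problem)."""
    return [AZURE_DEVOPS_SUITES[s] for s in info["cipher_suites"] if s in AZURE_DEVOPS_SUITES]

# Constructed sample: legacy version TLS 1.2, three suites, SNI and supported_versions extensions.
SAMPLE_HELLO = bytes.fromhex(
    "16 03 01 00 57" "01 00 00 53" "03 03" + "11" * 32 + "00"
    "00 06 13 02 c0 30 c0 2f" "01 00" "00 24"
    "00 00 00 17 00 15 00 00 12" + "test.dev.azure.com".encode().hex() +
    "00 2b 00 05 04 03 04 03 03")
```

Run it on the agent's capture and the browser's capture and diff the two dicts; a hello whose SNI or suite list differs from the working one is the first thing to show the network team.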
