Azure app service client not picking up TLS1.2 to connect to other Azure app service

  • Question

  • I have 2 Azure app services. The client is running on 4.6.1 and is already on TLS 1.2 as per the Azure SSL/TLS setting in the Azure portal. The server app service is on 4.5.2 and running on TLS 1.0 as per the Azure SSL/TLS setting in the Azure portal. This configuration is working fine. But when I upgrade the server app service TLS version to 1.2, the client service is not able to connect to the server service and fails with the socket exception below.

    An error occurred while sending the request. The underlying connection was closed: An unexpected error occurred on a send. Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. An existing connection was forcibly closed by the remote host

    When I try hard-coding the TLS version to 1.2 in the client's code it works perfectly fine, but I don't want to hard-code the TLS version.

    I tried setting the DontEnableSystemDefaultTlsVersions AppContext switch as per https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls#if-your-app-targets-a-net-framework-version-earlier-than-47, but it didn't work.

    Any reason why this might be happening? Or is there any workaround if we don't want to upgrade to 4.7 or later?

    Tuesday, December 17, 2019 7:19 PM

All replies

  • Any update on this?
    Thursday, December 19, 2019 7:41 PM
  • Hi,

    I am investigating this issue and will update you here.

    Saturday, December 21, 2019 7:46 AM
  • Hi,

    Could you please send an email to AzCommunity[at]Microsoft[dot]com referencing this thread, we would like to work closer with you on this matter

    Tuesday, December 24, 2019 11:52 AM
  • Hi Shraddha,

    The TLS setting in the Azure portal is a minimum TLS setting. And as far as I know, TLS 1.2 is backwards compatible with 1.1 and 1.0. TLS 1.2 is opt-in on .NET 4.5, and I'm thinking that setting the minimum on the app service is causing the mismatch between the app service instance and your code base, since 4.5.1 defaults to 1.1. I don't see any workaround, as these recommendations (the same link in your post) aren't available to Azure app services. DontEnableSystemDefaultTlsVersions only works for 4.6, not the 4.5.1 that your server code is running. I have reached out to the product team for clarification on the TLS mismatch between your app service and your codebase, but I would recommend setting ServicePoint.SecurityProtocol = SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

    Could you further elaborate on the reluctance to setting this in code?

    EDIT: I was incorrect, TLS 1.2 is not backwards compatible. Using TLS 1.2 means that communication must be done using that version. Furthermore, the setting on the Azure portal is for inbound traffic only. If your client and server are on TLS 1.2, you'll have to explicitly set your server to TLS 1.2 as instructed above, since .NET 4.5.1 runs 1.0 by default.

    Thanks in advance, Ryan

    Tuesday, January 7, 2020 4:27 AM
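An added example (not code from the thread or from Microsoft) that makes the two points above checkable from the client side on .NET Framework 4.6.x: it enables TLS 1.2 process-wide by OR-ing the flag into ServicePointManager.SecurityProtocol instead of overwriting it, and it probes the server app service to see which TLS version it negotiates when offered only TLS 1.0 versus only TLS 1.2, which is how the portal's inbound minimum-TLS setting shows up. The hostname is a hypothetical placeholder.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

// Added example code; not part of the original thread.
static class TlsStartup
{
    // Call once at startup (e.g. Global.asax Application_Start) on a 4.6.x
    // runtime when the app cannot move to 4.7's SecurityProtocolType.SystemDefault.
    public static SecurityProtocolType EnableTls12Additively()
    {
        // OR the flag in rather than assigning, so any protocol the runtime or
        // config already enabled stays enabled; the thread's failure comes from
        // TLS 1.2 simply being absent from the client's offered set.
        ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;
        return ServicePointManager.SecurityProtocol;
    }

    // Reports which protocol the remote host negotiates when offered exactly
    // 'offered'. Throws on handshake failure, which is what a server whose
    // inbound minimum is TLS 1.2 does when only TLS 1.0 is offered.
    public static SslProtocols Probe(string host, int port, SslProtocols offered)
    {
        using (var tcp = new TcpClient(host, port))
        using (var ssl = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false))
        {
            ssl.AuthenticateAsClient(host, null, offered, checkCertificateRevocation: true);
            return ssl.SslProtocol;
        }
    }

    static void Main()
    {
        Console.WriteLine("Default SecurityProtocol: " + ServicePointManager.SecurityProtocol);
        Console.WriteLine("After enabling TLS 1.2:   " + EnableTls12Additively());

        // Hypothetical hostname; replace with the server app service's hostname.
        const string host = "server-app.example.azurewebsites.net";
        foreach (var offered in new[] { SslProtocols.Tls, SslProtocols.Tls12 })
        {
            try { Console.WriteLine(offered + " -> negotiated " + Probe(host, 443, offered)); }
            catch (Exception e) { Console.WriteLine(offered + " -> rejected: " + e.GetType().Name); }
        }
    }
}
```

If the first line prints only Ssl3 and Tls, the client process is running with the pre-4.6 defaults (typically a 4.5.x target framework), which matches the symptom in the question; the probe output then shows whether the server's minimum-TLS setting is what rejects it.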