none
TLS 1.0 issues with service bus queue RRS feed

  • Question

  • Hi. I posted the following query to the Azure Support Twitter team and they responded with what looks to be a very promising link: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-resource-explorer

    I'm wondering a few things:

    We don't have a Microsoft.Web->Hostingenvironments node. We want to make this change for a particular Resource Group associated with a service Bus. Can that be done? I tried to do this by adding the ClusterSettings json for Disable TLS 1.0 directly to our "PlusTest2" Resource Group (in properties, as suggested). When I "Put"/save this, it seems as though it has worked, but then it doesn't show up. So can we do this, or do we need to create an "App Service Environment" and associate this Resource Group with that and then make changes that way?

    Original message:

    We are using an Azure Service Bus Queue to send messages to from a .Net app. This has worked for a few years. We are now needing to disable TLS 1.0 on our server. When we do this from our test server, we are getting TLS negotiation errors. I've examined the details using several tools. Netmon shows us that communication from http://ns-sb2-prod-ch3-003.cloudapp.net  (which is where our queue,sb://plus-relocation-test.servicebus.windows.net,must resolve to) is trying to send a TLS 1.0 handshake. It tries several times and then fails with "Exception: A call to SSPI failed". I've tried to look into various Azure settings to see if we can change the TLS version for our resource group or something, but I don't see anything. Any ideas would be greatly appreciated as I've spent a great deal of time on this. Thanks!

    Thanks for your help!

    Ben

    Friday, January 27, 2017 10:23 PM

Answers

  • Hi Ben,

    Microsoft does not allow tenants to control the TLS version or cipher suites on Azure Service Bus. 

    The legacy SBMP protocol is based on a WCF implementation that default to TLS 1.0 and will not work without TLS 1.0 support. We are aware of this and are considering options to enable 1.1 ansd 1.2 for SBMP, but the general direction is to miograte complete to AMQP.

    All AMQPS and HTTPS endpoints are TLS 1.1 and TLS 1.2 enabled.

    To switch to AMQP, please use the latest .NET client and follow this guidance:

    https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-amqp-dotnet 

    Please not the unsupported features; this is a gap we will close in the near future. 

    Best Regards
    Clemens

     

    • Proposed as answer by clemensv Wednesday, February 1, 2017 2:01 PM
    • Marked as answer by bseems Monday, February 6, 2017 5:10 AM
    Wednesday, February 1, 2017 1:43 PM

All replies

  • Hi Ben,

    The query posted by you has not reached the right forum. In order to assist best on your query, I am moving the query to the right forum.

    This will assist you with a faster reply to your query.

    Meanwhile, refer the thread which addressed similar query and try the steps as suggested.

    Regards,
    Ashok

    Saturday, January 28, 2017 4:11 PM
    Moderator
  • Thanks Ashok. I did look at that other thread and it looks similar, but there's no resolution there. Also, the one suggestion doesn't apply to me (or the original poster for that matter), because: 1. I already am using 4.6.1 of the .net framework 2. The .net framework on the client is not relevant when TLS 1.2 (or at least >1.0) is being forced and Azure is still responding only with TLS 1.0. This situation is very odd, because it's not only that the Azure service bus is still able to make TLS 1.0 connections (that'd be one thing that'd be nice to close, but certainly not urgent in my case), but it's that it's not even able to make >1.0 connections. I.e. It seems only able to make 1.0 connections. Thanks, Ben
    Saturday, January 28, 2017 5:10 PM
  • Hi,

    Greetings!

    We are checking on the query and will get back to you soon on this with an update.

    I appreciate your time and patience in this matter.

    Regards,
    Nayana

    Sunday, January 29, 2017 11:37 AM
  • Thanks, Nayana. I'm eagerly awaiting your reply. Cheers, Ben
    Wednesday, February 1, 2017 2:54 AM
  • Hi Ben,

    Microsoft does not allow tenants to control the TLS version or cipher suites on Azure Service Bus. 

    The legacy SBMP protocol is based on a WCF implementation that default to TLS 1.0 and will not work without TLS 1.0 support. We are aware of this and are considering options to enable 1.1 ansd 1.2 for SBMP, but the general direction is to miograte complete to AMQP.

    All AMQPS and HTTPS endpoints are TLS 1.1 and TLS 1.2 enabled.

    To switch to AMQP, please use the latest .NET client and follow this guidance:

    https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-amqp-dotnet 

    Please not the unsupported features; this is a gap we will close in the near future. 

    Best Regards
    Clemens

     

    • Proposed as answer by clemensv Wednesday, February 1, 2017 2:01 PM
    • Marked as answer by bseems Monday, February 6, 2017 5:10 AM
    Wednesday, February 1, 2017 1:43 PM
  • Thank you for the reply clemensv! I will attempt to change to AMQP. Cheers, Ben
    • Edited by bseems Wednesday, February 1, 2017 4:14 PM
    Wednesday, February 1, 2017 4:14 PM
  • Yes, that seems to have worked! Thanks so much! Cheers, Ben
    Monday, February 6, 2017 4:39 AM
  • Hi Clemens, is it still the case that SBMP only supports TLS 1.0 or have 1.1 and 1.2 been enabled now?

    Thanks,

    Dan

    Wednesday, January 3, 2018 10:51 PM