Cannot connect with TLS 1.1 or 1.2 when TLS 1.0 is disabled with .NET 4.5.2 #596

Closed
tonycoelho opened this issue Mar 13, 2017 · 3 comments

tonycoelho commented Mar 13, 2017

We are using the StackExchange.Redis client to connect to a VNET joined instance of Azure Redis and when disabling TLS 1.0 and enabling TLS 1.1/1.2 on the PaaS instance, we cannot connect to Redis and instead receive the exception below. We are using .NET 4.5.2 and setting the SecurityProtocol to Tls11|Tls12.

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11;

An exception occurred while getting the Redis server information: StackExchange.Redis.RedisConnectionException: No connection is available to service this operation: INFO; The client and server cannot communicate, because they do not possess a common algorithm;
at StackExchange.Redis.RedisServer.ExecuteSync[T](Message message, ResultProcessor`1 processor, ServerEndPoint server)
at StackExchange.Redis.RedisServer.Info(RedisValue section, CommandFlags flags)
at CallSite.Target(Closure , CallSite , Object , Object , Object )

To reproduce this issue, disable TLS 1.0 (sample posh script below)
# Disable TLS 1.0 for client and server SCHANNEL communications
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled' -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'Enabled' -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
Log-Message "TLS 1.0 has been disabled."

Enable TLS 1.1/1.2 (code omitted, but similar to above) and then connect to Redis and execute a cmd.

Contributor

JonCole commented Mar 21, 2017

On your client machine, did you set 'SchUseStrongCrypto' to 1 in the two registry keys mentioned here? https://www.johnlouros.com/blog/enabling-strong-cryptography-for-all-dot-net-applications

Once I did that, I was able to connect to Azure Redis with TLS 1.2 successfully. Without that change, my Windows 10 machine only seemed to allow TLS 1.0 by default.

Also, I have sent a pull request to add support for configuring this directly on the client: #603
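
Added example, not part of the original thread or of StackExchange.Redis: a read-only PowerShell audit of the client-side values this thread turns on, namely SchUseStrongCrypto and the SCHANNEL client protocol switches. The two .NET Framework key paths are the standard v4.0.30319 locations (64-bit and 32-bit views) and are an assumption here, since the thread only links to them; Get-RegValue and Format-RegValue are hypothetical helper names.

```powershell
# Added example: read-only audit, makes no changes to the registry.
# Assumption: the two .NET keys below are the standard 64-bit and 32-bit
# v4.0.30319 locations; the thread links to them but does not quote them.
$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, so the OS/.NET default applies.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Format-RegValue {
    param($Value)
    if ($null -eq $Value) { return '(not set)' }
    return [string]$Value
}

$report = @()
foreach ($key in $netKeys) {
    # The thread's fix: SchUseStrongCrypto = 1 in both registry views.
    $v = Get-RegValue -Path $key -Name 'SchUseStrongCrypto'
    $state = 'strong crypto NOT enabled'
    if ($v -eq 1) { $state = 'strong crypto enabled' }
    $report += [pscustomobject]@{
        Setting = "$key\SchUseStrongCrypto"; Value = (Format-RegValue $v); State = $state
    }
}
foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    # Same SCHANNEL keys the reproduction script in the issue writes to.
    $v = Get-RegValue -Path "$schannel\$proto\Client" -Name 'Enabled'
    $state = 'enabled'
    if ($null -eq $v) { $state = 'OS default' } elseif ($v -eq 0) { $state = 'disabled' }
    $report += [pscustomobject]@{
        Setting = "SCHANNEL $proto Client\Enabled"; Value = (Format-RegValue $v); State = $state
    }
}
$report | Format-Table -AutoSize
```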

@tonycoelho changed the title from "Cannot connect with TLS 1.1 or 1.2 when TLS 1.0 is disabled" to "Cannot connect with TLS 1.1 or 1.2 when TLS 1.0 is disabled with .NET 4.5.2" on Mar 21, 2017
Author

tonycoelho commented Mar 21, 2017

Jon, thanks for providing the article, very informative. After setting those two registry keys, I can now connect to Azure Redis with TLS 1.2.

@gustavomoutella

Thank you Jon!
It fixed my issue with StackExchange.Redis trying to connect to Azure.

StackExchange.Redis.RedisConnectionException: 'No connection is available to service this operation: PING; The client and server cannot communicate, because they do not possess a common algorithm; IOCP: (Busy=0,Free=1000,Min=8,Max=1000), WORKER: (Busy=1,Free=8190,Min=8,Max=8191), Local-CPU: n/a'
RedisConnectionException: InternalFailure on xxxxxxxxx.redis.cache.windows.net:6380/Subscription, Initializing/NotStarted, last: NONE, origin: ConnectedAsync, outstanding: 0, last-read: 0s ago, last-write: 0s ago, keep-alive: 60s, state: Connecting, mgr: 10 of 10 available, last-heartbeat: never, global: 66s ago, v: 2.0.601.3402
Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm
