Cannot connect with TLS 1.1 or 1.2 when TLS 1.0 is disabled with .NET 4.5.2 #596
Comments
On your client machine, did you set 'SchUseStrongCrypto' to 1 in the two registry keys mentioned here? https://www.johnlouros.com/blog/enabling-strong-cryptography-for-all-dot-net-applications Once I did that, I was able to connect to Azure Redis with TLS 1.2 successfully. Without that change, my Windows 10 machine only seemed to allow TLS 1.0 by default. Also, I have sent a pull request to add support for configuring this directly on the client here: #603
Jon, thanks for providing the article, very informative. After setting those two registry keys, I can now connect to Azure Redis with TLS 1.2.
Thank you Jon! StackExchange.Redis.RedisConnectionException: 'No connection is available to service this operation: PING; The client and server cannot communicate, because they do not possess a common algorithm; IOCP: (Busy=0,Free=1000,Min=8,Max=1000), WORKER: (Busy=1,Free=8190,Min=8,Max=8191), Local-CPU: n/a'
We are using the StackExchange.Redis client to connect to a VNET joined instance of Azure Redis and when disabling TLS 1.0 and enabling TLS 1.1/1.2 on the PaaS instance, we cannot connect to Redis and instead receive the exception below. We are using .NET 4.5.2 and setting the SecurityProtocol to Tls11|Tls12.
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11;
An exception occurred while getting the Redis server information: StackExchange.Redis.RedisConnectionException: No connection is available to service this operation: INFO; The client and server cannot communicate, because they do not possess a common algorithm;
at StackExchange.Redis.RedisServer.ExecuteSync[T](Message message, ResultProcessor`1 processor, ServerEndPoint server)
at StackExchange.Redis.RedisServer.Info(RedisValue section, CommandFlags flags)
at CallSite.Target(Closure , CallSite , Object , Object , Object )
To reproduce this issue, disable TLS 1.0 (sample posh script below)
# Disable TLS 1.0 for client and server SCHANNEL communications
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled' -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'Enabled' -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
Log-Message "TLS 1.0 has been disabled."
Enabled TLS 1.1/1.2 (code omitted, but similar to above) and then connect to Redis and execute a cmd.
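A read-only audit of the two settings this thread turns on, the SCHANNEL protocol keys from the repro script and the 'SchUseStrongCrypto' value from the first comment; it is an added example, not part of the original issue or the StackExchange.Redis project. The function names are hypothetical, and the `v4.0.30319` key paths are the ones Microsoft documents for .NET Framework 4.x rather than paths quoted on this page.

```powershell
# Added example: reports current values only, changes nothing.

function Get-DwordOrNull {
    param([string]$Path, [string]$Name)
    # Returns the registry value, or $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Get-SchannelProtocolState {
    # Same key layout as the repro script: Protocols\<version>\<Client|Server>.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Client', 'Server') {
            $path = "$base\$proto\$role"
            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                # Empty columns mean no explicit setting; the OS default applies.
                Enabled           = Get-DwordOrNull $path 'Enabled'
                DisabledByDefault = Get-DwordOrNull $path 'DisabledByDefault'
            }
        }
    }
}

function Get-NetStrongCryptoState {
    # Two keys: the 64-bit view and the 32-bit (Wow6432Node) view. A 32-bit
    # process reads only the second, so both need checking.
    $keys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    foreach ($key in $keys) {
        $value = Get-DwordOrNull $key 'SchUseStrongCrypto'
        [pscustomobject]@{
            Key                = $key
            SchUseStrongCrypto = $value
            # 1 is the value the first comment reports as allowing TLS 1.2.
            StrongCryptoSet    = ($value -eq 1)
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
Get-NetStrongCryptoState  | Format-Table -AutoSize
```

A host with TLS 1.0 disabled under SCHANNEL and `StrongCryptoSet` false in either view matches the failing configuration described in this issue.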