Background

In line with Microsoft’s position on protecting against cryptographic attacks, Microsoft announced that Azure DevOps Services would no longer accept connections over TLS 1.0 / TLS 1.1 and would require TLS 1.2 at a minimum from January 31, 2022. This change applies to all HTTPS connections to Azure DevOps Services, including the web API and Git connections to https://dev.azure.com/orgname and https://orgname.visualstudio.com/. It does not apply to, and will not impact, the self-hosted product, Azure DevOps Server.

However, the change did not happen as planned: the Azure DevOps team needed to partially roll back the TLS 1.0/1.1 deprecation release that ran on January 31, 2022, because of unexpected issues caused by the change. Here’s a link to the previous blog post related to that release. In August 2022, however, the change finally happened:

[August 2022] Deprecation of TLS 1.0 and 1.1 is complete for the dev.azure.com domain – all HTTPS connections to Azure DevOps for this domain now use TLS 1.2. We have now begun deprecation of TLS 1.0 and 1.1 for the *.visualstudio.com domain.

TLS 1.0/1.1 deprecation applies to all HTTPS connections to Azure DevOps Services including web API, and git connections to https://dev.azure.com/orgname and https://orgname.visualstudio.com. This does not apply and will not impact the Self-Hosted product: Azure DevOps Server.

Are You Affected by This Issue?

If you are receiving the following message in the Spira synchronization log, starting in August 2022, you are affected by this issue:

Unable to connect to Azure DevOps, please check that the connection information is correct (TF400324: Team Foundation services are not available from server https://dev.azure.com/xyz.
Technical information (for administrator):
The underlying connection was closed: A connection that was expected to be kept alive was closed by the server.)

The solution is to enable TLS 1.2 on the server running the synchronization service as described below:

  • Install the Microsoft .NET Framework 4.7 or later
  • Make sure you are running Windows Server 2012 or later
  • Check the registry flags listed below:

How to enable TLS 1.2?

To manually configure and enable TLS 1.2 at the operating system level, you can add the following DWORD registry values.

For Windows Server 2012 R2, Windows 8.1 and later, TLS 1.2 is enabled by default, so the following registry values are only required if they have been set to different values.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
    • "DisabledByDefault": 00000000
    • "Enabled": 00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
    • "DisabledByDefault": 00000000
    • "Enabled": 00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
    • "SchUseStrongCrypto": 00000001

It is essential that at least one of the following four TLS 1.2 cipher suites is enabled on the OS:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (*)
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (*)

NOTE: (*) Cipher suites supported by Windows Server 2012 R2
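The following read-only PowerShell script is an added example, not part of the original article or of the Spira product: it audits the registry values and cipher suites listed above on the server running the synchronization service and reports anything missing or set differently. The Wow6432Node .NET Framework path (read by 32-bit processes on 64-bit Windows) and the Local SSL configuration key used as a fallback on Windows Server 2012 R2 are assumptions not taken from the article.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell on the
# server that hosts the synchronization service. Read-only: it changes nothing.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$net64    = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
# Assumption (not in the article): key read by 32-bit .NET processes on 64-bit Windows.
$net32    = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'

$expected = @(
    @{ Path = "$schannel\Client"; Name = 'DisabledByDefault'; Value = 0 },
    @{ Path = "$schannel\Client"; Name = 'Enabled';           Value = 1 },
    @{ Path = "$schannel\Server"; Name = 'DisabledByDefault'; Value = 0 },
    @{ Path = "$schannel\Server"; Name = 'Enabled';           Value = 1 },
    @{ Path = $net64;             Name = 'SchUseStrongCrypto'; Value = 1 },
    @{ Path = $net32;             Name = 'SchUseStrongCrypto'; Value = 1 }
)

function Test-Tls12Registry {
    foreach ($e in $expected) {
        $actual = $null
        if (Test-Path $e.Path) {
            $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        }
        # An absent value means the OS default applies (TLS 1.2 on from 2012 R2 / 8.1),
        # so only an explicit different value is reported as a mismatch. Schannel treats
        # any non-zero "Enabled" as enabled, so 0xffffffff is accepted there too.
        $ok = if ($e.Name -eq 'Enabled') { $actual -ne 0 } else { $actual -eq $e.Value }
        $status = if ($null -eq $actual) { 'NOT SET (OS default applies)' }
                  elseif ($ok)           { 'OK' }
                  else                   { "MISMATCH (found $actual, expected $($e.Value))" }
        [pscustomobject]@{ Key = $e.Path; Name = $e.Name; Status = $status }
    }
}

Test-Tls12Registry | Format-Table -AutoSize

# Cipher suites: at least one of the four GCM suites from the article must be enabled.
$required = 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
            'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',   'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'
if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    # Windows Server 2016 / Windows 10 and later ship the TLS module.
    $enabled = (Get-TlsCipherSuite).Name
} else {
    # Assumption (not in the article): on 2012 R2 read the local SSL cipher suite order.
    $local   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
    $enabled = (Get-ItemProperty -Path $local -Name Functions -ErrorAction SilentlyContinue).Functions
}
$present = $required | Where-Object { $enabled -contains $_ }
if ($present) { "Required TLS 1.2 cipher suite(s) enabled: $($present -join ', ')" }
else          { 'WARNING: none of the four required TLS 1.2 GCM cipher suites is enabled' }
```

A status of NOT SET is fine on Windows Server 2012 R2 or later, where TLS 1.2 is on by default; only MISMATCH rows and the cipher suite WARNING need to be corrected before the synchronization service is restarted.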