Azure / azure-cosmos-dotnet-v3

.NET SDK for Azure Cosmos DB for the core SQL API
MIT License

Request is being made with a forbidden encryption in transit protocol or cipher. Check account SSL/TLS minimum allowed protocol setting #1738

Closed vladicapavlovic closed 4 years ago

vladicapavlovic commented 4 years ago

When starting the Cosmos DB emulator, latest version 2.11.2.0, on Win 10 build 20170, and navigating in the explorer, I got this:

Error while refreshing databases: {"code":403,"body":{"code":"Forbidden","message":"Request is being made with a forbidden encryption in transit protocol or cipher. Check account SSL/TLS minimum allowed protocol setting.\r\nActivityId: 2cae913d-fd4c-4875-bd49-cda0722b9081, Microsoft.Azure.Documents.Common/2.11.0"},"headers":{"access-control-allow-credentials":"true","access-control-allow-origin":"","content-location":"https://localhost:8081/offers","content-type":"application/json","date":"Thu, 30 Jul 2020 05:16:11 GMT","server":"Microsoft-HTTPAPI/2.0","status":"403","x-ms-activity-id":"2cae913d-fd4c-4875-bd49-cda0722b9081","x-ms-gatewayversion":"version=2.11.0","x-ms-throttle-retry-count":0,"x-ms-throttle-retry-wait-time-ms":0},"activityId":"2cae913d-fd4c-4875-bd49-cda0722b9081"}

The same happens from code running on Docker over gateway (certificate exported correctly), "Azure.Cosmos" Version="4.0.0-preview3", code:
cosmosClient = new CosmosClient(connStrCustom, new CosmosClientOptions() { ConnectionMode = ConnectionMode.Gateway });

Exception:

DocDBTrace Information: 0 : Fail to reach global gateway https://192.168.100.3:8081/, Microsoft.Azure.Documents.DocumentClientException: Request is being made with a forbidden encryption in transit protocol or cipher. Check account SSL/TLS minimum allowed protocol setting. ActivityId: 58019869-0800-41ed-bbb3-80c727c6bfb1, Microsoft.Azure.Documents.Common/2.11.0, Linux/10 cosmos-netstandard-sdk/3.4.1 at Azure.Cosmos.GatewayStoreClient.ParseResponseAsync(HttpResponseMessage responseMessage, JsonSerializerSettings serializerSettings, DocumentServiceRequest request) at Microsoft.Azure.Cosmos.GatewayAccountReader.GetDatabaseAccountAsync(Uri serviceEndpoint) at Microsoft.Azure.Cosmos.Routing.GlobalEndpointManager.GetDatabaseAccountFromAnyLocationsAsync(Uri defaultEndpoint, IList1 locations, Func2 getDatabaseAccountFn) DocDBTrace Error: 0 : Operation will NOT be retried. Current attempt 0, Status Code: Forbidden DocDBTrace Warning: 0 : initializeTask failed System.AggregateException: One or more errors occurred. (Request is being made with a forbidden encryption in transit protocol or cipher. Check account SSL/TLS minimum allowed protocol setting. ActivityId: 58019869-0800-41ed-bbb3-80c727c6bfb1, Microsoft.Azure.Documents.Common/2.11.0, Linux/10 cosmos-netstandard-sdk/3.4.1) ---> Microsoft.Azure.Documents.DocumentClientException: Request is being made with a forbidden encryption in transit protocol or cipher. Check account SSL/TLS minimum allowed protocol setting. 
ActivityId: 58019869-0800-41ed-bbb3-80c727c6bfb1, Microsoft.Azure.Documents.Common/2.11.0, Linux/10 cosmos-netstandard-sdk/3.4.1 at Azure.Cosmos.GatewayStoreClient.ParseResponseAsync(HttpResponseMessage responseMessage, JsonSerializerSettings serializerSettings, DocumentServiceRequest request) at Microsoft.Azure.Cosmos.GatewayAccountReader.GetDatabaseAccountAsync(Uri serviceEndpoint) at Microsoft.Azure.Cosmos.Routing.GlobalEndpointManager.GetDatabaseAccountFromAnyLocationsAsync(Uri defaultEndpoint, IList1 locations, Func2 getDatabaseAccountFn) at Microsoft.Azure.Cosmos.GatewayAccountReader.InitializeReaderAsync() at Microsoft.Azure.Cosmos.CosmosAccountServiceConfiguration.InitializeAsync() at Microsoft.Azure.Cosmos.DocumentClient.InitializeGatewayConfigurationReaderAsync() at Microsoft.Azure.Cosmos.DocumentClient.GetInitializationTaskAsync(IStoreClientFactory storeClientFactory) at Microsoft.Azure.Cosmos.TaskHelper.<>c__DisplayClass0_0.<b__0>d.MoveNext() --- End of stack trace from previous location where exception was thrown --- at Microsoft.Azure.Documents.BackoffRetryUtility1.ExecuteRetryAsync(Func1 callbackMethod, Func3 callShouldRetry, Func1 inBackoffAlternateCallbackMethod, TimeSpan minBackoffForInBackoffCallback, CancellationToken cancellationToken, Action1 preRetryCallback) at Microsoft.Azure.Documents.ShouldRetryResult.ThrowIfDoneTrying(ExceptionDispatchInfo capturedException) at Microsoft.Azure.Documents.BackoffRetryUtility1.ExecuteRetryAsync(Func1 callbackMethod, Func3 callShouldRetry, Func1 inBackoffAlternateCallbackMethod, TimeSpan minBackoffForInBackoffCallback, CancellationToken cancellationToken, Action1 preRetryCallback) at Microsoft.Azure.Cosmos.DocumentClient.EnsureValidClientAsync() --- End of inner exception stack trace ---

ty

j82w commented 4 years ago

Related issues: https://github.com/Azure/azure-cosmos-dotnet-v3/issues/1551 https://github.com/Azure/azure-cosmos-dotnet-v3/issues/1232

vladicapavlovic commented 4 years ago

It's not the same; this worked with the certificate 1 week ago (I don't want to disable cert. validation), with v3, but I think after updating the Cosmos emulator (or some Windows update, maybe build 20170, or Edge, I am not sure...) it stopped working

cosmosClient = new CosmosClient(connStrCustom, new CosmosClientOptions() { ConnectionMode = ConnectionMode.Gateway, });

and Dockerfile...

# Install the emulator certificate into the container's trust store
# (-y added so the build does not block on the apt-get prompt)
RUN apt-get install -y ca-certificates && \
    cp -R /tmp/cert/cosmosdb.crt /usr/local/share/ca-certificates && \
    update-ca-certificates ....

Certificate validation is OK with the following ( [https://docs.microsoft.com/en-us/azure/cosmos-db/local-emulator#running-on-mac-or-linux] ), but the new error is: Request is being made with a forbidden encryption in transit protocol or cipher. Check account SSL/TLS minimum allowed protocol setting. (In 1551 or 1232 I can't find any keyword from this bug, i.e. "encryption in transit protocol or cipher".)

ealsur commented 4 years ago

It doesn't seem to be related to the SDK itself, but rather something on the Emulator

vladicapavlovic commented 4 years ago

This works :)

j82w commented 4 years ago

The Cosmos service only supports TLS 1.2, and it seems like your settings were requiring TLS 1.3 which caused the exception. A backlog item was created to add this scenario to the emulator documentation to help people in the future. Thank you for reporting it.

vladicapavlovic commented 4 years ago

I think the update to build 20170... caused this... ty

announcing-windows-10-insider-preview-build-20170

An experimental implementation of Transport Layer Security (TLS) 1.3 is enabled by default starting with Insider Preview Build 20170. IIS/HTTP.SYS have TLS 1.3 enabled by default. SSPI callers can use TLS 1.3 by passing the new crypto-agile SCH_CREDENTIALS structure when calling AcquireCredentialsHandle. SSPI callers using TLS 1.3 need to make sure their code correctly handles SEC_I_RENEGOTIATE.

j82w commented 4 years ago

The emulator documentation PR got merged. https://github.com/MicrosoftDocs/azure-docs-pr/pull/125714

adstep commented 4 years ago

I'm also hitting this issue.

@j82w the link to your PR is broken now.

I found some documentation on the topic in the troubleshooting section.

If you encounter "Forbidden","message":"Request is being made with a forbidden encryption in transit protocol or cipher. Check account SSL/TLS minimum allowed protocol setting..." connectivity issues, this might be caused by global changes in the OS (for example Insider Preview Build 20170) or the browser settings that enable TLS 1.3 as default. A similar error might occur when using the SDK to execute a request against the Cosmos emulator, such as Microsoft.Azure.Documents.DocumentClientException: Request is being made with a forbidden encryption in transit protocol or cipher. Check account SSL/TLS minimum allowed protocol setting. This is expected at this time since the Cosmos emulator only accepts and works with the TLS 1.2 protocol. The recommended workaround is to change the settings and default to TLS 1.2; for instance in IIS Manager navigate to "Sites" -> "Default Web Sites" and locate the "Site Bindings" for port 8081 and edit them to disable TLS 1.3. A similar operation can be performed for the web browser via the "Settings" options.

I didn't have IIS installed when first encountering the issue. I installed IIS, but I don't have any site bindings for 8081. What's the recommended path forward if no site bindings exist to edit?


adstep commented 4 years ago

I'm looking at my internet options and I don't have TLS 1.3 enabled either, so I'm not sure why the update would affect me.


vladicapavlovic commented 4 years ago

add new...

richardhauer commented 4 years ago

@adstep and others; I am using Cosmos emulator on Windows 10 Fast Ring and just ran into this. My IIS does not have the bindings and looking at the request messages it seems that the host is directly through HTTP.sys.

I was able to get this working by disabling TLS1.3 for the HTTP.SYS binding using netsh.

  1. Get the current settings required from cmd: `netsh http show sslcert >> C:\temp\netsh.output.txt`
  2. Search the output file for `0.0.0.0:8081` or whatever port you are using
  3. Set the flags from cmd: `netsh http update sslcert ipport=0.0.0.0:8081 appid={00000000-0000-0000-0000-9134d4f81626} certhash=b35df09d20000000000019ad39c6170000000000 certstorename=My disabletls13=enable`

The values for appid and certhash should come from the output file captured in step 1. The important part is the disabletls13=enable. You need all these bits for the command to work.
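The three netsh steps above, scripted so the appid, certhash and store name are read from the live `netsh http show sslcert` output instead of being copied by hand. This is an added example, not code from the thread or the emulator; it assumes an elevated prompt, English-language netsh output, and that the emulator's binding is `0.0.0.0:8081`.

```powershell
# Added example: re-bind the emulator's HTTP.SYS SSL binding with TLS 1.3 disabled.
# Assumes: elevated prompt, English netsh output, binding on 0.0.0.0:8081 by default.
param(
    [string]$IpPort = "0.0.0.0:8081",
    [switch]$DryRun   # print the update command instead of running it
)

# Step 1: parse `netsh http show sslcert` into one hashtable per IP:port binding.
$bindings = @{}
$current  = $null
foreach ($line in (netsh http show sslcert)) {
    if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
        $current = $Matches[1]
        $bindings[$current] = @{}
    } elseif ($current -and $line -match '^\s*(Certificate Hash|Application ID|Certificate Store Name)\s*:\s*(\S+)') {
        $bindings[$current][$Matches[1]] = $Matches[2]
    }
}

# Step 2: locate the binding for the emulator port and make sure every field needed
# by `netsh http update sslcert` was found (netsh rejects the update otherwise).
if (-not $bindings.ContainsKey($IpPort)) {
    throw "No SSL binding found for $IpPort; check the port the emulator listens on"
}
$b = $bindings[$IpPort]
foreach ($field in 'Certificate Hash', 'Application ID', 'Certificate Store Name') {
    if (-not $b[$field]) { throw "Binding $IpPort has no '$field' in netsh output" }
}

# Step 3: re-issue the binding with disabletls13=enable so clients that only speak
# TLS 1.2 (the emulator's supported protocol) can connect again.
$netshArgs = @(
    'http', 'update', 'sslcert',
    "ipport=$IpPort",
    "appid=$($b['Application ID'])",
    "certhash=$($b['Certificate Hash'])",
    "certstorename=$($b['Certificate Store Name'])",
    'disabletls13=enable'
)
if ($DryRun) { "netsh $($netshArgs -join ' ')"; return }
& netsh @netshArgs
if ($LASTEXITCODE -ne 0) { throw "netsh http update sslcert failed with exit code $LASTEXITCODE" }
"TLS 1.3 disabled on $IpPort; confirm with: netsh http show sslcert ipport=$IpPort"
```

Run it once with `-DryRun` to review the exact `netsh http update sslcert` command before it touches the binding.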

vladicapavlovic commented 4 years ago

https://docs.microsoft.com/en-us/azure/cosmos-db/local-emulator-release-notes

version 2.11.8 fixes an issue with TLS 1.3...

ghost commented 2 years ago

Closing due to inactivity, please feel free to re-open.