PTCInc / thingworx-gitbackup-extension

[Unofficial/Not supported] ThingWorx GitBackup Extension for storing your ThingWorx application code in a Git repository
MIT License

cannot connect to AzureDevOps due to SSL problems 9.3.4 #45

Closed ilacurcu closed 1 year ago

ilacurcu commented 1 year ago

Hi, I cannot pull/push from an AzureDevOps repo due to SSL problems (but it doesn't mention a certificate issue). Tested with TW 9.3.4 running in a Docker container, and 2 different Azure repos. (SNIextension = true in place)

Pull Error:

org.eclipse.jgit.api.errors.TransportException: https://ilavic92@dev.azure.com/ilavic92/EDC-DevOps_Internal_IOT_CICD/_git/EDC-DevOps_Internal_IOT_CICD: Secure connection to https://ilavic92@dev.azure.com/ilavic92/EDC-DevOps_Internal_IOT_CICD/_git/EDC-DevOps_Internal_IOT_CICD could not be established because of SSL problems
    at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:222)
    at org.eclipse.jgit.api.PullCommand.call(PullCommand.java:263)
    at gb.GitBackupTemplate.Pull(GitBackupTemplate.java:285)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at com.thingworx.common.processors.ReflectionProcessor.processService(ReflectionProcessor.java:230)
    at com.thingworx.handlers.ReflectionServiceHandler.processService(ReflectionServiceHandler.java:50)
    at com.thingworx.handlers.ServiceHandlerBase.processServiceWithMetrics(ServiceHandlerBase.java:48)
    at com.thingworx.things.Thing.processServiceRequestDirect(Thing.java:8436)
    at com.thingworx.things.Thing.processAPIServiceRequest(Thing.java:8373)
    at com.thingworx.webservices.BaseService.handleInvoke(BaseService.java:3339)
    at com.thingworx.webservices.BaseService.service(BaseService.java:478)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at com.thingworx.security.authentication.sso.SSOSecurityContextFilter.doFilter(SSOSecurityContextFilter.java:47)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at com.thingworx.security.contenttype.ContentTypeFilter.doFilter(ContentTypeFilter.java:143)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at com.thingworx.security.contenttype.ContentLengthFilter.doFilter(ContentLengthFilter.java:73)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at com.thingworx.security.filter.ValidationFilter.doFilter(ValidationFilter.java:22)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at com.thingworx.security.authentication.AuthenticationFilter.propagateRequest(AuthenticationFilter.java:746)
    at com.thingworx.security.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:176)
    at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145)
    at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92)
    at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:389)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at com.thingworx.security.filter.ClickjackFilter.doFilter(ClickjackFilter.java:298)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at com.thingworx.security.filter.HttpResponseHeadersFilter.doFilter(HttpResponseHeadersFilter.java:172)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:360)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:890)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1743)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: org.eclipse.jgit.errors.TransportException: https://ilavic92@dev.azure.com/ilavic92/EDC-DevOps_Internal_IOT_CICD/_git/EDC-DevOps_Internal_IOT_CICD: Secure connection to https://ilavic92@dev.azure.com/ilavic92/EDC-DevOps_Internal_IOT_CICD/_git/EDC-DevOps_Internal_IOT_CICD could not be established because of SSL problems
    at org.eclipse.jgit.transport.TransportHttp.handleSslFailure(TransportHttp.java:686)
    at org.eclipse.jgit.transport.TransportHttp.connect(TransportHttp.java:587)
    at org.eclipse.jgit.transport.TransportHttp.openFetch(TransportHttp.java:361)
    at org.eclipse.jgit.transport.FetchProcess.executeImp(FetchProcess.java:105)
    at org.eclipse.jgit.transport.FetchProcess.execute(FetchProcess.java:91)
    at org.eclipse.jgit.transport.Transport.fetch(Transport.java:1260)
    at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:211)
    ... 64 more
Caused by: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
    at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1588)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1416)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1314)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411)
    at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
    at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:197)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1592)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1520)
    at java.base/java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:527)
    at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:334)
    at org.eclipse.jgit.transport.http.JDKHttpConnection.getResponseCode(JDKHttpConnection.java:85)
    at org.eclipse.jgit.util.HttpSupport.response(HttpSupport.java:208)
    at org.eclipse.jgit.transport.TransportHttp.connect(TransportHttp.java:509)
    ... 69 more
    Suppressed: java.net.SocketException: Broken pipe (Write failed)
        at java.base/java.net.SocketOutputStream.socketWrite0(Native Method)
        at java.base/java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:110)
        at java.base/java.net.SocketOutputStream.write(SocketOutputStream.java:150)
        at java.base/sun.security.ssl.SSLSocketOutputRecord.encodeAlert(SSLSocketOutputRecord.java:81)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:380)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:292)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:450)
        ... 79 more
Caused by: java.io.EOFException: SSL peer shut down incorrectly
    at java.base/sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:483)
    at java.base/sun.security.ssl.SSLSocketInputRecord.readHeader(SSLSocketInputRecord.java:472)
    at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:160)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:110)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1408)
    ... 81 more
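Added example, not part of the original thread or the extension's code: a small Python triage helper that walks the `Caused by:` chain of a Java trace like the one above and reports whether the JVM failed at certificate validation or the peer closed the connection during the handshake. The rule table, the function names and the abbreviated sample trace (with a placeholder URL) are constructed for illustration.

```python
import re

# JSSE message fragments mapped to a failure class (illustrative, not exhaustive).
RULES = [
    ("PKIX path building failed", "certificate-trust"),
    ("unable to find valid certification path", "certificate-trust"),
    ("No appropriate protocol", "protocol-or-cipher-disabled-locally"),
    ("protocol_version", "protocol-version-rejected"),
    ("handshake_failure", "no-common-parameters"),
    ("Remote host terminated the handshake", "peer-closed-during-handshake"),
    ("SSL peer shut down incorrectly", "peer-closed-during-handshake"),
]

# Exception head: class name, optional message, ending at the first stack frame.
HEAD = re.compile(
    r"\s*([\w.$]+)(?::\s*(.*?))?(?=\s+at\s+[\w.$/]+\(|\s+\.\.\. \d+ more|\s*$)",
    re.S,
)

# Constructed sample: exception lines as in the trace above, frames abbreviated,
# repository URL replaced by a placeholder.
SAMPLE = (
    "org.eclipse.jgit.api.errors.TransportException: https://example.invalid/repo: "
    "Secure connection to https://example.invalid/repo could not be established "
    "because of SSL problems at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:222) "
    "Caused by: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake "
    "at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1588) ... 69 more "
    "Suppressed: java.net.SocketException: Broken pipe (Write failed) "
    "at java.base/java.net.SocketOutputStream.socketWrite0(Native Method) ... 79 more "
    "Caused by: java.io.EOFException: SSL peer shut down incorrectly "
    "at java.base/sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:483) ... 81 more"
)

def cause_chain(trace):
    """Return [(exception_class, message), ...] from outermost to innermost."""
    chain = []
    for part in re.split(r"\bCaused by: ", trace):
        m = HEAD.match(part)
        if m:
            chain.append((m.group(1), (m.group(2) or "").strip()))
    return chain

def classify(trace):
    """Classify by the innermost cause that matches a rule; 'unknown' otherwise."""
    for cls, msg in reversed(cause_chain(trace)):
        for needle, label in RULES:
            if needle in msg:
                return label, cls
    return "unknown", None

if __name__ == "__main__":
    print(classify(SAMPLE))
```

For the sample, the innermost cause is the `EOFException`, so the result is `peer-closed-during-handshake`: the peer closed the connection during the handshake and the JVM raised no certificate-validation error.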

ilacurcu commented 1 year ago

Don't know if it's related to this: https://devblogs.microsoft.com/visualstudio/azure-devops-requires-tls-1-2-on-all-connections-including-visual-studio/

vrosu commented 1 year ago

Hi @ilacurcu, I have not tested this yet, but I do know it worked with Azure Repos. If you're using the PTC network, can you try to disable ZScaler or to connect via a mobile hotspot (non-PTC network and no PTC VPN)?