microsoft / AzureStorageExplorer

Easily manage the contents of your storage account with Azure Storage Explorer. Upload, download, and manage blobs, files, queues, tables, and Cosmos DB entities. Gain easy access to manage your virtual machine disks. Work with either Azure Resource Manager or classic storage accounts, plus manage and configure cross-origin resource sharing (CORS) rules.
Creative Commons Attribution 4.0 International

Sign-in Error "The SSL connection could not be established, see inner exception" #7920

Closed 0anton closed 2 weeks ago

0anton commented 1 month ago

Preflight Checklist

Storage Explorer Version

1.33.1 (98)

Regression From

1.32.1

Architecture

i86

Storage Explorer Build Number

20240410.2

Platform

Windows

OS Version

Windows 11

Bug Description

Suddenly, SE fails to log me in to my Azure account, throwing the error:

{
  "message": "\"The SSL connection could not be established, see inner exception.\""
}

Steps to Reproduce

  1. Launch SE
  2. Click "Sign in with Azure"
  3. In "Select Azure Environment" to "Azure"
  4. Click "Next" to start the browser authentication flow.
  5. Error "Unable to sign in: The SSL connection could not be established, see inner exception." appears.

Actual Experience

image

Expected Experience

After the browser authentication flow has completed, the SE lists the available Azure subscriptions.

Additional Context

Nothing unusual. It just stopped working. I still can access the same Blob Storage from CLI (az storage blob ..) using the same user and the same machine.

It is related to https://github.com/microsoft/AzureStorageExplorer/issues/7593, but the latter does not provide the solution or provides an obscure recommendation by the author.

MRayermannMSFT commented 1 month ago

> It is related to https://github.com/microsoft/AzureStorageExplorer/issues/7593, but the latter does not provide the solution or provides an obscure recommendation by the author.

Did you try the solution suggested in the final comment on the issue you linked?

0anton commented 1 month ago

> Did you try the solution suggested in the final comment on the issue you linked?

Hi Matthew @MRayermannMSFT, the supposed fix was given by the original author without comment or endorsement by an MS employee. It is obscure; even you tagged it with the "surprised eye". So, I didn't try it and won't try it until I understand it and get a direct recommendation to apply it from somebody at MSFT.

What I tried now is to uninstall SE completely, delete the SE folder and install it again. Same error.

MRayermannMSFT commented 1 month ago

@0anton given that what the user did worked, I would recommend that you try it as well.

prafulbusa commented 1 month ago

### RESOLVED

I have the exact same issue, and as an MS internal I am not able to use many tools that require an SSL secure tunnel connection to a remote host. CaseBuddy, OofSponder, SA, Kusto, and some more have the exact same issue. I am not even able to RDP to an Azure machine; not sure if this is related to that.

I was able to resolve it by replacing the old values to newer image

Replace the "Functions" Type Reg_MULTI_SZ

RSAE-PSS/SHA256
RSAE-PSS/SHA384
RSAE-PSS/SHA512
RSA/SHA256
RSA/SHA384
RSA/SHA1
ECDSA/SHA256
ECDSA/SHA384
ECDSA/SHA1
DSA/SHA1
RSA/SHA512
ECDSA/SHA512

0anton commented 1 month ago

@prafulbusa's method (extending the list of allowed protocols) didn't work for me.

Still getting:

{
  "message": "\"The SSL connection could not be established, see inner exception.\""
}

I've just restarted the app. Did you reboot the PC to apply new SSL configs?

0anton commented 1 month ago

@MRayermannMSFT is it possible for you to extend the error message to include the content of the inner exception, so I have hints as to why the SSL connection originating from Azure Storage Explorer got dropped?

MRayermannMSFT commented 1 month ago

@0anton can you try following these steps to get a hold of your authentication logs?

https://learn.microsoft.com/en-us/troubleshoot/azure/azure-storage/blobs/alerts/storage-explorer-troubleshooting?tabs=Windows#authentication-logs

Those logs may have the inner exception; if they don't, then please share the logs here so I can share them with the team responsible for surfacing the inner exception. Also, please follow the recommended step of clearing out the existing logs before gathering the fresh set. Thanks.

victor-miranda-komatsu commented 1 month ago

I faced the same issue today.

BTW, I'm behind the company VPN. It worked after disconnecting the VPN.

My logfiles are attached anyway.

ServiceHub.zip

Version: 1.33.1 (98)
AzCopy Version: 10.23.0
Platform: macOS
Architecture: arm64
Build Number: 20240410.2
Commit: a9a0d1a0d0

craxal commented 4 weeks ago

@MRayermannMSFT Take a look at the logs and see what can be done.

0anton commented 4 weeks ago

I’ve installed Fiddler (as per ASE troubleshooting instruction). It is a “man-in-the-middle” proxy to troubleshoot network connections. Configured Azure (use system proxy). And Azure could successfully log in!

This has its explanation - Fiddler as a man-in-the-middle terminates connections for ASE and forwards them in its name. So, the problem is definitely something in the SSL stack, but unfortunately because the devs don’t expose the “inner exception” (@MRayermannMSFT ?), we don’t know what exactly goes wrong in TLS connection.

Funny enough, collected network logs are useless, because they just show normal TLS connection to login.microsoft.com.

Need more ideas. How to enable detailed traces for nodejs, which powers ASE?

craxal commented 2 weeks ago

@0anton It has been suggested that you try Wireshark instead of Fiddler, as it is better at diagnosing SSL issues.

Here are some links that may also be helpful:

0anton commented 2 weeks ago

Thanks @craxal, @MRayermannMSFT for hints!

Somehow it started working.

I believe allowing again ciphers

RSAE-PSS/SHA256
RSAE-PSS/SHA384
RSAE-PSS/SHA512

by adding them at the top of the Functions in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003\ and rebooting the host did the trick.

That's the same as what @prafulbusa suggested and also https://github.com/microsoft/AzureStorageExplorer/issues/7593

The reason those ciphers disappeared from the list was the customization of SSL policy distributed by the local IT.

Will observe; closing for now.
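A read-only check for the condition this thread ends on, as an added example that is not part of the original thread or of Storage Explorer: it reads the `Functions` value under the registry key quoted above and reports which RSAE-PSS entries are absent. The function name `Compare-SignatureFunction` and the sample list are constructed for illustration; the key path and entry names are the ones posted in the comments.

```powershell
# Added example, not from the thread. Read-only: nothing is written to the registry.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003'
# Entries the thread reports as removed by the locally distributed SSL policy.
$RequiredPss = @('RSAE-PSS/SHA256', 'RSAE-PSS/SHA384', 'RSAE-PSS/SHA512')

function Compare-SignatureFunction {
    param([string[]]$Current, [string[]]$Required)
    # Drop empty REG_MULTI_SZ entries and stray whitespace before comparing.
    $clean = @($Current | Where-Object { $_ -and $_.Trim() } | ForEach-Object { $_.Trim() })
    # -notcontains compares case-insensitively.
    $missing = @($Required | Where-Object { $clean -notcontains $_ })
    [pscustomobject]@{
        Current  = $clean
        Missing  = $missing
        # The thread's fix put the missing entries at the top of the list.
        Proposed = @($missing) + @($clean)
        Healthy  = ($missing.Count -eq 0)
    }
}

# Constructed sample: the list posted in the thread with the RSAE-PSS entries stripped.
$sample = @('RSA/SHA256', 'RSA/SHA384', 'RSA/SHA1', 'ECDSA/SHA256', 'ECDSA/SHA384',
            'ECDSA/SHA1', 'DSA/SHA1', 'RSA/SHA512', 'ECDSA/SHA512')
$demo = Compare-SignatureFunction -Current $sample -Required $RequiredPss
"Sample (constructed) is missing: $($demo.Missing -join ', ')"

# Live check, only on Windows and only if the key exists.
if ($env:OS -eq 'Windows_NT' -and (Test-Path -Path $KeyPath)) {
    try {
        $functions = (Get-ItemProperty -Path $KeyPath -Name 'Functions' -ErrorAction Stop).Functions
    } catch {
        $functions = @()
        Write-Warning "No 'Functions' value under $KeyPath"
    }
    $live = Compare-SignatureFunction -Current $functions -Required $RequiredPss
    if ($live.Healthy) {
        'All RSAE-PSS entries are present.'
    } else {
        "Missing on this host: $($live.Missing -join ', ')"
        'Order with the missing entries at the top:'
        $live.Proposed
    }
}
```

Running it before and after a policy refresh shows whether the locally distributed SSL policy is stripping the entries again; per the closing comment, the restored list took effect after a reboot.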