Request is being made with a forbidden encryption in transit protocol or cipher. Check account SSL/TLS minimum allowed protocol setting #1738
Comments
It's not the same; this worked with the certificate 1 week ago (I don't want to disable cert. validation), with v3, but I think after updating the Cosmos emulator (or some Windows update, maybe build 20170, or Edge, I am not sure...) it stopped working: cosmosClient = new CosmosClient(connStrCustom, and Dockerfile... RUN apt-get install ca-certificates && certificate validation is ok, with following (
It doesn't seem to be related to the SDK itself, but rather something on the Emulator
The Cosmos service only supports TLS 1.2, and it seems like your settings were requiring TLS 1.3 which caused the exception. A backlog item was created to add this scenario to the emulator documentation to help people in the future. Thank you for reporting it.
I think the update to build 20170... caused this... ty announcing-windows-10-insider-preview-build-20170 An experimental implementation of Transport Layer Security (TLS) 1.3 is enabled by default starting with Insider Preview Build 20170. IIS/HTTP.SYS have TLS 1.3 enabled by default. SSPI callers can use TLS 1.3 by passing the new crypto-agile SCH_CREDENTIALS structure when calling AcquireCredentialsHandle. SSPI callers using TLS 1.3 need to make sure their code correctly handles SEC_I_RENEGOTIATE.
The emulator documentation PR got merged. https://github.com/MicrosoftDocs/azure-docs-pr/pull/125714
I'm also hitting this issue. @j82w the link to your PR is broken now. I found some documentation on the topic in the troubleshooting section.
I didn't have IIS installed when first encountering the issue. I installed IIS, but I don't have any site bindings for 8081. What's the recommended path forward if no site bindings exist to edit?
add new...
@adstep and others; I am using Cosmos emulator on Windows 10 Fast Ring and just ran into this. My IIS does not have the bindings and looking at the request messages it seems that the host is directly through HTTP.sys. I was able to get this working by disabling TLS1.3 for the HTTP.SYS binding using
The values for appid and certhash should come from the output file captured in step 1.
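Added example, not part of the thread or of the SDK: a Python probe that pins the client to one TLS version at a time, to confirm whether the emulator's listener agrees to TLS 1.3 (the case this thread ties to the error) before and after a change to the HTTP.sys binding. The function names and status strings are assumptions of this example; pass the exported emulator certificate as `cafile`.

```python
import socket
import ssl

VERSIONS = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)

def pinned_context(version, cafile=None):
    """Client context that offers exactly one TLS version; cert checks stay on."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: exported emulator cert
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx

def probe(host, port, version, cafile=None, timeout=5.0):
    """Attempt one handshake pinned to `version`; return (status, detail)."""
    ctx = pinned_context(version, cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "negotiated", tls.version()
    except ssl.SSLCertVerificationError as exc:
        # The server had already agreed on the version when it sent its certificate.
        return "cert-untrusted", exc.verify_message
    except ssl.SSLError as exc:
        return "handshake-failed", exc.reason or str(exc)
    except OSError as exc:
        return "unreachable", str(exc)

def survey(host, port, cafile=None, timeout=5.0):
    """Probe TLS 1.2 and TLS 1.3 separately, keyed by version name."""
    return {v.name: probe(host, port, v, cafile, timeout) for v in VERSIONS}

def diagnose(results):
    """Map survey() output to the situation described in this thread."""
    if all(status == "unreachable" for status, _ in results.values()):
        return "unreachable"
    accepted = {name for name, (status, _) in results.items()
                if status in ("negotiated", "cert-untrusted")}
    if "TLSv1_3" in accepted:
        return "tls13-accepted"  # listener agrees to TLS 1.3: the failing case here
    if "TLSv1_2" in accepted:
        return "tls12-only"      # what the thread says the service supports
    return "no-common-version"

if __name__ == "__main__":
    # Endpoint taken from the trace in this issue; replace with your emulator address.
    found = survey("192.168.100.3", 8081, cafile=None)
    print(found, "->", diagnose(found))
```

A `cert-untrusted` result still counts as the version being accepted, because the server only sends its certificate after the version has been agreed.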
https://docs.microsoft.com/en-us/azure/cosmos-db/local-emulator-release-notes version 2.11.8 fixes an issue TLS 1.3...
Closing due to inactivity, please feel free to re-open.
When starting the Cosmos DB emulator, last version 2.11.2.0, Win 10, build 20170, and navigating in explorer, I got this:
The same happens from code running on Docker over gateway (certificate exported correctly)
"Azure.Cosmos" Version="4.0.0-preview3",
code:

    cosmosClient = new CosmosClient(connStrCustom,
        new CosmosClientOptions()
        {
            ConnectionMode = ConnectionMode.Gateway
        });

Exception:

    DocDBTrace Information: 0 : Fail to reach global gateway https://192.168.100.3:8081/, Microsoft.Azure.Documents.DocumentClientException: Request is being made with a forbidden encryption in transit protocol or cipher. Check account SSL/TLS minimum allowed protocol setting.
    ActivityId: 58019869-0800-41ed-bbb3-80c727c6bfb1, Microsoft.Azure.Documents.Common/2.11.0, Linux/10 cosmos-netstandard-sdk/3.4.1
       at Azure.Cosmos.GatewayStoreClient.ParseResponseAsync(HttpResponseMessage responseMessage, JsonSerializerSettings serializerSettings, DocumentServiceRequest request)
       at Microsoft.Azure.Cosmos.GatewayAccountReader.GetDatabaseAccountAsync(Uri serviceEndpoint)
       at Microsoft.Azure.Cosmos.Routing.GlobalEndpointManager.GetDatabaseAccountFromAnyLocationsAsync(Uri defaultEndpoint, IList`1 locations, Func`2 getDatabaseAccountFn)
    DocDBTrace Error: 0 : Operation will NOT be retried. Current attempt 0, Status Code: Forbidden
    DocDBTrace Warning: 0 : initializeTask failed System.AggregateException: One or more errors occurred. (Request is being made with a forbidden encryption in transit protocol or cipher. Check account SSL/TLS minimum allowed protocol setting.
    ActivityId: 58019869-0800-41ed-bbb3-80c727c6bfb1, Microsoft.Azure.Documents.Common/2.11.0, Linux/10 cosmos-netstandard-sdk/3.4.1)
     ---> Microsoft.Azure.Documents.DocumentClientException: Request is being made with a forbidden encryption in transit protocol or cipher. Check account SSL/TLS minimum allowed protocol setting.
    ActivityId: 58019869-0800-41ed-bbb3-80c727c6bfb1, Microsoft.Azure.Documents.Common/2.11.0, Linux/10 cosmos-netstandard-sdk/3.4.1
       at Azure.Cosmos.GatewayStoreClient.ParseResponseAsync(HttpResponseMessage responseMessage, JsonSerializerSettings serializerSettings, DocumentServiceRequest request)
       at Microsoft.Azure.Cosmos.GatewayAccountReader.GetDatabaseAccountAsync(Uri serviceEndpoint)
       at Microsoft.Azure.Cosmos.Routing.GlobalEndpointManager.GetDatabaseAccountFromAnyLocationsAsync(Uri defaultEndpoint, IList`1 locations, Func`2 getDatabaseAccountFn)
       at Microsoft.Azure.Cosmos.GatewayAccountReader.InitializeReaderAsync()
       at Microsoft.Azure.Cosmos.CosmosAccountServiceConfiguration.InitializeAsync()
       at Microsoft.Azure.Cosmos.DocumentClient.InitializeGatewayConfigurationReaderAsync()
       at Microsoft.Azure.Cosmos.DocumentClient.GetInitializationTaskAsync(IStoreClientFactory storeClientFactory)
       at Microsoft.Azure.Cosmos.TaskHelper.<>c__DisplayClass0_0.<b__0>d.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at Microsoft.Azure.Documents.BackoffRetryUtility`1.ExecuteRetryAsync(Func`1 callbackMethod, Func`3 callShouldRetry, Func`1 inBackoffAlternateCallbackMethod, TimeSpan minBackoffForInBackoffCallback, CancellationToken cancellationToken, Action`1 preRetryCallback)
       at Microsoft.Azure.Documents.ShouldRetryResult.ThrowIfDoneTrying(ExceptionDispatchInfo capturedException)
       at Microsoft.Azure.Documents.BackoffRetryUtility`1.ExecuteRetryAsync(Func`1 callbackMethod, Func`3 callShouldRetry, Func`1 inBackoffAlternateCallbackMethod, TimeSpan minBackoffForInBackoffCallback, CancellationToken cancellationToken, Action`1 preRetryCallback)
       at Microsoft.Azure.Cosmos.DocumentClient.EnsureValidClientAsync()
       --- End of inner exception stack trace ---

ty