
Request is being made with a forbidden encryption in transit protocol or cipher. Check account SSL/TLS minimum allowed protocol setting #1738

Closed
vladicapavlovic opened this issue Jul 30, 2020 · 13 comments
Labels
customer-reported Issue created by a customer

Comments

@vladicapavlovic

When starting the latest Cosmos DB emulator (version 2.11.2.0, Win 10 build 20170) and navigating in the explorer, I get this:

Error while refreshing databases: {"code":403,"body":{"code":"Forbidden","message":"Request is being made with a forbidden encryption in transit protocol or cipher. Check account SSL/TLS minimum allowed protocol setting.\r\nActivityId: 2cae913d-fd4c-4875-bd49-cda0722b9081, Microsoft.Azure.Documents.Common/2.11.0"},"headers":{"access-control-allow-credentials":"true","access-control-allow-origin":"","content-location":"https://localhost:8081/offers","content-type":"application/json","date":"Thu, 30 Jul 2020 05:16:11 GMT","server":"Microsoft-HTTPAPI/2.0","status":"403","x-ms-activity-id":"2cae913d-fd4c-4875-bd49-cda0722b9081","x-ms-gatewayversion":"version=2.11.0","x-ms-throttle-retry-count":0,"x-ms-throttle-retry-wait-time-ms":0},"activityId":"2cae913d-fd4c-4875-bd49-cda0722b9081"}

The same happens from code running in Docker over gateway mode (certificate exported correctly).
"Azure.Cosmos" Version="4.0.0-preview3",
code:
// Azure.Cosmos 4.0.0-preview3; all traffic goes over HTTPS to the emulator gateway (port 8081)
cosmosClient = new CosmosClient(connStrCustom,
    new CosmosClientOptions()
    {
        ConnectionMode = ConnectionMode.Gateway
    });

Exception:

DocDBTrace Information: 0 : Fail to reach global gateway https://192.168.100.3:8081/, Microsoft.Azure.Documents.DocumentClientException: Request is being made with a forbidden encryption in transit protocol or cipher. Check account SSL/TLS minimum allowed protocol setting.
ActivityId: 58019869-0800-41ed-bbb3-80c727c6bfb1, Microsoft.Azure.Documents.Common/2.11.0, Linux/10 cosmos-netstandard-sdk/3.4.1
at Azure.Cosmos.GatewayStoreClient.ParseResponseAsync(HttpResponseMessage responseMessage, JsonSerializerSettings serializerSettings, DocumentServiceRequest request)
at Microsoft.Azure.Cosmos.GatewayAccountReader.GetDatabaseAccountAsync(Uri serviceEndpoint)
at Microsoft.Azure.Cosmos.Routing.GlobalEndpointManager.GetDatabaseAccountFromAnyLocationsAsync(Uri defaultEndpoint, IList`1 locations, Func`2 getDatabaseAccountFn)
DocDBTrace Error: 0 : Operation will NOT be retried. Current attempt 0, Status Code: Forbidden
DocDBTrace Warning: 0 : initializeTask failed System.AggregateException: One or more errors occurred. (Request is being made with a forbidden encryption in transit protocol or cipher. Check account SSL/TLS minimum allowed protocol setting.
ActivityId: 58019869-0800-41ed-bbb3-80c727c6bfb1, Microsoft.Azure.Documents.Common/2.11.0, Linux/10 cosmos-netstandard-sdk/3.4.1)
---> Microsoft.Azure.Documents.DocumentClientException: Request is being made with a forbidden encryption in transit protocol or cipher. Check account SSL/TLS minimum allowed protocol setting.
ActivityId: 58019869-0800-41ed-bbb3-80c727c6bfb1, Microsoft.Azure.Documents.Common/2.11.0, Linux/10 cosmos-netstandard-sdk/3.4.1
at Azure.Cosmos.GatewayStoreClient.ParseResponseAsync(HttpResponseMessage responseMessage, JsonSerializerSettings serializerSettings, DocumentServiceRequest request)
at Microsoft.Azure.Cosmos.GatewayAccountReader.GetDatabaseAccountAsync(Uri serviceEndpoint)
at Microsoft.Azure.Cosmos.Routing.GlobalEndpointManager.GetDatabaseAccountFromAnyLocationsAsync(Uri defaultEndpoint, IList`1 locations, Func`2 getDatabaseAccountFn)
at Microsoft.Azure.Cosmos.GatewayAccountReader.InitializeReaderAsync()
at Microsoft.Azure.Cosmos.CosmosAccountServiceConfiguration.InitializeAsync()
at Microsoft.Azure.Cosmos.DocumentClient.InitializeGatewayConfigurationReaderAsync()
at Microsoft.Azure.Cosmos.DocumentClient.GetInitializationTaskAsync(IStoreClientFactory storeClientFactory)
at Microsoft.Azure.Cosmos.TaskHelper.<>c__DisplayClass0_0.<b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.Azure.Documents.BackoffRetryUtility`1.ExecuteRetryAsync(Func`1 callbackMethod, Func`3 callShouldRetry, Func`1 inBackoffAlternateCallbackMethod, TimeSpan minBackoffForInBackoffCallback, CancellationToken cancellationToken, Action`1 preRetryCallback)
at Microsoft.Azure.Documents.ShouldRetryResult.ThrowIfDoneTrying(ExceptionDispatchInfo capturedException)
at Microsoft.Azure.Documents.BackoffRetryUtility`1.ExecuteRetryAsync(Func`1 callbackMethod, Func`3 callShouldRetry, Func`1 inBackoffAlternateCallbackMethod, TimeSpan minBackoffForInBackoffCallback, CancellationToken cancellationToken, Action`1 preRetryCallback)
at Microsoft.Azure.Cosmos.DocumentClient.EnsureValidClientAsync()
--- End of inner exception stack trace ---

ty

@j82w
Contributor

j82w commented Jul 30, 2020

Related issues:
#1551
#1232

@vladicapavlovic
Author

vladicapavlovic commented Jul 30, 2020

It's not the same; this worked with the certificate 1 week ago (I don't want to disable cert validation), with v3, but I think after updating the Cosmos emulator, or (some Windows update, maybe build 20170, or Edge, I am not sure...), it stopped working.

cosmosClient = new CosmosClient(connStrCustom,
    new CosmosClientOptions()
    {
        ConnectionMode = ConnectionMode.Gateway,
    });

and the Dockerfile...

# -y so the install does not abort in the non-interactive docker build; \ joins the RUN line
RUN apt-get install -y ca-certificates && \
    cp -R /tmp/cert/cosmosdb.crt /usr/local/share/ca-certificates && \
    update-ca-certificates
....

Certificate validation is OK, following
[https://docs.microsoft.com/en-us/azure/cosmos-db/local-emulator#running-on-mac-or-linux],
but the new error is:
Request is being made with a forbidden encryption in transit protocol or cipher. Check account SSL/TLS minimum allowed protocol setting.
(In 1551 or 1232 I can't find any keyword from this bug, i.e. "encryption in transit protocol or cipher".)

@ealsur
Member

ealsur commented Jul 30, 2020

It doesn't seem to be related to the SDK itself, but rather something on the Emulator.

@vladicapavlovic
Author

vladicapavlovic commented Aug 4, 2020

This works :)
[screenshot]

@j82w
Contributor

j82w commented Aug 5, 2020

The Cosmos service only supports TLS 1.2, and it seems like your settings were requiring TLS 1.3 which caused the exception. A backlog item was created to add this scenario to the emulator documentation to help people in the future. Thank you for reporting it.

@vladicapavlovic
Author

vladicapavlovic commented Aug 5, 2020

I think the update to build 20170... caused this... ty

announcing-windows-10-insider-preview-build-20170

An experimental implementation of Transport Layer Security (TLS) 1.3 is enabled by default starting with Insider Preview Build 20170. IIS/HTTP.SYS have TLS 1.3 enabled by default. SSPI callers can use TLS 1.3 by passing the new crypto-agile SCH_CREDENTIALS structure when calling AcquireCredentialsHandle. SSPI callers using TLS 1.3 need to make sure their code correctly handles SEC_I_RENEGOTIATE.

@j82w j82w added the customer-reported Issue created by a customer label Aug 11, 2020
@j82w
Contributor

j82w commented Aug 11, 2020

The emulator documentation PR got merged. https://github.com/MicrosoftDocs/azure-docs-pr/pull/125714

@j82w j82w closed this as completed Aug 11, 2020
@adstep

adstep commented Aug 21, 2020

I'm also hitting this issue.

@j82w the link to your PR is broken now.

I found some documentation on the topic in the troubleshooting section.

If you encounter "Forbidden","message":"Request is being made with a forbidden encryption in transit protocol or cipher. Check account SSL/TLS minimum allowed protocol setting..." connectivity issues, this might be caused by global changes in the OS (for example Insider Preview Build 20170) or the browser settings that enable TLS 1.3 as default. A similar error might occur when using the SDK to execute a request against the Cosmos emulator, such as Microsoft.Azure.Documents.DocumentClientException: Request is being made with a forbidden encryption in transit protocol or cipher. Check account SSL/TLS minimum allowed protocol setting. This is expected at this time since the Cosmos emulator only accepts and works with the TLS 1.2 protocol. The recommended workaround is to change the settings and default to TLS 1.2; for instance in IIS Manager navigate to "Sites" -> "Default Web Sites" and locate the "Site Bindings" for port 8081 and edit them to disable TLS 1.3. A similar operation can be performed for the Web browser via the "Settings" options.

I didn't have IIS installed when first encountering the issue. I installed IIS, but I don't have any site bindings for 8081. What's the recommended path forward if no site bindings exist to edit?

[screenshot]

@adstep

adstep commented Aug 21, 2020

I'm looking at my Internet Options and I don't have TLS 1.3 enabled either, so I'm not sure why the update would affect me.

[screenshot]

@vladicapavlovic
Author

add new...

@richardhauer

@adstep and others; I am using the Cosmos emulator on Windows 10 Fast Ring and just ran into this. My IIS does not have the bindings, and looking at the request messages it seems that the host is directly through HTTP.sys.

I was able to get this working by disabling TLS 1.3 for the HTTP.SYS binding using netsh.

  1. Get the current settings required from cmd: netsh http show sslcert >> C:\temp\netsh.output.txt
  2. Search the output file for 0.0.0.0:8081 or whatever port you are using
  3. Set the flags from cmd: netsh http update sslcert ipport=0.0.0.0:8081 appid={00000000-0000-0000-0000-9134d4f81626} certhash=b35df09d20000000000019ad39c6170000000000 certstorename=My disabletls13=enable

The values for appid and certhash should come from the output file captured in step 1.
The important part is the disabletls13=enable.
You need all these bits for the command to work.
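The three netsh steps above, automated as an added PowerShell example (not code from this issue or from the emulator): it parses the `netsh http show sslcert` output for the binding on a given port, takes appid/certhash/store name from that block, and re-applies the binding with `disabletls13=enable`. It assumes the block layout (IP:port, Certificate Hash, Application ID, Certificate Store Name lines) that current Windows 10 builds print, and must be run from an elevated prompt to actually change anything.

```powershell
# Added example, not code from the issue: automates the three netsh steps above.
# Assumes the 'netsh http show sslcert' block layout (IP:port, Certificate Hash,
# Application ID, Certificate Store Name lines) printed by current Windows 10 builds.
function Get-HttpSysBinding {
    param(
        [Parameter(Mandatory)][int]$Port,
        [string[]]$NetshOutput = (netsh http show sslcert)   # or Get-Content of a saved file
    )
    $binding = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            if ($binding) { break }   # next block started: the wanted one is complete
            if ($Matches[1] -like "*:$Port") { $binding = @{ IpPort = $Matches[1] } }
        }
        elseif ($binding -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
            $binding.CertHash = $Matches[1]
        }
        elseif ($binding -and $line -match '^\s*Application ID\s*:\s*(\{[0-9a-fA-F-]+\})') {
            $binding.AppId = $Matches[1]
        }
        elseif ($binding -and $line -match '^\s*Certificate Store Name\s*:\s*(\S+)') {
            $binding.StoreName = $Matches[1]
        }
    }
    return $binding
}

function Disable-Tls13OnBinding {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][hashtable]$Binding)
    if (-not ($Binding.CertHash -and $Binding.AppId)) { throw "Incomplete binding for $($Binding.IpPort)" }
    # Re-applying the same cert and appid keeps the binding intact; only the TLS 1.3 flag changes.
    $netshArgs = @('http', 'update', 'sslcert', "ipport=$($Binding.IpPort)",
                   "appid=$($Binding.AppId)", "certhash=$($Binding.CertHash)")
    if ($Binding.StoreName -and $Binding.StoreName -ne '(null)') {
        $netshArgs += "certstorename=$($Binding.StoreName)"
    }
    $netshArgs += 'disabletls13=enable'
    $command = "netsh $($netshArgs -join ' ')"
    if ($PSCmdlet.ShouldProcess($Binding.IpPort, $command)) {
        & netsh @netshArgs   # needs an elevated prompt
        if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }
    }
    return $command
}

$binding = Get-HttpSysBinding -Port 8081
if (-not $binding) { throw 'No HTTP.SYS SSL binding found on port 8081' }
Disable-Tls13OnBinding -Binding $binding -WhatIf   # drop -WhatIf to apply the change
```

Run it once with `-WhatIf` to see the exact `netsh http update sslcert` line it would execute, then re-check with `netsh http show sslcert` that "Disable TLS1.3 over TCP" is now set for 0.0.0.0:8081.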

@vladicapavlovic
Author

https://docs.microsoft.com/en-us/azure/cosmos-db/local-emulator-release-notes

version 2.11.8 fixes an issue with TLS 1.3...

@ghost

ghost commented Dec 15, 2021

Closing due to inactivity, please feel free to re-open.
