We have a private NuGet server secured with TLS 1.2 but disallowing TLS 1.0 and TLS 1.1 due to POODLE. The NuGet client is unable to connect because the default value of ServicePointManager.SecurityProtocol is Ssl3 | Tls. We're able to connect by adding the following before the connection is made:
ServicePointManager.SecurityProtocol =
SecurityProtocolType.Ssl3
| SecurityProtocolType.Tls
| SecurityProtocolType.Tls11
| SecurityProtocolType.Tls12;
Is there a reason not to support TLS 1.1+? If not, I'd be glad to submit a PR if someone could direct me to the right repo.
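The in-process override above is the whole story from the client's side: ServicePointManager.SecurityProtocol is a process-wide static, and whatever set of protocols it holds is what every HttpWebRequest in that process will offer. The script below is an added example, not code from the issue or from the NuGet project. It pins the process default to TLS 1.2 only (the POODLE-affected SSL 3.0 and TLS 1.0 are simply not offered) and then does a raw SslStream handshake against a server with several client protocol sets, so you can see for yourself which combinations a TLS 1.2-only feed rejects. It assumes Windows PowerShell on .NET Framework 4.5 or later (where SecurityProtocolType.Tls12 exists); `test-proget` is the placeholder host name from this thread, not a real host.

```powershell
# Added example (not from the NuGet thread or project).
# Assumes Windows PowerShell 5.x on .NET Framework 4.5+.

function Test-TlsHandshake {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        # The protocol set the client is willing to offer in the handshake.
        [System.Security.Authentication.SslProtocols] $ClientProtocols = 'Tls12'
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Default certificate validation is kept: the server chain must be trusted.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        try {
            # Explicit protocol list, revocation checking on.
            $ssl.AuthenticateAsClient($HostName, $null, $ClientProtocols, $true)
            [pscustomobject]@{
                HostName   = $HostName
                Offered    = $ClientProtocols
                Negotiated = $ssl.SslProtocol      # what the server actually picked
                Cipher     = $ssl.CipherAlgorithm
                Succeeded  = $true
                Error      = $null
            }
        } finally { $ssl.Dispose() }
    } catch {
        # A TLS 1.2-only server closes the connection when only SSL3/TLS1.0 is offered;
        # that surfaces here as an IOException/SocketException, as in the traces in this thread.
        [pscustomobject]@{
            HostName   = $HostName
            Offered    = $ClientProtocols
            Negotiated = $null
            Cipher     = $null
            Succeeded  = $false
            Error      = $_.Exception.GetBaseException().Message
        }
    } finally { $client.Dispose() }
}

# Process-wide default for everything built on HttpWebRequest in this process.
# Offering Tls12 alone, rather than Ssl3 | Tls | Tls11 | Tls12, means a downgrade
# to an older protocol cannot be negotiated from this side at all.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

# Show which client protocol sets a TLS 1.2-only feed accepts.
# 'test-proget' is the placeholder feed host from the thread; substitute your own.
'Ssl3, Tls', 'Tls11', 'Tls12' | ForEach-Object {
    Test-TlsHandshake -HostName 'test-proget' -ClientProtocols $_
} | Format-Table HostName, Offered, Negotiated, Succeeded, Error -AutoSize
```

On a host where SSL 3.0 is already disabled in SChannel, the first row fails inside the local TLS stack before anything is sent; the Error column tells the two cases apart.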
@dahlbyk it all depends where you use NuGet. In the command line we control it all, but when hosted in other applications it is the application host owner that is allowed to play with SPM (since unfortunately it is a global static property).
In my case the failure is with nuget.exe, so I would at least recommend a change in protocol support there. I haven't tried accessing the feed with other tools, but it seems like defaulting to support the more secure protocols would guide client consumers into the pit of success?
This setting being AppDomain-wide is...unfortunate.
@zhili1208 please see what it means to fix this for visual studio and for nuget.exe 2.8.6
@dahlbyk the easy fix is to install https://support.microsoft.com/en-us/kb/2954853/
+1 for fixing this
@drusellers read above, it is fixed by .NET. We are not going to make changes and override other potential fixes.
If the fix above doesn't work for you, please reopen
This fix isn't working for us, unfortunately.
Getting an exception:
nuget list -source https://test-proget/nuget/Default -verbosity detailed
System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond xxx.xxx.xxx.xxx:443
at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.GetResponse()
at NuGet.RequestHelper.GetResponse()
at NuGet.HttpClient.GetResponse()
at NuGet.RedirectedHttpClient.GetResponseUri(HttpClient client)
at NuGet.RedirectedHttpClient.EnsureClient()
at System.Lazy`1.CreateValue()
at System.Lazy`1.LazyInitValue()
at System.Lazy`1.get_Value()
at NuGet.MemoryCache.GetOrAdd[T](Object cacheKey, Func`1 factory, TimeSpan expiration, Boolean absoluteExpiration)
at NuGet.RedirectedHttpClient.get_CachedClient()
at NuGet.RedirectedHttpClient.get_Uri()
at NuGet.DataServicePackageRepository.get_Context()
at NuGet.DataServicePackageRepository.Search(String searchTerm, IEnumerable`1 targetFrameworks, Boolean allowPrereleaseVersions)
at NuGet.PackageRepositoryExtensions.Search(IPackageRepository repository, String searchTerm, IEnumerable`1 targetFrameworks, Boolean allowPrereleaseVersions)
at NuGet.AggregateRepository.<>c__DisplayClass35.<Search>b__34(IPackageRepository r)
at System.Linq.Enumerable.<>c__DisplayClass12`3.<CombineSelectors>b__11(TSource x)
at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)
at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)
at NuGet.AggregateQuery`1.GetSubQueries(Expression expression)
at NuGet.AggregateQuery`1..ctor(IEnumerable`1 queryables, IEqualityComparer`1 equalityComparer, ILogger logger, Boolean ignoreFailures)
at NuGet.AggregateRepository.CreateAggregateQuery(IEnumerable`1 queries)
at NuGet.AggregateRepository.Search(String searchTerm, IEnumerable`1 targetFrameworks, Boolean allowPrereleaseVersions)
at NuGet.PackageRepositoryExtensions.Search(IPackageRepository repository, String searchTerm, IEnumerable`1 targetFrameworks, Boolean allowPrereleaseVersions)
at NuGet.Commands.ListCommand.GetPackages()
at NuGet.Commands.ListCommand.ExecuteCommand()
at NuGet.Commands.Command.Execute()
at NuGet.Program.Main(String[] args)
Attempting to install NDP45-KB2954853-x64.exe responds with a rather un-useful
Software Update KB2954853 Installation Wizard does not apply, or is blocked by another condition on your computer.
with no log file created.
We are running NuGet version 2.8.60717.93 against a windows 2012 R2 server, with SSL 2.0, SSL 3.0, TLS 1.0 & TLS 1.1 all disabled.
As far as I can tell, all that update does is disable the use of RC4 with TLS, so I'm not sure how that enables TLS 1.2 here. What am I missing?
You need nuget.exe 3.3 available on our download tab
Unfortunately, no dice, using version 3.3.0.212:
nuget.3.3.0.212.exe list -source https://test-proget/nuget/Default -verbosity detailed
System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
at System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)
at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
--- End of inner exception stack trace ---
at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.TlsStream.CallProcessAuthentication(Object state)
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.ConnectStream.WriteHeaders(Boolean async)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.GetResponse()
at NuGet.RequestHelper.GetResponse()
at NuGet.HttpClient.GetResponse()
at NuGet.RedirectedHttpClient.GetResponseUri(HttpClient client)
at NuGet.RedirectedHttpClient.EnsureClient()
at System.Lazy`1.CreateValue()
at System.Lazy`1.LazyInitValue()
at System.Lazy`1.get_Value()
at NuGet.MemoryCache.GetOrAdd[T](Object cacheKey, Func`1 factory, TimeSpan expiration, Boolean absoluteExpiration)
at NuGet.RedirectedHttpClient.get_CachedClient()
at NuGet.RedirectedHttpClient.get_Uri()
at NuGet.DataServicePackageRepository.get_Source()
at NuGet.Protocol.Core.v2.ListCommandResourceV2Provider.<TryCreate>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at NuGet.Protocol.Core.Types.SourceRepository.<GetResourceAsync>d__11`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at NuGet.Protocol.Core.Types.SourceRepository.<GetResourceAsync>d__10`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at NuGet.Commands.ListCommand.<GetListEndpointsAsync>d__21.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at NuGet.Commands.ListCommand.<ExecuteCommandAsync>d__22.MoveNext()
Does vs 2015 with nuget 3 work for you? That will help me get some more clues
Yep, with the package manager console, it works:
PM> Find-Package -source https://test-proget/nuget/Test
Id Versions Description
-- -------- -----------
jQuery {2.1.4} jQuery is a new kind of JavaScript Library....
PM> (get-module NuGet).version
Major Minor Build Revision
----- ----- ----- --------
2 0 0 0
PM>
Also works from the gui - using nuget 3.3.0.167.
PS - thanks for the lightning fast response!
Makes sense. I think we might be missing a line in the commandline, to set the TLS 1.2, should be fairly easy to add to 3.4. How time critical is this for you?
It's a case of "we'd really like it, but it's not critical".
In the wake of the DROWN vulnerability, we're tightening up on unnecessary protocols, so it's a pre-emptive thing, rather than a drop-everything thing.
Happy to test out custom builds, if that would help.
Will get back to you as soon as I find out more, it's still hard to code and do a custom build from smartphone :)
It is possible to fix this via registry if it is an immediate blocker or you need to use an old version of NuGet.
If you create a registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ with the name System.Net.ServicePointManager.SecurityProtocol, and create a string (REG_SZ) in it with the name set to the path of an executable, you can use the value to set the version of SSL/TLS to support. For example, I could set the value to Tls11 or Tls11, Tls12.
You probably need to repeat this process in the WOW6432Node section of the registry, too.
Should be fixed with https://github.com/NuGet/NuGet.Client/pull/330 and will be available next release.
Thanks for the awesomely fast turnaround, @joelverhagen.
Cloned at https://github.com/NuGet/NuGet.Client/commit/cd8f8191b089a32deca1f73910b9510d8af0ebca, compiled locally and tested - all looks good. Thanks!
@vcsjones - thanks for the override info.
I found that your suggestion didn't work - at least using this reg file:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SecurityProtocol]
"C:\\Users\\matt.richardson\\Downloads\\nuget.3.3.0.212.exe"="Tls12"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SecurityProtocol]
"C:\\Users\\matt.richardson\\Downloads\\nuget.3.3.0.212.exe"="Tls12"
But, poking around, I found adding the key for SchUseStrongCrypto did:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
It appears that the DisableStrongCrypto flag overrides the app specific setting in some (most?) circumstances.
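For anyone who needs the registry route from the two comments above (the per-executable System.Net.ServicePointManager.SecurityProtocol key, and the SchUseStrongCrypto value that actually worked here), this is an added PowerShell example, not from the thread or the NuGet project, that applies the SchUseStrongCrypto override to both the 64-bit and Wow6432Node .NET Framework 4 hives and reads it back. It assumes an elevated session; the value is machine-wide and changes the default protocol set for every .NET Framework 4.x process, which is exactly why it is worth a dry run (-WhatIf) and a readback before relying on it.

```powershell
# Added example (not from the NuGet thread or project).
# Requires an elevated Windows PowerShell session; affects all .NET 4.x processes.

# Both hives matter: 32-bit .NET processes on 64-bit Windows read Wow6432Node.
$script:NetFxHives = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Set-StrongCrypto {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]] $Paths = $script:NetFxHives)
    foreach ($path in $Paths) {
        if (-not (Test-Path $path)) {
            # The key normally exists once .NET 4.x is installed; create it only if missing.
            if ($PSCmdlet.ShouldProcess($path, 'Create key')) {
                New-Item -Path $path -Force | Out-Null
            }
        }
        if ($PSCmdlet.ShouldProcess($path, 'Set SchUseStrongCrypto = 1 (REG_DWORD)')) {
            # dword:00000001, matching the .reg fragment posted above.
            New-ItemProperty -Path $path -Name 'SchUseStrongCrypto' `
                -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

function Get-StrongCrypto {
    param([string[]] $Paths = $script:NetFxHives)
    foreach ($path in $Paths) {
        $value = (Get-ItemProperty -Path $path -Name 'SchUseStrongCrypto' `
                    -ErrorAction SilentlyContinue).SchUseStrongCrypto
        [pscustomobject]@{
            Path               = $path
            SchUseStrongCrypto = $value          # $null when the value is absent
            Effective          = ($value -eq 1)
        }
    }
}

Set-StrongCrypto -WhatIf        # dry run: shows what would change, touches nothing
# Set-StrongCrypto              # uncomment to apply
Get-StrongCrypto | Format-Table -AutoSize
```

Processes that were already running keep their old default until restarted, so check the readback and then relaunch nuget.exe (or the host application) before retesting the feed.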
@matt-richardson FYI, we drop builds in myget on the nugetbuild gallery. The command line (signed) is available in the nuget.commandline package
@yishaigalatzer Ahh. That would've been useful. I saw a mention that CI builds are not available, but I now see that is specific to the vsix builds. Might be worth clarifying that paragraph.
thanks for the feedback, clarified.
By the way, note that on every doc page there is a link at the bottom to GitHub; our docs are OSS as well, so feel free to submit changes/suggestions right on the page.
Loving how fast you guys are responding to issues - keep up the great work!