0

I am trying to connect and send a message to azure service bus queue using the following code

var connectionString = "<Your connection string>";

var queueName = "<Your queue name>";

var client = QueueClient.CreateFromConnectionString(connectionString, queueName);
var message = new BrokeredMessage("This is a test message!");
client.Send(message);

This is the same code they have on their site as an example.

But while connecting, it gives an SSPI ERROR with an inner exception of 'The client and server do not possess a common algorithm'.

Also, I have disabled TLS 1.0 and SSL 3.0 in my system. Is it because of that.

Can someone help me understand what is wrong here?

Tom
  • 125
  • 1
  • 11
  • Where is your application running (what host)? Do you have a firewall in place? Default connectivity mode is TCP, so perhaps the ports are getting blocked. More on connectivity mode here: https://msdn.microsoft.com/en-us/library/microsoft.servicebus.connectivitymode.aspx?f=255&MSPPError=-2147217396 There's also another thread with a similar question: http://stackoverflow.com/questions/35469739/azure-service-bus-connection-error-from-worker-role – Sean Feldman Oct 06 '16 at 04:53
  • @Sean Feldman my application is running on azure web apps, but this issue is when I am trying it locally on my IIS host..on my machine..I haven't tried after deploying it. I have also tried changing service bus environments, but with no luck. – Tom Oct 06 '16 at 17:01

2 Answers2

0

The client and server do not possess a common algorithm

That's not a TCP layer problem. That's higher up in the TLS handshake and it means just that. The two parties (client and server) could not agree on a common cipher suite and the handshake failed.

Run your client's host through SSLLab's browser test (even if it's not a browser): https://www.ssllabs.com/ssltest/viewMyClient.html

Then run the Service Bus endpoint through the server test page:
https://www.ssllabs.com/ssltest/

Compare results and enable at least one cipher suite in your client that matches what the TLS stack on the Service Bus endpoint accepts.

You should also simply try doing:

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

..since you've disabled TLS 1.0 and i'm no longer sure what your .NET now defaults to, so explicitly setting the protocol version is the natural way to go.

TLS 1.2 was released back in 2008. You can be sure Azure supports it for all services, globally - check your own Service Bus namespace here! (same story for 935x/TCP).

It's not enough to support TLS 1.2, your host must have at least one common cipher suite with the server -- use this to check your host:

https://github.com/snobu/get-schannel-ciphers (.exe under /Release/)

Community
  • 1
  • 1
evilSnobu
  • 24,582
  • 8
  • 41
  • 71
  • I have set the security protocol version explicitly itself in my application start..so I can confirm and be sure that my application uses TLS 1.1 or TLS 1.2 for outbound request. I guess the azure service bus runs on TLS 1.0 and can't handle TLS 1.1 and above as of yet – Tom Oct 06 '16 at 16:58
  • TLS 1.2 was released in 2008 (https://tools.ietf.org/html/rfc5246). You can be sure Azure supports that for all services, globally - see https://www.ssllabs.com/ssltest/analyze.html?d=takethebus.servicebus.windows.net (same story for 9354/TCP). It's not enough to support TLS 1.2, your host has to have at least ONE common cipher suite with the server -- use this to check your host: https://github.com/snobu/get-schannel-ciphers (.exe under /Release/) – evilSnobu Oct 06 '16 at 18:34
  • I know i am dragging up an older post, but it is the only thing I could find that is remotely close to what I am dealing with. I have the same problem where I am trying to use Azure Service Bus on a machine where PCI requirements mean TLS 1.0 is disabled. Interestingly enough, when TLS 1.0 is enabled everything works. Simply disabling TLS 1.0 breaks the application. I will not pretend to understand everything about cipher suites, but it certainly looks like TLS 1.0 is the problem as everything works fine while it is on. – meyousikmann Oct 31 '16 at 00:23
  • Fire up Wireshark and check what your application is trying to negotiate with the other end (Client Hello packet). `16 03 01` is TLS 1.0, `03 02` TLS 1.1 `03 03` TLS 1.2 - http://blog.bfitz.us/?p=1508 – evilSnobu Oct 31 '16 at 05:46
0

We encountered the exact same issue when we disabled TLS 1.0 and 1.1 (we used https://docs.nwebsec.com/projects/AzureStartupTasks/en/latest/ and also added

    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

in Global.asax under Application_Start).

We opened a ticket with Microsoft support and found out that Azure Service Bus needs to be upgraded to .Net Framework 4.6.2 in order to support TLS 1.1 and TLS 1.2. Here are the details:

Service Bus relies on the underlying SSLStream class for secure communication for NetEventRealyBinding.

In WCF included in the .Net Framework 4.5.2, SSLStream only supports SSL 3.0 and TLS 1.0.

The WCF version in .Net Framework 4.6.2 supports TLS 1.1 and TLS 1.2 for SSLStream.

The Service Bus Service will need to be updated to use .Net Framework 4.6.2. Currently Service Bus uses OSFamily 4 https://learn.microsoft.com/en-us/azure/cloud-services/cloud-services-guestos-update-matrix#family-4-releases which has .Net Framework 4.5.2. Current plans to upgrade to .Net Framework are slated for middle of 2017.

I'll update this answer once I hear more from Microsoft.

UPDATE 2017-03-21:

Microsoft sent this workaround, which fixed the issue and allowed our code to work with TLS 1.2.

  1. In the PowerShell script you currently use to set up TLS 1.2, add the following line. On .Net Framework 4.5.2 this will force SslStreams to use Tls 1.0/1.1/1.2. But since your machine allows only TLS 1.2, that will be used. 

    UpdateRegistryKey "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" "SchUseStrongCrypto" 1 "DWORD"

  2. In you the startup of your code add the following line, and rebuild and retest

    ServiceBusEnvironment.SystemConnectivity.Mode = ConnectivityMode.Https;
zekay2000
  • 26
  • 3