Microsoft has decided to reverse a security upgrade it applied to its Azure DevOps cloud-based software development and life cycle management system, after it caused problems for users on IPv4 connections.

In January, the company rolled out Transport Layer Security (TLS) 1.2-only access to the service, something which will now be reversed for some users.
The aim was to comply with the Internet Engineering Task Force’s March 2021 decision to deprecate the obsolete TLS versions that didn’t support current cryptographic algorithms.
The old TLS versions were also subject to protocol downgrade attacks like POODLE.
Microsoft hasn’t explained what issues arose during the upgrade, but said in a blog post that the deprecation of TLS 1.0 and TLS 1.1 caused some “unexpected issues” for IPv4 users.
Azure DevOps Platform product manager Mark Graham wrote that IPv6 endpoints were already enforcing TLS 1.2, so those customers are unaffected.
“We anticipate minimal impacts to our customers as more than 99.5% of connections made to Azure DevOps Services already use TLS 1.2. Clients have TLS 1.2-compatibility issues because of obsolete OS version or if available updates are not applied (applies for all Windows, macOS and Linux) or legacy .NET Framework installation or OS configuration prohibiting certain TLS cipher suites”, Graham’s post stated.
To help customers identify Azure DevOps-facing software that can’t support TLS 1.2, Microsoft will disable TLS 1.0/1.1 for 12 hours on March 22 for https://orgname.visualstudio.com domains; and March 24 for the https://dev.azure.com/orgname domains.
Graham’s post also tells users how to test their TLS support in PowerShell, YAML, or as a pipeline task.
He warns users that a browser check won’t catch an incompatibility: “Browsers often use crypto libraries (such as OpenSSL) and thus circumvent the classic HTTP/TLS stack that other software uses”.
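Because a browser check can miss the problem, the test has to go through the same .NET/OS TLS stack that build agents and tools use. The PowerShell below is an added example, not the script from Graham’s post: the function names are hypothetical, the registry paths are the standard Windows and .NET Framework TLS settings rather than values from this article, and the handshake test needs network access to the endpoint.

```powershell
# Added example (not Microsoft's script). Run it on the agent or workstation being checked.

function Get-Tls12ClientConfig {
    # Standard registry values that influence whether .NET Framework and Schannel
    # clients offer TLS 1.2. A $null Value means the OS/framework default applies.
    $keys = @{
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'             = @('SchUseStrongCrypto', 'SystemDefaultTlsVersions')
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' = @('SchUseStrongCrypto', 'SystemDefaultTlsVersions')
        'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' = @('Enabled', 'DisabledByDefault')
    }
    foreach ($path in $keys.Keys) {
        $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        foreach ($name in $keys[$path]) {
            New-Object PSObject -Property @{ Path = $path; Name = $name; Value = $item.$name }
        }
    }
}

function Test-Tls12Handshake {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )
    $result = @{ Host = $HostName; Tls12 = $false; Protocol = $null; Cipher = $null; Error = $null }
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        # Offer TLS 1.2 only, so a silent fallback to 1.0/1.1 cannot hide a broken client.
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $result.Tls12    = $true
        $result.Protocol = $ssl.SslProtocol
        $result.Cipher   = $ssl.CipherAlgorithm
    }
    catch {
        # Typical causes: TLS 1.2 disabled locally, or no cipher suite in common with the server.
        $result.Error = $_.Exception.GetBaseException().Message
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
    New-Object PSObject -Property $result
}

Get-Tls12ClientConfig | Format-Table Name, Value, Path -AutoSize
Test-Tls12Handshake -HostName 'dev.azure.com'   # host taken from the article's URL
```

A result with `Tls12 = False` on a machine that still reaches Azure DevOps today indicates a client that depends on TLS 1.0/1.1 and will fail once they are disabled.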