Support for TLS 1.3 #2095

Open
ehrw1n opened this issue Nov 25, 2024 · 9 comments

Comments

@ehrw1n

ehrw1n commented Nov 25, 2024

I am seeking support for enabling TLS 1.3 in Azure SignalR Service or guidance on any documentation steps I might have overlooked. Currently, the absence of TLS 1.3 support forces us to maintain our Azure Web App instance on TLS 1.2, which is the only barrier to achieving our enhanced security settings.

We are using version 8.0 on both the client and server, and have configured the client hub connection to permit TLS 1.3, but this has not resolved the issue. Does SignalR, whether self-hosted or on Azure, support TLS 1.3? Additionally, would upgrading to .NET 9.0 make a difference?

@vicancy
Member

vicancy commented Nov 26, 2024

Azure SignalR does support TLS 1.3. You could validate this with openssl s_client -connect <hostname>:<port> -tls1_3.

What errors are you seeing when upgrading your Azure Web App instance to TLS 1.3?
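The openssl probe above has a .NET equivalent that is worth having when the client in question is a .NET app, because it exercises the same TLS stack (SChannel on Windows, OpenSSL on Linux) that the SignalR client will use. The block below is an added example, not code from this thread or from the Azure SignalR project: it forces a single TLS version per attempt with SslStream and reports what was negotiated or what failed. The hostname is a placeholder to be replaced with your own endpoint.

```csharp
// Added example (not from the issue thread or the Azure SignalR project):
// a .NET counterpart of `openssl s_client -connect host:443 -tls1_3`.
// Each probe forces exactly one TLS version and reports what the local TLS stack
// (SChannel on Windows, OpenSSL on Linux) actually negotiated, or why it failed.
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Threading.Tasks;

public static class TlsProbe
{
    public sealed record ProbeResult(
        SslProtocols Requested, SslProtocols? Negotiated, string? CipherSuite, string? Error);

    public static async Task<ProbeResult> ProbeAsync(string host, int port, SslProtocols requested)
    {
        using var tcp = new TcpClient();
        await tcp.ConnectAsync(host, port);

        // leaveInnerStreamOpen: false, so disposing the SslStream also closes the socket.
        await using var ssl = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false);
        var options = new SslClientAuthenticationOptions
        {
            TargetHost = host,               // SNI and certificate name validation
            EnabledSslProtocols = requested, // a single version, like openssl's -tls1_2 / -tls1_3
        };

        try
        {
            await ssl.AuthenticateAsClientAsync(options);
            return new ProbeResult(requested, ssl.SslProtocol, ssl.NegotiatedCipherSuite.ToString(), null);
        }
        catch (AuthenticationException ex)
        {
            // A server that does not offer the requested version replies with a protocol_version
            // alert, which .NET reports as "remote party sent a TLS alert: 'ProtocolVersion'".
            // On a Windows build whose SChannel has no TLS 1.3 client support (Windows 10),
            // the failure comes from the local stack instead, so the message differs; keep
            // the innermost message to tell the two cases apart.
            return new ProbeResult(requested, null, null, ex.InnerException?.Message ?? ex.Message);
        }
    }

    public static async Task Main(string[] args)
    {
        // Placeholder hostname; pass the web app or *.service.signalr.net endpoint as the first argument.
        string host = args.Length > 0 ? args[0] : "example.service.signalr.net";
        foreach (var version in new[] { SslProtocols.Tls12, SslProtocols.Tls13 })
        {
            ProbeResult result = await ProbeAsync(host, 443, version);
            Console.WriteLine(result.Error is null
                ? $"{version}: negotiated {result.Negotiated} with {result.CipherSuite}"
                : $"{version}: failed: {result.Error}");
        }
    }
}
```

Run it once from the machine type that will host the real client: a TLS 1.3 failure that openssl does not reproduce from the same network points at the client OS, not the service.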

@ehrw1n
Author

ehrw1n commented Nov 26, 2024

That's good to hear!

Inner Exception: Authentication failed because the remote party sent a TLS alert: 'ProtocolVersion'

After configuring the client to explicitly allow TLS versions 1.2|1.3, 1.2 or 1.3, connect still fails, but oddly the inner exception seemed to have disappeared.

@ehrw1n
Author

ehrw1n commented Nov 26, 2024

We also restrict cipher suites based on similar security considerations, outlined here:

TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

@ehrw1n
Author

ehrw1n commented Nov 26, 2024

  • Microsoft.AspNetCore.SignalR.Client 8.0.8
  • Microsoft.Azure.SignalR 1.26.1

We hadn't updated to 8.0.11 and 1.28.0 yet, doing that today.

@ehrw1n
Author

ehrw1n commented Nov 26, 2024

openssl s_client -tls1_3 successfully connects to the web app and SignalR instance. The service.signalr.net instance speaks TLS 1.2 and 1.3, which doesn't seem configurable.

@vicancy
Member

vicancy commented Nov 27, 2024

> That's good to hear!
>
> Inner Exception: Authentication failed because the remote party sent a TLS alert: 'ProtocolVersion'
>
> After configuring the client to explicitly allow TLS versions 1.2|1.3, 1.2 or 1.3, connect still fails, but oddly the inner exception seemed to have disappeared.

Where is this error thrown from?

Yes, the service supports both TLS 1.2 and 1.3; it is the client side that determines which to use.

@ehrw1n
Author

ehrw1n commented Nov 27, 2024

Thrown when I call HubConnection.StartAsync

Do you know why the inner exception might have vanished when I tried setting the TLS version in HttpMessageHandlerFactory?

@ehrw1n
Author

ehrw1n commented Nov 27, 2024

In this scenario, it's a Windows-specific client app where I don't have control over the Windows hosts. Is it possible that dotnet core uses Schannel on Windows exclusively instead of OpenSSL? If so, I may be limited in my options, unless I can configure dotnet core to use a different crypto implementation. I'd prefer to require 1.3, but Windows 10 clients may hinder that.

If that's the situation, then it appears I'm limited by platform constraints. Thank you for the assistance - it seems we can close out this ticket as a platform limitation.
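The client-side configuration the thread keeps referring to (pinning TLS versions through HttpMessageHandlerFactory, restricting cipher suites, and reading the inner exception out of StartAsync) fits in one place. The block below is an added example, not code from this thread or from the Azure SignalR SDK. It assumes a hub URL supplied by the caller, replaces the handler SignalR constructs with a SocketsHttpHandler so that SslClientAuthenticationOptions are reachable, and applies the thread's cipher-suite list only off Windows, where .NET lets the application set it; on Windows, SChannel takes its protocol and cipher-suite list from OS policy, which is the platform constraint described above.

```csharp
// Added example; not code from the issue thread or the Azure SignalR SDK.
// Pins the SignalR .NET client to TLS 1.2/1.3 (or 1.3 only) via HttpMessageHandlerFactory
// and applies the cipher-suite allow-list from the thread where .NET honours it.
using System;
using System.Net.Http;
using System.Net.Security;
using System.Runtime.InteropServices;
using System.Security.Authentication;
using System.Threading.Tasks;
using Microsoft.AspNetCore.SignalR.Client;

public static class HardenedHubClient
{
    // The allow-list posted in the thread: the two TLS 1.3 suites, then ECDHE + AES-GCM for TLS 1.2.
    private static readonly TlsCipherSuite[] AllowedSuites =
    {
        TlsCipherSuite.TLS_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_AES_128_GCM_SHA256,
        TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
        TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    };

    public static HubConnection Build(Uri hubUrl, SslProtocols allowed = SslProtocols.Tls13 | SslProtocols.Tls12)
    {
        return new HubConnectionBuilder()
            .WithUrl(hubUrl, options =>
            {
                options.HttpMessageHandlerFactory = _ =>
                {
                    // SocketsHttpHandler exposes SslClientAuthenticationOptions; the HttpClientHandler
                    // SignalR passes in only exposes SslProtocols, so it is replaced here. If you rely on
                    // options.Cookies, Proxy or ClientCertificates, copy them onto this handler as well.
                    var handler = new SocketsHttpHandler();
                    handler.SslOptions.EnabledSslProtocols = allowed;

                    // CipherSuitesPolicy is honoured where .NET's TLS is backed by OpenSSL. On Windows the
                    // setter throws PlatformNotSupportedException: SChannel takes the list from OS policy.
                    if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
                    {
                        handler.SslOptions.CipherSuitesPolicy = new CipherSuitesPolicy(AllowedSuites);
                    }
                    return handler;
                };
            })
            .WithAutomaticReconnect()
            .Build();
    }

    // Starts the connection and reports the TLS reason instead of only the outer message.
    public static async Task<string> StartAndReportAsync(HubConnection connection)
    {
        try
        {
            await connection.StartAsync();
            return "connected";
        }
        catch (Exception ex)
        {
            // StartAsync wraps the transport failure; the alert text ("remote party sent a TLS alert:
            // 'ProtocolVersion'") sits on an inner AuthenticationException, so walk the chain for it.
            for (Exception? e = ex; e is not null; e = e.InnerException)
            {
                if (e is AuthenticationException auth)
                {
                    return "tls failure: " + auth.Message;
                }
            }
            return "failed: " + ex.Message;
        }
    }

    public static async Task Main(string[] args)
    {
        // Placeholder hub URL; pass your own as the first argument.
        var url = new Uri(args.Length > 0 ? args[0] : "https://example.azurewebsites.net/hub");

        // Strict mode: TLS 1.3 only. On a Windows 10 client this fails in the local stack before any
        // server alert; relax to Tls13 | Tls12 where such clients must keep working.
        HubConnection connection = Build(url, SslProtocols.Tls13);
        Console.WriteLine(await StartAndReportAsync(connection));
        await connection.DisposeAsync();
    }
}
```

Two checks are worth doing after wiring this in. First, with Azure SignalR the client is redirected by the negotiate response to the *.service.signalr.net endpoint, so confirm in a capture that both the web app leg and the service leg negotiated the version you expect. Second, the WebSocket transport is a separate code path from the HTTP negotiate request; verify on the target platform that it picked up the same settings rather than assuming it did.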

@ehrw1n
Author

ehrw1n commented Nov 27, 2024

dotnet/runtime#110220
