Azure DevOps Rollbacks TLS 1.0/1.1

CIO Review Europe | Tuesday, May 17, 2022

Microsoft's Azure DevOps team has undone the deprecation of outdated Transport Layer Security at the end of January because of unspecified "unexpected issues" that arose following the change.

FREMONT, CA: The director of product management for Azure DevOps, Rajesh Ramamurthy, announced that Microsoft plans to phase out the support for TLS 1.0/1.1 due to the risk of protocol downgrade attacks and other TLS vulnerabilities outside of Microsoft's control. TLS downgrade attacks try to transform strong, more recent versions of TLS into weaker, older versions of the protocol to make them more exploitable. Some have amusing names like POODLE (Padding Oracle On Downgraded Legacy Encryption) [PDF] and SLOTH (Security Losses from Obsolete and Truncated Transcript Hashes); others, like FREAK (factoring RSA export keys) and Logjam, try to be a little more serious.

As of January 31, 2022, Azure DevOps services stopped accepting TLS 1.0/1.1 connections and required TLS 1.2 as a minimum. This affected all Azure DevOps Services HTTPS connections, including web API, and get access to https://dev.azure.com/orgname and https://orgname.visualstudio.com. Users of the self-hosted Azure DevOps Server were unaffected. However, things did not proceed as anticipated, and TLS 1.0/1.1 will be available for another week or two for clients using IPv4 endpoints. TLS 1.2 is already enforced as a minimum requirement if one connects over IPv6. Mark Graham, the product manager for Azure DevOps Platform, gave no further insights than "anticipated difficulties," which pretty much covers everything. Fortunately, only a small percentage of Azure DevOps users are expected to be affected.

The next effort by Microsoft to disable TLS 1.0/1.1 for Azure DevOps is set for March 31, 2022. Prior to that date, there will be dress rehearsals consisting of 12-hour TLS 1.1/1.0 test shutdowns for https://orgname.visualstudio.com on March 22, 2022, from 09:00 to 21:00 UTC. Then, on March 24, 2022, https://dev.azure.com/orgname will disable TLS 1.1/1.0 to see if any program fails with TLS 1.2. Following these tests, the obsolete TLS versions will be re-enabled until the end of the month, when the deprecation will be complete, barring any unexpected complications.

Read Also

follow on linkedin follow on twitter

Copyright © 2022 CIOReviewEurope. All rights reserved.         Contact         |         Subscribe        

Top