Stackexchange.redis: Cannot connect with TLS 1.1 or 1.2 when TLS 1.0 is disabled with .NET 4.5.2

Created on 13 Mar 2017  ·  3 Comments  ·  Source: StackExchange/StackExchange.Redis

We are using the StackExchange.Redis client to connect to a VNET joined instance of Azure Redis and when disabling TLS 1.0 and enabling TLS 1.1/1.2 on the PaaS instance, we cannot connect to Redis and instead receive the exception below. We are using .NET 4.5.2 and setting the SecurityProtocol to Tls11|Tls12.

```csharp
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11;
```

```
An exception occurred while getting the Redis server information: StackExchange.Redis.RedisConnectionException: No connection is available to service this operation: INFO; The client and server cannot communicate, because they do not possess a common algorithm;
at StackExchange.Redis.RedisServer.ExecuteSyncT
at StackExchange.Redis.RedisServer.Info(RedisValue section, CommandFlags flags)
at CallSite.Target(Closure , CallSite , Object , Object , Object )
```

To reproduce this issue, disable TLS 1.0 (sample posh script below):

```powershell
# Disable TLS 1.0 for client and server SCHANNEL communications
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled' -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'Enabled' -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
# Log-Message is the author's own logging helper, not a built-in cmdlet
Log-Message "TLS 1.0 has been disabled."
```

Enable TLS 1.1/1.2 (code omitted, but similar to the above), then connect to Redis and execute a command.

All 3 comments

On your client machine, did you set 'SchUseStrongCrypto' to 1 in the two registry keys mentioned here? https://www.johnlouros.com/blog/enabling-strong-cryptography-for-all-dot-net-applications

Once I did that, I was able to connect to Azure Redis with TLS 1.2 successfully. Without that change, my Windows 10 machine only seemed to allow TLS 1.0 by default.

Also, I have sent a pull request to add support for configuring this directly on the client; it is here: #603
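The two settings this thread ends up combining are the SCHANNEL protocol switches (edited by the script in the issue) and SchUseStrongCrypto under the .NET Framework keys (pointed at in the comment above). The script below is an added example, not code from the issue or from the StackExchange.Redis project: it audits both on the client host and flags the exact combination that produces the "do not possess a common algorithm" failure, namely TLS 1.0 hard-disabled for SCHANNEL clients while .NET 4.5.x is still left at its default protocol set. It assumes a 64-bit Windows host with the standard key locations (`HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319` and its `Wow6432Node` twin) and an elevated PowerShell session. Note that `ServicePointManager.SecurityProtocol`, as set in the issue, only governs System.Net web requests; a library that opens its own `SslStream` picks up the framework default, which is what SchUseStrongCrypto changes.

```powershell
# Added example (not from the issue or the StackExchange.Redis project): audit the
# SCHANNEL protocol switches and the .NET Framework SchUseStrongCrypto setting on a
# client host. Assumes default 64-bit key locations; run from an elevated session.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$DotNetKeys   = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

# Read a DWORD value; $null means the key or value is absent (OS default applies).
function Get-DwordValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# Report the explicit SCHANNEL state for one protocol/side pair, e.g. 'TLS 1.0' / 'Client'.
function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Side)
    $path     = Join-Path -Path $SchannelRoot -ChildPath "$Protocol\$Side"
    $enabled  = Get-DwordValue -Path $path -Name 'Enabled'
    $disabled = Get-DwordValue -Path $path -Name 'DisabledByDefault'
    $enabledShown  = 'default'
    $disabledShown = 'default'
    if ($null -ne $enabled)  { $enabledShown  = $enabled }
    if ($null -ne $disabled) { $disabledShown = $disabled }
    [pscustomobject]@{
        Protocol          = $Protocol
        Side              = $Side
        Enabled           = $enabledShown
        DisabledByDefault = $disabledShown
        # Only an explicit Enabled=0 is a hard disable; DisabledByDefault=1 alone
        # still lets an application opt in to the protocol.
        HardDisabled      = ($null -ne $enabled -and $enabled -eq 0)
    }
}

# 1. SCHANNEL view: what the OS will allow for each protocol and side.
$protocolReport = foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Client', 'Server') {
        Get-SchannelProtocolState -Protocol $proto -Side $side
    }
}
$protocolReport | Format-Table -AutoSize

# 2. .NET Framework view: SchUseStrongCrypto must be 1 in both keys so that
#    32-bit and 64-bit .NET 4.5.x processes default to TLS 1.1/1.2 as well.
$strongCryptoEverywhere = $true
foreach ($key in $DotNetKeys) {
    $value = Get-DwordValue -Path $key -Name 'SchUseStrongCrypto'
    if ($value -ne 1) { $strongCryptoEverywhere = $false }
    $shown = 'absent'
    if ($null -ne $value) { $shown = $value }
    Write-Output ("{0}`n  SchUseStrongCrypto = {1}" -f $key, $shown)
}

# 3. The combination reported in the issue: TLS 1.0 switched off for SCHANNEL
#    clients while .NET 4.5.x still defaults to it, so a client opening its own
#    SslStream has no protocol in common with a TLS 1.1/1.2-only server.
$tls10Client = $protocolReport | Where-Object { $_.Protocol -eq 'TLS 1.0' -and $_.Side -eq 'Client' }
if ($tls10Client.HardDisabled -and -not $strongCryptoEverywhere) {
    Write-Warning 'TLS 1.0 is disabled for SCHANNEL clients but SchUseStrongCrypto is not 1 in both .NET keys; .NET 4.5.x clients will fail the handshake ("do not possess a common algorithm").'
} elseif ($strongCryptoEverywhere) {
    Write-Output 'SchUseStrongCrypto is set in both keys: .NET 4.5.x clients can negotiate TLS 1.1/1.2.'
} else {
    Write-Output 'TLS 1.0 is still allowed for clients; set SchUseStrongCrypto before disabling it.'
}
```

Run it before and after applying the registry changes from the thread: the warning in step 3 should appear only in the intermediate state where TLS 1.0 has been hard-disabled but SchUseStrongCrypto has not yet been set, which is the state the issue was filed from.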

Jon, thanks for providing the article, very informative. After setting those two registry keys, I can now connect to Azure Redis with TLS 1.2.

Thank you, Jon!
It fixed my issue with StackExchange.Redis trying to connect to Azure.

```
StackExchange.Redis.RedisConnectionException: 'No connection is available to service this operation: PING; The client and server cannot communicate, because they do not possess a common algorithm; IOCP: (Busy=0,Free=1000,Min=8,Max=1000), WORKER: (Busy=1,Free=8190,Min=8,Max=8191), Local-CPU: n/a'
RedisConnectionException: InternalFailure on xxxxxxxxx.redis.cache.windows.net:6380/Subscription, Initializing/NotStarted, last: NONE, origin: ConnectedAsync, outstanding: 0, last-read: 0s ago, last-write: 0s ago, keep-alive: 60s, state: Connecting, mgr: 10 of 10 available, last-heartbeat: never, global: 66s ago, v: 2.0.601.3402
Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm
```
