External Feed :: Could not create SSL/TLS secure channel

Hi,

When i am trying to test an external feed package exist or not, i am getting an error as included below.
I have attached a screenshot of the error also.

Log ::

System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
at System.Net.HttpWebRequest.GetResponse()
at NuGet.RequestHelper.GetResponse()
at NuGet.RedirectedHttpClient.GetResponseUri(HttpClient client)
at NuGet.RedirectedHttpClient.EnsureClient()
at System.Lazy1.CreateValue() at System.Lazy1.LazyInitValue()
at NuGet.RedirectedHttpClient.get_CachedClient()
at NuGet.RedirectedHttpClient.get_Uri()
at NuGet.DataServicePackageRepository.GetPackages()
at Octopus.Core.Packages.ExternalNuGetFeedAdapter.SearchForPackagesNamedLike(String packageId, Int32 take) in Y:\work\refs\tags\3.1.2\source\Octopus.Core\Packages\ExternalNuGetFeedAdapter.cs:line 69

A week before this seems to be working.
Can you please help me resolve this issue.

Thanks!
Pratheesh

From my network team i came to know that TLS1.0 is disabled due to security reason on nuget server.
Can i know which TLS version is octopus using to communicate with external feed?
And if its TLS1.0 can you tell us if there is any plan to upgrade this to 1.2 and in which release of octoups i can find this.

Thanks in advance!

-Pratheesh

The version of octopus we are using is 3.1.2

Hi Pratheesh,

In Octopus version 3.1.2 we switched to .NET 4.5 which supports TLS 1.2. However, I’m not sure which version of TLS we are using to connect to external feeds. It may be environmental or we may need to instruct NuGet to use TLS 1.2.

What operating system are you using on your Octopus Server?

Cheers
Shane

Hi Shane,

We are using Microsoft Windows Server 2008 R2 Enterprise edition of operating system in Octopus server.
How can i confirm which protocol octopus is using to connect to external feeds?
Is there any way in octopus to explicitly say to use TLS1.2 to connect to external feeds.?

Will you be able to share some document on how to set our Nuget reposotory to use TLS1.2 protocol?

Cheers!
Pratheesh

Hi Pratheesh,

I have tried setting up an environment with a TLS 1.2 NuGet feed. I think it’s working but I don’t trust my TLS configuration skills. I used a vanilla Server 2008 R2 and did not need to add anything special to get it to work.

Are you able to browse to your NuGet feed from your Octopus Server machine in a web browser without getting any certificate or security errors? That might give more of a hint what is happening. Unfortunately the exception in Octopus is very general.

Cheers
Shane

Hi Shane,

Yes we tried manually browsing nuget feed and we are able to access without any issues.

From my network team i came to know that when the source sends request to the destination the source is what decides the TLS protocol.
In our case Octopus sends a request to Nuget repository and gets the nuget package. So Octopus is defining the TLS protocol.
It looks like Octopus makes a TLS1.0 request to the Nuget repository and since TLS1.0 is disabled in Nuget server its not able to communicate.

Can you get to your technical team and confirm on which TLS protocol is been used to communicate to external feeds.
If its using TLS1.0, which release of Octopus uses TLS1.1+ to communicate to external feeds.
This is a show stopper for us as Octopus is not able to connect to Nuget repository and as per company policy the network team has disable TLS1.0 throughout the network.

Cheers!
Pratheesh

Hi Pratheesh,

Thanks for the extra details.

While we support TLS 1.1 and 1.2 in Octopus 3.1, Octopus Server was only using TLS 1.0 to initiate https connections. I’ve enabled https over TLS 1.1 and 1.2, it will be out in the next release (3.2.1). You can track the issue here:
https://github.com/OctopusDeploy/Issues/issues/2116

We should get this out in the next couple of days.

Cheers
Shane

Thanks Shane.
Really appreciate your turn around. :slight_smile:

Can you please update us once 3.2.1 is released so that we can plan ourself to upgrade octopus.

Hi Pratheesh,

The release went out today, please let me know if it helps your situation.

Thanks
Shane

Thanks a lot Shane.
Didn’t expect such a fast turn around :slight_smile:

Thanks much.
Pratheesh