Octo.exe and TLS 1.2

We are testing out locking down our Octopus instance to only allow TLS 1.2 connections (via these instructions), and we’ve had success with accessing the UI via Chrome, and also success with the Tentacles accessing the server.

However, we are having issues with octo.exe accessing the server:

octo --list-projects --server https://test-octopus.example.com --apikey=API-GID0R3XUOYXPDQBEZ4DDA6KA

Octopus Deploy Command Line Tool, version 3.3.7+Branch.master.Sha.3dfbf2ea54a21dd47d6d1ef0be02c7540f703fe9

Handshaking with Octopus server: https://test-octopus.example.com

System.Exception: Unable to connect to the Octopus Deploy server. See the inner exception for details. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
   at System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)
   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   --- End of inner exception stack trace ---
   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.TlsStream.CallProcessAuthentication(Object state)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
   at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.ConnectStream.WriteHeaders(Boolean async)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.GetResponse()
   at Octopus.Client.OctopusClient.DispatchRequest[TResponseResource](OctopusRequest request, Boolean readResponse)
   at Octopus.Client.OctopusClient.Get[TResource](String path, Object pathParameters)
   at Octopus.Client.OctopusClient.EstablishSession()
   --- End of inner exception stack trace ---
   at Octopus.Client.OctopusClient.EstablishSession()
   at System.Lazy`1.CreateValue()
   at System.Lazy`1.LazyInitValue()
   at System.Lazy`1.get_Value()
   at Octopus.Client.OctopusClient.get_RootDocument()
   at OctopusTools.Commands.ApiCommand.Execute(String[] commandLineArguments)
   at OctopusTools.Program.Main(String[] args)
Exit code: -3

I see that it’s compiled under .NET 4.5, so TLS 1.2 should be available to it, but the connectivity code appears to be in Octopus.Client, which is not open source, so I can’t investigate further.

Can you please investigate? Given the recent SSLv2 vulnerability, I (like to) think that lots of people will be looking to lock down the available protocols.

Thanks,
Matt
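
A diagnostic for the situation described in the post above, as an added example that is not part of the thread and not Octopus code: it probes which TLS versions the locked-down server accepts and prints the protocols that `HttpWebRequest` (the call at the bottom of the stack trace) offers by default in the current process. The `Test-TlsProtocol` function name and the parameter defaults are assumptions; the host is the one from the post.

```powershell
# Added example (not from the thread). Host name is the one used in the post.
param(
    [string]$ServerHost = 'test-octopus.example.com',
    [int]$Port = 443
)

function Test-TlsProtocol {
    param(
        [string]$HostName,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept any certificate: only protocol negotiation is measured here
        # and no application data is sent over the stream.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
            return "accepted (negotiated $($ssl.SslProtocol))"
        }
        catch {
            # A server with this version disabled typically resets the connection,
            # which surfaces as the IOException/SocketException seen in the stack trace.
            return "rejected ($($_.Exception.GetBaseException().GetType().Name))"
        }
        finally { $ssl.Dispose() }
    }
    finally { $tcp.Close() }
}

# What HttpWebRequest-based clients in this process offer by default.
# .NET Framework 4.5 reports "Ssl3, Tls": TLS 1.2 is supported but not enabled.
"Default client protocols: $([System.Net.ServicePointManager]::SecurityProtocol)"

foreach ($name in 'Tls', 'Tls11', 'Tls12') {
    $proto = [System.Security.Authentication.SslProtocols]$name
    "{0,-6} {1}" -f $name, (Test-TlsProtocol -HostName $ServerHost -Port $Port -Protocol $proto)
}
```

On a server restricted to TLS 1.2, only the `Tls12` row should report `accepted`; a client whose default protocol list lacks `Tls12` fails the handshake even though the runtime supports it.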

Hi Matt,

Thanks for getting in touch. Sorry for taking so long to get back to you.

This is definitely a bug in Octo.exe and we’ve opened a GitHub issue for this to be resolved @ https://github.com/OctopusDeploy/Issues/issues/2414. You can track the status of the GitHub issue to know when this fix is available.

Thanks for bringing this to our attention.

Cheers
Mark

Hi Mark

Will a new version of the TeamCity plugin be released at the same time?

Also, regarding “track the status of the GitHub issue to know when this fix is available”… That issue is marked as closed, but is not released yet, so I can’t actually use that to determine if it’s available… Maybe if the Octopus Release Bot updated issues when a release is made and added a comment saying something like “this has now been released in version xyz”?

cheers,
Matt

Hi Mark

Just cloned, compiled and tested with Octopus Deploy Command Line Tool, version 3.3.8+Branch.master.Sha.f8a34fc6097785d7d382ddfaa9a7f009f29bc5fb, and looks like it works fine.

Thanks!
Matt

Hi Matt,

Sorry for the confusion. With Octo.exe, it’s a bit confusing because we link the GitHub Issue to the Milestone which represents the version of Octopus Deploy that Issue is fixed in.

Glad you found the right version and got it sorted :)

Cheers
Mark