We run into a strange error last week when we no longer could install NuGet packages from our Azure DevOps feed. Visual Studio only gave us a basic error message about SSL connections, but to get some details we needed to run dotnet restore:
error : The SSL connection could not be established, see inner exception.
error : Authentication failed because the remote party sent a TLS alert: ‘HandshakeFailure’.
In the web interface of Azure DevOps, we got another message that pointed into the same direction:
ao9vsblobprodsu6weus14.blob.core.windows.net uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
We wasted a whole day to track down the cipher mismatch, but wherever we looked, the client and the server had multiple matching pairs of ciphers and protocols.
In the end, it was not SSL that made those problems, but Microsoft Defender for Cloud. The Microsoft product blocked the Microsoft cloud servers, not only inside the company network, but in any network.
As it turns out, Azure DevOps artefacts are not stored in the same domain as your feed, but on a blob storage inside Azure and those URLs do not show up in any NuGet related output.
Should you run into a similar problem, make sure that you do not block these (sub-) domains:
|
1 2 |
https://*.blob.core.windows.net https://*.visualstudio.com |
When you unblock these domains, Defender for Cloud will replicate the rules on your company machines over the next few hours. As soon as this is done, you can install your NuGet packages without any problems.