1
votes

We have a site that retrieves products from Azure Cognitive Search. On Wednesday, February 26, 2020 at around 2pm EST we suddenly started seeing the following errors:

[SocketException (0x2746): An existing connection was forcibly closed by the remote host]
   System.Net.Sockets.Socket.EndReceive(IAsyncResult asyncResult) +8156963
   System.Net.Sockets.NetworkStream.EndRead(IAsyncResult asyncResult) +48

[IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.]
   System.Net.TlsStream.EndWrite(IAsyncResult asyncResult) +298
   System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar) +150

[WebException: The underlying connection was closed: An unexpected error occurred on a send.]
   System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context) +334
   System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar) +138

The site is running on Windows Server 2008 SP2. After the issue was first reported, I checked our staging environment and the same issue was happening there, too. An initial test on my development VM showed the issue as well. I have seen issues like this pop up in the past, so I added the following to the Application_Start method in the projects' Global.asax.cs file:

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

That fixed the issue on my development VM (Windows Server 2008 R2), but when I deployed the fix to staging and production, the error still persisted. Based on many different searches I have done the following to try to fix the issue:

  • Upgrade the framework from 4.5.1 to 4.6.1
  • Upgrade the Microsoft.Azure.Search NuGet package from 3.0.4 to 10.1.0
  • Update the registry keys on the server using IIS Crypto
  • Deployed all of the latest security patches (made sure KB4019276 had been applied since that came up in many articles)

None of this has worked. I used Wireshark on the server and found that when it is calling Azure it is using the SSL protocol rather than TLS 1.2. I also tried using HttpClient to call Azure Search directly, but that resulted in the same error. Interestingly, there is another server on the network that is also Windows Server 2008 SP2 that has no issue calling Azure Search to load the products into the search index via the HttpClient.

Any ideas how we can get the call to use TLS 1.2 instead of SSL? The following are some articles I've looked at to try to fix the issue:

1
Hey Derek, the response from Liam at stackoverflow.com/questions/60416533/… may be helpful. - Jennifer Marsman - MSFT

1 Answer

0
votes

Most of these registry keys in SChannel require a full OS reboot, not just an IIS restart. You didn't mention if you already tried that in Production, but it's something to check especially if you have a working 2K8 SP2 box as a reference.
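
One way to carry out the comparison this answer suggests, as an added example that is not part of the original answer: a PowerShell script (written to run on PowerShell 2.0) that prints the SChannel protocol values, whether KB4019276 is listed, and the last boot time, so the output from the failing server can be compared with the working Windows Server 2008 SP2 box. The registry paths are the standard SChannel and .NET Framework locations; the helper name `Get-RegValue` is illustrative.

```powershell
# Added example: run on the failing server and on the working reference server,
# then compare the two outputs line by line.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$netfx = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

# Hypothetical helper: returns the value, or a marker when the key/value is absent.
function Get-RegValue($Path, $Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return '(not set)' }
    return $item.$Name
}

# SChannel protocol switches. An absent value means the OS default applies.
$rows = @()
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Client', 'Server') {
        $key = Join-Path (Join-Path $schannel $proto) $role
        $rows += New-Object PSObject -Property @{
            Key               = "$proto\$role"
            Enabled           = Get-RegValue $key 'Enabled'
            DisabledByDefault = Get-RegValue $key 'DisabledByDefault'
        }
    }
}
$rows | Select-Object Key, Enabled, DisabledByDefault | Format-Table -AutoSize

# .NET Framework 4.x strong-crypto switch (64-bit and 32-bit views).
foreach ($path in $netfx) {
    "{0}  SchUseStrongCrypto = {1}" -f $path, (Get-RegValue $path 'SchUseStrongCrypto')
}

# Is the update named in the question listed on this machine?
$kb = Get-HotFix -Id 'KB4019276' -ErrorAction SilentlyContinue
if ($kb) { 'KB4019276: installed' } else { 'KB4019276: not listed by Get-HotFix' }

# SChannel reads its protocol settings at boot, so record when that last happened.
$os = Get-WmiObject Win32_OperatingSystem
'Last boot: {0}' -f $os.ConvertToDateTime($os.LastBootUpTime)
```

If the values match the working server but the last boot predates the IIS Crypto change, the reboot described in this answer is still pending.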