使用 TLS 1.2 从 HttpClient 连接到 Azure FrontDoor 后面的 API

Question

Azure Front Door is configured with minimum TLS 1.2. The backend Azure App Service is also configured to use minimum TLS 1.2.

When running the .Net Framework 4.7.1 console app with the following code on Windows Server 2012 R2:

class Program
    {
        static async Task Main(string[] args)
        {
             ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
             var client = new HttpClient();

            try
            {

                var OK = await client.GetAsync("https://foo-appservice.azurewebsites.net/"); // App service.
                var NotOK = await client.GetAsync("https://foo.myfoo.io/"); // Front door.

            }
            catch (Exception e)
            {
               Console.WriteLine(e);
            }

            Console.ReadKey();
        }
    }

I get the following exception on the second call.

An error occurred while sending the request.
The underlying connection was closed: An unexpected error occurred on a send.
Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.

Running this with curl from the same server works, however:

curl https://foo.myfoo.io/ -i --tlsv1.2 --tls-max 1.2

The same .net code runs fine from my other windows 10 laptop.

What can be the reason why the call fails on the windows server box?

Edit:

I think this has to do with custom domains, since performing a simple GET to the front door assigned domain works.

Answer 1

Turns out "someone" had disabled a lot of cipher suites on the Windows Server.

I used wireshark to look at the TLS handshake and noticed that the cipher suites listed at the Client Hello didn't match the servers.

So for anyone struggling with TLS errors, it can be worthwile to look at the TLS handshake in Wireshark!