question

1 Vote
mindmischief-2019 asked mindmischief-2019 commented

Visual Studio 2022 won't connect to NuGet



Visual Studio 2022 gives an error when trying to browse NuGet.

I get these errors on 2 different Windows Servers (2016) I’ve tried. One running Visual Studio 2017, the other running Visual Studio 2019 and 2022.

Visual Studio 2017:

“[nuget.org] Unable to load the service index for source https://api.nuget.org/v3/index.json.
An error occurred while sending the request.
The underlying connection was closed: An unexpected error occurred on a send.
Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
An existing connection was forcibly closed by the remote host.”

Visual Studio 2022:

[nuget.org] Unable to load the service index for source https://api.nuget.org/v3/index.json. An error occurred while sending the request. The underlying connection was closed: An unexpected error occurred on a send. Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. An existing connection was forcibly closed by the remote host


Note that we do not use a proxy.

Loading https://api.nuget.org/v3/index.json with both Chrome and Edge works.
Loading https://api.nuget.org/v3/index.json with Internet Explorer returns:

“This page can’t be displayed
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://api.nuget.org again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.”


Things I’ve tried that have failed to resolve it

Updated Visual Studio

Clearing nuget cache from within Visual Studio

Deleted NuGet.Config from C:\Users\<user>\AppData\Roaming\NuGet

Modified C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\Common7\IDE\devenv.com based on tips I found. I know it’s possible that what I changed was not correct. Reverted back.

Registry changes:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client

 DisabledByDefault = 1
 Enabled = 0

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client

 DisabledByDefault = 0
 Enabled = 1

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319

 SchUseStrongCrypto = 1
 SystemDefaultTlsVersions = 1


Tried moving the server's Active Directory object out of the current AD OU which has a Group Policy configured with specific ciphers enabled, and the order of preference, into a new OU with this NOT configured.

Tried disabling anti-virus software



Reference links, things I've tried or looked into:
https://docs.microsoft.com/en-us/security/engineering/solving-tls1-problem
https://docs.microsoft.com/en-us/troubleshoot/azure/active-directory/enable-support-tls-environment?tabs=azure-monitor%22%20%5Cl%20%22registry-strings
https://stackoverflow.com/questions/41185443/nuget-connection-attempt-failed-unable-to-load-the-service-index-for-source


At this point, I've run out of ideas. It seems like Visual Studio is not adhering to the system's default TLS settings (1.2), but it could possibly be something else.





0 Votes
SlyJack-0448 answered VincentCastagna-3050 commented

Hi,
We had this issue today; this was resolved on our end by adding TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 into HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002

Also ensured only 'Use TLS 1.2' was enabled in IE Options, and no proxy settings were set up.

Hope this helps.


Did you add a new key, a new string value, or modify an existing one? Please provide a bit more info, thank you!

0 Votes 0 ·
0 Votes
mindmischief-2019 answered VincentCastagna-3050 published

I posted this question on an internal Slack channel and someone responded there with a similar reply.

I added these two to our GPO and it fixed it.

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Thanks for your help!


Can you elaborate? What's GPO? Did you add a new key, or a new string/value new binary value?

0 Votes 0 ·
0 Votes
PaulWalton-3681 answered mindmischief-2019 commented

@VincentCastagna-3050 I have the same question. The frequent use of initialisms is annoying. I think GPO is referring to Group Policy Objects but I'm not sure.

Like you also asked, it would be helpful if they explained how they added these keys to the registry.


Yeah, GPO is Group Policy Object. I added the two mentioned lines to it using Group Policy Management Console but we do it for a policy that applies to multiple servers.

https://learn.microsoft.com/en-us/windows-server/security/tls/manage-tls

For a single server, you can do it using regedit, like how SlyJack suggested.

More info here:

https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs

1 Vote 1 ·
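
A read-only check for the fix described in the answers above, as an added example that is not part of the thread: it reads the cipher-suite order policy under the key SlyJack names and reports which of the two suites from the accepted fix are absent. The value name `Functions`, the helper `Get-MissingCipherSuite`, and the sample policy string are not from the page; the sample is constructed and is only used when no policy is set on the machine.

```powershell
# Added example, not from the thread. Read-only: nothing is written to the registry.
# The two suites the answers report adding to the policy.
$Required = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
)

# Hypothetical helper: returns the required suites that the policy data lacks.
function Get-MissingCipherSuite {
    param(
        [AllowNull()][AllowEmptyCollection()][string[]]$PolicyValue,  # raw policy data
        [string[]]$Required
    )
    # The policy is normally one comma-separated string; a multi-string is accepted too.
    $configured = @($PolicyValue | Where-Object { $_ } |
        ForEach-Object { $_ -split ',' } |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ })
    @($Required | Where-Object { $configured -notcontains $_ })
}

# Key quoted in SlyJack's answer; "Functions" is the value holding the suite order
# (assumption: the value name is not given on the page).
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$policy = (Get-ItemProperty -Path $key -Name Functions -ErrorAction SilentlyContinue).Functions

if ($null -eq $policy) {
    Write-Output "No cipher-suite order policy found at $key; the OS default list applies."
    # Constructed sample of a restrictive policy, used only to demonstrate the check.
    $policy = 'TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256'
    Write-Output "Evaluating constructed sample instead: $policy"
}

$missing = @(Get-MissingCipherSuite -PolicyValue $policy -Required $Required)
if ($missing.Count -eq 0) {
    Write-Output 'Both suites are present in the policy.'
} else {
    Write-Output 'Missing from the policy:'
    $missing | ForEach-Object { Write-Output "  $_" }
}
```

When the policy comes from a GPO, as in mindmischief-2019's case, a local registry edit is overwritten at the next policy refresh, so the missing suites have to be added in the GPO itself.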