Earlier this year, we announced an upgrade to our network infrastructure and the new IP addresses you need to add to your firewall's allow list (see "Update to Azure DevOps Allowed IP addresses" on the Azure DevOps Blog).
This is our second blog post to inform you that starting from April 23rd, 2025, we will be requiring Server Name Indication (SNI) on all incoming HTTPS connections to Azure DevOps Services.
SNI is an extension to the TLS protocol that allows clients to specify the hostname they are connecting to. All modern browsers and client software support SNI and use it by default, ensuring a seamless transition for most users. In fact, more than 99.995% of the customer traffic reaching our servers is SNI-ready.
However, some client software may be incompatible with SNI due to various factors, such as outdated or misconfigured networking libraries, runtimes, or operating systems. Issues may also arise from proxies or next-generation firewalls (NGFWs). The following tools used with Azure DevOps may be impacted by SNI issues:
- Git clients
- IDE plugins and extensions (e.g., Team Explorer Everywhere)
- Software running on older Java versions which do not support SNI (Java 6 and earlier) or do not have SNI enabled by default (some versions of Java 7 and 8)
- Old browser versions (see https://caniuse.com/sni)
SNI issues usually manifest as connection errors, such as:
- ERR_SSL_PROTOCOL_ERROR, ERR_CERT_COMMON_NAME_INVALID
- javax.net.ssl.SSLHandshakeException, javax.net.ssl.SSLException
- Could not establish trust relationship for the SSL/TLS secure channel
You can validate the SNI-compatibility of your system by calling the status endpoint of Azure DevOps, which we have configured to require SNI. If this call is successful, it indicates that the host, including its operating system and networking environment, is SNI-compatible.
Windows
Invoke-WebRequest -Method GET -Uri
Linux
curl -X GET
Browser
Software
Legacy software may have its own SNI compatibility issues, independent of the hosting computer. If you have a program that connects to Azure DevOps, you can test the SNI readiness by temporarily overriding DNS settings. This will ensure the program connects to Azure DevOps through an endpoint that requires SNI.
Follow these steps:
1. Resolve an IP address of status.dev.azure.com
Windows:
(Resolve-DnsName status.dev.azure.com -Type A).IP4Address
Linux:
dig +short status.dev.azure.com
2. Open the Hosts File.
Windows: C:\Windows\System32\drivers\etc\hosts
Linux: /etc/hosts
3. Add DNS overrides. Add the following lines to the hosts file, replacing
with the IP address returned in Step 1.
.visualstudio.com
dev.azure.com
feeds.dev.azure.com
vsrm.dev.azure.com
pkgs.dev.azure.com
4. Restart the program being validated to allow it to pick up the DNS overrides. Test that it connects to Azure DevOps and works as expected.
5. After validating, remove the lines you added in Step 3 and save the hosts file.
We appreciate your cooperation in making this transition as smooth as possible. By taking the necessary actions, you can avoid experiencing connection issues.