Microsoft is looking to enable TLS 1.3 for Azure Service Bus and Azure Event Hubs. We found, however, that there is a problem with some clients that use both Java and our AMQP or JMS interfaces. Java clients that use a version of Apache Proton-J older than proton-j-0.31.0 together with Java 11+ can't support TLS 1.3. The Proton-J library is used in AMQP and JMS implementations. The problem occurs in the handshake, so it is not detectable by our application layer. This means that we can't detect and work around the issue from the service side. To avoid this problem, customers need to update any instances of Apache Proton-J that have a version older than proton-j-0.31.0. The Proton-J issue is tracked at https://issues.apache.org/jira/browse/PROTON-1972
Required action
Proton-J may also be in a dependent library and may not be directly used by your code. To determine if you have an incompatibility with TLS 1.3, we have enabled the West Central US region with TLS 1.3 support for AMQP traffic. To test if you have a compatibility issue:
- First, evaluate if you are using AMQP or JMS.
- Second, determine if you are using Java 11+ with your client code.
- Third, if you are using AMQP or JMS and also Java 11+, then create a namespace in West Central US and attempt to connect to it with your code.
If your client fails to connect, you need to find where you are using Proton-J and update it to a version that is newer than proton-j-0.30.0.
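Because Proton-J may arrive through a dependent library, one way to locate it in a Maven build is to scan the output of `mvn dependency:tree` for Proton-J nodes older than proton-j-0.31.0 and report the chain of artifacts that pulls each one in. The script below is an added example, not code from Microsoft or the Proton-J project; the sample tree is constructed, the `com.example` artifacts are hypothetical, and the function names are illustrative.

```python
import re

# The page's threshold: Proton-J older than 0.31.0 fails TLS 1.3 on Java 11+.
FIRST_FIXED = (0, 31, 0)

# One node of `mvn dependency:tree` output: three-character indent markers
# ("+- ", "|  ", "\- ", "   ") followed by the Maven coordinates.
TREE_NODE = re.compile(r"^\[INFO\] ((?:[|+\\ ][- ] )*)([\w.\-]+:[\w.\-:]+)")
# Proton-J as a Maven coordinate, e.g. org.apache.qpid:proton-j:jar:0.30.0:compile
PROTON_J = re.compile(r":proton-j:jar:(\d+(?:\.\d+)*)")


def is_affected(version_text):
    """True when the version is older than 0.31.0 (missing parts count as 0)."""
    parts = [int(p) for p in version_text.split(".")]
    return tuple(parts + [0, 0, 0])[:3] < FIRST_FIXED


def scan_dependency_tree(lines):
    """Report every Proton-J node with the chain of artifacts that pulls it in."""
    path, findings = [], []
    for line in lines:
        node = TREE_NODE.match(line)
        if not node:
            continue                       # banner, build status or blank line
        depth = len(node.group(1)) // 3    # each tree level is three characters wide
        del path[depth:]                   # drop siblings and deeper nodes
        path.append(node.group(2))
        hit = PROTON_J.search(node.group(2))
        if hit:
            findings.append({"version": hit.group(1), "via": path[:-1],
                             "affected": is_affected(hit.group(1))})
    return findings


# Constructed sample of a two-module build; com.example artifacts are hypothetical.
SAMPLE_TREE = r"""
[INFO] com.example:orders-service:jar:1.0.0
[INFO] +- com.example:amqp-helper:jar:2.1.0:compile
[INFO] |  \- org.apache.qpid:proton-j:jar:0.30.0:compile
[INFO] \- com.example:logging-shim:jar:1.2.0:compile
[INFO] com.example:billing-service:jar:1.0.0
[INFO] \- org.apache.qpid:proton-j:jar:0.31.0:compile
""".splitlines()

if __name__ == "__main__":
    for f in scan_dependency_tree(SAMPLE_TREE):
        status = "UPDATE" if f["affected"] else "ok"
        print(f"{status:6} proton-j {f['version']} via {' -> '.join(f['via'])}")
```

A flagged entry only matters for clients that run on Java 11+ and use AMQP or JMS, so combine the result with the first two checks in the list above.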
Timeline
As already noted, this only affects AMQP or JMS traffic. It does not affect web service or Kafka traffic, which already has TLS 1.3 enabled. We are going to enable TLS 1.3 for AMQP and JMS on October 31, 2024. That is the same day that TLS 1.0 and TLS 1.1 are being removed from Azure Event Hubs and Azure Service Bus. Please take action as soon as possible to guarantee no interruption to your service use when we enable TLS 1.3.