Diagnosing Costco Business Center Connection Resets
Costco’s B2B portal is hosted on Microsoft’s Azure cloud with Azure’s standard CDN layer. The portal uses TLS 1.3 with ECH for all authenticated sessions. When business members access the portal from macOS Safari, the ECH-enabled ClientHello can be blocked by ISP gateways that perform SSL inspection, resulting in an immediate TCP RST and ERR_CONNECTION_RESET.
Azure’s TLS configuration requires ECH for all HTTPS connections, and there is no fallback mechanism for legacy ISP gateways. When the ISP gateway resets the ECH-enabled ClientHello, Safari cannot complete the TLS handshake, and the connection is terminated.
Browser Integrity Sync on Azure-Hosted Portals
Costco’s portal uses browser integrity sync to validate sessions across Azure’s load balancers. When the TLS handshake is interrupted, the integrity sync fails, and Azure’s backend interprets the failure as an unauthorized access attempt, blocking the business member’s session entirely.
Fixing Costco Business Center TLS Errors
Using Microsoft Edge Instead of Safari
Microsoft Edge uses a different TLS stack (based on Chromium’s BoringSSL) that has a different cipher suite negotiation order than Safari. Download Microsoft Edge from the official Microsoft website and attempt to access Costco Business Center in Edge. Edge’s TLS stack may successfully negotiate a handshake with Azure’s TLS configuration where Safari fails.
Disabling SSL Inspection on Network Router
If you are on a corporate or shared network, access the router’s admin panel and disable SSL inspection for Costco’s domains (costcobusiness.com, business.costco.com). Consult your router manufacturer’s documentation for the exact steps. Disabling SSL inspection allows ECH to pass through without being intercepted and reset.
Switching to a VPN with US Endpoints
Costco’s B2B portal is optimized for US-based connections. Use a VPN with US endpoints to route your traffic through American ISP infrastructure, which supports ECH for TLS 1.3 connections. This bypasses the problematic ISP gateway in your region and allows the TLS handshake to complete successfully.
Call to Action
Use the webs.ninja network lab to test connectivity to Costco Business Center’s Azure-hosted endpoints. The diagnostic identifies the specific point of failure in the TLS handshake — whether it is the ISP gateway, Azure’s TLS configuration, or a platform incident — allowing targeted remediation.