App Service- TLS question

Question
-
We got an email today saying TLS 1.0 and 1.1 are going away. Which is fine with me. My question is, how can I preemptively get rid of TLS 1.0 and 1.1? I had a ticket open with M$ and they pretty much said it's impossible to do without hosting the web app on your own private server in the cloud. Did that change? The email suggests it's configurable at the "template" level. This is the email I just got:
Azure App Service to maintain compliance with TLS requirements
Dear Azure customer,
You’re receiving this email because you have an App Service app and we want to let you know about upcoming security improvements we’re making for PCI compliance. The PCI Security Standards Council announced that PCI-compliant websites must transition from TLS version 1.0 to TLS 1.1 or higher by June 30, 2018.
What is App Service?
App Service is a service to rapidly build, deploy, and scale enterprise-grade web, mobile, and API apps running on any platform. Meet rigorous performance, scalability, security and compliance requirements while using a fully-managed platform.
What this means for you:
- By April 30, 2018:
  - Through the Azure portal and Azure Resource Manager templates, you’ll be able to select the minimum-required TLS version (1.1 or 1.2) for your app.
  - We’ll configure App Service apps to require only newer TLS versions (1.1 and 1.2)—two months before the required date.
- After June 30, 2018, all newly created App Service apps will be automatically configured to require TLS 1.2. You’ll still retain the option to configure earlier TLS versions for your apps, if necessary, for compatibility with older browser clients.
Monday, January 8, 2018 8:39 PM
Answers
-
@Alan_Coras - Yes, this will include Azure App Service Government as well.
- Marked as answer by Oded Dvoskin Tuesday, January 9, 2018 4:45 PM
Monday, January 8, 2018 11:19 PM -
@Erick iGrafx - Currently, the only ways to disable TLS 1.0 are the ways you mentioned. When we introduce the solution in a few months, you will be able to do this for the "shared" multi-tenant hosting model as well.
- Proposed as answer by Sheethal J S Tuesday, January 9, 2018 7:44 AM
- Marked as answer by Oded Dvoskin Tuesday, January 9, 2018 4:45 PM
Monday, January 8, 2018 11:21 PM
All replies
-
I had the same question, desire. After scouring all the settings available under my App Service, I think that it isn't there yet, it just will be "by April 30, 2018"
Monday, January 8, 2018 9:04 PM
-
> Through the Azure portal and Azure Resource Manager templates, you’ll be able to select the minimum-required TLS version (1.1 or 1.2) for your app.
How to configure that?
Monday, January 8, 2018 9:18 PM -
The option to select the TLS level is not available yet. It will be introduced in the next few months.
Monday, January 8, 2018 9:43 PM
-
Does this include Azure Government app services as well?
Monday, January 8, 2018 9:46 PM
-
Since I have an open support ticket I sent the same question to the rep working on it. Previously in Chrome when looking at the security info, I would see something to the effect of "Obsolete connection settings". That was resolved by M$ this week without any notice. The question came up if I could disable TLS 1.0 and 1.1, ultimately he said no because I'm in a "shared" environment. And the only way to fix this is to put up an "Application Gateway" (which costs money) or host it on a private Web App server in Azure (which also costs more money). I'll update this thread if and when they respond back. Otherwise I'm assuming this feature will be available in April some time.
Monday, January 8, 2018 10:41 PM
-
Thank you
Tuesday, January 9, 2018 7:14 PM
-
Wednesday, March 14, 2018 1:02 AM
-
@eransha - This is not available in production yet. We plan on having the option ready by 4/30. This will apply for all multi-tenant hosted applications on App Service. You're correct that until now the only option to disable TLS 1.0 was through the App Service Environment, but with this coming change, all customers will be able to apply these changes at the site level to each site they own.
Oded Dvoskin
Wednesday, March 14, 2018 5:17 AM -
The option to update is now available:
https://blogs.msdn.microsoft.com/appserviceteam/2018/04/17/app-service-and-functions-hosted-apps-can-now-update-tls-versions/
Oded Dvoskin
Tuesday, April 17, 2018 6:41 PM -
Any date or timeframe on CLI or Powershell configuration? Can we configure via ARM templates?
- Edited by dajsile Tuesday, April 17, 2018 7:14 PM
Tuesday, April 17, 2018 7:14 PM -
CLI will be coming in a week or so. PowerShell in a number of weeks. Yes, ARM templates can definitely be configured.
Oded Dvoskin
Tuesday, April 17, 2018 7:24 PM -
We manually made the change and exported the ARM template and don't see the settings. Is there a specific version we need or can you specify the setting in the template.
Tuesday, April 17, 2018 7:30 PM -
-
"type": "Microsoft.Web/sites/config"
minTlsVersion
Tuesday, April 17, 2018 7:51 PM -
Very cool, thanks!
Oded Dvoskin
Tuesday, April 17, 2018 9:31 PM -
As of 5/13/2018, ILB-based ASEs in Gov don't have TLS options for App Services deployed to the ASE. The PaaS App Services in Gov do, though. I haven't checked if there's some way to manipulate this via az cli or Powershell, yet.
Monday, May 14, 2018 1:24 AM
-
Correct, this hasn't deployed for these use cases yet, within the Gov clouds. We expect this to happen sometime next week. There will be a backend way to update through resource explorer but that will also only be at the end of this week or so. I would vote to wait for the UI for a better experience.
Oded Dvoskin
Monday, May 14, 2018 7:02 PM
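
Added example (not part of the thread and not Microsoft's code): a check for the situation raised above, where an exported ARM template may not show the `minTlsVersion` setting on `Microsoft.Web/sites/config`. The sample template and its resource names are constructed; reading `siteConfig` on a `Microsoft.Web/sites` resource is an assumption based on the ARM schema, not something stated in the thread.

```python
import json

# Constructed sample ARM template; resource names are hypothetical.
SAMPLE_TEMPLATE = json.loads("""
{"resources": [
  {"type": "Microsoft.Web/sites/config", "name": "app-a/web",
   "properties": {"minTlsVersion": "1.2"}},
  {"type": "Microsoft.Web/sites/config", "name": "app-b/web",
   "properties": {"minTlsVersion": "1.0"}},
  {"type": "Microsoft.Web/sites", "name": "app-c",
   "properties": {"siteConfig": {"alwaysOn": true}}}
]}
""")

def _version(text):
    # "1.2" -> (1, 2); unparseable values (e.g. a template expression)
    # sort below every real version so they are reported for review.
    try:
        return tuple(int(p) for p in str(text).split("."))
    except ValueError:
        return (0,)

def _is_web_config(res):
    # Only the "web" config carries minTlsVersion; skip appsettings etc.
    rtype = res.get("type", "").lower()
    last = str(res.get("name", "")).rstrip("]) '\"").split("/")[-1]
    return rtype in ("microsoft.web/sites/config", "config") and last == "web"

def audit_min_tls(template, required="1.2"):
    """Return (name, finding) for each resource whose minTlsVersion is
    missing or lower than `required`."""
    findings, stack = [], list(template.get("resources", []))
    while stack:
        res = stack.pop(0)
        stack.extend(res.get("resources", []))  # nested child resources
        props = res.get("properties") or {}
        if _is_web_config(res):
            cfg = props
        elif (res.get("type", "").lower() == "microsoft.web/sites"
              and isinstance(props.get("siteConfig"), dict)):
            cfg = props["siteConfig"]
        else:
            continue
        value = cfg.get("minTlsVersion")
        if value is None:
            findings.append((res.get("name"), "minTlsVersion not set"))
        elif _version(value) < _version(required):
            findings.append((res.get("name"), f"minTlsVersion is {value}"))
    return findings

if __name__ == "__main__":
    print(audit_min_tls(SAMPLE_TEMPLATE))
```

A site resource with no `siteConfig` block at all is skipped, on the assumption that its setting lives in a separate `config` resource named `web`.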