Azure Websites Port 454 and 455 - Insecure SSL

  • Question

  • We're having trouble passing TrustWave's PCI compliance tool due to ports 454 and 455 supporting weak ciphers (RC4 & MD5).  I have tried disputing this with them, but the disputes were denied.  Azure recently disabled these ciphers on 443.  Is Azure working on removing the weak ciphers from ports 454 and 455?

    Monday, August 17, 2015 11:27 PM

All replies

  • Hello,
      
     As far as I know these ports are used for Azure Internal communication and RC4 & MD5 ciphers are currently enabled on these ports. Please refer to the link below and refer to the response from Petr Podhorsky: 
     http://stackoverflow.com/questions/27807505/whats-listening-on-port-454-and-455-in-azure-warning-flagged-by-security-scan#comment44060237_27807505
      
    You can leave a comment on the feedback thread below to request disabling these ciphers on those ports: 
     http://feedback.azure.com/forums/169385-web-apps-formerly-websites/suggestions/7091994-disable-insecure-ciphers-in-azure-websites
      
    Thanks, 
    Syed Irfan Hussain
    Tuesday, August 18, 2015 3:00 PM
    Moderator
  • Just for tracking, this is related to this thread, though here the focus is on those two ports.
    Wednesday, August 19, 2015 11:31 PM
    Moderator
  • Our PCI compliance scans are failing because ports TCP 454 & 455 are still using the RC4 Ciphers. This is our last hurdle to be PCI compliant on Azure Web Apps.

    Is there any known work around - or ETA on when this can be resolved?

    Much thanks to David Ebbo for his help on this matter and this thread!


    -- chris

    Thursday, August 20, 2015 1:28 AM
  • Sorry, there are still things we need to figure out for this one, and we don't have a clear ETA yet. Note that there is no real vulnerability caused by this, though I understand that it not passing TrustWave's PCI compliance can be an issue for some.
    Friday, August 21, 2015 11:11 PM
    Moderator
  • Thanks for the update David. We too are having issues getting clearance from our PCI compliance vendor, https://www.coalfire.com/.

    Regardless of ports 454 & 455 being un-officially secure, these are still picked up by the monitors and thus, we are denied PCI clearance status because of the RC4 Ciphers.

    Being in the payments business and hosted on Azure WebApps, this is a deal breaker. Could I ask for a hint on the un-official ETA? Are we talking days, weeks, months, or quarters? 

    Appreciate any insight you can provide.


    -- chris

    Monday, August 24, 2015 10:46 PM
  • Chris, I can only give a very rough ballpark at this point, and I would say it is a matter of a few weeks.

    David

    Tuesday, August 25, 2015 12:16 AM
    Moderator
  • Thank you for the feedback David, much appreciated.

    -- chris

    Tuesday, August 25, 2015 1:00 AM
  • The current target is that this will be done by the end of September. This is just an estimate, and it could be a bit sooner or a bit later.

    David

    Thursday, September 3, 2015 4:51 PM
    Moderator
  • That is great news David; appreciate the heads up and communication! Looking forward to having this in place and I'm sure many others are as well.

    -- chris

    Tuesday, September 8, 2015 3:09 PM
  • Thank you, David.  It's great to know you guys are working on this.  Having an estimated ETA is also super helpful.  Much appreciated.
    Friday, September 11, 2015 4:45 AM
  • Hi David, I realize no promises have been made. Just wanted to check in on the overall picture... is the target still set for the end of Sept?

    Thanks for all you and the team are doing!


    -- chris

    Thursday, September 24, 2015 1:04 AM
  • Our most recent scan on Oct 1 did flag port 454 and 455 as insecure.  Thank you guys for taking care of this.
    Friday, October 2, 2015 4:15 AM
  • "Our most recent scan on Oct 1 did flag port 454 and 455 as insecure.  Thank you guys for taking care of this."

    I'm confused by your comment... did you mean to say that your recent scan did NOT flag those ports as insecure?

    Wednesday, October 7, 2015 7:26 PM
  • Our scans are now passing! Although this forum hasn't been updated, I'm thinking this has been resolved. Thank you!

    -- chris

    • Proposed as answer by mexner Thursday, December 10, 2015 7:33 PM
    Wednesday, October 14, 2015 1:27 AM
  • Hello mexner,

    Yes, the change was rolled out in the last update as confirmed by our Operations Team.

    Thanks,
    Syed Irfan Hussain

    Thursday, October 15, 2015 1:40 PM
    Moderator
  • Whoops, I meant they're not flagged.  Sorry for the confusion!
    Wednesday, October 21, 2015 12:38 AM
  • As of 1-18-2016 this is still an issue. My scan failed for "TLSv1.0 Supported".
    Monday, January 18, 2016 11:55 PM
  • I know this thread is more than a year old.  We failed our latest PCI scan due to this issue.  ssllabs shows this RC4 entry for our azure website:

    TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112

    Did Azure enable RC4 in the recent months? If so, what is Azure guidance for passing the PCI scan?

    I appreciate any help.

    Thanks

    Monday, January 23, 2017 6:36 AM
  • @sguda

    The cipher suite you shared is not RC4, but a CBC-based cipher. Can you check with the vendor who did the PCI scan to see what version of PCI scan they are doing?

    Yes, the above cipher suite is supported by the Azure App Service infrastructure.

    FYI, Azure App Service should be compliant with PCI DSS 3.0.


    If this response helps you, then please mark this as an "Answer"

    Regards,
    Kaushal
    Blog: http://blogs.msdn.com/b/kaushal/

    Monday, January 23, 2017 11:37 AM
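
The distinction drawn in the last reply, as an added example that is not part of the original thread: a small parser that splits SSL Labs style suite lines into key exchange, cipher and MAC, and flags only the two primitives this thread names as weak (RC4 and MD5). The function names and `SAMPLE_REPORT` are assumptions made for illustration; apart from the 3DES line quoted above, the sample lines are constructed.

```python
import re

# Constructed sample in the SSL Labs listing style: name (code point) bits.
# Only the 3DES line is quoted from the thread; the others are illustrative.
SAMPLE_REPORT = """
    TLS_RSA_WITH_RC4_128_MD5 (0x4) 128
    TLS_RSA_WITH_RC4_128_SHA (0x5) 128
    TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) 128
"""

LINE_RE = re.compile(r"^\s*(TLS_\w+)\s+\((0x[0-9a-fA-F]+)\)\s+(\d+)\s*$")


def parse_suite(name):
    """Split an IANA suite name into key exchange, cipher and MAC/PRF hash."""
    if not name.startswith("TLS_"):
        raise ValueError("not an IANA TLS suite name: " + name)
    body = name[len("TLS_"):]
    kx, sep, rest = body.partition("_WITH_")
    if not sep:  # TLS 1.3 names carry no key exchange part
        kx, rest = "", body
    cipher, _, mac = rest.rpartition("_")
    return {"kx": kx, "cipher": cipher, "mac": mac}


def weak_primitives(name):
    """Return which of the primitives named in this thread a suite uses."""
    parts = parse_suite(name)
    found = []
    if parts["cipher"].startswith("RC4"):
        found.append("RC4")
    if parts["mac"] == "MD5":
        found.append("MD5")
    return found


def audit(report):
    """Map each suite line in a listing to its cipher, key bits and findings."""
    result = {}
    for line in report.splitlines():
        m = LINE_RE.match(line)
        if m:
            name = m.group(1)
            result[name] = {
                "cipher": parse_suite(name)["cipher"],
                "bits": int(m.group(3)),
                "weak": weak_primitives(name),
            }
    return result
```
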