WebApp Website failing PCI scan (TLS 1.0) RRS feed

  • Question

  • I am failing a PCI scan performed by Trustwave because the website supports TLS 1.0.

    Here is the failure notice:
    TLSv1.0 Supported
    Note to scan customer:
    This vulnerability is not recognized in the National Vulnerability
    Database. TLS v1.0 violates PCI DSS and is considered an automatic
    failing condition.

    Will Azure WebApps turn of TLS v1.0 support?  Can I do it through .net code (in the Global.asax?)?  The site is a .Net Forms Website.



    Tuesday, October 6, 2015 6:45 PM


All replies

  • Hello woodrowX,

    We are still planning on giving our customers the ability to disable TLS 1.0, but it will be restricted to App Service Environments only because of compatibility impact.
    Once we have an update on this, it will be updated, please keep track of this thread for an update from Nazim lala:


    Syed Irfan Hussain

    • Proposed as answer by Syed Irfan Hussain Wednesday, October 7, 2015 9:23 AM
    • Unproposed as answer by woodrowX Tuesday, October 13, 2015 9:59 PM
    Wednesday, October 7, 2015 9:16 AM
  • Hi Syed,

    Thanks for your response.  If I understand correctly then, my website running under Web Apps will be fine?  I am not clear if WebApps is the same as the App Service Environment.

    If not, is there a way to disable TLS 1.0 using code that you are aware?


    Wednesday, October 7, 2015 8:48 PM
  • Hi Syed,

    The link you posted to only talks about disabling the weak cipher, not TLS 1.0 completely.  Can you verify that Web App websites will eventually allow the disabling of TLS 1.0?  If so, is there an ETA?  The disabling of TLS 1.0 appears to be required to pass the newer PCI scans. 



    Tuesday, October 13, 2015 10:02 PM
  • Here is the thread that discusses TLS 1.0. Feel free to add to it as needed. Short answer is that it's only supported today on App Service Environments.


    • Proposed as answer by David Ebbo Tuesday, October 13, 2015 10:09 PM
    Tuesday, October 13, 2015 10:09 PM
  • Hi David,

    I am sorry I am confused.  For clarification, App Service environment does NOT include the Web App portion of Azure?  Correct?



    Tuesday, October 13, 2015 11:35 PM
  • App Service Environments is a different way to host Azure Web Apps.
    • Marked as answer by woodrowX Wednesday, October 14, 2015 9:26 PM
    Wednesday, October 14, 2015 12:08 AM
  • Hello woodrowX,

    To add to Davids response, you can refer to the links below that will give you more information on Hosing Webapps in App Service Environment:

    Introducing App Service Environment

    How to Create a Web App in an App Service Environment

    Syed Irfan Hussain

    • Marked as answer by woodrowX Wednesday, October 14, 2015 9:26 PM
    Wednesday, October 14, 2015 2:16 PM
  • David-

    you mention disabling TLS 1.0 is supported by App Service Environments, but I can find no documentation on how to disable TLS 1.0 specifically.  I also created an ASE and do not see an option for this.  Can you please tell me how this is supported. 

    If I should open a new thread on this, let me know.  This thread is all over the place.


    Monday, January 4, 2016 5:57 PM
  • Hi Ryan

    We are in the process of releasing the public API to disable TLS 1.0 in ASE yourself shortly. In the meantime, can you open a support ticket using the portal (instructions here) and product support will make the change for you on your ASE. Again, this is just temporary till we release our API publicly and will publish documentation on that when we do so. Hope this works for you.

    Wednesday, January 6, 2016 8:20 PM