WebApp Website failing PCI scan (TLS 1.0)

  • Question

  • I am failing a PCI scan performed by Trustwave because the website supports TLS 1.0.

    Here is the failure notice:
    TLSv1.0 Supported
    Note to scan customer:
    This vulnerability is not recognized in the National Vulnerability
    Database. TLS v1.0 violates PCI DSS and is considered an automatic
    failing condition.

    Will Azure WebApps turn off TLS v1.0 support?  Can I do it through .NET code (in the Global.asax?)?  The site is a .NET Forms Website.

    Thanks!

    Robert

    Tuesday, October 6, 2015 6:45 PM

All replies

  • Hello woodrowX,

    We are still planning on giving our customers the ability to disable TLS 1.0, but it will be restricted to App Service Environments only because of compatibility impact.
    Once we have an update on this, it will be updated; please keep track of this thread for an update from Nazim Lala:

    https://social.msdn.microsoft.com/Forums/azure/en-US/89fa31a0-1832-4de2-b6ff-bf1980efbd62/failing-trustwave-vulnerability-scan-for-pci-dss-compliance?forum=windowsazurewebsitespreview

    Thanks,
    Syed Irfan Hussain

    • Proposed as answer by Syed Irfan Hussain Wednesday, October 7, 2015 9:23 AM
    • Unproposed as answer by woodrowX Tuesday, October 13, 2015 9:59 PM
    Wednesday, October 7, 2015 9:16 AM
  • Hi Syed,

    Thanks for your response.  If I understand correctly then, my website running under Web Apps will be fine?  I am not clear if WebApps is the same as the App Service Environment.

    If not, is there a way to disable TLS 1.0 using code that you are aware of?

    Thanks!

    Wednesday, October 7, 2015 8:48 PM
  • Hi Syed,

    The link you posted to only talks about disabling the weak cipher, not TLS 1.0 completely.  Can you verify that Web App websites will eventually allow the disabling of TLS 1.0?  If so, is there an ETA?  The disabling of TLS 1.0 appears to be required to pass the newer PCI scans. 

    Thanks!

    Rob

    Tuesday, October 13, 2015 10:02 PM
  • Here is the thread that discusses TLS 1.0. Feel free to add to it as needed. Short answer is that it's only supported today on App Service Environments.

    David

    • Proposed as answer by David Ebbo Tuesday, October 13, 2015 10:09 PM
    Tuesday, October 13, 2015 10:09 PM
  • Hi David,

    I am sorry I am confused.  For clarification, App Service environment does NOT include the Web App portion of Azure?  Correct?

    Thanks,

    Rob

    Tuesday, October 13, 2015 11:35 PM
  • App Service Environments is a different way to host Azure Web Apps.
    • Marked as answer by woodrowX Wednesday, October 14, 2015 9:26 PM
    Wednesday, October 14, 2015 12:08 AM
  • Hello woodrowX,

    To add to David's response, you can refer to the links below that will give you more information on hosting Web Apps in App Service Environment:

    Introducing App Service Environment

    How to Create a Web App in an App Service Environment

    Thanks,
    Syed Irfan Hussain

    • Marked as answer by woodrowX Wednesday, October 14, 2015 9:26 PM
    Wednesday, October 14, 2015 2:16 PM
  • David-

    You mention disabling TLS 1.0 is supported by App Service Environments, but I can find no documentation on how to disable TLS 1.0 specifically.  I also created an ASE and do not see an option for this.  Can you please tell me how this is supported?

    If I should open a new thread on this, let me know.  This thread is all over the place.

    Ryan

    Monday, January 4, 2016 5:57 PM
  • Hi Ryan

    We are in the process of releasing the public API to disable TLS 1.0 in ASE yourself shortly. In the meantime, can you open a support ticket using the portal (instructions here) and product support will make the change for you on your ASE. Again, this is just temporary till we release our API publicly and will publish documentation on that when we do so. Hope this works for you.


    Wednesday, January 6, 2016 8:20 PM
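
Added example, not part of the original thread and not Microsoft or Trustwave code: a way to check from your own machine whether a site you operate still answers a TLS 1.0 handshake, for instance before a rescan or after the setting has been changed on an ASE. It sends a ClientHello whose highest offered version is TLS 1.0 and classifies the first reply; the function names and the result strings `accepted`, `rejected` and `inconclusive` are this example's own.

```python
import os
import socket
import struct

TLS10 = b"\x03\x01"  # wire encoding of TLS 1.0 (SSL 3.0 is 03 00)

def client_hello(host: str) -> bytes:
    """Build a ClientHello whose highest offered version is TLS 1.0."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = (struct.pack("!HH", 0x0000, len(sni)) + sni      # server_name
            + struct.pack("!HHHHH", 0x000A, 6, 4, 23, 24)   # supported_groups: P-256, P-384
            + struct.pack("!HHBB", 0x000B, 2, 1, 0))        # ec_point_formats: uncompressed
    suites = struct.pack("!4H", 0xC014, 0xC013, 0x0035, 0x002F)  # AES-CBC suites usable in TLS 1.0
    body = (TLS10 + os.urandom(32) + b"\x00"                # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                   # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 1 = ClientHello
    return b"\x16" + TLS10 + struct.pack("!H", len(hs)) + hs  # record type 22 = handshake

def classify(reply: bytes) -> str:
    """Interpret the first bytes the server sent back."""
    if not reply or reply[0] == 0x15:
        # Closed without answering (assumed to be a refusal) or a TLS alert. An alert can
        # also mean no shared cipher suite, so confirm a "rejected" with a second tool.
        return "rejected"
    if len(reply) >= 11 and reply[0] == 0x16 and reply[5] == 0x02:
        # ServerHello: bytes 9-10 carry the version the server selected.
        return "accepted" if reply[9:11] <= TLS10 else "inconclusive"
    return "inconclusive"

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the TLS 1.0 ClientHello to host:port and classify the reply."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(client_hello(host))
            while len(data) < 11 and data[:1] != b"\x15":
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except ConnectionResetError:
        pass  # reset during the handshake: classified like a closed connection
    return classify(data)

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))  # pass the host name of a site you operate
```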