We are updating our TLS/SSL cipher suites to improve security
  • Customers should have received an email on 1/5/2017 about Azure App Service Web Apps upgrading TLS/SSL cryptography, like the one below.

    So what is this about?

    Currently, Azure Web Apps supports the 3DES cipher for TLS/SSL, although it is prioritized at the bottom of the list. The new cipher suite order removes the 3DES cipher and will look like the following:

    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P256
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
    TLS_RSA_WITH_AES_256_GCM_SHA384
    TLS_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA256
    TLS_RSA_WITH_AES_128_CBC_SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA

    Note that this change has not been made live yet; it will be rolled out over four weeks starting April 3, 2017.

    Thursday, January 5, 2017 10:40 PM

All replies

  • So, what action do we need to do with our sites?
    Thursday, January 5, 2017 10:53 PM
  • Just test that all the clients you use to access your site still work with this cipher order by trying it against our test site https://appsvcssl.trafficmanager.net
    Friday, January 6, 2017 10:44 PM
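    Neither the announced list nor the advice to test clients says what a scanner such as SSL Labs or a PCI scan will object to, or how to check an endpoint yourself. The following is an added example (mine, not Microsoft's code and not part of the original post): it grades each suite in the announced order on the properties scanners flag (3DES/Sweet32, static RSA key exchange with no forward secrecy, CBC mode, SHA-1 MAC), checks it against the HSTS-preload style rule of ECDHE plus an AEAD cipher, and, when given a host, probes which protocol versions and suites the endpoint accepts. Assumptions: the IANA-to-OpenSSL name conversion only covers the AES and 3DES suites on this page; the probe needs network access and a local OpenSSL that can still offer the legacy options; the host name and ports mentioned (appsvcssl.trafficmanager.net, 454/455) are taken from the thread.

```python
"""Added example, not Microsoft's code: grade a TLS cipher-suite list the way SSL Labs
and PCI scanners do, then (online only) probe an endpoint for what it still accepts."""
import re
import socket
import ssl

# Order announced in the original post, in Schannel notation: the trailing _P256/_P384
# names the ECDHE curve and is not part of the IANA suite name.
ANNOUNCED_ORDER = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
SWEET32_SUITE = "TLS_RSA_WITH_3DES_EDE_CBC_SHA"  # suite 0x000A that the scanners flag


def iana_name(suite):
    """Strip the Schannel curve suffix: ..._SHA384_P256 -> ..._SHA384."""
    return re.sub(r"_P(256|384|521)$", "", suite)


def openssl_name(suite):
    """IANA -> OpenSSL naming, which ssl.SSLContext.set_ciphers() requires. Covers only
    the AES and 3DES suites on this page (RSA, ECDHE_RSA, ECDHE_ECDSA key exchange)."""
    kx, _, bulk = iana_name(suite)[4:].partition("_WITH_")  # "ECDHE_RSA", "AES_128_CBC_SHA"
    prefix = "" if kx == "RSA" else kx.replace("_", "-") + "-"
    if bulk.startswith("3DES"):
        return prefix + "DES-CBC3-SHA"
    bulk = re.sub(r"AES_(\d+)_GCM_", r"AES\1-GCM-", bulk)  # AES_128_GCM_SHA256 -> AES128-GCM-SHA256
    return prefix + re.sub(r"AES_(\d+)_CBC_", r"AES\1-", bulk)  # AES_128_CBC_SHA -> AES128-SHA


def classify(suite):
    """Findings a scanner raises for one suite; an empty list means nothing to flag."""
    name = iana_name(suite)
    findings = []
    if any(m in name for m in ("3DES", "_DES_", "RC4", "_NULL_", "EXPORT")):
        findings.append("weak cipher")         # 3DES: 112-bit key, 64-bit block (Sweet32)
    if not name.startswith(("TLS_ECDHE_", "TLS_DHE_")):
        findings.append("no forward secrecy")  # static RSA key exchange
    if "_CBC_" in name:
        findings.append("CBC mode")            # MAC-then-encrypt, padding-oracle class bugs
    if name.endswith("_SHA"):
        findings.append("SHA-1 MAC")
    return findings


def is_modern(suite):
    """Meets the HSTS-preload list quoted later in the thread: ECDHE plus an AEAD cipher."""
    name = iana_name(suite)
    return name.startswith("TLS_ECDHE_") and ("_GCM_" in name or "CHACHA20" in name)


def accepts(host, port=443, version=None, cipher=None):
    """True if the endpoint completes a handshake restricted to one protocol version and/or
    one OpenSSL cipher name. Verification is off on purpose: the question is what the server
    accepts, not whether its certificate is valid. Also False when the local OpenSSL refuses
    the version or cipher, so confirm a negative with a second tool before acting on it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    try:
        if version is not None:
            ctx.minimum_version = version
            ctx.maximum_version = version
        else:
            ctx.maximum_version = ssl.TLSVersion.TLSv1_2     # set_ciphers() covers TLS <= 1.2 only
        ctx.set_ciphers((cipher or "ALL") + ":@SECLEVEL=0")  # let OpenSSL 3 offer legacy suites
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, ValueError, OSError):
        return False


def probe(host, port=443):
    """Network probe: e.g. probe("appsvcssl.trafficmanager.net") or an ASE VIP on 454/455."""
    versions = {"TLSv1.0": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
                "TLSv1.2": ssl.TLSVersion.TLSv1_2}
    return {
        "protocols": {k: accepts(host, port, version=v) for k, v in versions.items()},
        "suites": {s: accepts(host, port, cipher=openssl_name(s))
                   for s in ANNOUNCED_ORDER + [SWEET32_SUITE]},
    }


if __name__ == "__main__":
    import sys
    for s in ANNOUNCED_ORDER + [SWEET32_SUITE]:
        print(f"{iana_name(s):45} {openssl_name(s):30} {', '.join(classify(s)) or 'ok'}")
    if len(sys.argv) > 1:  # python tls_check.py host [port]
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

    Two things the grading shows that the thread later runs into. In the announced order every ECDHE_RSA suite is CBC; the only ECDHE-plus-AEAD suites are the ECDHE_ECDSA ones, which a server presenting an RSA certificate can never negotiate, so a client that insists on ECDHE with GCM will find nothing it likes. And TLS_RSA_WITH_3DES_EDE_CBC_SHA is the only suite here that trips the "weak cipher" rule, so a scanner still reporting it on a port other than 443 means that listener has not received the new order; `probe(host, 454)` checks such a port on its own.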
  • I am assuming that the change will require a reboot of the App Service. How will this be coordinated so that we can make the change outside our business hours and thereby not impact customers?
    Monday, January 9, 2017 4:28 PM
  • This will be handled by our regular service updates; you should not see more than a cold start for your App Service web app.
    Monday, January 9, 2017 7:59 PM
  • Does it somehow affect the SSL certificates that are used by Web Apps or Cloud Services?
    Tuesday, January 10, 2017 10:05 AM
  • Not really. Your SSL certs should still work as is.
    Tuesday, January 10, 2017 5:40 PM
  • Our website is accessed by enterprise users still using Windows XP and IE 8/7, and even though we don't support this, we do need to show an error page from our Azure Web App to these users (over HTTPS).

    According to https://github.com/client9/sslassert/wiki/IE-Supported-Cipher-Suites IE 8 on Windows XP does not support any AES cipher suites.

    So my question is whether this change will make serving simple web pages over HTTPS to IE 8 clients on XP fail?


    Wednesday, January 11, 2017 1:05 PM
  • Will this new update have a fix for the weak key issue below?

    TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK                                        112 11

    Qualys SSL Labs says our Azure portal has an "A" grade scan rating, but it shows the key above as weak. The same issue is now not allowing us to validate the PCI scan. Moreover, the PCI compliance scan shows TLS 1.0 is also vulnerable and has to be disabled.

    Can we expect any update or workaround from Azure?

    Regards,

    Vinay Kumar.


    Thursday, April 27, 2017 7:03 AM
  • Nice information. Where can I find the original article on Azure updates?
    Tuesday, May 2, 2017 1:11 PM
  • We are running an App Service with an App Service Plan on Azure. We have clients using Compact Framework .NET 3.5 (CE6) over HTTPS which do not get any response anymore, probably due to this change (since April 29th, 2017). It seems as if we need support for SSL2 to be able to get our CE6 clients to work, and this has been removed recently.

    The Compact Framework clients are out on customer sites, and updating them is the last option. What can we do? Is it possible to get the old TLS versions back? Can we migrate the App Service and put it in an App Service Environment instead of the service plan to get it to work?

    Wednesday, May 3, 2017 3:13 PM
  • I really appreciate Azure taking this issue as a customer priority and resolving it.

    Now I can see the weak 3DES key below has been removed from Azure App Service.

    TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK                                        112

    Now, moving forward, how can we disable the TLS 1.0 protocol for App Services instead of waiting for the Azure updates?

    Monday, May 8, 2017 5:40 AM
  • What are ports 454 and 455 on Azure App Service servers?

    3DES is still enabled on both ports, and this is not allowing us to pass the PCI scan.

    Can someone tell me how we can block ports 454 and 455 on Azure App Service servers and what connections would be lost? If it's not necessary, can I switch it off?

    Regards,

    Vinay Kumar. 



    Monday, May 8, 2017 11:50 AM
  • 454: Required port used by Azure infrastructure for managing and maintaining App Service Environments via SSL. Do not block traffic to this port. This port is always bound to the public VIP of an ASE.

    455: Required port used by Azure infrastructure for managing and maintaining App Service Environments via SSL. Do not block traffic to this port. This port is always bound to the public VIP of an ASE.

    This can't be blocked; if it is, it will break the internal communication. It seems we need to wait for the update to fix the issues on ports 454 and 455, the same fix as they did on port 443 (May 2017).

    Monday, May 8, 2017 12:09 PM
  • When can we expect a solution from Azure on security updates for disabling TLS 1.0 and fixing the weak network ports 454 and 455 allowed over the internet?

    Friday, May 12, 2017 12:54 PM
  • I'm experiencing the same issue as Vinay: TLS_RSA_WITH_3DES_EDE_CBC_SHA is weak and still enabled. Therefore we are failing our PCI scan.

    This Stack Overflow article suggested March, but it's now June. https://stackoverflow.com/questions/44392988/azure-app-service-web-app-pci-compliance

    Any ideas on when TLS_RSA_WITH_3DES_EDE_CBC_SHA will be deprecated? 

    Tuesday, June 13, 2017 4:22 AM
  • I never received such an e-mail, and testing a web app created 5 minutes ago does not show these ciphers:

    https://www.ssllabs.com/ssltest/analyze.html?d=testcipher.azurewebsites.net

    Actually not even the test site uses these ciphers (appsvcssl.trafficmanager.net). I noticed this because HSTS preload was warning me about it.

    At the time of writing, here is the list of ciphers HSTS Preload considers secure (none of which seem to be used by Azure Web Apps): 

    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305


    Sunday, November 5, 2017 10:00 PM
  • What about these weak cipher suites? How can we remove them for an App Service?

    TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   WEAK 256

    TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   WEAK  128

    TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK 256

    TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK 128

    TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK  256 

    TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK 128



    Thursday, January 3, 2019 12:56 PM
  • What about these weak cipher suites? How can we remove them for an App Service?
    Same issue here. Any help?

    Friday, March 15, 2019 2:45 PM
  • What about these weak cipher suites? How can we remove them for an App Service?
    Same issue here. Any help?

    Any updates on this issue?
    Tuesday, May 14, 2019 6:27 AM