TLS plans for Azure App Service

    General discussion

  • The PCI Security Standards Council announced that PCI-compliant websites must transition from TLS version 1.0 to TLS 1.1 or higher by June 30, 2018.

    What this means for you and how App Service will adapt.

      • By April 30th, through the Azure portal and Azure Resource Manager templates, we will introduce an ability to select the minimum-required TLS version (1.1 or 1.2) for your app. This option is not available yet; we will announce when it is.
      • App Service apps created after June 30th will be automatically configured with TLS 1.2, though through the new setting you will still retain the option to configure earlier TLS versions for your apps, if necessary, for compatibility with older browser clients.

    The recommended testing scenario is running compatibility checks using this 3rd party service as an example: https://www.ssllabs.com/ssltest/viewMyClient.html.

    The general guidance is that users using the latest versions of common browsers will not encounter any problems. However, users using 'N-1' versions of browsers *may* encounter problems requiring explicit configuration changes to address. Running anything older than 'N-1' browser versions increases the risk that the browser can't support TLS 1.2.


    Oded Dvoskin

    Wednesday, January 10, 2018 8:15 PM
    Moderator

All replies

  • What about existing services? Will those include the change? Or will it have to be redeployed once the change is made?


    Friday, January 12, 2018 12:03 AM
  • No redeployment is needed for the apps running on App Service. However, you may still benefit from checking the incoming traffic to your app as described in the post, before changing the TLS configuration, if you will do so.

    Oded Dvoskin

    Friday, January 12, 2018 12:48 AM
    Moderator
  • Is there a date set for TLS 1.0 deprecation?

    I've re-read your post a couple of times and it's not clear to me. There's mention of selecting between 1.1 and 1.2, but 1.0 won't be an option at that point?

    I'm hoping there'll be a time when I can test applications currently using TLS 1.0 to make sure the negotiation process is working when TLS 1.0 is deactivated.

    Friday, January 12, 2018 7:09 PM
  • The PCI compliance date market-wide (not only Microsoft) is June 30th, 2018.

    If you have an existing Web App, 1.0 will continue to be available for you. Even after June 30th, when new apps are created with 1.2 as a default, app owners will still be able to change the TLS version to 1.1 or 1.0, though that is not recommended. 

    We will announce when the configuration option is available. 


    Oded Dvoskin

    Friday, January 12, 2018 9:19 PM
    Moderator
  • One of our clients based in Australia was affected by this change last weekend; we spent hours troubleshooting this.

    Is there any schedule as to when this upgrade is going to take place, is it rolled out 'per region' or globally? 


    Henryk

    Monday, January 29, 2018 4:38 PM
  • With the functionality MSFT is releasing, will it allow us to disable specific ciphers, or will MSFT disable those automatically? I am specifically referencing the current TLS_RSA ciphers. More info on these can be found here:

    https://robotattack.org/

    https://www.us-cert.gov/ncas/current-activity/2017/12/13/Transport-Layer-Security-TLS-Vulnerability

    Monday, January 29, 2018 4:56 PM
  • @HenryK - We are still about a couple months out from deploying the TLS changes. We will announce here when it's available, in addition to other communication channels - blogs, twitter etc.

    The only option right now to change the TLS level is using App Service Environment.


    Oded Dvoskin

    Monday, January 29, 2018 6:38 PM
    Moderator
  • @dajsile - We are releasing the TLS options without changing anything in cipher suites. Microsoft updates the ciphers from time to time and we adhere to that. When there are security changes impacting Azure App Service, we will announce those.


    Oded Dvoskin

    Monday, January 29, 2018 6:40 PM
    Moderator
  • Was there any change affecting Blob Storage then, specifically around TLS?

    Henryk

    Monday, January 29, 2018 8:12 PM
  • @HenrykA - I'm not sure. You could ask the Storage team on their forum: https://social.msdn.microsoft.com/forums/azure/en-US/home?forum=windowsazuredata


    Oded Dvoskin

    Monday, January 29, 2018 8:25 PM
    Moderator
  • In the information above you stated "By April 30th, through the Azure portal and Azure Resource Manager templates we will introduce an ability to select the minimum-required TLS version (1.1 or 1.2) for your app. This option is not available yet, we will announce when it is." There is no information on disabling TLS 1.0 and/or TLS 1.1.

    Can you provide some insight on this?

    Will Microsoft disable early TLS, or will we (users) have the ability to do it through the Azure Portal? Any announcements on this?

    Appreciate your response.

    Thanks

    Thursday, February 15, 2018 7:37 PM
  • @kcor1504 - As stated, we are currently working on this option and will have it ready by April 30th. There is no information out there on this since it is not yet supported.

    For the specific implementation of deprecation of older TLS versions in App Service, customers will need to take action in order to select the minimum level on an app by app basis.

    Oded


    Oded Dvoskin

    Thursday, February 15, 2018 7:43 PM
    Moderator
  • Guys, I need to enable TLS 1.1 or higher for my app service. How do I proceed?

    Curiously, it's nowhere to be found :(


    tha black chief with a bizzarre voice

    Tuesday, March 13, 2018 12:47 AM
  • @Marcelluswalace - The capability to do so is not available yet. This discussion is about the work the App Service platform is releasing soon to allow all customers to be able to select their TLS level. As mentioned, we will be releasing this capability by April 30th. Was there additional clarification?

    Oded Dvoskin

    Tuesday, March 13, 2018 3:48 AM
    Moderator
  • Are we still on track to have the option to disable TLS 1.0 in Azure Web Apps by April 30th? There is a bunch of discussion of having to use dedicated VMs or ASE to control PCI compliance, but those come with hefty costs, whether it be monetary or human resources.
    • Edited by scott3344 Monday, April 9, 2018 5:19 PM
    Monday, April 9, 2018 5:13 PM
  • @scott3344 - yes, we are. I will be publishing a blog on our team site when it's available very soon. 

    aka.ms/AppServiceBlog

    I will also update the thread here.


    Oded Dvoskin

    Monday, April 9, 2018 5:18 PM
    Moderator
  • Thank you. It took me a couple hours to find this info. Everything else was related to ASE (https://support.microsoft.com/en-us/help/3124528/microsoft-web-app-azure-app-service-compliance-with-pci-standards-3-0), migrating to a dedicated VM, or Application Gateway (https://t.co/ZeG1hmDrkn). This solution is very buried even though it is the most seamless as a customer.
    Monday, April 9, 2018 5:23 PM
  • @scott3344  - I'm sorry about the time spent. This will definitely be easier for all users in multi-tenant hosting once we launch the new feature.

    Oded Dvoskin

    Monday, April 9, 2018 5:25 PM
    Moderator
  • Not trying to complain, just want this info to get out there, as I am sure it is a difficult process in the background to give us a simple solution on the front end. I appreciate your work and response.
    Monday, April 9, 2018 5:27 PM
  • I totally agree. Until now an ASE was the only way to do this. Due to PCI compliance we will allow for all customers to configure this, and after the feature is out it will make its way to our documentation as well for easier discovery.


    Oded Dvoskin

    Monday, April 9, 2018 6:13 PM
    Moderator
  • We have just released the settings to apply required TLS versions to each app. See the blog for additional details:

    https://blogs.msdn.microsoft.com/appserviceteam/2018/04/17/app-service-and-functions-hosted-apps-can-now-update-tls-versions/

    Thanks,

    Oded


    Oded Dvoskin

    Tuesday, April 17, 2018 6:40 PM
    Moderator
  • Hi Oded. I just tried the new "TLS >1.2" from the SSL Settings. First, very minor, since TLS 1.2 is included, it should be >= 1.2, no?

    I switched my app to >1.2 and ran https://www.ssllabs.com/ssltest and "Control Scan Vulnerability Scan". Both still failed for TLS 1.0, but TLS 1.1 was showing disabled and TLS 1.2 was good.

    The SSL Labs results had this caveat for the TLS 1.0 failure: "TLS Support only observed with Client that Does Not Support Server Name Indication".

    "Control Scan" (https://smartscan.controlscan.com/security/index/0/overview) simply fails on TLS 1.0. I'm required to use Control Scan, so I am still not PCI compliant.

    Please advise.

    Thanks,

    Terry




    • Edited by seascan1 Tuesday, April 17, 2018 10:59 PM
    Tuesday, April 17, 2018 10:45 PM
  • Hi @seascan1,

    You're correct. We're correcting that specific default configuration in our next release, in about 2 weeks. If this is needed for compliance, please reach out to me directly so I can update when this happens. odvoskin(at)microsoft(dot)com

    Regarding the icon in the portal, we've gotten additional feedback on that and will be changing that soon. Thanks for flagging it. The selected config means that is the minimum TLS version accepted, but since 1.3 isn't there, it makes sense changing that.

    Thanks!


    Oded Dvoskin

    Wednesday, April 18, 2018 12:56 AM
    Moderator
  • Hi, is there any update on this issue? Scans still showing TLS 1.0 enabled after we have set it to > 1.2
    Tuesday, May 1, 2018 9:17 PM
  • Unfortunately, we discovered a breaking change in the update we were going to launch for showing 1.0 as not accepted, so this is delayed an additional 2 weeks. We expect this out around mid-May.


    Oded Dvoskin

    Tuesday, May 1, 2018 9:20 PM
    Moderator
  • One update we can share now: the TLS update for apps hosted in National Clouds is now available in the Azure Portal UI menu for App Service.


    Oded Dvoskin

    Tuesday, May 1, 2018 9:20 PM
    Moderator
  • TLS selection is now available for all App Service Environments (ASE) as well!

    Oded Dvoskin

    Sunday, May 6, 2018 10:46 PM
    Moderator
  • Hi! Any idea when this is going to be working on App Service? I've just configured the app to require "minimum TLS version" = 1.1 but on https://www.ssllabs.com/ssltes I still get v1.0 as valid.  Thanks!

    Monday, May 14, 2018 7:39 PM
  • Enabled minimum TLS version =1.2 on the AppService SSL settings. Still SSL labs test shows

    TLS 1.3 No
    TLS 1.2 Yes
    TLS 1.1 No
    TLS 1.0 Yes
    SSL 3 No
    SSL 2 No

    Any idea on when TLS 1.0 will be completely disabled per the SSL setting?

    Monday, May 14, 2018 8:49 PM
  • Hi @Formstack Developers and @MahaWonders. 

    This is actually working at the moment in blocking TLS 1.0, but the reports are catching an unsupported edge case, which we are deploying a fix for, most likely by the end of the week. Reports like SSL Labs are marking TLS 1.0 in orange, as blocked but not completely.

    This issue is documented here: 

    https://blogs.msdn.microsoft.com/appserviceteam/2018/05/02/breaking-change-for-sni-ssl-hostnames-on-azure-app-service/



    Oded Dvoskin

    Monday, May 14, 2018 8:53 PM
    Moderator
  • Any Update on this?

    Thanks

    Monday, May 21, 2018 5:13 PM
  • @kcor1504

    This was delayed a bit, deploying right now and will be live in full during the first week of June, though some may see this update sooner.


    Oded Dvoskin

    Monday, May 21, 2018 5:30 PM
    Moderator
  • I can confirm that this is now rolling out. We have multiple Azure sites reporting back TLS 1.2 only.
    Monday, June 4, 2018 5:00 PM
  • @RobPageSC - that's great news! We typically don't call deployments complete until they are available in all regions, but it's good to see the results live already! 

    Oded Dvoskin

    Monday, June 4, 2018 5:07 PM
    Moderator
  • Hi,

    There is now the possibility in the SSL settings to specify the desired Minimum TLS version. However this option has an issue when the App Service is behind an Azure Traffic Manager. When TLS 1.0 is disabled via this option, the traffic manager reports the App Service as stopped! Please look into this and fix it.

    Thank you,

    Stefan

    Tuesday, June 5, 2018 1:00 PM
  • Hi Stefan C. Iancu,

    We were unable to reproduce this scenario with TLS and Traffic Manager. If this issue is still happening, do you mind opening a new MSDN post and providing repro steps? The best case would be to open a support ticket so we can investigate internally if this is still happening.

    Thanks,

    Oded


    Oded Dvoskin

    Friday, June 8, 2018 4:53 PM
    Moderator
  • Thanks & Good Job, Oded!  It's working for me.  TLS 1.0 is now completely passing the test with no caveats on SSLLabs.com.

    Saturday, June 9, 2018 1:39 PM
  • We have just completed the deployment for the TLS bug involving SNI-SSL.

    See details here: https://blogs.msdn.microsoft.com/appserviceteam/2018/06/13/tls-configuration-now-fixed-to-block-1-0/


    Oded Dvoskin

    Wednesday, June 13, 2018 4:00 PM
    Moderator
  • TLS 1.0 is showing as being removed from port 443. Thank you.

    However, an nmap scan still shows that port 455 has TLS 1.0 and TLS 1.1 enabled.

    Could you please confirm that you're aware of this and are working on removing TLS 1.0 from port 455 as well?

    Pedantic PCI compliance scans from companies such as SecurityMetrics and Trustwave are likely going to flag this as a problem. Cheers.

    Thursday, June 14, 2018 2:15 PM
  • @anotherazureuser - the solution for that specific port will be deployed in 2-3 weeks. Stay tuned.


    Oded Dvoskin

    Thursday, June 14, 2018 7:58 PM
    Moderator
  • That is fabulous, thank you Oded.

    We have received further feedback that nmap is reporting inconsistent results when probing App Service for TLS information on port 443 (sometimes returns only TLS 1.2, sometimes TLS 1.0, 1.1, 1.2).

    Is this an expected situation? Should we upgrade to a different plan or something?

    Friday, June 15, 2018 2:15 PM
  • @anotherazureuser Thanks for reporting this. We understand the cause of this, and will include the fix in the next deployment (2-3 weeks ETA). Thanks, Jenny
    Saturday, June 16, 2018 12:03 AM
  • This will extend beyond the PCI Security Standards deadline?


    Tuesday, June 19, 2018 1:45 PM
  • @robdavey555. Hopefully not. If you can send me your site name required for PCI compliance at (jennylaw(at)Microsoft.com), we can prioritize the upgrades accordingly.
    Tuesday, June 19, 2018 7:51 PM
  • We were assured that by June 29, 2018 the fix for this issue would be completely rolled out. Today is June 30th, and our PCI Vulnerability Scans are failing due to ports 443, 454 and 455 having TLS v1.0 still enabled. Using nmap with the ssl-enum-ciphers script bears this out.

    I've had 4 support tickets opened with Microsoft Azure Support telling me this issue has been resolved since early May, and all but the most recent have been subsequently closed.

    This issue is NOT resolved, our vulnerability scans continue to fail because of this issue, and Microsoft Support so far has refused to give me a remediation plan for this PCI requirement.

    Saturday, June 30, 2018 10:32 PM
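A way to verify a minimum-TLS setting yourself, covering both the SNI caveat that SSL Labs reported earlier in the thread (TLS 1.0 accepted only by clients that do not send Server Name Indication) and the extra ports (454, 455) that the nmap-based reports above mention. This is an added example, not code from the thread or from Microsoft; it uses only the Python standard library, assumes a hostname you are entitled to test (your own app), and the port list and the "untestable" classification are my own choices. It reports a combination as "untestable" when the local OpenSSL build refuses to offer an old version, since that tells you nothing about the server.

```python
"""Probe which TLS versions an endpoint negotiates, with and without SNI,
on each port a PCI scan is likely to check. Added example, not part of the
original thread. Assumes a host you are authorised to test."""
import socket
import ssl
import sys

# Ports named in the thread's scan reports. Constructed default; adjust to
# what your own scanner probes.
PORTS = (443, 454, 455)

# Ordered oldest to newest; the order is used to decide what is "below" a floor.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}


def probe(host, port, version, use_sni=True, timeout=5.0):
    """Attempt one handshake pinned to exactly `version`.

    Returns "accepted", "rejected" or "untestable". Certificate validation is
    disabled on purpose: the only question is whether the server negotiates
    the version, and without SNI a multi-tenant host may present a default
    certificate for some other name anyway.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return "untestable"  # this OpenSSL build cannot speak that version
    # OpenSSL 3 security level 1 refuses TLS < 1.2 on the client side; lower it
    # so a client-side refusal is not mistaken for the server blocking it.
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    server_hostname = host if use_sni else None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
                return "accepted" if tls.version() else "rejected"
    except ssl.SSLError as exc:
        if "NO_PROTOCOLS_AVAILABLE" in str(exc).upper():
            return "untestable"  # client never offered it; server not consulted
        return "rejected"  # handshake failed: server declined the version
    except OSError:
        return "untestable"  # connection refused, timed out, or unreachable


def scan(host, ports=PORTS, sni_modes=(True, False)):
    """Every (port, version, sni) combination, keyed by that tuple."""
    return {
        (port, name, sni): probe(host, port, ver, use_sni=sni)
        for port in ports
        for name, ver in VERSIONS.items()
        for sni in sni_modes
    }


def findings(results, minimum="TLS 1.2"):
    """Combinations that accepted a version below `minimum`: what a PCI scan
    would flag. Sorted so output is stable between runs."""
    order = list(VERSIONS)
    floor = order.index(minimum)
    return sorted(
        key for key, outcome in results.items()
        if outcome == "accepted" and order.index(key[1]) < floor
    )


def untestable(results):
    """Combinations the local client could not attempt at all; the server's
    behaviour for these is unknown, not confirmed either way."""
    return sorted(key for key, outcome in results.items() if outcome == "untestable")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: tls_probe.py <hostname-you-are-authorised-to-test>")
    res = scan(sys.argv[1])
    for (port, name, sni), outcome in sorted(res.items()):
        print(f"port {port:<4} {name:<8} sni={str(sni):<5} {outcome}")
    print("would be flagged below TLS 1.2:", findings(res) or "nothing")
    print("not testable from this client:", untestable(res) or "nothing")
```

The no-SNI probe is the one that exposes the edge case quoted earlier in the thread: a server can apply the minimum version to the SNI-selected binding while a default binding on the same IP still negotiates TLS 1.0. Run the scan with the same ports your assessor uses, and treat "untestable" rows as gaps to re-check from a client that can still offer the old version, not as passes.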
  • Hi @Scott D Lance - please see the 2 comments above from Jenny Lawrence and follow up with her directly if needed.



    Oded Dvoskin

    Sunday, July 1, 2018 10:53 AM
    Moderator
  • Hi Jenny, any update on this? We are failing our scans as of this morning, July 5th, 2018.
    Thursday, July 5, 2018 4:19 PM
  • The fix for the issue of TLS 1.2 failing on the specific ports is currently being deployed and we expect this to be available in all regions in about a week, given there are no major delays in the deployment process.

    Oded Dvoskin

    Thursday, July 5, 2018 7:08 PM
    Moderator
  • The port issue affecting TLS 1.2 should now be resolved. The fix has been deployed to all regions. Please re-run your scans and let us know if you experience anything different. Thanks!

    Oded Dvoskin

    Monday, July 16, 2018 4:34 PM
    Moderator