Matthew van Boheemen

Reputation: 1335

Azure app service - how to disable weak ciphers?

I have a web application running as an Azure App Service. We've had a recent security review and it highlighted that weak ciphers are available and these should be disabled. The ciphers were:

I've seen that it's possible to disable these by creating an isolated app service (https://learn.microsoft.com/en-us/azure/app-service/environment/app-service-app-service-environment-custom-settings#change-tls-cipher-suite-order). But this adds significant expense and complexity. Is it possible to disable these without requiring an isolated app service?

Upvotes: 17

Views: 23921

Answers (3)

Alexander

Reputation: 51

Microsoft recently added a [Minimum TLS Cipher Suite (Preview)] option to the Azure Web App configuration settings - note that it's still in preview, so there are some bugs to iron out, and not all clients support such a secure cipher.

Configuration > General Settings > Platform settings

Minimum TLS Cipher Suite (Preview)

Change minimum TLS Cipher Suite (preview)

Upvotes: 5

Paul Franke

Reputation: 649

Recently, another option has been added to Disabling Weaker TLS Cipher Suites for Web Apps on Multi-tenant Premium App Service Plans via API Calls.

PATCH https://management.azure.com/subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>/providers/Microsoft.Web/sites/<siteName>/config/web?api-version=2022-03-01

{
  "properties": {
    "minTlsCipherSuite": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
  }
}

Details can be found here: Public Preview: Disabling Weaker TLS Cipher Suites

Upvotes: 3

cobethur

Reputation: 360

For now, there are 3 possible ways to remove weak ciphers:

App Service Environment - This gives you access to set your own ciphers though Azure Resource Manager - Change TLS Cipher Suite Order. I reproduced this and found out that it is possible to set your own ciphers or change the cipher suite order by modifying the clusterSettings as shown below:

[Image: clusterSettings configuration]

Using Azure FrontDoor – You can configure a minimum TLS version in Azure Front Door in the custom domain HTTPS settings via Azure portal. Once you configure TLS1.2, only the following strong cipher suites are supported:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

You can find more information on this here - Front Door TLS Configuration.

Using Application Gateway – This lets you specify a central TLS policy that's suited to organizational security requirements and helps to meet compliance requirements. The TLS policy includes control of the TLS protocol version as well as the cipher suites and the order in which ciphers are used during a TLS handshake, as seen here - Application Gateway SSL Policy Overview.

Upvotes: 13
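Whichever of the options above is used, the change should be verified from the outside rather than trusted from the portal. The following is an added example (not code from any of the answers or from Microsoft) that offers a single TLS 1.2 cipher suite to a host and reports whether the server still accepts it; the IANA-to-OpenSSL name conversion is scoped to the AES suites named on this page, and `is_weak_suite` is an assumed classification (CBC, legacy ciphers, or no forward secrecy), not Azure's definition.

```python
"""Check whether a host still accepts a given TLS 1.2 cipher suite (added example)."""
import socket
import ssl
import sys

# Assumed markers of suites a security review typically rejects.
WEAK_MARKERS = ("_CBC_", "_RC4_", "_3DES_", "_NULL_", "_EXPORT", "_MD5")


def is_weak_suite(iana_name: str) -> bool:
    """True for CBC/legacy suites or suites without (EC)DHE forward secrecy."""
    if any(marker in iana_name for marker in WEAK_MARKERS):
        return True
    # TLS 1.3 names carry no "_WITH_" and always use an ephemeral key exchange.
    return "_WITH_" in iana_name and not iana_name.startswith(("TLS_ECDHE_", "TLS_DHE_"))


def iana_to_openssl(iana_name: str) -> str:
    """Convert an IANA AES suite name (the minTlsCipherSuite spelling) to OpenSSL's."""
    name = iana_name.removeprefix("TLS_")
    if "_WITH_" not in name:
        return iana_name  # TLS 1.3 suite names are identical in OpenSSL
    kx, _, cipher = name.partition("_WITH_")
    parts = cipher.split("_")
    if parts[0] != "AES":
        raise ValueError(f"only AES suites are handled here: {iana_name}")
    # AES_128_CBC_SHA -> AES128-SHA ; AES_256_GCM_SHA384 -> AES256-GCM-SHA384
    parts = [parts[0] + parts[1]] + [p for p in parts[2:] if p != "CBC"]
    prefix = "" if kx == "RSA" else kx.replace("_", "-") + "-"
    return prefix + "-".join(parts)


def probe_suite(host: str, iana_name: str, port: int = 443, timeout: float = 5.0):
    """Offer only this suite over TLS 1.2; return the negotiated name or None if refused."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(iana_to_openssl(iana_name))
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except ssl.SSLError:
        return None  # handshake failed: the server does not accept this suite


if __name__ == "__main__":
    target = sys.argv[1]  # e.g. myapp.azurewebsites.net
    for suite in sys.argv[2:] or ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"]:
        verdict = "ACCEPTED" if probe_suite(target, suite) else "rejected"
        print(f"{suite}{' (weak)' if is_weak_suite(suite) else ''}: {verdict}")
```

Run it against the app's hostname after applying the setting; a suite the review flagged should report "rejected".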
