4

We have a web app hosted in an Azure Server (using an API in an Azure Server). For security purposes we'd like to know if the server is under TLS 1.2 (I suppose for a non-cloud server we'd just have to look in regedit to know it).

I've seen topics on how to disable SSL 3 on an Azure server, see:

https://azure.microsoft.com/fr-fr/blog/how-to-disable-ssl-3-0-in-azure-websites-roles-and-virtual-machines/

I suppose to enable TLS 1.2 we'll have to do this kind of thing ...

So my questions are:

  • How to know if the Azure server is under TLS 1.2
  • If not, how to set the Azure server to TLS 1.2

Thanks for your help.

fguigui
  • 1
    Did you check the `(updated)` heading? `Azure Websites has disabled SSL 3.0 for all sites by default to protect our customers from the vulnerability mentioned before. Customers no longer need to take any action to disable SSL 3.0 in Azure Websites. ` – Panagiotis Kanavos Feb 16 '17 at 16:40
  • yes I think I've seen this, this isn't the question ... – fguigui Feb 16 '17 at 16:41
  • 3
    That means that there is no SSL anymore, everything is TLS already. You can check whether it's TLS 1.1 or 1.2 from your browser. In Chrome, go to F12 (Developer Tools) > Security – Panagiotis Kanavos Feb 16 '17 at 16:41
  • it seems you're right Panagiotis ! – fguigui Feb 16 '17 at 17:30

4 Answers

8

As of today 2018-04-30, you can modify your site to only serve TLS 1.2 and up by going to your app service, then TLS/SSL settings, then setting your minimum TLS Version.

azure portal ssl settings

Erik Oppedijk
viggity
3


So after the good advice of Panagiotis, we can see this in Chrome/F12 Security: it says that we're under TLS 1.2, but the cipher is obsolete. The question now would be how to put an up-to-date cipher in place, any idea?

fguigui
2

As Panagiotis Kanavos correctly points out:

Azure Websites has disabled SSL 3.0 for all sites by default to protect our customers from the vulnerability mentioned before. Customers no longer need to take any action to disable SSL 3.0 in Azure Websites.

But here are some specific answers to your questions:

How to know if the azure server is under TLS 1.2?

Check your site with: https://www.ssllabs.com/ssltest/index.html (search for "protocol" and you'll find a list of SSL/TLS versions allowed/disallowed).

If not, how to set the azure server to TLS 1.2?

Start here: How do I disable SSL fallback and use only TLS for outbound connections in .NET? (Poodle mitigation) (requires .NET 4.6).

Then combine with this: https://www.leowkahman.com/2017/07/04/how-to-disable-tls-1-0-on-an-azure-app-service/ (not supported).

Or this: https://learn.microsoft.com/en-au/azure/app-service-web/app-service-app-service-environment-custom-settings (supported).

Tod Thomson
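A local counterpart to the SSL Labs check in the answer above, as an added example that is not part of the original answers: it attempts one handshake per TLS version and lists every accepted version below the required minimum. The host name is a placeholder and the helper names (`pinned_context`, `probe`, `violations`) are hypothetical.

```python
import socket
import ssl
import warnings

VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]


def pinned_context(version):
    """Client context that can negotiate exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only the protocol version is measured, so certificate checks are off.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Recent OpenSSL builds refuse TLS 1.0/1.1 at their default security level,
    # which would make every server look compliant; lower it for the probe only.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    with warnings.catch_warnings():  # TLS 1.0/1.1 constants are deprecated
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version
        ctx.maximum_version = version
    return ctx


def probe(host, version, port=443, timeout=5.0):
    """True = handshake completed, False = refused, None = could not test."""
    try:
        ctx = pinned_context(version)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, ConnectionResetError):
        return False  # handshake alert or reset: version not accepted
    except (OSError, ValueError):
        return None   # host unreachable, or version missing from local OpenSSL


def violations(results, minimum=ssl.TLSVersion.TLSv1_2):
    """Names of accepted versions older than the required minimum."""
    return [v.name for v, ok in results.items() if ok and v < minimum]


if __name__ == "__main__":
    host = "example.azurewebsites.net"  # placeholder host (assumption)
    results = {v: probe(host, v) for v in VERSIONS}
    for v, ok in results.items():
        print(v.name, {True: "accepted", False: "refused", None: "untested"}[ok])
    print("below minimum:", violations(results) or "none")
```

A result of "untested" means the probe could not reach a verdict for that version, so it should not be read as the server refusing it.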
1

There are caveats to this setting. Apparently, it's not just this setting that controls the transport-level outbound communication. We have a situation where we are communicating with a third-party API which only supports TLS 1.2, and communication fails with any of the Minimum TLS version settings 1.0, 1.1 and 1.2 on Azure App Service. The hosted app is a .NET Web API on Framework 4.7. So, we had to make this change in Global.asax --> Application_Start so the code tries to communicate with 1.2 and if it fails it tries with 1.1 and then system default.

```csharp
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls | SecurityProtocolType.SystemDefault;
```

rohit
  • 1
    The Azure Web Apps minimum TLS setting specifies the 'Server' TLS protocol (e.g. a user's browser connecting to your site), but not the 'Client' TLS protocol (e.g. your code makes an outbound HttpClient request). The reason you were seeing the issue w/ the 3rd party API is due to the .NET Framework handling of TLS negotiation, which you can read more about in detail here: https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls#configuring-security-via-appcontext-switches-for-net-framework-46-or-later-versions – avid Oct 08 '19 at 20:57