Why is TLS1.0 still seemingly supported on a "minimum TLS1.2" web app service on azure?

Question

We have an app service on Azure, and as Microsoft made available recently (april 30 2018), we now have an option to require TLS 1.1 or 1.2 :

We run hackerguardian scans for PCI compliance, yet, they still return failure on TLS support :

I also ran the ssl test from ssl labs. And result were... unclear :

There are no TLS 1.0 Cypher in the Cypher suites section, and all handshake simulation use TLS 1.2

Finally, if I try to open the app in IE with TLS 1.2 disabled, it fail :

I am unsure about what to try next. My guess is that TLS1.0 is still supported but with no cypher, so all connection attempts fail. Any other way to test TLS1.0 support, beside my IE test?

Answer 1

It's caused by a feature is done, but not done-done issue. More information is available from Microsoft. As of today (June 19th), there are still some edge cases that are not handled correctly. Full support is now delayed to the beginning of July (after the PCI Compliance date).

(May 14th)

This is actually working at the moment in blocking TLS 1.0, but the reports are catching an unsupported edge case which are deploying a fix for most likely by the end of the week. Reports like SSL Labs are marking TLS 1.0 in orange as is blocked, but not complete.

This issue is documented here:

https://blogs.msdn.microsoft.com/appserviceteam/2018/05/02/breaking-change-for-sni-ssl-hostnames-on-azure-app-service/

(May 21th)

This was delayed a bit, deploying right now and will be live in full during the first week of June, though some may see this update sooner.

(June 14th - someone asked)

TLS 1.0 is showing as being removed from port 443. Thank you.

However, an nmap scan still shows that port 455 has TLS 1.0 and TLS 1.1 enabled.

Could you please confirm that you're aware of this and are working on removing TLS 1.0 from port 455 as well?

(June 14th - the answer)

@anotherazureuser - the solution for that specific port will be deployed in 2-3 weeks. Stay tuned.