I have a web application running as an Azure App Service. We've had a recent security review and it highlighted that weak ciphers are available and these should be disabled. The ciphers were:

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA

I've seen that it's possible to disable these by creating an isolated app service (https://learn.microsoft.com/en-us/azure/app-service/environment/app-service-app-service-environment-custom-settings#change-tls-cipher-suite-order). But this adds significant expense and complexity. Is it possible to disable these without requiring an isolated app service?

Matthew van Boheemen
  • Did you find an answer to this question? I've had a similar experience with a security review. From my understanding, although the ciphers are weak, they are not broken or fundamentally unsafe. – Brett G Oct 28 '20 at 05:55
  • We didn't find a solution. We ended up just accepting the risk which seemed low overall. – Matthew van Boheemen Oct 28 '20 at 21:29
  • I am facing the same security risk, and I am not able to find a simple solution to disable weak ciphers and also disable TLS 1.0. – Saad Awan Nov 04 '20 at 14:36

3 Answers

For now, there are 3 possible ways to remove weak ciphers:

App Service Environment - This gives you access to set your own ciphers through Azure Resource Manager - Change TLS Cipher Suite Order. I reproduced this and found out that it is possible to set your own ciphers or change the cipher suite order by modifying the clusterSettings as shown below:

(screenshot: clusterSettings)

Using Azure FrontDoor – You can configure a minimum TLS version in Azure Front Door in the custom domain HTTPS settings via Azure portal. Once you configure TLS1.2, only the following strong cipher suites are supported:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

You can find more information on this here - Front Door TLS Configuration.

Using Application Gateway – This lets you specify a central TLS policy that's suited to organizational security requirements and helps to meet compliance requirements. The TLS policy includes control of the TLS protocol version as well as the cipher suites and the order in which ciphers are used during a TLS handshake as seen here - Application Gateway SSL Policy Overview

cobethur
  • Is there a downside in removing these weak cipher suites? I mean, why haven't Azure removed them by default, to secure their customers? – Vbakke Aug 26 '21 at 09:36
  • @Vbakke users with an old system using an old cipher will not be able to connect. Refer - Mozilla SSL Configuration Generator & Qualys SSL LAB Test – z2z Oct 16 '21 at 14:59
  • @z2z, I know. Which makes me wonder why Azure has these ancient ciphers on as default. – Vbakke Oct 18 '21 at 12:53
  • @Vbakke I think they don't want to be enforcing... Anyways, a secure client will choose the best cipher. – z2z Nov 08 '21 at 13:51
  • True, @z2z. But attacks happen by manipulating the handshake to use the less secure ones. – Vbakke Nov 10 '21 at 11:04

Recently, another option has been added: Disabling Weaker TLS Cipher Suites for Web Apps on Multi-tenant Premium App Service Plans via API Calls.

PATCH https://management.azure.com/subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>/providers/Microsoft.Web/sites/<siteName>/config/web?api-version=2022-03-01

{
  "properties": {
    "minTlsCipherSuite": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
  }
}

Details can be found here: Public Preview: Disabling Weaker TLS Cipher Suites

Paul Franke
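A way to check the result after applying the PATCH above (or the Front Door / Application Gateway options in the other answer), as an added example that is not part of the question or of any answer: it offers each suite the review flagged to the endpoint one at a time, pinned to TLS 1.2, and reports which ones the server still completes a handshake with. It assumes only the Python standard library and a local OpenSSL build that can still offer these legacy suites; the host name in the usage line is hypothetical.

```python
"""Check which of the review-flagged cipher suites a TLS endpoint still accepts.

Added example, not code from the question or any answer. Uses only the Python
standard library; the local OpenSSL must still be able to offer the legacy
suites so that the client can propose them one at a time.
"""
from __future__ import annotations

import socket
import ssl
import sys

# The suites the security review flagged in the question (IANA names, as
# scanners report them).
FLAGGED_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]


def _split(name: str) -> tuple[str, list[str]]:
    """Split an IANA name into its key-exchange part and bulk-cipher/MAC parts."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not a TLS 1.2-style suite name: {name}")
    kx, enc = name[len("TLS_"):].split("_WITH_", 1)
    return kx, enc.split("_")


def iana_to_openssl(name: str) -> str:
    """Translate an IANA suite name into the OpenSSL name ssl.set_ciphers() expects.

    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA -> ECDHE-RSA-AES128-SHA
    TLS_RSA_WITH_AES_256_GCM_SHA384    -> AES256-GCM-SHA384
    """
    kx, parts = _split(name)
    if parts[0] == "AES":
        bulk, mode, mac = f"AES{parts[1]}", parts[2], parts[3]
        # OpenSSL spells CBC suites without the mode and AEAD suites with it.
        tail = f"{bulk}-{mac}" if mode == "CBC" else f"{bulk}-{mode}-{mac}"
    elif parts[0] == "CHACHA20":
        tail = "CHACHA20-POLY1305"
    else:
        raise ValueError(f"bulk cipher not handled: {name}")
    # Static-RSA key exchange has no prefix in OpenSSL names; ECDHE_RSA -> ECDHE-RSA-.
    prefix = "" if kx == "RSA" else kx.replace("_", "-") + "-"
    return prefix + tail


def why_weak(name: str) -> list[str]:
    """Reasons a reviewer flags the suite; an empty list means none of these apply."""
    kx, parts = _split(name)
    reasons = []
    if kx == "RSA":
        reasons.append("static RSA key exchange, no forward secrecy")
    if "CBC" in parts:
        reasons.append("CBC mode with MAC-then-encrypt")
    return reasons


def server_accepts(host: str, suite: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Offer exactly one suite and report whether the server completes the handshake with it."""
    openssl_name = iana_to_openssl(suite)
    ctx = ssl.create_default_context()
    # Pin TLS 1.2: set_ciphers() does not govern TLS 1.3 suites, so a 1.3-capable
    # server would otherwise negotiate TLS 1.3 and the result would say nothing
    # about the suite under test.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(openssl_name)
    except ssl.SSLError as exc:
        raise RuntimeError(f"local OpenSSL cannot offer {openssl_name}: {exc}") from exc
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0] == openssl_name
        except (ssl.SSLError, ConnectionError):
            # handshake_failure alert or abrupt close: the server refused the suite
            return False


def scan(host: str, suites: list[str] = FLAGGED_SUITES) -> dict[str, bool]:
    """Map each suite to whether the endpoint still accepts it."""
    return {s: server_accepts(host, s) for s in suites}


if __name__ == "__main__":
    # Hypothetical host; pass your own app's hostname as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "myapp.azurewebsites.net"
    for suite, accepted in scan(target).items():
        status = "ACCEPTED" if accepted else "rejected"
        print(f"{status:8} {suite}  [{'; '.join(why_weak(suite))}]")
```

Run it before and after the change and diff the two outputs. Keep in mind that minTlsCipherSuite is a cut-off in an ordered list, not a deny-list, so suites ranked above the one you name stay enabled; the scan shows exactly which of the flagged ones survive the setting you chose. A run from a single client only covers what that client's OpenSSL can offer, so an "ACCEPTED" line is conclusive while a RuntimeError means the suite could not be tested from this machine, not that the server rejects it.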

Microsoft recently added a [Minimum TLS Cipher Suite (Preview)] option to the Azure Web App configuration settings - note that it's still in preview, so there are some bugs to iron out, and not all clients support such a secure cipher.

Configuration > General Settings > Platform settings

Minimum TLS Cipher Suite (Preview)

(screenshot: Change minimum TLS Cipher Suite (preview))

Alexander