
A customer ran a scan on an IoTEdge (v1.0.9.1) device and discovered that non-recommended versions of TLS protocol are enabled by default.

  • TLS Version 1.0 Protocol (TCP/5671), Severity: High
  • TLS Version 1.1 Protocol (TCP/5671), Severity: Medium

Is there a way to configure IoT Edge (by default) to

  • Disable usage of TLS 1.0 / 1.1
  • Only use TLS 1.2 for inbound / outbound communications?
  • Disable the iot-edge gateway functionality (‘standard iot edge’ device scenario)

I saw the links below but wanted to know if there are other options to provide to the customer.

Control TLS version and ciphers exposed by IoT Edge Hub
https://github.com/Azure/iotedge/tree/master/edge-modules/edgehub-proxy

TLS 1.2 enforcement available in select regions (Azure IoT Hub TLS support | Microsoft Docs)
https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-tls-support

  • Could you please provide more info about your situation? It is not clear to me whether this belongs on SO or may be better answered on [ServerFault](https://serverfault.com/). Are you writing code as part of this or simply configuring a server? – Beefster Dec 15 '20 at 21:16

2 Answers

Release 1.0.10 of IoT Edge Hub has an environment variable SslProtocols which you can use to control this. A full listing of available environment variables for system modules is available in the GitHub repo.

When not used in a gateway configuration, one can remove the host port binding setting from edgeHub. Follow resolution steps for this issue (not related).

Venkat Yalla
  • This method works on my Azure IoT Edge 1.2 as well. I was trying to find some ways to directly disable TLS 1.0 & TLS 1.1 but there is no direct way to do it in Red Hat Enterprise Linux. It was good to know that just adding one environment variable solved the problem. – Prasan Dutt Apr 11 '22 at 15:46

Venkat Yalla's answer is correct. You have to set this: SslProtocols tls1.2

Next is where to set the environment variable, if you installed the sdk on the server you have to set the variable there.

However, if you installed IoT Hub as a service, you can set the environment variable on the Azure Portal. On Azure - IoT Hub - select IoT Edge and click on your device. Then click Set Modules and then Runtime Settings (small cog - middle of the page). On the right blade, you can set environment variables for either the Edge Agent or the Edge Hub. This variable is for the Edge Hub.

Then Apply and go through the Review + Create process. I recommend restarting the hub to see the results faster. It worked for me.

Carlos Oliveira
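Both answers come down to two deployment-manifest changes on the edgeHub system module: the SslProtocols environment variable, and (for a device that is not a gateway) dropping the published host ports. The Python below is an added example, not code from this page or from the IoT Edge project; it audits a constructed sample manifest for both settings and rewrites them. The manifest layout and the default 5671/8883/443 port bindings are assumed from the standard IoT Edge deployment format.

```python
import json

LEGACY = {"tls1.0", "tls1.1"}  # versions the scan in the question flagged

# Constructed sample: the edgeHub entry of a deployment manifest as it ships by
# default, with the gateway port bindings published and no SslProtocols set.
SAMPLE_MANIFEST = {"modulesContent": {"$edgeAgent": {"properties.desired": {"systemModules": {
    "edgeHub": {
        "type": "docker",
        "settings": {
            "image": "mcr.microsoft.com/azureiotedge-hub:1.0.10",
            "createOptions": json.dumps({"HostConfig": {"PortBindings": {
                "5671/tcp": [{"HostPort": "5671"}],
                "8883/tcp": [{"HostPort": "8883"}],
                "443/tcp": [{"HostPort": "443"}]}}}),
        },
        "env": {},
    }}}}}}

def _edgehub(manifest):
    return manifest["modulesContent"]["$edgeAgent"]["properties.desired"]["systemModules"]["edgeHub"]

def audit_edgehub(manifest):
    """List what a TLS/port scan like the one in the question would flag."""
    hub = _edgehub(manifest)
    findings = []
    raw = hub.get("env", {}).get("SslProtocols", {}).get("value", "")
    allowed = {p.strip().lower() for p in raw.split(",") if p.strip()}
    if not allowed:
        findings.append("SslProtocols unset: edgeHub default may offer TLS 1.0/1.1")
    elif allowed & LEGACY:
        findings.append("SslProtocols still allows " + ", ".join(sorted(allowed & LEGACY)))
    opts = json.loads(hub["settings"].get("createOptions") or "{}")  # createOptions is a JSON string
    for port in sorted(opts.get("HostConfig", {}).get("PortBindings", {})):
        findings.append(f"edgeHub publishes host port {port}")
    return findings

def harden_edgehub(manifest, gateway=False):
    """Copy of the manifest with edgeHub pinned to TLS 1.2; non-gateway devices also lose host ports."""
    manifest = json.loads(json.dumps(manifest))  # deep copy; input stays untouched
    hub = _edgehub(manifest)
    hub.setdefault("env", {})["SslProtocols"] = {"value": "tls1.2"}
    if not gateway:
        opts = json.loads(hub["settings"].get("createOptions") or "{}")
        opts.get("HostConfig", {}).pop("PortBindings", None)
        if "HostConfig" in opts and not opts["HostConfig"]:
            del opts["HostConfig"]  # keep createOptions clean rather than {"HostConfig": {}}
        hub["settings"]["createOptions"] = json.dumps(opts)
    return manifest
```

Run audit_edgehub on the manifest you are about to deploy; an empty list means neither finding from the original scan should reappear, and the hardened manifest is what you paste into the edgeHub Runtime Settings described above.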