We welcome user feedback and feature requests!

Disable TLS1.0

Please let us choose what Cipher to use and Disable/Enable TLS versions in Azure Web Apps.

194 votes
Vote
Sign in
(thinking…)
Password icon
Signed in as (Sign out)
You have left! (?) (thinking…)
Tony shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

26 comments

Sign in
(thinking…)
Password icon
Signed in as (Sign out)
Submitting...
  • Bryan commented  ·   ·  Flag as inappropriate

    This is not an acceptable solution for most people looking for this feature. In my opinion, implementing only for ASE should not warrant this being marked as completed. This is obviously still an open concern for users of multi-tenant PaaS.

  • Drew Marsh commented  ·   ·  Flag as inappropriate

    Surprised and disappointed to find that this is still not possible to control at the "pure"-PaaS Azure Web Apps level.

  • Kevin commented  ·   ·  Flag as inappropriate

    I agree with all others that have commented here. The cost to jump to an ASE environment is prohibitive for small companies. An option to disable this should be provided across all levels of Web Apps.

  • Owen - Acumy commented  ·   ·  Flag as inappropriate

    In order to allow web apps as an option where security scans are required, the community needs a way to choose the level of TLS and cipher support. I understand that this is not easy, as SSL/TLS terminates upstream in the infrastructure, but surely there could be pools of web app infrastructure available with, say, varying levels of extremely tight to relatively loose TLS restriction, under which your web app is installed on demand (even a required delay of a few hours for a deployment change would be acceptable.)

  • Enrico commented  ·   ·  Flag as inappropriate

    You cannot expect us to incur the high cost of an App Service Environment just to get to a platform that complies with modern security standards

  • Bill commented  ·   ·  Flag as inappropriate

    This is absurd. You cannot expect us to incur the high cost of an App Service Environment just to get to a platform that complies with modern security standards.

  • Nicholas commented  ·   ·  Flag as inappropriate

    Any basic scan of an Azure Web App shows that TLS 1.0, an insecure transportation security protocol, is supported. This vulnerability is unacceptable. You need to provide an option to disable it.

  • Dave commented  ·   ·  Flag as inappropriate

    Remove the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher. This is no longer PCI 3.1 compliant.

  • Sam commented  ·   ·  Flag as inappropriate

    We are on the brink of switching to AWS simply because this is a complete block for us. Switching to an ASE is out of the question due to the high and unnecessary expense.

  • Anonymous commented  ·   ·  Flag as inappropriate

    To add to the chorus... "Disabling TLS 1.0 is supported in ASE" is not the answer to this suggestion due to the significant increase in cost. You literally jump from from $149/mo for two S1 instances to $1475/mo for the lowest-cost ASE configuration.

  • Ryan Salter commented  ·   ·  Flag as inappropriate

    PCI compliance is the underlying issue and TLS 1.0 needs to be disabled. The ideal solution is that Azure websites have an option to be PCI compliant, or PCI 3.1 compliant. I'm having an issue with compliance on Azure hosted websites and will be forced to move them to another host. The fact that deadline is delayed until 2018 does not equate to compliance in the meantime. I have an immediate need to be fully compliant.

  • P Pelzer commented  ·   ·  Flag as inappropriate

    +1.... We have many clients who need to be compliant. Microsoft praises itself for its security but this easy to score item is left hanging.

← Previous 1

Feedback and Knowledge Base