Either sunset TLS 1.0 or give users the means to disable it
We chose Azure App Services to host a new web application which was scheduled to go live by the end of March, 2016. Incredibly, we are now finding that TLS 1.0 cannot be disabled on App Services. Because of that, we cannot pass a PCI DSS 3.1 scan. We’ve looked through all of the posts and replies on MS forums related to this, but there is no answer to the specific question we have. We understand that there are alternative hosting solutions like ASE and Web Roles where MS has the means to disable TLS 1.0. Both of these represent additional time and effort to set up and deploy our QA and production sites, and both represent additional compute costs for resources that we definitely don’t need (i.e., we have no worker processes and would prefer to not pay for worker instances). We also understand that PCI is requiring new applications to be DSS 3.1 compliant even though they have extended the deadline for existing applications to June, 2018.
So, the question is whether Microsoft is planning to give users the ability to disable TLS 1.0 in ordinary (i.e., non-ASE) App Services. Or, will you finally be sunsetting TLS 1.0 in ordinary App Services? All of the replies referred to above were extremely vague about what exactly is on the roadmap for App Services. Could we please have a definitive answer on whether we will have this ability to disable TLS 1.0 before the June, 2018 deadline? If so, we may be able to prepare a mitigation and migration plan that would grant us an exception to the DSS 3.1 compliance.
For what it’s worth, we came to Microsoft because it appeared to be the clear PaaS leader. Please tell us that MS thought this through and has a cost effective PaaS strategy that is consistent with the entire industry regarding secure protocols. If not, then what differentiates Azure VMs from AWS VMs?
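The PCI scan failure the post describes comes down to one check: does the endpoint still complete a handshake when a client offers only TLS 1.0 (or 1.1)? The script below is an added example, not code from the thread or from Azure/Microsoft, that performs that check the way a scanner does and rolls the results up into a pass/fail verdict. It also handles the caveat that trips up many home-grown checks: a current OpenSSL refuses to even offer TLS 1.0 at its default security level, so without requesting `@SECLEVEL=0` every server would look "fixed". The hostname in `scan_host` is a placeholder, and `run_local_demo` uses a constructed local listener that never speaks TLS so the example runs offline.

```python
"""Check whether an HTTPS endpoint still negotiates TLS 1.0 / 1.1.

Added example for this thread; not Azure, App Service or Microsoft code.
It reproduces the single check behind a PCI DSS 3.1 scan finding: connect
with a TLS client that speaks exactly one protocol version and see whether
the server completes the handshake.
"""
import socket
import ssl
import threading

# Protocol versions a PCI DSS 3.1 scan flags when a server still accepts them.
LEGACY_VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)


def _client_context(version):
    """Client context pinned to exactly one protocol version.

    Certificate verification is off because the probe only asks which
    protocol versions the server accepts, not whether its chain is valid.
    Security level 0 is requested so that a current OpenSSL, which refuses
    TLS 1.0/1.1 at its default level, still offers the legacy version;
    otherwise every server would look compliant (a false negative).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version  # ValueError if OpenSSL was built without it
    ctx.maximum_version = version
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # OpenSSL without security levels already offers TLS 1.0
    return ctx


def probe_tls_version(host, port, version, timeout=5.0):
    """Return {"version", "negotiated", "error"} for one host/version pair.

    negotiated True  -> the server completed a handshake at this version
    negotiated False -> the server refused it (what a PCI scan wants to see)
    negotiated None  -> inconclusive: host unreachable, or the local TLS
                        stack cannot offer this version at all
    """
    result = {"version": version.name, "negotiated": None, "error": None}
    try:
        ctx = _client_context(version)
    except ValueError as exc:
        result["error"] = f"local TLS stack cannot offer {version.name}: {exc}"
        return result
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                result["negotiated"] = True  # min == max, so it is the pinned version
    except ssl.SSLError as exc:
        if exc.reason == "NO_PROTOCOLS_AVAILABLE":
            result["error"] = f"local TLS stack refused to offer {version.name}"
        else:
            result["negotiated"] = False  # alert or EOF: server rejected the version
            result["error"] = str(exc)
    except (ConnectionRefusedError, socket.timeout) as exc:
        result["error"] = f"unreachable: {exc}"
    except OSError as exc:  # e.g. connection reset mid-handshake
        result["negotiated"] = False
        result["error"] = str(exc)
    return result


def pci_verdict(results):
    """Roll probe results up like a scan report: any legacy version the
    server still negotiates is a failing finding."""
    negotiated = [r["version"] for r in results if r["negotiated"] is True]
    inconclusive = [r["version"] for r in results if r["negotiated"] is None]
    return {"fails_scan": bool(negotiated), "legacy_negotiated": negotiated,
            "inconclusive": inconclusive, "results": results}


def scan_host(host, port=443, timeout=5.0):
    """Probe every legacy version against a real endpoint,
    e.g. scan_host("your-app.example.com") (placeholder hostname)."""
    return pci_verdict([probe_tls_version(host, port, v, timeout) for v in LEGACY_VERSIONS])


def run_local_demo():
    """Offline demonstration with a constructed local listener that closes
    each connection without speaking TLS, standing in for a server that
    rejects legacy versions: every probe should come back negotiated=False."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    srv.settimeout(5)
    port = srv.getsockname()[1]

    def reject_everything():
        try:
            for _ in LEGACY_VERSIONS:
                conn, _ = srv.accept()
                conn.close()  # no ServerHello, so the client's handshake fails
        except OSError:
            pass

    worker = threading.Thread(target=reject_everything, daemon=True)
    worker.start()
    verdict = scan_host("127.0.0.1", port, timeout=3.0)
    worker.join(5)
    srv.close()
    return verdict


if __name__ == "__main__":
    print(run_local_demo())
```

Run `scan_host` against a real hostname to reproduce what the scanner sees; a result of `negotiated=True` for `TLSv1` is exactly the finding the post is fighting, and an `inconclusive` entry means the machine running the probe, not the server, is the reason no legacy handshake happened.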
This is a feature of ASE; details are available here: https://azure.microsoft.com/en-us/documentation/articles/app-service-app-service-environment-custom-settings
Alex Lowe commented
Good news. The cipher suite is being updated in April. See https://social.msdn.microsoft.com/Forums/azure/en-US/6530d35a-9321-4e61-a496-39b66c63a1a0/we-are-updating-our-tlsssl-cipher-suites-to-improve-security?forum=windowsazurewebsitespreview for more information.
This is insane. We should not have to pay more for basic security. Switching cloud provider now.
Colin Mierowsky commented
I must agree with Sam, please reconsider this, or drop the price for ASE.
Sorry to be blunt, but this is a slap in the face to loyal Azure users. Switching to an ASE will cost several times more in server expenses per month because it requires a Premium account. So much for affordable scalability...
Note that the PCI standards board updated their guidance for PCI v3.1 and pushed out the date for removing TLS 1.0 to June 2018.
We will continue to evaluate options for disabling TLS 1.0. In the near term we will keep TLS 1.0 enabled given that a sizable percentage of browser traffic still relies on TLS 1.0.