
Disable Insecure Ciphers In Azure Websites

Either through a configuration/scale option, or just blanket by default, I want to be able to disable RC4 ciphers (and any other insecure cipher suites) in Azure Websites so I can get an A rating (or better) from the Qualys SSL Labs SSL Server Test (https://www.ssllabs.com/ssltest/analyze.html).

At present, the only way to do this is not use Azure Websites and host your own VM where you can configure the registry to disable such ciphers.
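For the self-hosted VM route the idea mentions, here is an added PowerShell example (not from the original post, and not Azure's own tooling) that applies the SCHANNEL registry changes a Windows server needs to stop offering RC4, 3DES and TLS 1.0. It assumes an elevated session on the VM and a reboot afterwards; it does not change suite ordering, so the TLS_RSA_* suites that SSL Labs flags for lacking forward secrecy need a separate cipher-suite order policy.

```powershell
# Added example: disable RC4/3DES ciphers and the server-side TLS 1.0 protocol through
# SCHANNEL registry keys on a Windows VM. Needs an elevated session; takes effect after reboot.
# Run with -WhatIf first to review the keys that would be written.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelDword {
    # Uses the .NET registry API rather than New-Item because cipher key names contain a
    # forward slash ("RC4 128/128"), which the HKLM: provider would treat as a path separator
    # and silently create as two nested keys.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$SubKey, [string]$Name, [int]$Value)
    $path = "$schannel\$SubKey"
    if ($PSCmdlet.ShouldProcess("HKLM\$path", "set $Name=$Value")) {
        $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($path)
        $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
    }
}

# Cipher families raised in this thread: RC4 (every key length SCHANNEL lists) and 3DES.
# Key names must match the SCHANNEL names for the Windows version in use.
$weakCiphers = @('RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128', 'Triple DES 168')
foreach ($c in $weakCiphers) {
    Set-SchannelDword -SubKey "Ciphers\$c" -Name 'Enabled' -Value 0
}

# TLS 1.0 on the server side: both values are required for the protocol to stop being offered.
Set-SchannelDword -SubKey 'Protocols\TLS 1.0\Server' -Name 'Enabled' -Value 0
Set-SchannelDword -SubKey 'Protocols\TLS 1.0\Server' -Name 'DisabledByDefault' -Value 1

# Read the values back as change-record evidence before rebooting.
$toCheck = @($weakCiphers | ForEach-Object { "Ciphers\$_" }) + 'Protocols\TLS 1.0\Server'
foreach ($s in $toCheck) {
    $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$schannel\$s")
    $enabled = if ($k) { $k.GetValue('Enabled', 'not set') } else { 'key missing' }
    '{0,-28} Enabled={1}' -f $s, $enabled
}
```

After the reboot, re-run the SSL Labs test against the VM to confirm that RC4, 3DES and TLS 1.0 are no longer negotiated.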

274 votes

Martin Costello shared this idea

79 comments

  • Marty commented

    Same here, got the list below.

    Since this is a hard requirement from our security officers to go live, please disable these.

    TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
    TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
    TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
    TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128
    TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
    TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128

  • necman commented

    I'm getting these results. When are these ciphers going to be disabled?

    TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
    TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
    TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
    TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128
    TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
    TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128

  • Vinay Kumar commented

    This morning I got this email:

    You have received this communication because Trustwave has determined that your External Vulnerability PCI scans will be impacted by an upcoming change to the PCI external scan rules. This finding is based on your recent scan and the fact that scan hosts/targets were "Undetected" by the scanner. Please see the steps below that you can take to help ensure that your scan targets can be reached and you can achieve a passing scan under the new requirements from the Payment Card Industry Security Standards Council (PCI SSC).

    An "Undetected Host" is an IP address in your PCI external Scan Setup that Trustwave was unable to reach per PCI Approved Scanning Vendor requirements. This could be due to an out-of-date scan configuration, a business security policy that hides the network by design, or an active protection system (i.e. WAF or IPS) interfering with the PCI scans. In accordance with the latest PCI scanning standard that becomes effective on January 31, 2018, your current scan configuration would soon result in a failing scan and possible PCI non-compliance.

    When I ran the Qualys SSL Test I found more cipher suites showing as weak.

    TLS 1.2
    TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
    TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
    TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
    TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128
    TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
    TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128

    TLS 1.2

    TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
    TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128

    TLS 1.0 Awaiting to get disabled from Azure Team.

    TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
    TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128

    Is there anyone facing the same issue with Azure Web Apps?

  • Milan commented

    For anyone that is interested, you can disable the cipher and TLS 1.0 using an ASE. We ended up using that instead of the WAF. We were about to use a WAF but there were complications that we weren't interested in taking on.

  • Vinay Kumar commented

    Hello There,

    Is there a way to disable the vulnerable "TLS_RSA_WITH_3DES_EDE_CBC_SHA" cipher from the Azure App Service (web portal)?

    I could have updated it if I had RDP access, but I think it's not possible to get RDP. I have tried from the Console, but it's not possible to update the reg keys without elevated privileges.

    I really need this fixed ASAP. Any suggestions?

    Thanks.
    Vinay Kumar.

  • scminter commented

    Microsoft's response to me 20Apr17:

    The disabling of TLS 1.0 is not supported for App Services. The workaround you can do is using CloudFlare CDN.

  • Owen - Acumy commented

    In order to allow web apps as an option where security scans are required, the community needs a way to choose the level of TLS and cipher support. I understand that this is not easy, as SSL/TLS terminates upstream in the infrastructure, but surely there could be pools of web app infrastructure available with, say, varying levels of extremely tight to relatively loose TLS restriction, under which your web app is installed on demand (even a required delay of a few hours for a deployment change would be acceptable.)

  • Ryan Salter commented

    The description of this original request is vague, since insecure ciphers and A rating will continue to change over time. However, PCI compliance is the underlying issue and TLS 1.0 needs to be disabled. I'm having the same problem with compliance on Azure hosted websites and will be forced to move them to another host.

  • Milan commented

    The RC4 issue is resolved for me, but TLS 1.0 is not. It appears to me that those are 2 separate issues.

    My QSA is telling me that the date for disabling TLS 1.0 was pushed out quite a way so this isn't an issue at this point (see http://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls for confirmation). While the Trustwave scan still flags TLS 1.0, I believe your QSA should be ignoring that flag.

    Thank you for getting this resolved.

  • Ryan J commented

    PCI DSS Compliance 3.1 requires TLS 1.0 to be disabled, as Rick stated. For all of us that need to be compliant with these standards, Azure needs to shut it off or give us the option to shut it off per App Service Plan. 3.1 rules go into effect June 30th 2016. We are attempting to put a mitigation plan in place for our third party scan that already requires us to have TLS 1.0 shut off. It would be much easier if this was just an option.

    "SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016. Prior to this date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place.

    Effective immediately, new implementations must not use SSL or early TLS. POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS may continue using these as a security control after June 30, 2016."

    Please don't make us have to use a different provider Microsoft!

  • Chris commented

    PCI Compliance scan on 2/06/2016 states we are still not compliant! WHEN will this be done Azure?

  • rick commented

    I just had a scan done on 1-18-2016 and the scan failed due to TLSv1.0 being enabled on ports 443, 454 and 455. I read that this was going to be disabled starting in September 2015. Well, I guess they are still working on it!
