TLS 1.3 and HSTS Support for Azure Application Gateway
This is a feature request for Azure Application Gateway to support TLS 1.3 and HSTS.
At least HSTS is just a security header, which should be trivial to implement.
I'm looking forward to feedback.
Thanks for the valid suggestion. Your feedback is now open for the user community to upvote, which allows us to effectively prioritize your request against our existing feature list and also gives us insight into the potential impact of implementing the suggested feature.
Terry Trapp commented
Tap Tap Tap - Is this thing on? HELLLLLO! It's 2021. We need TLS 1.3.
Matthias Schwitzgebel commented
Is there any update if/when TLS 1.3 will be supported on Azure Application Gateway?
C. Dussert commented
It would be nice to, at least, extend the range of strong ciphers supported by Application Gateway (the list provided at https://ssl-config.mozilla.org/ with "intermediate" configuration could be a good starting point).
To use Application Gateway in a production environment, this is really required, with support for TLS 1.3 to come soon.
Seriously? TLS 1.2 was introduced in 2008 and was supported by Azure in 2020. TLS 1.3 was initially published in 2018; does that mean we have to wait until 2030 for it to be available in Azure? That would be super competitive... Come on Microsoft, you can do better...
Ankita Rani Patro commented
How do I fix the forward secrecy issue with WAF/Application Gateway in Azure? It grades as B in SSL Labs. Can someone help me with this?
I echo this request, but will this workaround work?
On AAG: Rewrite rule, add HSTS on the method type (example: GET).
Alexandre GIRAUD commented
Hi all, really need a roadmap /visibility about TLS 1.3 support please
Rothenbacher, Tony commented
The thing is that the remaining cipher suites and protocols still considered strong *and also* supported by Azure Application Gateways are getting really thin.
As of July 2020, if you configure an Azure Application Gateway using what are considered only strong cipher suites and TLS protocols, you end up with only one protocol enabled (TLS 1.2) and two cipher suites [TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256].
The TLS 1.3 RFC was published nearly two years ago, in August 2018.
This is the valid one I'm looking for. Please consider TLS 1.3 support soon. We are already using Application Gateway, which supports TLS 1.2.
Agreed - this will become increasingly important as time ticks on. Standards bodies like PCI already have their eye on it; if they say "required" in the next updates, the gateway becomes unusable. Need to get this moving.
Lack of TLS 1.3 support is a major concern for us, as a client is requesting this. Having at least a roadmap/timeline towards implementation could mitigate this a little.
Lack of TLS 1.3 support is a major concern for us now, as we are getting tender requests which explicitly state that TLS 1.3 support is a must. Due to the fact that Application Gateway doesn't support it, chances are we will have to replace the Application Gateways with an IaaS solution which does.
Ultimately Application Gateway is supposed to solve the problem of managing your own reverse proxy, but in reality the inflexibility which comes with Application Gateway creates its own problems, which massively detract from the value we get out of it.
Roy Peng commented
Will Azure WAF support forward secrecy? It got a B rating at SSL Labs. https://blog.qualys.com/ssllabs/2018/02/02/forward-secrecy-authenticated-encryption-and-robot-grading-update?_ga=2.202999639.778025117.1582078457-1890284084.1582078457
Although TLS 1.3 is still a bit early for many people to adopt fully, it feels ripe to become more urgent to support in the medium term (say the next 1-3 years), mainly as a bulwark against a shrinking list of 'non-weak' TLS protocols and ciphers.
- RFC 8446 was approved by the IETF in August 2018 so we're a year and a half past its acceptance as of February 2020.
Many modern browsers are already supporting it:
- Mozilla Firefox
- Microsoft Edge (Chromium-based version).
Many organizations have taken the tack of switching off TLS 1.1 and lower protocols server-side per guidance from the security community at large, leaving us with only TLS 1.2 as the sole remaining supported protocol on Azure App Gateways still considered non-weak by the security conscious.
Since 2012 a significant number of vulnerabilities in various cipher suites and SSL/TLS protocols have come to light, and as a result we've seen a repeating pattern of chopping off support for weak ciphers/protocols in favor of an ever-shrinking list of cipher suites and TLS protocols still considered non-weak.
Here are a few notable high profile vulnerabilities over that term:
2013: TIME, BREACH
2014: HEARTBLEED, NEW_BLEICHENBACHER, BERSERK, POODLE_sslv3, POODLE_tlsv1
2015: RC4 Cipher dropped by IETF, FREAK, LOGJAM
There are shockingly few cipher suites left that are 1) compatible with TLS 1.2 and 2) still considered non-weak (see https://www.ssllabs.com/ssltest/); a properly tuned AG with a priority on security and keeping 0 non-weak cipher suites enabled leaves exactly three cipher suites [TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256] and one protocol [TLS 1.2] on the AG at hand. To me it feels like we're approaching the 'getting a little too close for comfort' stage with respect to the number of protocols and cipher suites an AG can support today that are still considered non-weak.
Adding support for TLS 1.3 would give folks more comfort that, should something happen to one or more of the three remaining 'non-weak' TLS 1.2 compatible ciphers, they could quickly switch on TLS 1.3, which would bring with it support for the additional TLS 1.3 compatible cipher suites, adding client compatibility and buying us an additional safety buffer with respect to client compatibility.
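Several comments above ask the same practical questions: why SSL Labs caps a gateway at grade B for forward secrecy, which TLS 1.2 suites an Application Gateway actually still offers, and whether the rewrite-rule workaround for HSTS scoped to GET really works. The probe below, an added example that is not code from this thread or from Azure, answers them against a live endpoint using only the Python standard library. It pins one TLS version per handshake, offers each OpenSSL-known pre-1.3 suite on its own to see which the server accepts, classifies each accepted suite by key exchange (ECDHE/DHE gives forward secrecy, plain RSA does not) and AEAD, and fetches the Strict-Transport-Security header with both GET and HEAD. The host name, port and timeout are assumptions supplied by the user; TLS 1.3 suites cannot be selected individually from Python's `ssl` module, so for 1.3 only the negotiated suite is reported.

```python
"""TLS posture probe for an HTTPS endpoint such as an Application Gateway
listener. Added example, not code from this thread or from Azure. Uses only
the Python standard library; host, port and TIMEOUT are assumptions."""
import http.client
import re
import socket
import ssl
import sys

TIMEOUT = 5  # seconds per connection attempt (assumed; tune for slow links)


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.

    Returns None when the header is absent or has no usable max-age (browsers
    then apply no HSTS); otherwise a dict of the parsed directives."""
    if value is None:
        return None
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                parsed["max_age"] = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed if parsed["max_age"] is not None else None


def classify_suite(info):
    """Classify one entry of SSLContext.get_ciphers().

    Forward secrecy needs an ephemeral exchange (ECDHE/DHE; 'any' is the TLS 1.3
    marker). OpenSSL reports it as 'kea' and as Kx=... in the description."""
    kea = str(info.get("kea") or "").lower().replace("kx-", "")
    match = re.search(r"Kx=(\w+)", info.get("description", ""))
    kx_desc = match.group(1) if match else ""
    forward_secret = kea in ("ecdhe", "dhe", "any") or kx_desc in ("ECDH", "DH", "any")
    aead = bool(info.get("aead"))
    if forward_secret and aead:
        verdict = "strong"
    elif forward_secret:
        verdict = "no-aead"
    else:
        verdict = "no-forward-secrecy"
    return {"name": info["name"], "forward_secret": forward_secret,
            "aead": aead, "verdict": verdict}


def _handshake(host, port, ctx):
    """One handshake; returns (version, cipher name) or None if refused."""
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (OSError, ssl.SSLError, ValueError):
        return None


def negotiated_versions(host, port=443):
    """Pin each TLS version in turn and record which ones the server accepts."""
    result = {}
    for ver in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.create_default_context()
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # let OpenSSL even offer legacy versions
        ctx.minimum_version = ctx.maximum_version = ver
        hs = _handshake(host, port, ctx)
        result[ver.name] = hs[1] if hs else None
    return result


def tls12_suites(host, port=443):
    """Offer each OpenSSL-known pre-1.3 suite alone; classify the accepted ones."""
    catalogue = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    catalogue.set_ciphers("ALL:COMPLEMENTOFALL:@SECLEVEL=0")
    accepted = []
    for info in catalogue.get_ciphers():
        if info["protocol"] == "TLSv1.3":
            continue  # 1.3 suites cannot be selected individually from Python
        ctx = ssl.create_default_context()
        ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        try:
            ctx.set_ciphers(info["name"] + ":@SECLEVEL=0")
        except ssl.SSLError:
            continue
        hs = _handshake(host, port, ctx)
        if hs and hs[0] == "TLSv1.2":
            accepted.append(classify_suite(info))
    return accepted


def fetch_hsts(host, port=443, method="GET", path="/"):
    """Send one request and return the parsed HSTS header, or None."""
    conn = http.client.HTTPSConnection(host, port, timeout=TIMEOUT,
                                       context=ssl.create_default_context())
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        resp.read()
        return parse_hsts(resp.getheader("Strict-Transport-Security"))
    finally:
        conn.close()


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: tls_probe.py <host> [port]")
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for ver, suite in negotiated_versions(host, port).items():
        print(f"{ver:<8} {suite or 'refused'}")
    for s in tls12_suites(host, port):
        print(f"TLSv1.2  {s['name']:<32} {s['verdict']}")
    # A rewrite rule scoped to GET (the workaround discussed above) leaves
    # HEAD and POST responses without HSTS; compare the two methods.
    for method in ("GET", "HEAD"):
        print(f"HSTS on {method}: {fetch_hsts(host, port, method)}")
```

Any suite reported as `no-forward-secrecy` is a static-RSA key exchange, which is what the linked Qualys post says caps a server at grade B; removing those suites from the gateway's custom SSL policy (the same three ECDHE/DHE GCM suites the comment above lists can be set with `az network application-gateway ssl-policy set --policy-type Custom --min-protocol-version TLSv1_2 --cipher-suites ...`) resolves that part of the grade. If `HSTS on GET` is populated but `HSTS on HEAD` is `None`, the rewrite rule is conditioned on the method and should instead be attached unconditionally to the HTTPS listener's routing rule, so every response over TLS carries the header.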
Yeamin Rajeev commented
Not supporting TLSv1.3 will be a major reason not to choose Azure Application Gateway and Azure WAF.
Ravindra JOB - C4FR commented
I would also like this feature update!
Shaun Blackmore commented
I would also welcome this feature update!
Mike Williams commented
Are there any developments regarding this?