How can we improve Azure Cosmos DB?

Add feature to only support TLS 1.2 for PCI

When a PCI scan was run on our public Cosmos endpoint, it raised an exception since TLS 1.0 has not been decommissioned.

Can there be a button on the portal to only support TLS 1.2?

thanks

4 votes
Nate Langston shared this idea  ·  Admin response:

Hi Nate. Thanks for your suggestion. We are currently evaluating TLS 1.2 enforcement.

In the interim, if you are running a service within the Microsoft cloud, all outbound connections are TLS 1.2. If you are running outside the Microsoft cloud, the recommendation is to use .NET 4.6, which is TLS 1.2 by default. If you are running a VM, the recommendation is to disable all transport protocols except TLS 1.2.

Registry Example (.reg syntax; the curly quotes were an artifact of the page and are straight double quotes in a real .reg file):
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

As mentioned this is currently being reviewed for planning. We will update this item as this progresses.

Thanks again.
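As an added example (not code from the Cosmos DB team or from the reply above), the following PowerShell applies the same SCHANNEL registry settings for TLS 1.0 and, since the reply recommends leaving only TLS 1.2 enabled on a VM, for TLS 1.1 as well, then reads the keys back as an audit record. It assumes an elevated PowerShell session on the Windows VM; SCHANNEL picks up the change only after a reboot.

```powershell
# Added example: disable TLS 1.0/1.1 in SCHANNEL the same way the reply's .reg
# fragment does, then audit the resulting state. Run elevated; reboot afterwards.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Disable-SchannelProtocol {
    param([Parameter(Mandatory)][string]$Protocol)   # e.g. 'TLS 1.0'
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $SchannelRoot "$Protocol\$side"
        # -Force creates the intermediate keys if they do not exist yet
        New-Item -Path $key -Force | Out-Null
        # Same two values as the .reg example: DisabledByDefault=1, Enabled=0
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled'           -Value 0 -PropertyType DWord -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # One row per protocol/side; a missing value means the OS default applies
    param([string[]]$Protocols = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($p in $Protocols) {
        foreach ($side in 'Client', 'Server') {
            $key   = Join-Path $SchannelRoot "$p\$side"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $p
                Side              = $side
                Enabled           = if ($null -eq $props.Enabled) { 'not set (OS default)' } else { $props.Enabled }
                DisabledByDefault = if ($null -eq $props.DisabledByDefault) { 'not set (OS default)' } else { $props.DisabledByDefault }
            }
        }
    }
}

Disable-SchannelProtocol -Protocol 'TLS 1.0'
Disable-SchannelProtocol -Protocol 'TLS 1.1'
Get-SchannelProtocolState | Format-Table -AutoSize
```

Keep the table output from Get-SchannelProtocolState with the PCI evidence, and re-run it after the reboot to confirm the values persisted.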

1 comment

  • Jason Amos commented:

    This key will throttle TLS logging:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
    "EventLogging"=dword:00000007
