Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Azure app service - how to disable weak ciphers?

I have a web application running as an Azure App Service. We've had a recent security review and it highlighted that weak ciphers are available and these should be disabled. The ciphers were:

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA

I've seen that it's possible to disable these by creating an isolated app service (https://learn.microsoft.com/en-us/azure/app-service/environment/app-service-app-service-environment-custom-settings#change-tls-cipher-suite-order). But this adds significant expense and complexity. Is it possible to disabling these without requiring an isolated app service?

like image 634
Matthew van Boheemen Avatar asked May 21 '20 04:05

Matthew van Boheemen


1 Answers

For now, there are 3 possible ways to remove weak ciphers:

App Service Environment - This gives you access to set your own ciphers though Azure Resource Manager - Change TLS Cipher Suite Order. I reproduced this and found out that it is possible to set your own ciphers or change the cipher suite order by modifying the clusterSettings as shown below:

clustersettings

Using Azure FrontDoor – You can configure a minimum TLS version in Azure Front Door in the custom domain HTTPS settings via Azure portal. Once you configure TLS1.2, only the following strong cipher suites are supported:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

You can find more information on this here - Front Door TLS Configuration.

Using Application Gateway – This lets you specify a central TLS policy that's suited to organizational security requirements and helps to meet compliance requirements. The TLS policy includes control of the TLS protocol version as well as the cipher suites and the order in which ciphers are used during a TLS handshake as seen here - Application Gateway SSL Policy Overview

like image 70
cobethur Avatar answered Oct 10 '22 13:10

cobethur