How do I configure Perfect Forward Secrecy in Windows Azure (OS, or Websites)

Question

I want to move my website to Windows Azure, but need to make sure that I'm using PFS on all my instances and roles. (regular web roles and Websites as well)

How do I configure this so that each deployment is automatically configured this way?

Answer 1

This excellent article by André N. Klingsheim explains detailed options for hardening the SSL/TLS configuration on Windows Server and Windows Azure. This includes

• Disabling SSL
• Enabling TLS
• Changing Cipher Suite Priorities

The author additionally provides a NuGet package as well as related source code for handling these updates during Azure role startup.

If you want to enforce (perfect) forward secrecy over just enabling it you will probably want to disable all cipher suites not supporting that. Looking at the relevant powershell script all TLS_RSA_*-suites need to be removed from $preferredCipherSuites. Note that this will drop compatibility with some (mostly legacy) browsers/clients.

Please also see this answer that contains several resources on cipher suite recommendations.