Menu
I have a website that is hosted on Microsoft Azure Websites. It runs only in HTTPS and has a IP certificate. How do I disable SSL v 3.0 protocol on an Azure Website and only allow TLS 1.x ?
The website is running Asp.Net MVC 5 and .Net framework 4.5
484
To ensure the safety of the users, Microsoft completely disabled SSL 3.0 in Azure Websites by default to protect customers from the vulnerability.
In short, a surprising number of web servers still use SSL 3.0. Stop using SSL 3.0! It's not secure, and it's not needed.
In the Internet Options window on the Advanced tab, under Settings, scroll down to the Security section. In the Security section, locate the Use SSL and Use TLS options and uncheck Use SSL 3.0 and Use SSL 2.0. If they are not already selected, check Use TLS 1.0, Use TLS 1.1, and Use TLS 1.2.
Update (11/1/2014): SSLv3 is now completely disabled on Azure Websites. You no longer need to install the Site Extension mentioned below.
You can now disable SSLv3 on Azure Websites. This post has the details.
Basically, you just need to install the DisableSSLv3 site extension into your site, and restart the site.
To verify that it's in fact disabled, try running:
curl -sslv3 https://{yoursite}.azurewebsites.net/
And make sure you get a 403.
151
EDIT: SSL v3 is now disabled by default with Azure Websites, see here
This is currently not possible (server side) with Azure Websites.
But the Azure team is working on offering the option to disable SSL v.3 according to David Ebbo (@davidebbo) who is a Microsoft dev lead working on Azure Websites.
See conversions on twitter in the link below and response from David. (thanks to Jon Sagara) https://twitter.com/nirmsk/status/522423884922884097
45
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
