I want to be able to disable the TLS 1.0 protocol and the RC4 cipher on an Azure website (or Web App) and I can't figure out if it's possible or not. (edit: I am aware that SSL 3.0 is disabled by default on Azure websites but I specifically want to disable TLS 1.0)
I know what registry settings to update but the problem of course is that I don't have access to the OS.
There are the NWebsec startup tasks that allow you to configure web roles (or cloud services), but my understanding is that this solution does not apply to web apps.
Is there any workaround?
In the Azure portal, from the left menu, select App Services > <app-name>. From your app's navigation menu, select TLS/SSL settings > Private Key Certificates (.pfx) > Import App Service Certificate. Select the certificate that you just purchased, and then select OK.
Azure App Service customers can purchase SSL certificates to use with a variety of apps. You can purchase Standard SSL certificates or Wildcard SSL certificates for the rates on the pricing page. Both types of SSL certificates are valid for one year and can be set for autorenewal.
Azure Websites has disabled SSL 3.0 for all sites by default to protect our customers from the vulnerability mentioned before. Customers no longer need to take any action to disable SSL 3.0 in Azure Websites.
How to install an SSL on Microsoft Azure Web App. 1) Go to App Services, select the name of your App and click SSL certificates under the Settings section: 2) The SSL certificate should appear on the list. The next step is to set a binding for the domain you would like to secure with the SSL ...
If your custom domain is mapped elsewhere, use email to validate your domain ownership. To enable HTTPS on a custom domain, follow these steps: Go to the Azure portal to find a certificate managed by your Azure CDN. Search for and select CDN profiles. In the list of CDN endpoints, select the endpoint containing your custom domain.
Under General, click on the Standard button to switch the site to Standard. To configure SSL, you will upload your certificate and bind it to your site. The steps are: Upload your certificate PFX file and specify the password for it (you would have created one when exporting the certificate to PFX)
Update Jan 2017
Microsoft have completed a feature whereby TLS 1.0 can be disabled via App Service Environment configuration. It's possible to set your own ciphers through the Azure Resource Manager or change the cipher suite order.
Details are available on the Custom configuration settings for App Service Environments page.
Original answer:
The original answer was that it is not possible to configure anything in the Registry or SSL settings in Azure web apps.
Microsoft are aware of PCI compliance changes and will update the host machines that the web apps run on in their own time frame. They announced in January 2015 that they would start making updates on 18th July 2015 that would result in an A grade for TLS/SSL endpoints for Azure web apps on sites like http://ssllabs.com
It's likely that this will be an on-going issue as computing power increases and more vulnerabilities are discovered, and hosted web apps must rely on Microsoft to keep their servers patched and up-to-date in a timely manner.
This link has some more background information on the changes Microsoft are making: https://social.msdn.microsoft.com/Forums/azure/en-US/50f1ab33-c22a-4629-951e-b7510f6b2cbe/upgrading-tlsssl-cryptography-for-azure-web-apps?forum=windowsazurewebsitespreview
And this link also tracks the feature request that asks MS to disable insecure ciphers in Web apps: http://feedback.azure.com/forums/169385-web-apps-formerly-websites/suggestions/7091994-disable-insecure-ciphers-in-azure-websites?page=2&per_page=20
If registry access and specific control of these settings is a requirement, the Azure options are Cloud Service WebRoles or IaaS VMs.
Vote to get MS to disable TLS 1.0
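An added example, not part of the original answer: a check over an App Service Environment resource from an ARM template that reports whether TLS 1.0 is disabled and whether any RC4 suite is left in the front-end cipher order. The setting names `DisableTls1.0` and `FrontEndSSLCipherSuiteOrder` are taken from Microsoft's custom configuration settings documentation for App Service Environments, and both sample resources are constructed.

```python
import json

# Constructed samples: App Service Environment resources as they might appear
# in an ARM template (names and values are illustrative, not from the page).
SAMPLE_WEAK = json.loads("""
{"type": "Microsoft.Web/hostingEnvironments", "name": "example-ase",
 "properties": {"clusterSettings": [
   {"name": "FrontEndSSLCipherSuiteOrder",
    "value": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA"}
 ]}}
""")
SAMPLE_HARDENED = json.loads("""
{"type": "Microsoft.Web/hostingEnvironments", "name": "example-ase",
 "properties": {"clusterSettings": [
   {"name": "DisableTls1.0", "value": "1"},
   {"name": "FrontEndSSLCipherSuiteOrder",
    "value": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
 ]}}
""")


def cluster_settings(resource):
    """Return the resource's clusterSettings as a name -> value dict."""
    items = resource.get("properties", {}).get("clusterSettings") or []
    return {s.get("name"): str(s.get("value", "")) for s in items}


def audit_ase(resource):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    settings = cluster_settings(resource)
    if settings.get("DisableTls1.0") != "1":
        findings.append('TLS 1.0 not disabled (DisableTls1.0 is not "1")')
    order = settings.get("FrontEndSSLCipherSuiteOrder")
    if order is None:
        # Without an explicit order the platform default applies; review it.
        findings.append("no explicit cipher suite order set")
    else:
        rc4 = [c.strip() for c in order.split(",") if "_RC4_" in c.upper()]
        if rc4:
            findings.append("RC4 suites enabled: " + ", ".join(rc4))
    return findings


if __name__ == "__main__":
    for label, res in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, audit_ase(res) or "OK")
```
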