Minimum TLS Version in Azure Storage Account

I have an Azure Storage V2 account set up and I am trying to block TLS 1.0 and 1.1. I have set the Minimum TLS version to 1.2, but when I test the storage account using SSL Labs or other tools to test the TLS versions that are supported, they still report TLS 1.0 and 1.1 being enabled.

Below is a screenshot of the configuration from the Azure portal. I also checked in PowerShell and the Minimum TLS version reported is TLS1_2. Have I missed something or could this be because of something else?

[Image: Storage Account Configuration]

Jason asked Mar 04 '21 19:03


1 Answer

During my attempts to reproduce this in a browser for my support ticket, I was able to verify that TLS 1.0 and 1.1 ARE being blocked, but not at the Session/Presentation layer (I know some debate exists whether TLS is at layer 5/6); they are blocked at the Application layer. The Azure Storage host accepts the TLS 1.0 connection and then checks your account's settings, and if the Minimum TLS version is not met, it throws an HTTP 400 error stating the TLS version is not permitted.

For my purposes I will try to get this accepted by the auditors as this will continue to fail the TLS-testing sites but for any practical matter TLS 1.0/1.1 is blocked.

This is what Azure returns when you browse to the site with an unsupported TLS version: [image]

And the GET HTTP response is 400: [image]

To test this I found that you can force Firefox to a Minimum / Maximum TLS version and then test this in a browser. To configure Firefox to allow TLS 1.0 follow these steps (obviously remember to change this back after testing):

  1. Go to about:config in the Firefox address bar
  2. Set security.tls.version.enable-deprecated to true
  3. Set security.tls.version.max to 1 (or 2 for TLS 1.1)
  4. Set security.tls.version.min to 1

You can then test any site using TLS 1.0.

Jason answered Oct 09 '22 22:10
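
The same check without a browser, as an added example that is not part of the original answer: a Python probe that pins the client to one TLS version and reports whether the endpoint refused the handshake or completed it and then answered HTTP 400 with a TLS-related message. The function names and the sample reply are constructed for illustration, and it assumes the local OpenSSL build still includes TLS 1.0/1.1 (if it does not, the handshake fails locally and reads as blocked).

```python
import socket
import ssl

# Constructed sample reply (not captured from Azure), for offline checks.
SAMPLE_BLOCKED = b"HTTP/1.1 400 TLS version not permitted\r\nContent-Length: 0\r\n\r\n"

def classify(handshake_ok, raw):
    """Say where an old-TLS request was stopped, given the raw HTTP reply."""
    if not handshake_ok:
        return "blocked-at-handshake"
    parts = raw.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return "inconclusive"  # handshake worked but no usable HTTP reply
    # Assumption from the answer: the 400 reply text names TLS as the reason.
    if int(parts[1]) == 400 and b"tls" in raw.lower():
        return "blocked-at-application"
    return "not-blocked"  # request reached normal processing

def probe(host, version=ssl.TLSVersion.TLSv1, timeout=10):
    """Pin the client to one TLS version, send a GET / and classify the reply."""
    ctx = ssl.create_default_context()
    # Assumption: local OpenSSL still has TLS 1.0/1.1; SECLEVEL=0 re-enables them.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    ctx.minimum_version = version
    ctx.maximum_version = version
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        try:
            tls = ctx.wrap_socket(sock, server_hostname=host)
        except OSError:  # includes ssl.SSLError and connection resets
            return classify(False, b"")
        with tls:
            tls.sendall(f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
            raw = b""
            try:
                while len(raw) < 65536:
                    chunk = tls.recv(4096)
                    if not chunk:
                        break
                    raw += chunk
            except OSError:
                pass  # keep whatever arrived before the connection dropped
    return classify(True, raw)

if __name__ == "__main__":
    import sys
    # Usage: python probe.py <account>.blob.core.windows.net
    for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
        print(v.name, probe(sys.argv[1], v))
```

A result of `blocked-at-application` for TLS 1.0 and 1.1 matches the behaviour described in the answer, and is the distinction a handshake-only scanner cannot see.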