I have an Azure Storage V2 account set up and I am trying to block TLS 1.0 and 1.1. I have set the Minimum TLS version to 1.2, but when I test the storage account using SSL Labs or other tools to test the TLS versions that are supported, they still report TLS 1.0 and 1.1 being enabled.
Below is a screenshot of the configuration from the Azure portal. I also checked in PowerShell and the Minimum TLS version reported is TLS1_2. Have I missed something or could this be because of something else?
During my attempts to reproduce this in a browser for my support ticket, I was able to verify that TLS 1.0 and 1.1 ARE being blocked, but not at the Session/Presentation layer (I know some debate exists whether TLS is at layer 5/6); they are blocked at the Application layer. The Azure Storage host accepts the TLS 1.0 connection and then checks your account's settings, and if the Minimum TLS version is not met, it throws an HTTP 400 error stating the TLS version is not permitted.
For my purposes, I will try to get this accepted by the auditors, as this will continue to fail the TLS-testing sites, but for any practical matter TLS 1.0/1.1 is blocked.
This is what Azure returns when you browse to the site with an unsupported TLS version: And the GET HTTP Response is 400 -
To test this I found that you can force Firefox to a Minimum / Maximum TLS version and then test this in a browser. To configure Firefox to allow TLS 1.0 follow these steps (obviously remember to change this back after testing):
You can then test any site using TLS 1.0.
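The same check can be scripted so the result can be handed to an auditor. This is an added example, not part of the original post: it pins a client to one TLS version, sends a GET, and reports whether the old version was refused at the handshake or by an HTTP 400 afterwards. `HOST` and `PATH` are hypothetical placeholders, and it assumes the local Python/OpenSSL build can still offer TLS 1.0/1.1.

```python
import socket
import ssl
import warnings

HOST = "youraccount.blob.core.windows.net"  # hypothetical placeholder
PATH = "/container/blob.txt"  # hypothetical; a URL that succeeds over TLS 1.2

def parse_status(raw: bytes):
    """Return the status code from a raw HTTP response, or None."""
    parts = raw.split(b"\r\n", 1)[0].split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None

def classify(handshake_ok: bool, status, baseline):
    """Name where the old version was refused; baseline is the TLS 1.2 status."""
    if not handshake_ok:
        return "blocked at TLS handshake"
    # A 400 only counts if the same request is not a 400 over TLS 1.2.
    if status == 400 and baseline != 400:
        return "handshake accepted, rejected at HTTP layer"
    if status is not None and status != 400 and status == baseline:
        return "not blocked"
    return "inconclusive"

def probe(host: str, path: str, version: ssl.TLSVersion, timeout: float = 10.0):
    """Pin the client to one TLS version, send a GET, return (handshake_ok, status)."""
    # Context setup is outside the try block so a local client that cannot
    # offer the old version raises instead of looking like a server-side block.
    ctx = ssl.create_default_context()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version  # lower the floor first, then cap it
        ctx.maximum_version = version
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # OpenSSL refuses TLS 1.0/1.1 at higher levels
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
                tls.sendall(req.encode())
                return True, parse_status(tls.recv(4096))
    except OSError:  # ssl.SSLError and socket errors are OSError subclasses
        return False, None

if __name__ == "__main__":
    _, baseline = probe(HOST, PATH, ssl.TLSVersion.TLSv1_2)
    for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1):
        print(v.name, "->", classify(*probe(HOST, PATH, v), baseline))
```

If the system-wide OpenSSL configuration forbids old protocol versions, the handshake fails locally and the script reports a handshake block that did not come from the server, so run it from a client known to support TLS 1.0.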