Impact of Disabling Weak Ciphers on App Service Environment

Madaan (Wipro), Sanket 26 Reputation points
2022-10-17T14:55:29.55+00:00

In the following article there are steps mentioned on how to disable or set your own cipher suite order for your App Service Environment.
https://learn.microsoft.com/en-us/azure/app-service/environment/app-service-app-service-environment-custom-settings#change-tls-cipher-suite-order

But I want to know: if I go ahead with the changes on the App Service Environment, will the change be reflected on every app in that App Service Environment?
If yes, suppose I only put the two ciphers mentioned in the article in cluster settings; these two ciphers are supported by TLS 1.2 only. Does that mean the application only supports TLS 1.2 even if the Minimum TLS Version on TLS Settings is 1.0? Will it cause any problems?


2 answers

  1. Michael Taylor 54,811 Reputation points
    2022-10-17T15:46:37.313+00:00

    SSL consists of 2 pieces - the protocol being used and the ciphers involved. When a site attempts to connect it sends along the TLS version and the supported ciphers. The server looks at the supported ciphers and sends back all the ciphers it supports. If there are none then the SSL connection fails. So if you are using ciphers that are not supported prior to TLS 1.2 then no client using a lesser version will have any ciphers the server allows. Therefore there is no benefit in supporting the earlier protocols.

    Most sites only support TLS 1.2 anyway as the earlier protocols are not supported. Therefore I would say support only TLS 1.2 and remove any deprecated ciphers. However there are more than a couple of ciphers that are still secure. You should enable all the secure ones. The fewer ciphers you support the more likely you are to have clients that don't support one of your ciphers and therefore fail to connect.


  2. SENU DANIEL PHILIP 1 Reputation point
    2022-12-01T06:45:15.993+00:00

    Does "Allow TLS 1.0 and 1.1" need to be set to the "Off" state before implementing

    "clusterSettings": [
        {
            "name": "FrontEndSSLCipherSuiteOrder",
            "value": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
        }
    ],

    Secondly, does the ASE need to be restarted for the change to take effect on all the app services in the single-tenant isolated ASE?
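
Added example (not part of the thread or of Microsoft's documentation): a small Python model of the point raised in the question, that the front-end suite list, and not only the Minimum TLS Version setting, decides which protocol versions a client can reach. `suite_versions` and `negotiable_versions` are hypothetical helper names; the model assumes IANA-style suite names as shown on this page and that the front end would otherwise accept every version from the configured minimum up to TLS 1.3.

```python
import json

# Constructed sample: the clusterSettings fragment from the thread, wrapped in
# braces so that it parses as standalone JSON.
SAMPLE = """{"clusterSettings": [{"name": "FrontEndSSLCipherSuiteOrder",
 "value": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}]}"""

VERSIONS = ["1.0", "1.1", "1.2", "1.3"]


def suite_versions(name):
    """Return the TLS versions in which a named cipher suite can be negotiated."""
    parts = name.split("_")
    # Older Schannel names carry a curve suffix such as _P256; drop it.
    if parts[-1].startswith("P") and parts[-1][1:].isdigit():
        parts.pop()
    if "WITH" not in parts:
        # TLS 1.3 suites (e.g. TLS_AES_256_GCM_SHA384) name no key exchange.
        return ["1.3"]
    if {"GCM", "CCM", "POLY1305"} & set(parts) or parts[-1] in ("SHA256", "SHA384"):
        # AEAD suites and SHA-2 MAC suites were introduced with TLS 1.2.
        return ["1.2"]
    # Remaining suites (CBC or RC4 with an MD5/SHA-1 MAC) work in TLS 1.0 to 1.2.
    return ["1.0", "1.1", "1.2"]


def negotiable_versions(settings_json, minimum_tls="1.0"):
    """TLS versions a client can actually negotiate, given the front-end suite
    list and the Minimum TLS Version setting (assumed model, see lead-in)."""
    settings = json.loads(settings_json)["clusterSettings"]
    order = next(s["value"] for s in settings
                 if s["name"] == "FrontEndSSLCipherSuiteOrder")
    allowed = VERSIONS[VERSIONS.index(minimum_tls):]
    usable = set()
    for suite in order.split(","):
        usable.update(suite_versions(suite.strip()))
    return [v for v in allowed if v in usable]


if __name__ == "__main__":
    # With only the two GCM suites, a minimum of 1.0 still leaves only TLS 1.2.
    print(negotiable_versions(SAMPLE, minimum_tls="1.0"))
```
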

