Disabling Week TLS weak Ciphers on Azure App Service

Question

Disabling Week TLS weak Ciphers on Azure App Service

Akila Weerathunge 41

looking for a way to disable these weak ciphers in Azure App Service. The minimum TLS version is set to 1.2.
However there are Weak ciphers in this TLS 1.2 Cipher Suites as following,

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1)
TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)

I have gone through the following article but i was not allowed to modify the ciphers in Azure Resource Manager.
https://learn.microsoft.com/en-us/azure/app-service/environment/app-service-app-service-environment-custom-settings#change-tls-cipher-suite-order

is there a way to disable these weak ciphers in Azure App Service.

Ryan Hill 30,281 Reputation points Microsoft Employee Moderator

2021-02-03T19:32:53.947+00:00

Hi @Akila Weerathunge , did you receive an error when trying to use Azure Resource Manager to update the ciphers? Can you post the error you received down below?

Regards,
Ryan
Akila Weerathunge 41 Reputation points

2021-02-04T01:58:41.883+00:00

Hi @Ryan Hill ,

This is the error Im reieving when trying to update it through Resource Manager.
Mat Powers 21 Reputation points

2022-04-25T11:02:39.98+00:00

Weak ciphers need to be disabled by Microsoft, but they appear unwilling to do so. Cynics may speculate that this is so that they can charge more for single tenant solutions or additional "front door services".

There is currently a User Voice entry posted 9 months ago (the most recent request) to have this done with only 4 votes here: 2da53629-ca25-ec11-b6e6-000d3a4f0f1c

Perhaps if this is more heavily upvoted it will raise awareness of this obvious security issue?

Accepted answer

0 additional answers

Your answer

Ryan Hill 30,281 Reputation points Microsoft Employee Moderator

2021-02-03T19:32:53.947+00:00

Hi @Akila Weerathunge , did you receive an error when trying to use Azure Resource Manager to update the ciphers? Can you post the error you received down below?

Regards,
Ryan
Akila Weerathunge 41 Reputation points

2021-02-04T01:58:41.883+00:00

Hi @Ryan Hill ,

This is the error Im reieving when trying to update it through Resource Manager.
Mat Powers 21 Reputation points

2022-04-25T11:02:39.98+00:00

Weak ciphers need to be disabled by Microsoft, but they appear unwilling to do so. Cynics may speculate that this is so that they can charge more for single tenant solutions or additional "front door services".

There is currently a User Voice entry posted 9 months ago (the most recent request) to have this done with only 4 votes here: 2da53629-ca25-ec11-b6e6-000d3a4f0f1c

Perhaps if this is more heavily upvoted it will raise awareness of this obvious security issue?

Answer 1

Ryan Hill 30,281 Microsoft Employee Moderator

Hi @Akila Weerathunge ,

clusterSettings are applied to Microsoft.Web/hostingEnvironements AppServiceEnvironment object. Your application; however, is hosted in the multitenant App Service environment SKU. Disabling ciphers through the clusterSettings property is only available on isolated, i.e. App Service Environment, SKUs. That's why you received the error message. There aren't any current plans to bring this capability to multitenant environments.

---
EDIT: 2022 Apr 26

The team is working to bring this to multitenant environments. Best estimate I can provide at this point in time is the fall of this year.

Regards,
Ryan

Beukes, Le Roi - Singapore 16 Reputation points

2021-05-11T02:59:08.913+00:00

When will Microsoft remove these 'weak ciphers' ?

These are showing up in almost every security report, having an ASE/AppGW etc. does help mitigate this but ideally Microsoft should remove these from the environment - even if it is multi-tenant.

Thank you
Ryan Hill 30,281 Reputation points Microsoft Employee Moderator

2021-05-11T14:59:29.287+00:00

Hi @Beukes, Le Roi - Singapore , I will see what I can find out from team.
Michael Morrissey 11 Reputation points

2021-05-17T14:29:44.557+00:00

When will Microsoft remove these 'weak ciphers' ?
Beukes, Le Roi - Singapore 16 Reputation points

2021-05-18T07:25:00.983+00:00

Thank you.
Ryan Hill 30,281 Reputation points Microsoft Employee Moderator

2021-05-18T14:28:36.07+00:00

@Michael Morrissey @Beukes, Le Roi - Singapore currently, there isn't a near term plan disabling these older ciphers on multi-tenant environments. If/when these changes are planned, they would be communicated well in advance.

For now, utilizing ASE or deploying an App Gateway upstream is still the best option for mitigating this issue.
Michael Morrissey 11 Reputation points

2021-05-20T13:31:35.91+00:00

Thanks for reverting. You linked a Sep 2017 Feedback Azure post. Is this really the latest information and plan from the Azure App Service team?
Rashmi Sajjan 56 Reputation points

2022-03-21T12:44:33.45+00:00

Any latest update on disabling these older ciphers on multi-tenant environments? We are facing similar issue from Security team.
Lennert Kuijpers 1 Reputation point

2022-10-18T06:35:01.767+00:00

The preview is now available

Public-preview-min-tls-cipher-suite.html
Beukes, Le Roi - Singapore 16 Reputation points

2024-06-13T01:43:58.2166667+00:00

An old post - but I see that this feature is now generally available via the update configuration api :

"properties.scmMinTlsVersion"

https://learn.microsoft.com/en-us/rest/api/appservice/web-apps/update-configuration?view=rest-appservice-2023-12-01

Share via

Disabling Week TLS weak Ciphers on Azure App Service

0 additional answers

Your answer