Disabling Weak TLS Ciphers on Azure Static Web App

Celso Teixeira 10 Reputation points
2023-01-13T17:54:30.42+00:00

Hi,

How can we disable weak ciphers on Azure Static Web App?

TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003D)

TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003C)

TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

TLS_RSA_WITH_AES_128_CBC_SHA (0x002F)

...

Thanks,

Azure Static Web Apps

1 answer

  1. Grmacjon-MSFT 19,301 Reputation points Moderator
    2023-01-18T01:49:08.1066667+00:00

    Hi @Celso Teixeira, thanks for the question.

    You can use a simple API call to disable weaker cipher suites. This Azure blog post shows how to disable weak TLS ciphers. Here is the same information below:

    Minimum TLS cipher suite is a property that resides in the site’s config and customers can make changes to disable weaker cipher suites by updating the site config through API calls. The minimum TLS cipher suite feature is currently not yet supported on the Azure Portal.

    Here is an example on how to select a minimum TLS cipher suite in order to disable weaker cipher suites.

    Let’s say, based on the list of supported TLS cipher suites, we would like to disable all the cipher suites that are weaker than TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA. In order to do this, we can call the Update Config API to set the property minTlsCipherSuite to TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA. Refer to the sample API call below.

    Take note that the API parameter for minTlsCipherSuite is case sensitive.

    PATCH https://management.azure.com/subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>/providers/Microsoft.Web/sites/<siteName>/config/web?api-version=2022-03-01 
    
    { 
      "properties": { 
        "minTlsCipherSuite": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" 
      } 
    } 
    

    After successfully updating the site config, we will see the value of the property minTlsCipherSuite change to the selected cipher suite, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA from the example above.

    We will also see the value of the property supportedTlsCipherSuites show a list of all the cipher suites that are enabled for the web app. In this case, the cipher suites that are weaker than the selected minimum cipher suite, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, will not show up in the supportedTlsCipherSuites property because they have been disabled for the web app.

    Hope that helps. Please let us know if you have further questions.

    Thanks,

    Grace

     


    If the reply is helpful, please Upvote and Accept as answer
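As an added example (not part of the answer above and not Microsoft's code), the following Python builds the PATCH request shown in the answer and checks a returned site config to confirm that the suites listed in the question no longer appear in supportedTlsCipherSuites. The function names, the bearer-token parameter and the two sample responses are assumptions constructed for illustration.

```python
import json
import urllib.request

API_VERSION = "2022-03-01"  # api-version used in the answer's sample call
MIN_SUITE = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"  # value chosen in the answer
# Suites the question asks to disable (names exactly as listed there).
UNWANTED = [
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

def build_patch(subscription_id, resource_group, site_name, min_suite, token):
    """Build (without sending) the Update Config PATCH request from the answer."""
    url = (
        "https://management.azure.com/subscriptions/" + subscription_id
        + "/resourceGroups/" + resource_group
        + "/providers/Microsoft.Web/sites/" + site_name
        + "/config/web?api-version=" + API_VERSION
    )
    body = json.dumps({"properties": {"minTlsCipherSuite": min_suite}}).encode()
    return urllib.request.Request(url, data=body, method="PATCH", headers={
        "Authorization": "Bearer " + token, "Content-Type": "application/json"})

def check_config(config, expected_min, unwanted=UNWANTED):
    """Return a list of problems in a site-config response (empty list = OK)."""
    props = config.get("properties", {})
    problems = []
    actual = props.get("minTlsCipherSuite")
    if actual != expected_min:  # exact match: the parameter is case sensitive
        problems.append("minTlsCipherSuite is %r, expected %r" % (actual, expected_min))
    enabled = set(props.get("supportedTlsCipherSuites") or [])
    problems += ["still enabled: " + s for s in unwanted if s in enabled]
    return problems

# Constructed sample responses (not real service output).
SAMPLE_BEFORE = {"properties": {"minTlsCipherSuite": None,
                                "supportedTlsCipherSuites": [MIN_SUITE] + UNWANTED}}
SAMPLE_AFTER = {"properties": {"minTlsCipherSuite": MIN_SUITE,
                               "supportedTlsCipherSuites": [MIN_SUITE]}}

if __name__ == "__main__":
    req = build_patch("<subscriptionId>", "<resourceGroup>", "<siteName>",
                      MIN_SUITE, "<access-token>")
    print(req.get_method(), req.full_url)
    print("before:", check_config(SAMPLE_BEFORE, MIN_SUITE))
    print("after: ", check_config(SAMPLE_AFTER, MIN_SUITE))
```

Pass the parsed JSON of a GET on the same config/web URL to check_config after the PATCH succeeds; any non-empty result means the change did not take effect as intended.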

