Will Azure CIS 1.3 policy "App Service apps should have 'Client Certificates (Incoming client certificates)' enabled" be updated to accommodate the latest change of setting Client Cert mode to Ignore if HTTP v2.0 is used?

Question

Will Azure CIS 1.3 policy "App Service apps should have 'Client Certificates (Incoming client certificates)' enabled" be updated to accommodate the latest change of setting Client Cert mode to Ignore if HTTP v2.0 is used?

Sharawat, Neetu 35

Due to the following change, we are not able to remediate the policy "App Service apps should have 'Client Certificates (Incoming client certificates)' enabled" anymore (because the Client Cert Mode is enforced to set to Ignore now when HTTP version is 2.0).

Are there any plans to update the built-in Azure CIS 1.3 policy to accommodate this change [meaning it will only get evaluated if HTTP version is not 2.0?]?

When selecting HTTP version 2.0, incoming client certificates must be ignored.

AnuragSingh-MSFT 21,551 Reputation points Moderator

2023-06-09T06:12:56.0766667+00:00

@Sharawat, Neetu , thank you for bringing it to our attention. I am looking into it and will get back to you with an update.

Accepted answer

0 additional answers

Your answer

AnuragSingh-MSFT 21,551 Reputation points Moderator

2023-06-09T06:12:56.0766667+00:00

@Sharawat, Neetu , thank you for bringing it to our attention. I am looking into it and will get back to you with an update.

Answer 1

AnuragSingh-MSFT 21,551 Moderator

@Sharawat, Neetu , thank you for reporting this issue and apologies for the delayed response.

I checked with the team owning this initiative and they are actively analyzing the CIS 1.3 policy and HTTP v2.0 requirement. This policy and the CIS initiative will be updated after the review to ensure that HTTP 2.0 based web apps do not run into this issue again.

Quach Keven 0 Reputation points

2023-11-21T11:38:49.35+00:00

Hello @AnuragSingh-MSFT , are there any news on this? I have encountered the same issue and it seems that this is not fixed at the moment.

This is our current setting:

HTTP 2.0 works with "client certificate mode: require". When I reselect HTTP 2.0 or switch to 1.1 and switch back to 2.0, it automatically changes the client certificate mode to "ignore", without any option to change it:
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Jake Davis 0 Reputation points

2023-11-29T23:06:21.45+00:00

Hi @AnuragSingh-MSFT , is there any update on this? I still cannot enable HTTP 2.0 and require incoming client certificates. We are not able to remediate the CIS 1.3 policy because we are using HTTP 2.0 which is the recommended version for better performance.
AnuragSingh-MSFT 21,551 Reputation points Moderator

2023-11-30T03:46:26.0733333+00:00

Hi Jake Davis & Quach Keven, I reached out to the team again and got to know that this is in progress. While I dont have an ETA, I am hoping that it should be done in the next few weeks.
Ben Eady 6 Reputation points

2023-12-02T22:39:41.0433333+00:00

Hi @AnuragSingh-MSFT , we are also encountering this issue with the NIST SP 800 53 R5 compliance policies. Could these also be included in this update?
AnuragSingh-MSFT 21,551 Reputation points Moderator

2023-12-04T03:55:53.65+00:00

Ben Eady, thank you for the update. The same policy is included in the NIST initiative too. Once the original policy gets updated, this initiative will be fixed as well.
Jake Davis 0 Reputation points

2023-12-04T21:02:11.7733333+00:00

Thanks, @AnuragSingh-MSFT . Keep us updated!
Sharawat, Neetu 35 Reputation points

2023-12-05T14:20:16.5+00:00

Thanks @AnuragSingh-MSFT . We created a custom policy to fix this.
Jake Davis 0 Reputation points

2024-01-05T02:26:36.5766667+00:00

@Sharawat, Neetu you created a custom policy to enable incoming client certificates and have HTTP version 2.0 for app services?
Jake Davis 0 Reputation points

2024-01-05T02:28:42.1833333+00:00

@Sharawat, Neetu You created a custom policy to enable both HTTP version 2.0 and incoming client certificates?
AnuragSingh-MSFT 21,551 Reputation points Moderator

2024-01-05T05:14:37.73+00:00

Jake Davis, a custom policy should not be required in this case as the built-in policy is already updated.

Please let me know if you are still facing this issue with HTTP 2.0 app service.
Jake Davis 0 Reputation points

2024-01-05T19:16:55.2733333+00:00
@AnuragSingh-MSFT

If I have these two policies enabled:

App Service apps should use latest 'HTTP Version'

App Service apps should have 'Client Certificates (Incoming client certificates)' enabled

Does that mean the app service with HTTP 2.0 version cannot have client certificates enabled? (Each time I enable HTTP version 2.0 in the portal, the incoming client portion is greyed out). Does that mean enabling both policies would make app service uncompliant? Any solution to this? Thanks
AnuragSingh-MSFT 21,551 Reputation points Moderator

2024-01-08T09:24:46.47+00:00

Jake Davis, thank you for the reply.
The HTTP 2.0 version does not have client certificate requirement. The second policy mentioned above, specifically checks if the web service has HTTP 2.0 enabled, and in this case does not check for client certificate. It is checked only for the previous versions.

Therefore, if you enable both the policies, they will not create conflict and should work together.

Hope this helps. Please feel free to post a new question, if you have a followup question so that we can keep the discussion on this thread scoped to a single topic.
Sharawat, Neetu 35 Reputation points

2024-01-08T14:58:07.8166667+00:00

@Jake Davis , the custom policy checked if the setting is HTTP 2.0, then ignore the check for incoming client certs.
AnuragSingh-MSFT 21,551 Reputation points Moderator

2024-01-09T04:32:48.3266667+00:00

Sharawat, Neetu, thank you for the reply and added clarification. As the question related to this thread has been addressed, please do click Accept answer so that it can help others in the community looking for help on similar topics.

Share via

Will Azure CIS 1.3 policy "App Service apps should have 'Client Certificates (Incoming client certificates)' enabled" be updated to accommodate the latest change of setting Client Cert mode to Ignore if HTTP v2.0 is used?

0 additional answers

Your answer