How to fix weak SSL Cipher?

Deshmukh, Vijit 491 Reputation points
2023-09-04T16:02:03.83+00:00

Hi Team,

As per security audit, our application has come under vulnerability stating:

Insecure Transport: Weak SSL Cipher, https://<webapp-name.azurewebsites.net:443/

We have deployed views js code as a front end service to the Azure App service.

Please let me know how to fix this alert.

Thanks,

Vijit

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
6,774 questions
{count} votes

Accepted answer
  1. VenkateshDodda-MSFT 17,826 Reputation points Microsoft Employee
    2023-09-05T04:16:01.8866667+00:00

    @Deshmukh, Vijit Thanks for reaching out to Microsoft Q&A, apologize for any inconvenience caused on this.

    Based on the shared information, I have understood that when you ran the security audit on one of your webapp it shows as weak cipher, and you want to update the cipher suite of that webapp.

    Recent update on App service front-ends has bring the capability of customizing TLS Cipher suite to customer who are running their app service on multi-tenant.

    Currently the minimum TLS cipher suite feature that allows web apps in multi-tenant premium App Service Plans to disable weaker cipher suites is in public preview.

    Below is the list of cipher suites that are listed in order from most secure to least secure.

    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, 
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 
    TLS_RSA_WITH_AES_256_GCM_SHA384, 
    TLS_RSA_WITH_AES_128_GCM_SHA256, 
    TLS_RSA_WITH_AES_256_CBC_SHA256, 
    TLS_RSA_WITH_AES_128_CBC_SHA256, 
    TLS_RSA_WITH_AES_256_CBC_SHA, 
    TLS_RSA_WITH_AES_128_CBC_SHA
    

    For example, if you want to disable all the cipher suites that are weaker than TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA you can do it by calling the WebApps-Update configuration REST API by set the property with value.

    "minTlsCipherSuite": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
    

    Refer to this blog post for more information on how to disable the weaker cipher suites on Azure App service.

    Feel free to reach back to me if you have any further questions on this.

    0 comments No comments

0 additional answers

Sort by: Most helpful