Handling End of TLS 1.0 Support in Azure App Services for Legacy Client Devices

Adam Lihm 20 Reputation points
2024-05-14T23:40:34.0833333+00:00

I am facing an issue with the upcoming end of support for TLS 1.0 in Azure App Services, as mentioned here. Additionally, the Azure documentation states that TLS 1.0 and 1.1 are considered legacy and not secure, recommending TLS 1.2 as the minimum version (reference).

Here is the specific text from the documentation:

"TLS 1.0 and 1.1 are considered legacy protocols and are no longer considered secure. It's generally recommended for customers to use TLS 1.2 as the minimum TLS version, which is also the default. To ensure backward compatibility for TLS 1.0 and TLS 1.1, App Service will continue to support TLS 1.0 and 1.1 for incoming requests to your web app. However, since the default minimum TLS version is set to TLS 1.2, you need to update the minimum TLS version configurations on your web app to either TLS 1.0 or 1.1 so the requests won't be rejected."

My challenge is that I have a legacy device that connects to my Azure App Service, and this device only supports TLS 1.0. Given the upcoming end of support for TLS 1.0, I need clarification and advice on the following points:

  • Does the end of support for TLS 1.0 mean that I will be unable to configure my Azure App Service to accept TLS 1.0 connections, or does it simply mean that TLS 1.0 will be unsupported but still configurable?
  • If TLS 1.0 connections will no longer be allowed, what are the recommended solutions for handling legacy devices that do not support newer TLS protocols?
  • Would hosting a proxy server that supports TLS 1.0 and forwards requests to my Azure App Service (which uses TLS 1.2) be a viable solution? If so, what are the best practices or recommended configurations for setting up such a proxy?

Any guidance or suggestions on how to handle this situation would be greatly appreciated. Thank you!


Accepted answer
  1. TP 80,586 Reputation points
    2024-05-15T00:03:47.52+00:00

    Hi Adam,

    There's been no announcement thus far saying that App Service will block you from allowing TLS 1.0/1.1. On other services they have specifically mentioned in documentation that TLS 1.2 will be minimum after the deadline.

    They are aware there are some people still using TLS 1.0/1.1 with App Service and in my opinion (based on experience) they will not suddenly block TLS 1.0/1.1 without specific warning.

    Let's say they do block TLS 1.0/1.1 for App Services. What you could do instead is run your app in an Azure VM. Another alternative as you mentioned would be a reverse proxy that accepts TLS 1.0 and then establishes a TLS 1.2 connection to your App Service.

    Please click Accept Answer and upvote if the above was helpful.

    Thanks.

    -TP


1 additional answer

  1. Umesh Pandit 21 Reputation points
    2024-05-14T23:53:56.07+00:00

    The end of support for TLS 1.0 and 1.1 in Azure App Services is indeed a significant change, especially for legacy client devices that only support these versions.

    Here's some information that might help:

    • Azure support for TLS 1.0 and 1.1 will end by 31 October 2024. This is part of an effort to enhance security and provide best-in-class encryption for your data.
    • Despite this, Azure App Service will continue to support TLS 1.0 and 1.1 for incoming requests to your web app to ensure backward compatibility.

    However, since the default minimum TLS version is set to TLS 1.2, you need to update the minimum TLS version configurations on your web app to either TLS 1.0 or 1.1 so the requests won't be rejected.

    • If your resources that interact with Azure services are already exclusively using TLS 1.2 or later, you don't need to take further action. If they still have a dependency on TLS 1.0 or 1.1, transition them to TLS 1.2 or later by 31 October 2024.

    For legacy devices that only support TLS 1.0, here are a couple of potential solutions:

    1. Update the Device:

    If possible, update the firmware or software on the device to support a newer version of TLS.

    2. Use a Proxy Server:

    If updating the device isn't an option, you could consider setting up a proxy server that supports TLS 1.0 and forwards requests to your Azure App Service (which uses TLS 1.2). This would allow the legacy device to communicate with the proxy server using TLS 1.0, and the proxy server would then communicate with Azure using TLS 1.2.

    Used Copilot and Adjusted the output

    Source:

    https://stackoverflow.com/questions/78475044/handling-end-of-tls-1-0-support-in-azure-app-services-for-legacy-client-devices

    https://azure.microsoft.com/en-us/updates/azure-support-tls-will-end-by-31-october-2024-2/

    https://learn.microsoft.com/en-us/answers/questions/1431848/is-it-possible-to-keep-old-app-services-using-tls
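
The reverse proxy that both answers describe, shown as an added nginx configuration example (not part of the original thread, and not Microsoft guidance): the listener accepts TLS 1.0 from the legacy device, while the connection to App Service is pinned to TLS 1.2 or later with certificate verification. The hostnames, certificate paths and device IP address are placeholders.

```nginx
# Added example. Placeholders: legacy-gw.example.com, example-app.azurewebsites.net,
# the certificate paths and the device address 203.0.113.10.

server {
    listen 443 ssl;
    server_name legacy-gw.example.com;

    ssl_certificate     /etc/nginx/tls/legacy-gw.crt;
    ssl_certificate_key /etc/nginx/tls/legacy-gw.key;

    # Front side: enable only the legacy version the device needs, plus
    # current versions. TLS 1.1 is left out because nothing here uses it.
    ssl_protocols TLSv1 TLSv1.2 TLSv1.3;

    # OpenSSL 3.x rejects TLS 1.0 handshakes at its default security level,
    # so the level has to be lowered for this listener to work at all.
    # Keep this server block on a dedicated address or port.
    ssl_ciphers "DEFAULT:@SECLEVEL=0";
    ssl_prefer_server_ciphers on;

    # Requests from any other address are refused. This check runs after the
    # TLS handshake, so also restrict the port at the firewall or NSG.
    allow 203.0.113.10;
    deny  all;

    location / {
        # Back side: never fall below TLS 1.2 towards App Service.
        proxy_pass https://example-app.azurewebsites.net;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        # Send SNI and verify the App Service certificate; nginx does
        # neither by default for upstream HTTPS connections.
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 3;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        # Preserve the device address for application logs.
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
```

With this in place the App Service itself can stay at its default minimum of TLS 1.2; only the hop between the device and the proxy uses TLS 1.0.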