Support for TLS_RSA_WITH_AES_128_CBC_SHA256 in Azure App Services (Logic App)

mandarm-8234 20 Reputation points


I am integrating MQ Connector in my Logic App. The MQ server's MQ channel is configured with a certificate having TLS_RSA_WITH_AES_128_CBC_SHA256 Cipher suite.

However in Azure App Service plan, we cannot precise Cipher suites and the connection fails on the Logic App.

More so, when we test with the server's another MQ channel with a certificate ANY_TLS12_OR_HIGHER, the connection passes and I receive the message.

Can you advise how to solve this error ?

Azure Logic Apps
Azure Logic Apps
An Azure service that automates the access and use of data across clouds without writing code.
2,948 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,212 questions
0 comments No comments
{count} votes

Accepted answer
  1. Sina Salam 5,716 Reputation points

    Hello Mandar Mahadadalkar ,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.


    I understand that you are encountering an issue with integrating an MQ Connector in your Logic App due to a mismatch in supported cipher suites. The MQ server's MQ channel is configured with a TLS_RSA_WITH_AES_128_CBC_SHA256 cipher suite, the connection fails when using this specific cipher suite. However, when you test with another MQ channel using a certificate with the ANY_TLS12_OR_HIGHER configuration, the connection succeeds. You would like to know how to solve the issue.


    To solve these challenges, you need to understand that the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256 is indeed considered a weak cipher and is not recommended for use in Azure App Service that was the reason it fails. There are some resources that confirm this:

    Update the MQ Channel Configuration

    However, you can update the MQ Channel Configuration by access your MQ server's configuration and identify the channel that is currently using TLS_RSA_WITH_AES_128_CBC_SHA256 and also, update the channel's cipher specification to use ANY_TLS12_OR_HIGHER or a more inclusive set of cipher suites.

    Example of the code is here after you have connected to your queue manager CMD:


    Reconfigure MQ Channel

    Secondly, you can change the MQ channel configuration to use a more general TLS configuration like ANY_TLS12_OR_HIGHER. If the above not working, because you need to Reconfigure MQ Channel. For resources on how you can achieve a step by step configurations are here in the links below:

    OPTION to Configure Custom TLS/SSL Policies

    Thirdly, if applicable to your environment you will need to configure custom TLS/SSL policies in ASE.

    Kindly check the resources below to be able to achieve this:

    Make Azure Function as a proxy

    Fourthly, in this option, you can use an Azure Function as a proxy to handle the connection with the required cipher suite. Kindly use the below links for more details step-by-steps:


    The resources used above as a link served as the original source for this solution.

    Accept Answer

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    ** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

    Best Regards,

    0 comments No comments

0 additional answers

Sort by: Most helpful