Getting the following vulnerability results from Tenable scans for APIM (API Management Service) and Azure SQL Server when we have already set min_tls_version to TLS 1.2

Kim Patrick Delos Reyes 26

SSL Medium Strength Cipher Suites Supported (SWEET32)
TLS Version 1.0 Protocol Detection

The scan is made against domain <sqlservername>.database.windows.net

Kim Patrick Delos Reyes 26 Reputation points

2021-07-06T08:34:04.703+00:00

Is this a false positive or how can this vulnerability result be fixed? we've already set to TLS1.2

1 answer

KalyanChanumolu-MSFT 8,316 Reputation points

2021-07-06T09:52:56.647+00:00

@Kim Patrick Delos Reyes Thank you for reaching out.

Please check if you have Minimum TLS version set to 1.2 on the Azure SQL Server.
If yes, there shouldn't be any further action from your end.

You may want to post this issue on the Tenable community for a more appropriate response on the scans.

----------

If an answer is helpful, please "Accept answer" or "Up-Vote" which might help other community members reading this thread.
And if you have further questions or issues, please let us know.
Please sign in to rate this answer.
Kim Patrick Delos Reyes 26 Reputation points

2021-07-06T10:45:22.157+00:00

@KalyanChanumolu-MSFT - Yes, I can confirm all our services are at Minimum TLS version set to 1.2 per screenshot.
As the scan results are against URL <sqlservername>.database.windows.net, does it mean our Azure resources at TLS 1.2 does not support the use of these SSL ciphers and can be considered false positives?

We can also see these results on our APIM resources agains <api-name>.azure-api.net

Any links for reference that can support evidence will be helpful

KalyanChanumolu-MSFT 8,316 Reputation points

2021-07-06T17:29:41.377+00:00

@Kim Patrick Delos Reyes Here is an extract from this article regarding TLS 1.2

All Azure services fully support TLS 1.2 and services where customers are using only TLS 1.2 have made a switch to accept only TLS 1.2 traffic.

However, if you have older versions of non-microsoft clients or drivers using versions less than TLS 1.2, here are some security best practices and guidelines

I am not aware of the tenable scans, so I suggest you post the question on their community to understand the results better

----------

If an answer is helpful, please "Accept answer" or "Up-Vote" which might help other community members reading this thread.
And if you have further questions or issues, please let us know.
Sign in to comment