How to know if an Azure Server is under TLS 1.2

4
votes

We have a web app hosted in an Azure Server (using api in an Azure Server). For security purposes we'd like to know if the server is under tls 1.2 (I suppose for a non-cloud server we'll just have to see in regedit to know it).

I've seen topics on how to disabled ssl 3 from an azure server see at :

https://azure.microsoft.com/fr-fr/blog/how-to-disable-ssl-3-0-in-azure-websites-roles-and-virtual-machines/

I suppose to enable tls 1.2 we'll have to do this kind of things ...

So my questions are : - How to know if the azure server is under tls 1.2 - if not, how to set the azure server to tls 1.2

Thanx for your help.

4
azuressltls1.2
Did you check the (updated) heading? Azure Websites has disabled SSL 3.0 for all sites by default to protect our customers from the vulnerability mentioned before. Customers no longer need to take any action to disable SSL 3.0 in Azure Websites. Panagiotis Kanavos
yes I think I've seen this, this isn't the question ...fguigui
That means that there is no SSL anymore, everything is TLS already. You can check whether its TLS 1.1 or 1.2 from your browser. In Chrome, go to F12 (Developer Tools) > SecurityPanagiotis Kanavos
it seems you're right Panagiotis !fguigui

4 Answers

7
votes

As of today 2018-04-30, you can modify your site to only serve TLS 1.2 and up by going to your app service, then TLS/SSL settings, then setting your minimum TLS Version.

azure portal ssl settings

3
votes

enter image description here

So after the good advice of Panagiotis, we can see this in Chrome/F12 Security, it is said that we're under TLS 1.2, but the cypher is obsolete, the question now would be how to put an up to date cypher, any idea ?

2
votes

As Panagiotis Kanavos correctly points out:

Azure Websites has disabled SSL 3.0 for all sites by default to protect our customers from the vulnerability mentioned before. Customers no longer need to take any action to disable SSL 3.0 in Azure Websites.

But, here's some specific answers to your questions:

How to know if the azure server is under TLS 1.2?

Check your site with: https://www.ssllabs.com/ssltest/index.html (search for "protocol" and you'll find a list of SSL/TLS versions allowed/disallowed).

If not, how to set the azure server to TLS 1.2?

Start here: How do I disable SSL fallback and use only TLS for outbound connections in .NET? (Poodle mitigation) (requires .NET 4.6).

Then combine with this: https://www.leowkahman.com/2017/07/04/how-to-disable-tls-1-0-on-an-azure-app-service/ (not supported).

Or this: https://docs.microsoft.com/en-au/azure/app-service-web/app-service-app-service-environment-custom-settings (supported).

1
votes

There are caveats to this setting. Apparently, its not just this setting that controls the transport level outbound communication. We have a situation where we are communicating with a third-party API which is only supporting TLS 1.2 and communication fails with either of this Minimum TLS version 1.0,1.1 and 1.2 on Azure App Service. The hosted app is a .Net Web API on Framework 4.7. So, we had to make this change in Global.asax --> Application_Start so the code tries to communicate with 1.2 and if it fails it tries with 1.1 and then system default.

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls | SecurityProtocolType.SystemDefault;