Weak SSL Protocol TLS v1.0 in web inspect

0
votes

I am running HP WebInspect tool on a website ( .NET) deployed in Azure. I get a critical Issue on Weak SSL Protocol TLS v1.0 .(More details on error below) . What fix is required to remove this Issue?

Details:

TLS 1.0 is considered insecure as it lacks support for strong ciphersuites and is known to be plagued by several known vulnerabilities. It either uses RC4 cipher, which is prone to bias attacks or uses Cipher Block Chaining (CBC) mode cipher, which enables condition for POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. NIST Special Publication 800-52 Revision 1 no longer considers TLS 1.0 as strong cryptography. TLS 1.0 is also no longer in compliance with PCI DSS v3.1 requirements. PCI does not consider TLS 1.0 to be adequate to protect cardholder data and has deprecated its use starting June 2016. Update: PCI DSS has extended deadline for migration to TLS1.1 or above to June 30, 2018.

2
.netazuresslazure-web-app-servicetls1.2

2 Answers

0
votes

According to you description, I used https://www.ssllabs.com/ssltest/ to check the supported Protocols provided by Azure Web Apps as follows:

enter image description here

Also, I checked my azure web app and found that it is under TLS 1.2, but the cipher is obsolete as follows:

enter image description here

I assumed that you are talking about setting TLS to a higher version or disabling the TLS 1.0. And I found a official blog about How to disable TLS 1.0 on an Azure App Service Web App, and you could Configure TLS for App Service Environments, but it is much expensive.

Moreover, I found a feedback about Disable TLS1.0, and someone commented that you could disable TLS 1.0 on Azure Web App via using the custom domain and Application Gateway, details you could follow here. Additionally, you could use Azure Cloud Service or VMs for controlling it instead of Azure Web Apps.

0
votes

Your problem is not TLS 1.2. Rather, it is the HMAC-SHA1. The hashing you have is using SHA1 (secure hash algorithm), giving you 160 bit hashes via Message Digest (MD). If you look it up you'll find that MD5 is a form of message digest that is considered to be broken (flawed). It turns out that SHA1 is derived from MD4 (and MD4 is an earlier form of MD5) and so it is broken.

The standard is now to use SHA256 (a keyed-hash message authentication code). While you are at this, ensure that for a production site you use a key length greater than 1024 bits. There are 2 common keys, Diffie-Hellman and RSA. So, look for a cipher that gives at least 2048 bit DH or RSA keys.