1 vote

A customer ran a scan on an IoT Edge (v1.0.9.1) device and discovered that non-recommended versions of the TLS protocol are enabled by default.

  • TLS Version 1.0 Protocol (TCP/5671), Severity: High
  • TLS Version 1.1 Protocol (TCP/5671), Severity: Medium

Is there a way to configure IoT Edge (by default) to:

  • Disable usage of TLS 1.0 / 1.1
  • Only use TLS 1.2 for inbound / outbound communications?
  • Disable the iot-edge gateway functionality (‘standard iot edge’ device scenario)

I saw the links below but wanted to know if there are other options to offer the customer.

Control TLS version and ciphers exposed by IoT Edge Hub
https://github.com/Azure/iotedge/tree/master/edge-modules/edgehub-proxy

TLS 1.2 enforcement available in select regions (Azure IoT Hub TLS support | Microsoft Docs)
https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-tls-support

1
Could you please provide more info about your situation? It is not clear to me whether this belongs on SO or may be better answered on ServerFault. Are you writing code as part of this or simply configuring a server? – Beefster

1 Answer

0
votes

Release 1.0.10 of IoT Edge Hub has an environment variable SslProtocols which you can use to control this. A full listing of available environment variables for system modules is available in the GitHub repo.


When not used in a gateway configuration, one can remove the host port binding setting from edgeHub. Follow resolution steps for this issue (not related).
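To illustrate both points of the answer side by side, here is an added example (not from the original post or the Azure IoT Edge project) showing the relevant `$edgeAgent` desired-properties fragment of a deployment manifest: the left-hand shape is what a default edgeHub looks like (host port bindings exposed, no SslProtocols set), and the right-hand shape pins edgeHub to TLS 1.2 and drops the host bindings for a device that does not act as a gateway. The value `"tls1.2"` for SslProtocols is an assumption about the variable's accepted format and should be checked against the environment-variable listing in the repo.

```json
{
  "_comment": "Added example. Two shapes of the edgeHub system module; deploy only one.",

  "edgeHub_default_before": {
    "type": "docker",
    "status": "running",
    "restartPolicy": "always",
    "settings": {
      "image": "mcr.microsoft.com/azureiotedge-hub:1.0.10",
      "createOptions": "{\"HostConfig\":{\"PortBindings\":{\"5671/tcp\":[{\"HostPort\":\"5671\"}],\"8883/tcp\":[{\"HostPort\":\"8883\"}],\"443/tcp\":[{\"HostPort\":\"443\"}]}}}"
    }
  },

  "edgeHub_hardened_after": {
    "type": "docker",
    "status": "running",
    "restartPolicy": "always",
    "settings": {
      "image": "mcr.microsoft.com/azureiotedge-hub:1.0.10",
      "createOptions": "{}"
    },
    "env": {
      "SslProtocols": {
        "value": "tls1.2"
      }
    }
  }
}
```

The `env` block goes on the `edgeHub` entry under `systemModules` in the `$edgeAgent` desired properties; an empty `createOptions` removes the host port bindings, so downstream devices can no longer reach edgeHub on 5671/8883/443, which is only appropriate when the device is not used as a gateway.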