Posted October 23, 2023

Overview

Most Microsoft Azure services already operate in TLS 1.2-only mode. A limited number of services still allow TLS 1.0 and 1.1 to support customers with legacy needs. For customers who use those services and must meet compliance requirements, we have provided instructions on how to ensure that legacy protocol versions and cipher suites are not negotiated.

For example, HDInsight exposes the minSupportedTlsVersion property in its Resource Manager template. The property accepts three values, "1.0", "1.1" and "1.2", which correspond to TLS 1.0 and above, TLS 1.1 and above, and TLS 1.2 and above respectively; customers set the allowed minimum version for their HDInsight resource through it.

This document presents the latest information on TLS protocol and cipher suite support, with links to the relevant documentation for each Azure offering. For offerings that still allow legacy protocols to support customers with legacy needs, TLS 1.2 remains the preferred version, and the linked documentation explains what needs to be done to ensure TLS 1.2 is negotiated in all scenarios.
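The minimum-version knob described above is set per service. The following Az PowerShell script is an added example, not code from the original post or from Microsoft: it checks an ARM template offline for HDInsight clusters that do not declare minSupportedTlsVersion = "1.2", and then audits and optionally remediates two further offerings from the table below that expose the same kind of property on existing resources, Storage accounts (MinimumTlsVersion) and Azure SQL logical servers (MinimalTlsVersion). It goes beyond the HDInsight case in the text for that reason. It assumes the Az.Accounts, Az.Storage and Az.Sql modules are installed, an authenticated session (Connect-AzAccount) with reader rights for the audit and contributor rights for the remediation, and a template file path supplied by the caller.

```powershell
# Added example: audit and enforce TLS 1.2 minimums on Azure resources.
# Not code from the original post or from Microsoft. Assumes the Az.Accounts,
# Az.Storage and Az.Sql modules and an authenticated session (Connect-AzAccount).
#Requires -Modules Az.Accounts, Az.Storage, Az.Sql

# 1) Offline check of an ARM template before deployment: every HDInsight cluster
#    resource should declare minSupportedTlsVersion = "1.2" (the property the
#    overview describes). A missing property means the service default applies.
function Test-HDInsightTemplateTls {
    param([Parameter(Mandatory)][string]$TemplatePath)
    $template = Get-Content -Raw -Path $TemplatePath | ConvertFrom-Json
    foreach ($res in $template.resources) {
        if ($res.type -ne 'Microsoft.HDInsight/clusters') { continue }
        $min = $res.properties.minSupportedTlsVersion
        [pscustomobject]@{
            Resource  = $res.name
            MinTls    = if ($min) { $min } else { '(not set: service default)' }
            Compliant = ($min -eq '1.2')
        }
    }
}

# 2) Live audit of existing resources in the current subscription.
#    Storage accounts expose MinimumTlsVersion (TLS1_0, TLS1_1, TLS1_2; older
#    accounts may have it unset). Azure SQL logical servers expose
#    MinimalTlsVersion ("1.0", "1.1", "1.2", or "None" = no minimum enforced).
function Get-LegacyTlsResources {
    $findings = @()
    foreach ($sa in Get-AzStorageAccount) {
        if ($sa.MinimumTlsVersion -ne 'TLS1_2') {
            $findings += [pscustomobject]@{
                Kind = 'StorageAccount'; ResourceGroup = $sa.ResourceGroupName
                Name = $sa.StorageAccountName; Current = $sa.MinimumTlsVersion
            }
        }
    }
    foreach ($srv in Get-AzSqlServer) {
        if ($srv.MinimalTlsVersion -ne '1.2') {
            $findings += [pscustomobject]@{
                Kind = 'SqlServer'; ResourceGroup = $srv.ResourceGroupName
                Name = $srv.ServerName; Current = $srv.MinimalTlsVersion
            }
        }
    }
    return $findings
}

# 3) Remediation. Raising the minimum breaks every client that cannot negotiate
#    TLS 1.2, so run without -Enforce first and review the findings.
function Set-Tls12Minimum {
    param([Parameter(ValueFromPipeline)]$Finding, [switch]$Enforce)
    process {
        if (-not $Enforce) {
            Write-Host "Would enforce TLS 1.2 on $($Finding.Kind) $($Finding.Name) (currently: $($Finding.Current))"
            return
        }
        switch ($Finding.Kind) {
            'StorageAccount' {
                Set-AzStorageAccount -ResourceGroupName $Finding.ResourceGroup -Name $Finding.Name `
                    -MinimumTlsVersion TLS1_2 | Out-Null
            }
            'SqlServer' {
                Set-AzSqlServer -ResourceGroupName $Finding.ResourceGroup -ServerName $Finding.Name `
                    -MinimalTlsVersion '1.2' | Out-Null
            }
        }
        Write-Host "Enforced TLS 1.2 on $($Finding.Kind) $($Finding.Name)"
    }
}

# Usage (template path is an assumption for illustration):
#   Test-HDInsightTemplateTls -TemplatePath .\hdinsight.json | Format-Table
#   Get-LegacyTlsResources | Format-Table
#   Get-LegacyTlsResources | Set-Tls12Minimum            # dry run
#   Get-LegacyTlsResources | Set-Tls12Minimum -Enforce   # apply
```

The dry run matters: a Storage account or SQL server that is still at TLS 1.0 usually has a reason, typically an old client library or an appliance, and the linked per-service documents describe what that client needs before the minimum can be raised safely.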
Documentation Links

Each entry gives the Azure offering followed by the title (or URL) of its TLS documentation; multiple documents are separated by semicolons.

API Management: Manage protocols and ciphers in Azure API Management
App Service: Secure a custom DNS with a TLS/SSL binding - Azure App Service; Set up staging environments - Azure App Service
Application Gateway: TLS policy overview for Azure Application Gateway; Configure TLS policy using PowerShell - Azure Application Gateway
Azure App Service - Azure Arc: Secure a custom DNS with a TLS/SSL binding - Azure App Service; Set up staging environments - Azure App Service
Azure App Service Static Web Apps: Secure a custom DNS with a TLS/SSL binding - Azure App Service; Set up staging environments - Azure App Service
Azure Cognitive Search: Security overview - Azure Cognitive Search
Azure Cosmos DB: https://devblogs.microsoft.com/cosmosdb/tls-1-2-enforcement/
Azure Database for MariaDB: SSL/TLS connectivity - Azure Database for MariaDB; Connectivity settings for Azure SQL Database and Azure Synapse Analytics - Azure SQL Database and Azure Synapse Analytics
Azure Database for MySQL: SSL/TLS connectivity - Azure Database for MySQL; Connectivity settings for Azure SQL Database and Azure Synapse Analytics - Azure SQL Database and Azure Synapse Analytics
Azure Database for PostgreSQL: Single Server - SSL/TLS - Azure Database for PostgreSQL - Single Server; Flexible Server - Encrypted connectivity using TLS/SSL in Azure Database for PostgreSQL - Flexible Server; Connectivity settings for Azure SQL Database and Azure Synapse Analytics - Azure SQL Database and Azure Synapse Analytics
Azure Front Door / Azure Front Door X: Azure Front Door - Frequently asked questions
Azure SQL: Connectivity settings for Azure SQL Database and Azure Synapse Analytics - Azure SQL Database and Azure Synapse Analytics
Azure SQL Database Edge: Connectivity settings for Azure SQL Database and Azure Synapse Analytics - Azure SQL Database and Azure Synapse Analytics
Azure Synapse Analytics: Connectivity settings for Azure SQL Database and Azure Synapse Analytics - Azure SQL Database and Azure Synapse Analytics
Azure Web Application Firewall: TLS policy overview for Azure Application Gateway; Configure TLS policy using PowerShell - Azure Application Gateway; Azure Front Door - Frequently asked questions
Cloud Services: Troubleshooting issues caused by applications that don't support TLS 1.2
Common Data Service: Server cipher suites and TLS requirements - Power Platform; Important changes (deprecations) coming in Power Apps and Power Automate - Power Platform
Dynamics 365 AI Customer Insights: Security overview - Azure Cognitive Search; Frequently asked questions; Upgrade the TLS version of your Power BI application to TLS 1.2 | A...; Transport layer security in Azure HDInsight; https://devblogs.microsoft.com/cosmosdb/tls-1-2-enforcement/; Enforce a minimum required version of Transport Layer Security (TLS) for incoming requests - Azure Storage; Azure security baseline for Service Fabric; Service-Fabric-Troubleshooting-Guides/Security/TLS Configuration.md at master · Azure/Service-Fabric-Troubleshooting-Guides
Dynamics 365 Fraud Protection: Upgrade the TLS version of your Power BI application to TLS 1.2 | A...
Event Grid: Azure security baseline for Event Grid
Event Hubs: Add support for TLS 1.1 and TLS 1.2 on Service Bus for Windows Server 1.1 - Microsoft Support
Functions: Secure a custom DNS with a TLS/SSL binding - Azure App Service; Set up staging environments - Azure App Service
HDInsight: Transport layer security in Azure HDInsight
IoT Hub: Azure IoT Hub TLS support
Key Vault: Azure Key Vault security overview
Logic Apps: Secure access and data - Azure Logic Apps
Microsoft Azure Managed Instance for Apache Cassandra: https://devblogs.microsoft.com/cosmosdb/tls-1-2-enforcement/
Microsoft Forms Pro: Important changes (deprecations) coming in Power Apps and Power Automate - Power Platform; Server cipher suites and TLS requirements - Power Platform
Notification Hubs: Add support for TLS 1.1 and TLS 1.2 on Service Bus for Windows Server 1.1 - Microsoft Support; Notification Hubs TLS updates
Power Apps: Frequently asked questions; https://social.technet.microsoft.com/Forums/92811d44-1165-4da2-96e7-20dc99bdf718/can-power-query-be-updated-to-use-tls-version-12?forum=powerquery; Upgrade the TLS version of your Power BI application to TLS 1.2 | A...; Manage protocols and ciphers in Azure API Management
Power Automate: https://docs.microsoft.com/power-platform/admin/wp-compliance-data-privacy#data-protection; Frequently asked questions; https://social.technet.microsoft.com/Forums/92811d44-1165-4da2-96e7-20dc99bdf718/can-power-query-be-updated-to-use-tls-version-12?forum=powerquery; Upgrade the TLS version of your Power BI application to TLS 1.2 | A...; Manage protocols and ciphers in Azure API Management; Secure access and data - Azure Logic Apps
Power BI: Upgrade the TLS version of your Power BI application to TLS 1.2 | A...
Power BI Embedded: Upgrade the TLS version of your Power BI application to TLS 1.2 | A...
Service Bus: Add support for TLS 1.1 and TLS 1.2 on Service Bus for Windows Server 1.1 - Microsoft Support
Service Fabric: Azure security baseline for Service Fabric; Service-Fabric-Troubleshooting-Guides/Security/TLS Configuration.md at master · Azure/Service-Fabric-Troubleshooting-Guides
SQL Server Stretch Database: Connectivity settings for Azure SQL Database and Azure Synapse Analytics - Azure SQL Database and Azure Synapse Analytics
Storage: Enforce a minimum required version of Transport Layer Security (TLS) for incoming requests - Azure Storage; https://docs.microsoft.com/azure/import-export/; https://azure.microsoft.com/updates/afstlssupport/
VPN Gateway: https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-vpn-faq#tls1

FAQ (Frequently Asked Questions)

What is meant by legacy protocols?
Legacy protocols are defined as any protocol version lower than TLS 1.2.

What is meant by legacy cipher suites?
Cipher suites that were considered safe in the past but are no longer strong enough, or that do not provide perfect forward secrecy (PFS). While these cipher suites are considered legacy, they are still supported for some backward-compatibility customer scenarios.

What is the Microsoft preferred cipher suite order?
For legacy purposes, Windows supports a large list of cipher suites by default. For all Microsoft Windows Server versions (2016 and higher), the following cipher suites are the preferred set, listed in order of preference; the set is defined by Microsoft's security policy. Note that Windows uses the IANA (Internet Assigned Numbers Authority) cipher suite notation; this link shows the IANA to OpenSSL mapping.

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

Why is ChaCha20-Poly1305 not included in the list of approved ciphers?
ChaCha20-Poly1305 cipher suites are supported by Windows and can be enabled in scenarios where customers control the OS.

Why are CBC ciphers included in the Microsoft preferred cipher suite order?
The default Windows image includes CBC cipher suites. There are no known vulnerabilities in these CBC-mode cipher suites, and Windows has mitigations for the CBC side-channel attacks. Because the preferred order places the four AEAD (GCM) suites ahead of the four CBC suites, a client that supports GCM never negotiates CBC; the CBC suites are only reached by clients that offer nothing better.

Microsoft’s preferred cipher suite order for Windows includes 128-bit ciphers. Is there an increased risk with using these ciphers?
AES-128 does not introduce any practical risk, but different customers may have different preferences with regard to the minimum key lengths they are willing to negotiate. Our preferred order prioritizes AES-256 over AES-128. In addition, customers can adjust the order using the TLS cmdlets. There is also a group policy option detailed in this article: Prioritizing Schannel Cipher Suites - Win32 apps | Microsoft Docs.

Thanks for reading!
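The FAQ above names the preferred set and points at the TLS cmdlets for adjusting it. The script below is an added example, not code from the original post or from Microsoft: it reads the live Schannel cipher suite list with Get-TlsCipherSuite, classifies each suite from its IANA name (preferred, TLS 1.3, no forward secrecy, deprecated algorithm, or merely outside the preferred set), and optionally removes the legacy ones with Disable-TlsCipherSuite. It assumes a Windows Server 2016 or later host with the built-in TLS module, an elevated session for the remediation, and that the ChaCha20 suite names and their availability (assumed: Windows Server 2022 / Windows 11 or later) are correct for your build.

```powershell
# Added example: audit the local Schannel cipher suite list against the Microsoft
# preferred set from the FAQ. Not code from the original post or from Microsoft.
# Uses the built-in TLS module (Get-TlsCipherSuite, Disable-TlsCipherSuite,
# Enable-TlsCipherSuite), Windows Server 2016 and later. Run elevated to change
# anything.

# The eight suites the FAQ lists, in Microsoft's preferred order.
$PreferredSuites = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'
)

function Get-CipherSuiteAudit {
    # Get-TlsCipherSuite returns the enabled suites in negotiation priority order.
    $enabled = @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name)
    $pos = 0
    foreach ($name in $enabled) {
        $pos++
        # Classification from the IANA name. "TLS_RSA_" means static RSA key
        # exchange, i.e. no forward secrecy (the FAQ's second legacy criterion).
        # RC4, 3DES, NULL, MD5 and EXPORT suites are the "no longer strong enough"
        # criterion. TLS_AES_/TLS_CHACHA20_ are TLS 1.3 suites with no key
        # exchange in the name and are not legacy.
        $status = switch -Regex ($name) {
            'NULL|RC4|3DES|_MD5|_EXPORT' { 'deprecated algorithm'; break }
            '^TLS_RSA_'                  { 'no forward secrecy'; break }
            '^TLS_AES_|^TLS_CHACHA20_'   { 'TLS 1.3 suite'; break }
            default {
                if ($PreferredSuites -contains $name) { 'preferred' } else { 'not in preferred set' }
            }
        }
        [pscustomobject]@{ Position = $pos; Name = $name; Status = $status }
    }
}

function Disable-LegacyCipherSuites {
    # Dry run by default; -Enforce actually removes the suites from the local
    # Schannel list. Note that a "SSL Cipher Suite Order" group policy, if set,
    # overrides the local list, so check the audit output again afterwards.
    param([switch]$Enforce)
    $targets = Get-CipherSuiteAudit |
        Where-Object { $_.Status -in 'deprecated algorithm', 'no forward secrecy' }
    foreach ($t in $targets) {
        if ($Enforce) {
            Disable-TlsCipherSuite -Name $t.Name
            Write-Host "Disabled $($t.Name) ($($t.Status))"
        } else {
            Write-Host "Would disable $($t.Name) ($($t.Status))"
        }
    }
    # Warn about preferred suites that are missing entirely, which usually means
    # a previous hardening pass was too aggressive.
    $present = @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name)
    foreach ($s in $PreferredSuites) {
        if ($s -notin $present) { Write-Warning "Preferred suite $s is not enabled" }
    }
}

function Enable-ChaCha20Suites {
    # The FAQ notes ChaCha20-Poly1305 can be enabled where you control the OS.
    # Suite names are the IANA names; availability depends on the Windows build
    # (assumption: Windows Server 2022 / Windows 11 or later).
    foreach ($s in 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256',
                   'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256') {
        Enable-TlsCipherSuite -Name $s
        Write-Host "Enabled $s"
    }
}

# Usage:
#   Get-CipherSuiteAudit | Format-Table -AutoSize
#   Disable-LegacyCipherSuites            # dry run
#   Disable-LegacyCipherSuites -Enforce   # apply (elevated)
```

The audit deliberately leaves the CBC suites in the preferred set alone, matching the FAQ: they sit below the GCM suites in priority and are only reached by clients that cannot do AEAD. Anything else that is enabled but not in the preferred set (for example DHE or PSK suites) is reported rather than removed, since the page gives no guidance on it.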