Setting Minimum TLS Version For Azure App Services

I was recently helping a company to work through a set of white hat penetration test results for a legacy web application. Among other things was a note that while the web application did support TLS 1.2, it was still accepting connections via TLS 1.0/1.1. As to why this is a security risk, here is a great article on the subject from Digicert: https://www.digicert.com/blog/depreciating-tls-1-0-and-1-1. But in short, most modern web applications should only accept TLS 1.2, and should actually reject TLS 1.1 and 1.0.

Luckily this is a fairly trivial fix if we are using Azure App Services with no (or minimal) code changes!

Setting The Minimum TLS Version Via Portal

If we are looking to set the minimum TLS version via the portal, we first have to open up our App Service and look down the left-hand menu for TLS/SSL settings.

On this screen we can edit the TLS minimum version, which should really be 1.2 at all times.

And we are done! A very easy setting to change that adds a tonne of security benefits.

Setting The Minimum TLS Version Via ARM Template

While editing this setting via the portal is great, chances are you have an ARM template that you use to automate your deployments.

While it’s hard to show the full ARM template here as it’s rather verbose, inside your template you likely already have a Microsoft.Web/sites/config resource, and inside that a properties object. Adding a minTlsVersion property there sets the minimum TLS version of your web application.

{
	"type": "Microsoft.Web/sites/config",
	"name": "myAppServiceName/web",
	"apiVersion": "2018-11-01",
	[...]
	"properties": {
		[...]
		"minTlsVersion": "1.2"
	}
}
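Because this setting tends to regress silently (a template copied from an older service, or a site resource that never sets it and quietly relies on the platform default), a small lint step in the deployment pipeline is worth having. The following is an added example written for this post, not code from the post or from Microsoft: it walks an ARM template and reports every App Service whose minTlsVersion is missing or below 1.2. It checks the Microsoft.Web/sites/config shape shown above and also goes one step further than the post by checking minTlsVersion inside siteConfig on a Microsoft.Web/sites resource, including nested child config resources. The template embedded in the block is constructed for the demonstration; the resource names in it (hardenedApp, legacyApp, implicitApp) are made up.

```python
"""Lint an ARM template for App Service minimum TLS version (added example)."""
import json

REQUIRED_MIN_TLS = (1, 2)  # lowest acceptable value of minTlsVersion


def parse_tls_version(value):
    """'1.2' -> (1, 2); None for a missing or unparsable value."""
    if value is None:
        return None
    try:
        return tuple(int(part) for part in str(value).split("."))
    except ValueError:
        return None


def _leaf_name(name):
    """Last segment of a resource name, tolerating ARM expressions such as
    "[concat(parameters('site'), '/web')]" -> "web"."""
    return str(name).split("/")[-1].strip("'\")] ").lower()


def _walk(resources, parent_type=""):
    """Yield (lower-cased full type, resource) for top-level and nested resources."""
    for res in resources or []:
        rtype = res.get("type", "")
        if parent_type and "/" not in rtype:  # nested children use the short type, e.g. "config"
            rtype = f"{parent_type}/{rtype}"
        yield rtype.lower(), res
        yield from _walk(res.get("resources"), rtype)


def check_min_tls(template):
    """Return findings as (resource name, observed value, reason) tuples."""
    findings = []
    for rtype, res in _walk(template.get("resources", [])):
        name = res.get("name", "<unnamed>")
        props = res.get("properties") or {}
        if rtype == "microsoft.web/sites/config":
            if _leaf_name(name) != "web":  # appsettings, logs, ... carry no TLS setting
                continue
            observed = props.get("minTlsVersion")
        elif rtype == "microsoft.web/sites":
            observed = (props.get("siteConfig") or {}).get("minTlsVersion")
            has_web_child = any(
                r.get("type", "").lower() in ("config", "microsoft.web/sites/config")
                and _leaf_name(r.get("name", "")) == "web"
                for r in res.get("resources") or [])
            if observed is None and has_web_child:
                continue  # the nested sites/config resource is checked on its own
        else:
            continue
        version = parse_tls_version(observed)
        if version is None:
            findings.append((name, observed, "minTlsVersion not set explicitly; platform default applies"))
        elif version < REQUIRED_MIN_TLS:
            findings.append((name, observed, "minTlsVersion below 1.2; TLS 1.0/1.1 would be accepted"))
    return findings


def lint_template(template_text):
    """Parse a template from JSON text and return its findings."""
    return check_min_tls(json.loads(template_text))


# Constructed sample template: one hardened app, one legacy app, one app relying on the default.
SAMPLE_TEMPLATE = r"""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Web/sites/config",
      "name": "hardenedApp/web",
      "apiVersion": "2018-11-01",
      "properties": { "minTlsVersion": "1.2" }
    },
    {
      "type": "Microsoft.Web/sites/config",
      "name": "[concat(parameters('legacyApp'), '/web')]",
      "apiVersion": "2018-11-01",
      "properties": { "minTlsVersion": "1.0" }
    },
    {
      "type": "Microsoft.Web/sites",
      "name": "implicitApp",
      "apiVersion": "2018-11-01",
      "location": "westeurope",
      "properties": { "siteConfig": { "http20Enabled": true } }
    }
  ]
}
"""

if __name__ == "__main__":
    for resource, value, reason in lint_template(SAMPLE_TEMPLATE):
        print(f"{resource}: minTlsVersion={value!r} -> {reason}")
```

Run against the sample, the linter reports legacyApp (value "1.0") and implicitApp (no value at all); hardenedApp passes. The "not set explicitly" finding is deliberate: as the next section explains, the platform default is only 1.2 for services created after June 2018, so a template that omits the property gives no guarantee for an older service. For services that already exist, the same value can be read with az webapp config show --query minTlsVersion and fixed with az webapp config set --min-tls-version 1.2 (both standard Azure CLI commands, with the usual --resource-group and --name arguments).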

Default TLS Version

It’s important to note that this is mostly a legacy issue. If you create a fresh Azure App Service anytime beyond June 2018, the default minimum TLS version is automatically set to 1.2. However, existing App Services are left unchanged, so you may have to do a quick pass over all existing services and upgrade them.

Additionally, if you for whatever reason did need to support TLS 1.0 (which you really, really shouldn’t!), then you would need to downgrade this setting on any new services created.
