Q1: What are cipher suites and how do they work on App Service?
A cipher suite is a set of instructions that contains algorithms and protocols to help secure network connections between clients a...
Published Jul 26, 2023
Version 1.0
Blog Post
I'm confused by different results coming from SSL Labs scan and running Get-TlsCipherSuite in AppService's Kudu. Specifically, cipher suite at first position shown by Powershell command, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, is not listed in SSL Labs report at all - SSL Labs shows only TLS_ECDHE_RSA_* but no TLS_ECDHE_ECDSA_*.
I'm trying to connect from the AppService to another service using SslStream and getting error in SSL Handshake. On the party I'm trying to connect to there is a log entry: SSL routines:tls_post_process_client_hello:no shared cipher.
The other party confirms they support TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (in fact they support multiple TLS_ECDHE_ECDSA_* but no TLS_ECDHE_RSA_*).
Supposing SSL Labs is correct then I would understand there is no shared cipher. But Get-TlsCipherSuite still shows the TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 at first position..
So which one is correct?