
Apps on Azure Blog

Upcoming TLS 1.3 on Azure App Service for Web Apps, Functions, and Logic Apps (Standard) Update

YutangLin (Microsoft)
Nov 06, 2023

This article is an update to a previous article that mentioned the upcoming support of TLS 1.3 on App Service. It covers:

  • Information on the upcoming TLS 1.3 support 
  • How the TLS 1.3 roll-out may affect your Web Apps, Functions, and Logic Apps (Standard)
  • Callouts regarding TLS 1.3 roll-out that you should be aware of 
  • Update for Minimum TLS Cipher Suite feature

 

When will TLS 1.3 (preview) support begin and fully roll out?

Upcoming TLS 1.3 support is still planned for the end of 2023 and will continue into 2024. Initial preview support of TLS 1.3 for resources hosted on App Service, namely web apps, functions, and logic apps, began rolling out on October 23rd. Users in US regions can expect TLS 1.3 support by January 2024. We will continue to roll out TLS 1.3 support worldwide and expect to finish sometime in early 2024. We will provide another update when TLS 1.3 has been fully rolled out in all regions.

 

Note: TLS 1.3 will not be supported on App Service Environment (ASE) V1 and V2. 

 

What to expect with the initial TLS 1.3 (preview) support? 

Beginning October 23rd, some users may intermittently see incoming client requests using TLS 1.3 handshakes if the clients also support TLS 1.3. You can expect these intermittent TLS 1.3 handshakes to stabilize starting January 2024. We do not recommend setting the minimum incoming TLS version of your web app to TLS 1.3 before January 2024 because this setting may cause issues for your web app.

 

When TLS 1.3 may cause issues for the web app

 

Setting TLS 1.3 as the minimum TLS version before January 2024 

During the initial release, TLS 1.3 may be intermittently disabled if issues arise during the roll-out. If you set the minimum TLS version of your web app to TLS 1.3 during this time, there is a risk of connection failures, or of incoming requests being denied, whenever TLS 1.3 is intermittently disabled for your web app.

 

Using client certificates with TLS 1.3 

Client certificates and TLS 1.3 generally work together. However, there are specific scenarios where TLS 1.3 cannot be used with client certificates:

  1. When using exclusion paths with client certificates 
  2. When using “OptionalInteractive” (on API) or “Optional” mode (on Portal) for Client Certificate Mode setting

These scenarios are not supported with TLS 1.3 because they require renegotiation, which TLS 1.3 does not allow. In these scenarios, TLS 1.2 is the maximum supported TLS version.

 

Manually configuring TLS handshakes for clients calling into App Service OR using Internet of Things (IoT) clients/devices connected to App Service

We do not expect TLS 1.3 support to negatively impact customers. However, you may be impacted if you have manually configured the TLS handshakes of the clients connected to App Service. For example, if your clients use a browser or a client library such as the .NET HTTP client, the upcoming TLS 1.3 support should not negatively impact you or the clients talking to App Service. If, however, you manually configure the TLS handshakes of your clients, such as IoT devices connected to App Service, you may want to review those handshakes to ensure compatibility with TLS 1.3.
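An added example (not from the original post) of the handshake review suggested above, written for clients built on Python's ssl module; the three client configurations are constructed. It reports whether a context can offer TLS 1.3 and whether it still accepts TLS 1.2, which matters while TLS 1.3 may be intermittently disabled or capped at TLS 1.2.

```python
import ssl

V = ssl.TLSVersion


def review_client_context(ctx):
    """Say whether a client context can offer TLS 1.3 and still accept TLS 1.2."""
    lo, hi = ctx.minimum_version, ctx.maximum_version

    def allowed(version, no_flag):
        # MINIMUM_SUPPORTED and MAXIMUM_SUPPORTED are negative sentinels, so a
        # plain numeric comparison would misread a context that was never pinned.
        above_floor = lo == V.MINIMUM_SUPPORTED or lo <= version
        below_ceiling = hi == V.MAXIMUM_SUPPORTED or hi >= version
        return above_floor and below_ceiling and not (ctx.options & no_flag)

    offers_13 = ssl.HAS_TLSv1_3 and allowed(V.TLSv1_3, ssl.OP_NO_TLSv1_3)
    accepts_12 = allowed(V.TLSv1_2, ssl.OP_NO_TLSv1_2)
    notes = []
    if not offers_13:
        notes.append("cannot offer TLS 1.3; stays on TLS 1.2 or lower")
    if not accepts_12:
        notes.append("refuses TLS 1.2; fails wherever TLS 1.3 is unavailable")
    return {"offers_tls13": offers_13, "accepts_tls12": accepts_12, "notes": notes}


def constructed_clients():
    """Three constructed client configurations (illustrative, not from the post)."""
    default = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    pinned_12 = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    pinned_12.maximum_version = V.TLSv1_2  # hand-tuned device profile
    only_13 = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    only_13.minimum_version = V.TLSv1_3  # no fallback to TLS 1.2
    return {"default": default, "pinned_12": pinned_12, "only_13": only_13}


if __name__ == "__main__":
    for name, ctx in constructed_clients().items():
        print(name, review_client_context(ctx))
```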

 

TLS 1.3 and minimum TLS cipher suite feature 

The upcoming TLS 1.3 support adds TLS cipher suites supported on App Service, so a newer set of TLS cipher suites will be added to the minimum TLS cipher suite feature. As with the minimum TLS version, we do not recommend setting the minimum TLS cipher suite to a TLS 1.3 cipher suite for your incoming requests before January 2024. This configuration risks connection failures to your web app, or incoming requests being denied, if TLS 1.3 is intermittently disabled for your web app.
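An added example (not from the original post or from App Service tooling) that checks site settings against the cautions above: a TLS 1.3 minimum version or cipher suite set before January 2024, and the client-certificate scenarios limited to TLS 1.2. The key names are assumed to mirror the site resource's properties, the sample settings are constructed, and the CONFLICT finding is an inference from the post's statements rather than something it spells out.

```python
from datetime import date

TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"}  # RFC 8446 names
STABLE_FROM = date(2024, 1, 1)  # the post: do not require TLS 1.3 before January 2024

def renegotiation_features(site):
    """Client-certificate settings the post lists as limited to TLS 1.2."""
    if not site.get("clientCertEnabled"):
        return []
    found = []
    paths = (site.get("clientCertExclusionPaths") or "").split(",")
    if any(p.strip() for p in paths):
        found.append("exclusion paths")
    if site.get("clientCertMode") == "OptionalInteractive":
        found.append("OptionalInteractive mode")
    return found

def audit_site(site, as_of):
    """Return (code, detail) findings for one site-settings dict."""
    cfg = site.get("siteConfig") or {}
    needs_13 = []
    if cfg.get("minTlsVersion") == "1.3":
        needs_13.append("minTlsVersion=1.3")
    if cfg.get("minTlsCipherSuite") in TLS13_SUITES:
        needs_13.append("minTlsCipherSuite=" + cfg["minTlsCipherSuite"])
    reneg = renegotiation_features(site)
    findings = []
    if reneg:
        findings.append(("TLS12_MAX", "client certificates with " + " and ".join(reneg)))
    if reneg and needs_13:
        # Inference from the post: a TLS 1.3 floor cannot be met under a TLS 1.2 ceiling.
        findings.append(("CONFLICT", ", ".join(needs_13) + " vs TLS 1.2 maximum"))
    if needs_13 and as_of < STABLE_FROM:
        findings.append(("ROLLOUT_RISK", ", ".join(needs_13) + " set before January 2024"))
    return findings

# Constructed settings (assumed key names), not taken from a real subscription.
SAMPLES = {
    "early-min13": {"siteConfig": {"minTlsVersion": "1.3"}},
    "optional-cert": {"clientCertEnabled": True, "clientCertMode": "OptionalInteractive",
                      "siteConfig": {"minTlsVersion": "1.2"}},
    "excluded-paths": {"clientCertEnabled": True, "clientCertMode": "Required",
                       "clientCertExclusionPaths": "/health, /public",
                       "siteConfig": {"minTlsCipherSuite": "TLS_AES_256_GCM_SHA384"}},
}

if __name__ == "__main__":
    for name, site in SAMPLES.items():
        print(name, audit_site(site, date(2023, 11, 6)))
```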

Updated Jan 23, 2025
Version 3.0

16 Comments

  • DaleR-SC (Copper Contributor)

    Hello YutangLin,

     

    We have been experiencing issues with TLS 1.3 in Azure Region US East since Thursday, January 23rd, 2024.
    Our environment was fully functional before this date; we had no changes or deployments that would have impacted our systems.  In researching the issue, we found this blog and no other resources.  We have two cases open with Microsoft, both pointing to this blog with a point of concern as we began to see our Azure Web Apps, Service Bus, and other Azure services begin communicating on TLSv1.3.  As a point of interest, our environment running the same configuration in the EU is not experiencing any issues.

    We, too, are experiencing this same error: "The SSL connection could not be established, see inner exception. Received an unexpected EOF or 0 bytes from the transport stream."

     

    We also see the error "The SSL connection could not be established."

    Azure support asked us to try to add a certificate path exclusion of "/" to our web app services - they suggested that this would enforce TLS 1.2, which we did.  However, this did not resolve anything. 

    [ web app -> configuration -> general settings -> Certificate exclusion path | value: / ]


    JamesRV @KevinWEdwards aaronhk Artem350 
    If you have any tickets open with Microsoft support, may you share them here?  I want to reference your issues to gain better support from Microsoft on this issue we are all facing.


    Microsoft Azure Sev A Support request ID: 2401270040001177

     

    If you have received any findings or details of a resolution, I would love to hear those, too!

     

    Thank you

  • Artem350 (Copper Contributor)

    Hello guys!

    Also started to experience issues with TLS

    An unhandled exception occurred while processing the request.

    Win32Exception: The message received was unexpected or badly formatted.

    Unknown location

    AuthenticationException: Authentication failed because the remote party sent a TLS alert: 'IllegalParameter'.

    System.Net.Security.SslStream.ForceAuthenticationAsync<TIOAdapter>(bool receiveFirst, byte[] reAuthenticationData, CancellationToken cancellationToken)

    HttpRequestException: The SSL connection could not be established, see inner exception.

    System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, bool async, Stream stream, CancellationToken cancellationToken)

    Can you please help with how to resolve this?

  • aaronhw (Copper Contributor)

    We are having similar issues to those mentioned above: WebApps, Functions and Service Bus are experiencing TLS connectivity issues in which the communication between them sporadically fails.

     

    We are seeing TLS Issues arise in our logs - "The SSL connection could not be established, see inner exception. Received an unexpected EOF or 0 bytes from the transport stream."

     

    It appears something is blocking or cutting the connection between the two endpoints; our region is EastUS.

     

    KevinWEdwards were you able to resolve your problem?

  • KevinWEdwards (Copper Contributor)

    We're having issues with TLS Connection failing, from Azure availability tests and only from North Central US (where TLS 1.3 was enabled back in early December, 12/8, I believe).

     

    No other issues from any other US regions. 

  • JamesRV (Brass Contributor)

    We have a situation where some calls to a vendor API are failing when we have TLS 1.3 enabled with a "HTTP Fault" code. The client and the service are both .NET applications and the WS call is an HTTP SOAP call.
    Nothing is showing up for the error on the server side, either on the F5 or the application.

     

    Anyone know anything about HTTP Fault and TLS 1.3???