Making a Cloud Service safer to meet business or compliance requirements, for example by disabling TLS 1.0 and 1.1, is a common ask.
The TLS protocol setting is not part of the Cloud Service configuration itself; it is a setting of the Windows operating system running on the underlying instances. This blog therefore focuses on how to modify that OS-level configuration on every Cloud Service instance in a repeatable way.
The aim of this blog is to change the registry values that control TLS 1.0, 1.1 and 1.2. If you prefer, you can also RDP into every instance, modify these values manually and reboot, but manual changes are lost whenever an instance is reimaged, so a startup task is the durable approach.
The registry keys and REG_DWORD values which need to be modified are:
- HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server with Enabled = 0 and DisabledByDefault = 1
- HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client with Enabled = 0 and DisabledByDefault = 1
- HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server with Enabled = 0 and DisabledByDefault = 1
- HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client with Enabled = 0 and DisabledByDefault = 1
- HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server with Enabled = 1 and DisabledByDefault = 0
- HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client with Enabled = 1 and DisabledByDefault = 0
Note that both sides are changed: the Server keys control which protocol versions the instance accepts from inbound clients, while the Client keys control which versions the instance itself uses for outbound connections (for example to storage or a database). Before disabling TLS 1.0 and 1.1 on the Client side, confirm that every service the role talks to supports TLS 1.2.
Pre-requirements:
Before starting, you must set up the environment. For a local development environment, you need:
- A running Cloud Service project with HTTPS enabled. If you don't have one, first follow the guides on how to generate a self-signed SSL certificate and how to use it to enable HTTPS for a Cloud Service project.
Important points to explain before starting:
This blog is written based on the classic Cloud Service, which will be retired on August 31st, 2024, but the procedure applies to both classic Cloud Service and Cloud Services (extended support) (CSES). The main idea is to use a Startup task to run a PowerShell script that modifies the registry values, and the steps for adding such a Startup task are the same in both.
Also note that if you are using Guest OS Family 6 (Windows Server 2019), the OS already enforces TLS 1.2 by explicitly disabling TLS 1.0 and 1.1 and defining a specific set of cipher suites, so the steps below are only needed on older Guest OS families.
Before implementation:
Once the preparation is done, you can use the online tool https://www.ssllabs.com/ssltest to scan which of TLS 1.0, 1.1 and 1.2 the service currently accepts. Feel free to use any other tool you prefer.
Original status: TLS 1.0, 1.1 and 1.2 are all enabled.
[Screenshot: original TLS setting before implementation]
Steps to implement:
1. Open your Cloud Service project and add the following 3 lines to the Role definition in the .csdef file to declare a new Startup task. The file will look like the following screenshot after modification.

<Startup>
  <Task commandLine="Startup.cmd" executionContext="elevated" taskType="simple" />
</Startup>

[Screenshot: Startup task configuration in .csdef]
executionContext="elevated" is required because writing under HKLM needs administrator rights, and taskType="simple" means the role does not start until the task has finished.
2. Then add the 2 new files used by the Startup task. Pay attention here: the path for these 2 files differs depending on whether the role whose TLS setting you need to change is a WebRole or a WorkerRole.
For WebRole:
- In Solution Explorer, under Roles in your cloud service project, right-click your web role and select Add > New Folder. Create a folder named bin.
- Right-click the bin folder and select Add > New Item. Select Text File and name it startup.ps1.
- Repeat the above step with a new file named Startup.cmd.
For WorkerRole:
The process is almost the same as for WebRole. The only difference is that you do NOT need to create the bin folder: the 2 files are created directly under the WorkerRole project directory, as shown below.
[Screenshot: WorkerRole file path]
For both files, set the Copy to Output Directory property to Copy always so that they are included in the deployment package; otherwise the Startup task fails because Startup.cmd is not found on the instance.
3. Now fill in the content of the two newly created files. Open Startup.cmd, paste the following 4 lines and save. This is the example Startup task for running an unsigned PowerShell script from the official documentation; it logs the script output to %TEMP%\StartupLog.txt on the instance, which is the first place to look if the change does not take effect.

REM Run an unsigned PowerShell script and log the output
PowerShell -ExecutionPolicy Unrestricted .\startup.ps1 >> "%TEMP%\StartupLog.txt" 2>&1
REM If an error occurred, return the errorlevel.
EXIT /B %errorlevel%

Then open startup.ps1 and paste all the lines from the linked script, which sets the registry values listed above.
4. Redeploy the project and wait for the Cloud Service instances to come back to the Running/Started status.
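The post links to the startup.ps1 script rather than reproducing it. The following is an added example written for this article, not the script from the original post or Microsoft's own script, that sets exactly the six Server and Client values listed above. It assumes it runs as startup.ps1 under the elevated Startup task declared in step 1. Two details matter in practice: the values must be REG_DWORD, and SCHANNEL only reads these keys when the system starts, so the script restarts the instance once, and only when it actually changed something, so that the second run after the reboot finds everything in place and exits without rebooting again.

```powershell
# Added example for this article (not the script linked from the original post).
# Disables TLS 1.0/1.1 and enables TLS 1.2 for both the Server and Client sides
# of SCHANNEL, then reboots once if anything changed so the new settings apply.
$ErrorActionPreference = 'Stop'
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state, mirroring the table in the post: TLS 1.0/1.1 off, TLS 1.2 on.
$desired = @{
    'TLS 1.0' = @{ Enabled = 0; DisabledByDefault = 1 }
    'TLS 1.1' = @{ Enabled = 0; DisabledByDefault = 1 }
    'TLS 1.2' = @{ Enabled = 1; DisabledByDefault = 0 }
}

# Applies Enabled/DisabledByDefault to <Protocol>\Server and <Protocol>\Client.
# Returns $true if any value had to be written, $false if already compliant.
function Set-SchannelProtocol {
    param([string]$Protocol, [int]$Enabled, [int]$DisabledByDefault)
    $changed = $false
    $values = @{ Enabled = $Enabled; DisabledByDefault = $DisabledByDefault }
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $base "$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($entry in $values.GetEnumerator()) {
            $name = $entry.Key
            $value = $entry.Value
            # Missing value -> $null, which compares as "different" and gets written.
            $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            if ($current -ne $value) {
                # SCHANNEL expects REG_DWORD, so the type is set explicitly.
                New-ItemProperty -Path $key -Name $name -Value $value -PropertyType DWord -Force | Out-Null
                Write-Output "Set $key\$name = $value (was '$current')"
                $changed = $true
            }
        }
    }
    return $changed
}

$rebootNeeded = $false
foreach ($protocol in $desired.Keys) {
    $s = $desired[$protocol]
    if (Set-SchannelProtocol -Protocol $protocol -Enabled $s.Enabled -DisabledByDefault $s.DisabledByDefault) {
        $rebootNeeded = $true
    }
}

if ($rebootNeeded) {
    # SCHANNEL reads these keys at boot; the role will not see the change until restart.
    # On the next boot the Startup task runs again, finds nothing to change, and exits 0.
    Write-Output 'SCHANNEL settings changed; restarting the instance so they take effect.'
    Restart-Computer -Force
} else {
    Write-Output 'SCHANNEL settings already in the desired state; no reboot needed.'
}
```

Because the task is declared with taskType="simple", the role is not started until this script exits, so the restart happens before any traffic reaches the role. Everything written with Write-Output ends up in %TEMP%\StartupLog.txt via the redirection in Startup.cmd, which makes it easy to confirm from RDP whether the values were written and whether a reboot was triggered.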
After implementation:
If you were not blocked by any step, congratulations, everything needed is done. Scan again with the same tool (or whichever tool you prefer), and you will find that TLS 1.0 and 1.1 are disabled while TLS 1.2 remains enabled. If the scan still shows TLS 1.0 or 1.1 as accepted, RDP into an instance and check %TEMP%\StartupLog.txt and the registry values before redeploying.
[Screenshot: TLS setting after implementation]
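An external scanner such as SSL Labs is the simplest check, but it cannot reach a service that is only exposed inside a virtual network. The following is an added example written for this article, not code from the original post, that performs the same per-protocol check from any Windows machine with .NET: it opens a TCP connection to the endpoint and asks SslStream to negotiate exactly one protocol version at a time. The host name is an assumed placeholder. Run it from a machine where TLS 1.0 and 1.1 are still enabled on the Client side, otherwise a failed handshake reflects the client's own restrictions rather than the service's.

```powershell
# Added example for this article (not from the original post): probe which TLS
# versions a listener accepts by forcing a single protocol per handshake.
function Test-TlsProtocol {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($HostName, $Port)
        # The validation callback accepts any certificate so that a self-signed
        # test certificate (as used in the prerequisites) does not mask the result.
        # This is only acceptable for a protocol probe, never for real traffic.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        # Offer only the requested protocol; a disabled version fails the handshake.
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        [pscustomobject]@{ Protocol = $Protocol; Accepted = $true; Negotiated = $ssl.SslProtocol }
    } catch {
        [pscustomobject]@{ Protocol = $Protocol; Accepted = $false; Negotiated = $null }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

# Assumed placeholder; replace with your Cloud Service host name.
$target = 'mycloudservice.cloudapp.net'
foreach ($p in 'Tls', 'Tls11', 'Tls12') {
    Test-TlsProtocol -HostName $target -Protocol $p
}
```

After the startup task has run on every instance, Tls and Tls11 should report Accepted = False and Tls12 should report Accepted = True. Because the probe is run once per protocol, it also catches the partial case where one instance behind the load balancer has not yet been updated: repeating the loop a few times will show an occasional success for TLS 1.0 while that instance is still serving.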
Published Nov 09, 2021
Version 1.0
JerryZhangMS, Microsoft
Azure PaaS Blog