Security, Compliance, and Identity Blog

Support for legacy TLS protocols and cipher suites in Azure Offerings

SecPmCj (Microsoft)
Oct 23, 2023

Overview
Updated date: Oct 25, 2024

Microsoft Azure services already operate in TLS 1.2-only mode by default. A limited number of services still allow TLS 1.0 and 1.1 to be configured in order to support customers with legacy needs. For customers who use services that still support legacy protocol versions and must meet compliance requirements, we have provided instructions on how to ensure legacy protocols and cipher suites are not negotiated.


The list of remaining services supporting TLS 1.0 and TLS 1.1

Azure Offering: TLS documentation and latest updates

API Management:
    https://learn.microsoft.com/azure/api-management/api-management-howto-manage-protocols-ciphers

App Service:
    https://learn.microsoft.com/azure/app-service/overview-tls

Application Gateway:
    https://learn.microsoft.com/azure/application-gateway/application-gateway-ssl-policy-overview
    https://learn.microsoft.com/azure/application-gateway/application-gateway-configure-ssl-policy-powershell

Application Insights availability tests:
    https://learn.microsoft.com/azure/azure-monitor/app/availability?tabs=standard#deprecating-tls-configuration

Azure App Service Static Web Apps:
    https://learn.microsoft.com/azure/app-service/overview-tls

Azure Arc:
    https://learn.microsoft.com/azure/azure-arc/servers/network-requirements?tabs=azure-cloud

Azure Cache for Redis:
    https://learn.microsoft.com/azure/azure-cache-for-redis/cache-remove-tls-10-11

Azure Cosmos DB:
    https://learn.microsoft.com/en-us/azure/cosmos-db/self-serve-minimum-tls-enforcement

Azure Database for MariaDB:
    https://docs.microsoft.com/azure/mariadb/concepts-ssl-connection-security#tls-enforcement-in-azure-database-for-mariadb
    https://docs.microsoft.com/azure/azure-sql/database/connectivity-settings#minimal-tls-version

Azure Database for MySQL:
    https://learn.microsoft.com/previous-versions/azure/mysql/single-server/concepts-ssl-connection-security#tls-enforcement-in-azure-database-for-mysql
    https://learn.microsoft.com/azure/azure-sql/database/connectivity-settings?view=azuresql&tabs=azure-portal#minimal-tls-version

Azure Database for PostgreSQL:
    https://learn.microsoft.com/previous-versions/azure/postgresql/single-server/concepts-ssl-connection-security

Azure Database Migration Service:
    https://learn.microsoft.com/azure/dms/faq#is-all-data-in-transit-and-at-rest-encrypted-

Azure Front Door / Azure Front Door X:
    https://learn.microsoft.com/azure/frontdoor/end-to-end-tls?pivots=front-door-standard-premium

Azure Resource Manager:
    https://learn.microsoft.com/azure/azure-resource-manager/management/tls-support

Azure SQL Database:
    https://learn.microsoft.com/azure/azure-sql/database/connectivity-settings?view=azuresql&tabs=azure-portal#minimal-tls-version

Azure SQL Database Edge:
    https://learn.microsoft.com/azure/azure-sql/database/connectivity-settings?view=azuresql&tabs=azure-portal#minimal-tls-version

Azure SQL Managed Instance:
    https://learn.microsoft.com/azure/azure-sql/managed-instance/minimal-tls-version-configure?view=azuresql

Azure Synapse Analytics:
    https://learn.microsoft.com/azure/azure-sql/database/connectivity-settings?view=azuresql&tabs=azure-portal#minimal-tls-version

Azure Traffic Manager:
    https://learn.microsoft.com/azure/traffic-manager/traffic-manager-faqs#what-version-of-tls-is-required-by-traffic-manager

Azure Web Application Firewall:
    https://learn.microsoft.com/azure/application-gateway/application-gateway-ssl-policy-overview
    https://learn.microsoft.com/azure/application-gateway/application-gateway-configure-ssl-policy-powershell
    https://learn.microsoft.com/azure/frontdoor/front-door-faq

Cloud Services:
    https://learn.microsoft.com/azure/cloud-services/applications-dont-support-tls-1-2

Event Grid:
    https://azure.microsoft.com/updates/v2/TLS-changes-for-Azure-Event-Grid

Event Hubs:
    https://learn.microsoft.com/azure/event-hubs/transport-layer-security-enforce-minimum-version

Functions:
    https://learn.microsoft.com/azure/app-service/overview-tls

IoT Hub:
    https://learn.microsoft.com/azure/iot-hub/iot-hub-tls-support

Key Vault:
    https://learn.microsoft.com/azure/key-vault/general/security-features#tls-and-https

Microsoft Azure Managed Instance for Apache Cassandra:
    https://learn.microsoft.com/azure/cosmos-db/self-serve-minimum-tls-enforcement

Service Bus:
    https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-configure-minimum-version

SQL Server Stretch Database:
    https://learn.microsoft.com/azure/azure-sql/database/connectivity-settings?view=azuresql&tabs=azure-portal#minimal-tls-version

Storage:
    https://techcommunity.microsoft.com/t5/azure-storage-blog/tls-1-0-and-1-1-support-will-be-removed-for-new-amp-existing/ba-p/4026181
    https://learn.microsoft.com/azure/storage/common/transport-layer-security-configure-migrate-to-tls2

FAQ (Frequently Asked Questions)

 

What is meant by legacy protocols?

Legacy protocols are defined as anything lower than TLS 1.2. 

 

What is meant by legacy cipher suites?

Cipher suites that were considered safe in the past but are no longer strong enough, or that do not provide perfect forward secrecy (PFS). While these ciphers are considered legacy, they are still supported for some backward-compatibility customer scenarios.

 

What is the Microsoft preferred cipher suite order?

For legacy purposes, Windows supports a large list of ciphers by default. For all Microsoft Windows Server versions (2016 and higher), the following cipher suites are the preferred set, as set by Microsoft's security policy. It should be noted that Microsoft Windows uses the IANA (Internet Assigned Numbers Authority) cipher suite notation. This link shows the IANA to OpenSSL mapping.

TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

 

Why is ChaCha20-Poly1305 not included in the list of approved ciphers?

ChaCha20-Poly1305 cipher suites are supported by Windows and can be enabled in scenarios where customers control the OS.

 

Why are CBC ciphers included in the Microsoft preferred cipher suite order?

The default Windows image includes CBC ciphers.  However, there are no known vulnerabilities related to the CBC mode cipher suites.  We have mitigations for CBC side-channel attacks.

 

Microsoft’s preferred cipher suite order for Windows includes 128-bit ciphers. Is there an increased risk with using these ciphers?

AES-128 does not introduce any practical risk but different customers may have different preferences with regard to the minimum key lengths they are willing to negotiate. Our preferred order prioritizes AES-256 over AES-128.  In addition, customers can adjust the order using the TLS Cmdlets.  There is also a group policy option detailed in this article: Prioritizing Schannel Cipher Suites - Win32 apps | Microsoft Docs.
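To make the FAQ's definitions concrete, here is an added Python example (not code from the post or from Microsoft) that parses IANA cipher suite names, flags the ones the post's definition would call legacy (weak cipher or MAC, or no forward secrecy), derives the OpenSSL name that the IANA-to-OpenSSL mapping mentioned above refers to, orders a candidate list by Microsoft's preferred order (the "adjust the order" step, done in software rather than with the TLS cmdlets or group policy), and builds a client ssl.SSLContext that refuses anything below TLS 1.2 or outside the preferred list. All function and class names are this example's own, and the OpenSSL naming rules it encodes cover only AES and ChaCha20 suites.

```python
"""Added example (not from the post or Microsoft): audit IANA cipher suite names against
the post's definitions, derive OpenSSL names, and build a client context that can only
negotiate TLS 1.2+ with the preferred suites. Helper names are this example's own."""
import re
import socket
import ssl
from dataclasses import dataclass, field

# Microsoft's preferred cipher suite order for Windows Server 2016+, as listed in the post.
MICROSOFT_PREFERRED_ORDER = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
]

# TLS 1.3 names carry only AEAD + hash; TLS 1.2 names carry key exchange, cipher and MAC.
_TLS13 = re.compile(r"^TLS_(AES_\d+_GCM|AES_\d+_CCM(?:_8)?|CHACHA20_POLY1305)_SHA\d+$")
_TLS12 = re.compile(r"^TLS_(?P<kx>[A-Za-z0-9_]+?)_WITH_(?P<cipher>.+?)(?:_(?P<mac>SHA\d*|MD5))?$")

@dataclass
class SuiteProfile:
    name: str
    tls13: bool
    key_exchange: str   # e.g. "ECDHE_RSA", "RSA"; "" for TLS 1.3, whose exchange is always ephemeral
    cipher: str         # e.g. "AES_256_GCM", "AES_128_CBC", "3DES_EDE_CBC"
    mac: str            # "SHA256"/"SHA384", "SHA" (= SHA-1), "MD5", or "" when the AEAD covers integrity
    reasons: list = field(default_factory=list)   # why the suite counts as legacy; empty = acceptable

    @property
    def forward_secrecy(self) -> bool:
        return self.tls13 or self.key_exchange.startswith(("ECDHE", "DHE"))

def profile_suite(name: str) -> SuiteProfile:
    """Parse one IANA name; CBC with SHA-256/384 is not flagged because the post keeps it."""
    m = _TLS13.match(name)
    if m:
        return SuiteProfile(name, True, "", m.group(1), "")
    m = _TLS12.match(name)
    if not m:
        raise ValueError(f"not an IANA cipher suite name: {name}")
    p = SuiteProfile(name, False, m.group("kx"), m.group("cipher"), m.group("mac") or "")
    if not p.forward_secrecy:
        p.reasons.append("no forward secrecy (static key exchange)")
    if any(weak in p.cipher for weak in ("RC4", "DES", "NULL", "EXPORT")):  # "DES" also catches 3DES
        p.reasons.append(f"weak cipher {p.cipher}")
    if p.mac in ("MD5", "SHA"):
        p.reasons.append(f"weak MAC {p.mac}")
    return p

def legacy_suites(candidates):
    """(name, reasons) for every candidate the post's definition would call legacy."""
    profiles = [profile_suite(n) for n in candidates]
    return [(p.name, p.reasons) for p in profiles if p.reasons]

def order_by_preference(candidates, preferred=MICROSOFT_PREFERRED_ORDER):
    """Keep only suites in the preferred set, in Microsoft's order (the FAQ's reordering step in software)."""
    wanted = set(candidates)
    return [s for s in preferred if s in wanted]

def iana_to_openssl(name: str) -> str:
    """OpenSSL name for AES/ChaCha20 suites, e.g. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 -> ECDHE-RSA-AES256-GCM-SHA384."""
    p = profile_suite(name)
    if p.tls13:
        return name                                    # OpenSSL keeps the IANA names for TLS 1.3
    if not p.cipher.startswith(("AES_", "CHACHA20")):
        raise ValueError(f"no regular OpenSSL naming rule for {name}")
    parts = []
    if p.key_exchange != "RSA":                        # plain RSA key exchange gets no prefix
        parts.append(p.key_exchange.replace("_", "-"))
    parts.append(p.cipher.replace("AES_", "AES").replace("_CBC", "").replace("_", "-"))
    if p.mac and "POLY1305" not in p.cipher:           # ChaCha20 names carry no MAC suffix
        parts.append(p.mac)
    return "-".join(parts)

def hardened_client_context(preferred=MICROSOFT_PREFERRED_ORDER) -> ssl.SSLContext:
    """Client context that cannot negotiate below TLS 1.2 or outside the preferred TLS 1.2 suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2        # "legacy" = anything below 1.2
    tls12 = [iana_to_openssl(s) for s in preferred if not profile_suite(s).tls13]
    ctx.set_ciphers(":".join(tls12))                   # OpenSSL manages the TLS 1.3 suites separately
    return ctx

def context_summary(ctx: ssl.SSLContext) -> dict:
    """What the local OpenSSL will actually offer from a context, to confirm the policy took effect."""
    tls12 = [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    return {"minimum_version": ctx.minimum_version.name, "tls12_suites": tls12}

def negotiated_with(host: str, port: int = 443, ctx: ssl.SSLContext = None):
    """Connect with the hardened context and report (version, suite); needs network, and a service offering only legacy options raises ssl.SSLError."""
    ctx = ctx or hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]
```

Pointing `negotiated_with` at one of the service endpoints from the table above is a quick client-side confirmation that a connection no longer depends on a legacy protocol version or suite: the handshake either completes with a TLS 1.2+ version and a preferred suite, or fails. `context_summary` is the offline check that the policy was actually applied by the local OpenSSL build, since `set_ciphers` silently drops names the library does not support.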

 

Thanks for reading!

Updated Dec 10, 2024
Version 10.0