Q1: What are cipher suites and how do they work on App Service?
- A cipher suite is a named combination of algorithms (key exchange, authentication, bulk encryption, and message authentication) that secures a TLS connection between a client and a server. By default, the front end's OS picks the most secure cipher suite (the highest in its preference order) that both the front end and the client support. If the client only supports weak cipher suites, however, the front end's OS will pick a weak cipher suite that both sides support.
- App Service does SSL termination on the front-end layer, which happens before the front-end instances forward requests to workers. See more at: A Heavy Lift: Bringing Kestrel + YARP to Azure App Services - Microsoft Community Hub and Azure - Inside the Azure App Service Architecture | Microsoft Learn.
Q2: How to confirm the supported cipher suites on App Service server side?
- You can check the SChannel cipher order in the registry via the Kudu CMD or PowerShell console, or scan the site yourself with SSL Labs or Wireshark. See How to see the cipher suites on an Azure App Service | The Best C# Programmer In The World - Benjamin Perkins (thebestcsharpprogrammerintheworld.com).
Q3: Why does App Service support some weak cipher suites?
- This is for backward compatibility with legacy browsers, which usually require weak cipher suites to establish an SSL connection; otherwise, those clients would hit SSL errors.
Q4: What has Azure App Service done to make it as secure as possible?
- Azure Web App places the strongest and most secure cipher suites at the front of its cipher order.
- The cipher suite order follows guidance from Azure Security.
Q5: How to disable some of the weak cipher suites?
- Put your web app behind a proxy such as Azure Application Gateway, where you can specify the cipher suites (see TLS policy overview for Azure Application Gateway | Microsoft Learn).
- Or run your web app in an isolated stamp via an App Service Environment (ASE), where you can specify your own cipher suite order (see Configure custom settings - Azure App Service Environment | Microsoft Learn).
- Or set a minimum TLS cipher suite on a multi-tenant App Service plan of Premium SKU or above. You can set it in the Azure portal (see Min TLS Cipher Suite (Preview) Now Available on Azure Portal and Info on Upcoming Changes Before GA - Microsoft Community Hub) or through the REST API (see Public Preview: Disabling Weaker TLS Cipher Suites for Web Apps on Multi-tenant Premium App Service Plans - Azure App Service). Basically, you just modify the value of the "minTlsCipherSuite" property. However, please note that this feature is currently in public preview, so it is not recommended for production environments until it reaches GA (general availability).
Published Jul 26, 2023
Leo_Yang
Apps on Azure Blog