This article will provide you with an all-inclusive update on all App Service TLS related features. In the past year, we have announced a couple of updates in this area, and to keep things simple, this article is broken down into the following areas/features:
TLS 1.3 Updates
As an update to the previous article about the upcoming TLS 1.3 changes on App Service, we have now fully rolled out TLS 1.3 globally. If you require all your inbound requests to use TLS 1.3, you can also set your “Minimum Inbound TLS Version” to “TLS 1.3” from any client (i.e. Portal, CLI, ARM).
Configuring Min TLS Version to TLS 1.3
Azure Portal
CLI
az webapp config set --min-tls-version "1.3" -g RG-NAME -n APP-NAME
TLS 1.3 Cipher Suites
With the new TLS 1.3 updates, you will also see new TLS cipher suites in your “Minimum TLS Cipher Suite” feature. This will include two cipher suites at the top of the cipher suite order.
Refer to the "Min TLS Cipher Suite (Preview)" section of the article for further updates on that feature.
App Service Environment (ASE) V3 with Cluster Setting “FrontEndSSLCipherSuiteOrder”
For ASE customers who have “FrontEndSSLCipherSuiteOrder” cluster setting configured, you will need to update your cluster settings to include our two TLS 1.3 cipher suites in the cluster setting (listed below) and to reboot your front-ends afterwards. You must still include the two required cipher suites as mentioned in the docs.
Min TLS Cipher Suite (Preview)
In a previous article about Min TLS Cipher Suite (Preview), we had called out that we will be updating the cipher suite priority ordering based on the recommendations in TLS Cipher Suites in Windows 2022. You can expect this cipher suite priority order change to be completed by May 17th. Keep in mind that while the list of supported cipher suites and their priority order may still be updated later, we don’t expect this to happen frequently.
This feature is currently still only available to Premium App Service Plans. We have plans to open this for Basic plans and above in the coming months – stay tuned!
Understanding Impact of Update
The main change that’s happening is that the “TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256” is moving to a lower priority to be consistent with Windows cipher suite ordering. Despite the change with the ordering, the front-end's OS would still pick the most secure cipher suite that is supported by both App Service and the client. In general, we expect this change to be a non-issue for almost all customers. If your clients have a hard dependency on a specific TLS cipher suite being chosen, you may want to review this as soon as possible.
Previous TLS Cipher Suite Priority Order
New TLS Cipher Suite Priority Order
Example Scenario 1
Depending on your app’s configured minimum TLS cipher suite, your app might end up disabling the “TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256” cipher suite (#2 from previous list; #5 from new list) after the cipher suite order update. As an example, if your app’s current configured minimum is set to “TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256” (#5 from previous list; #4 from new list), your web app currently allows client requests that use “TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256”. However, after the update, your app will no longer allow client requests that use the “TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256” cipher suite, because that cipher suite would then rank below the set minimum cipher suite.
Example Scenario 2
If you selected the “TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256” TLS cipher suite (#2 from previous list; #5 from new list) as the minimum, your app would end up enabling more TLS cipher suites after this change. As an example, if your current minimum is set to the said TLS cipher suite, your web app currently allows client requests that use either of the top two TLS cipher suites from the previous list. After the update, your web app will allow client requests that use any of the top five TLS cipher suites from the new list.
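The two scenarios above follow from one rule: a configured minimum allows that suite and every suite ranked above it, so a change in priority order changes the allowed set even though the setting itself is untouched. The following added example (not code from the article or from App Service) models that rule; the two orderings are constructed and abbreviated, with only the positions the article states (ECDSA AES-128-CBC #2 → #5, RSA AES-128-GCM #5 → #4) taken from it, the remaining entries being an assumption, and the TLS 1.3 suites omitted.

```python
# Added example: models how App Service's "Minimum TLS Cipher Suite" setting
# interacts with a change in cipher suite priority order.
from typing import Sequence

# Constructed, abbreviated TLS 1.2 orderings (assumption). Only the positions the
# article states are taken from it: ECDSA AES-128-CBC moves #2 -> #5 and
# RSA AES-128-GCM moves #5 -> #4. TLS 1.3 suites are left out.
PREVIOUS_ORDER = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
]
NEW_ORDER = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
]


def allowed_suites(order: Sequence[str], minimum: str) -> list[str]:
    """Suites the front-end accepts: the minimum plus everything ranked above it."""
    if minimum not in order:
        raise ValueError(f"{minimum} is not in the cipher suite list")
    return list(order[: order.index(minimum) + 1])


def reorder_impact(old: Sequence[str], new: Sequence[str], minimum: str) -> dict[str, list[str]]:
    """Suites that stop ('disabled') or start ('enabled') being accepted after a reorder."""
    before = set(allowed_suites(old, minimum))
    after = set(allowed_suites(new, minimum))
    return {
        "disabled": [s for s in old if s in before - after],
        "enabled": [s for s in new if s in after - before],
    }


if __name__ == "__main__":
    for minimum in ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",    # scenario 1
                    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"):  # scenario 2
        print(minimum, reorder_impact(PREVIOUS_ORDER, NEW_ORDER, minimum))
```

Run it against your app's actual configured minimum and the current published lists to see which suites change status before the ordering update lands.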
TLS 1.3 Cipher Suites
As mentioned in the previous section of this article, with the new support of TLS 1.3, we will be supporting two new TLS 1.3 cipher suites. You can reference the complete list of cipher suites below which will include TLS 1.3 cipher suites along with the newest update of cipher suite ordering as mentioned earlier in this section. This order will start from the strongest cipher suite on the list down to the weakest one.
Min TLS Cipher Suites with App Service Environment (ASE) Cluster Setting “FrontEndSSLCipherSuiteOrder”
If your App Service Environment (ASE) already has cluster setting “FrontEndSSLCipherSuiteOrder” configured, it is not recommended to also enable min TLS cipher suite for your web app. Doing so could lead to issues with conflicting cipher suites between the two configurations. You should only configure one or the other.
End-to-end (E2E) TLS Encryption (Preview)
In a previous article about the E2E TLS Encryption (Preview) feature, we mentioned that this feature is only supported on Linux multi-tenant web apps. We are excited to announce that this feature is now available for Windows multi-tenant web apps as well! It is available to Standard App Service Plans and above.
As a quick refresher, without E2E TLS encryption, incoming HTTPS requests would have TLS terminated on our front-ends and continue as HTTP to the workers running the application workloads. Once you enable this feature, front-end intra-cluster traffic between App Service front-ends and the workers running application workloads would now be encrypted. Below is a simple diagram to help you understand how the feature works.
Configuring E2E TLS Encryption (Preview)
Azure Portal
Sample API Call
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}?api-version=2022-03-01
{
    "location": "<region>",
    "properties": {
        "endToEndEncryptionEnabled": true
    }
}
Conclusion
This wraps up all the latest for the App Service TLS feature area. Don't forget that Build 2024 is happening next week; catch all the other announcements for our other features/areas there!