Forum Discussion
Azure WAF gets SSLLABS B rating even after disabling TLS 1.0 and 1.1
Since posting this query last month we are now back to getting an A+ rating on SSL Labs report.
Did something change in recent weeks to cause this? Were the weak DH key exchange parameters removed? Either way it's a positive outcome, just wondering if anyone can point me at release notes or something for my own peace of mind.
- davidfischer, Apr 29, 2019, Copper Contributor
As of April 2019, App Gateways have a few predefined SSL Policies:
- AppGwSslPolicy20150501
- AppGwSslPolicy20170401
- AppGwSslPolicy20170401S
The older 2015 policy gets a B on ssllabs tests due to the weak Diffie-Hellman parameters like you were seeing. However, that's the only policy that supports TLS v1.0. The newer policies are TLS v1.1+ and TLS v1.2+ respectively but should get an A on ssllabs.
If you can drop support for TLS v1.0, you can use the newer policies. Otherwise, you'll have to live with a B or create a custom policy without the TLS_DHE_RSA_WITH_AES* ciphers. I don't see any way to manually set the DH parameters.
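The two options from the reply above, sketched with the Azure CLI as an added example (not code from the thread): switch to a newer predefined policy, or keep TLS v1.0 with a custom policy built from the 2015 suite list minus `TLS_DHE_RSA_WITH_AES*`. It assumes `az` is installed and logged in; the resource group and gateway names are caller-supplied arguments, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Usage: ./appgw-ssl-policy.sh <resource-group> <gateway-name>
# Function names are hypothetical; the resource names come from the caller.

# Read cipher suite names (one per line) and drop the DHE_RSA AES suites.
drop_dhe_rsa_aes() {
  tr -d '\r' | grep -v '^TLS_DHE_RSA_WITH_AES' || true
}

# Print the cipher suites of a predefined policy, one per line.
predefined_suites() {
  az network application-gateway ssl-policy predefined show \
    --name "$1" --query 'cipherSuites' --output tsv
}

# Option 1: TLS v1.0 can be dropped, so use a newer predefined policy.
apply_predefined_policy() {
  az network application-gateway ssl-policy set \
    --resource-group "$1" --gateway-name "$2" \
    --policy-type Predefined --name AppGwSslPolicy20170401S
}

# Option 2: TLS v1.0 must stay, so build a custom policy from the 2015
# suite list with the DHE_RSA AES suites removed.
apply_custom_policy() {
  suites=$(predefined_suites AppGwSslPolicy20150501 | drop_dhe_rsa_aes)
  if [ -z "$suites" ]; then
    echo "no cipher suites left after filtering" >&2
    return 1
  fi
  # $suites is left unquoted on purpose: one argument per suite name.
  # shellcheck disable=SC2086
  az network application-gateway ssl-policy set \
    --resource-group "$1" --gateway-name "$2" \
    --policy-type Custom --min-protocol-version TLSv1_0 \
    --cipher-suites $suites
}

# Runs only when both names are given on the command line.
if [ "$#" -eq 2 ]; then
  apply_custom_policy "$1" "$2"
fi
```

After the change, re-run the SSL Labs test against the listener to confirm the grade.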