Azure WAF gets SSLLABS B rating even after disabling TLS 1.0 and 1.1

I have set up an Azure Application Gateway and WAF, and set DisabledSslProtocols to disable TLSv1_0 & TLSv1_1.

Unfortunately, even after these steps the SSL Labs SSL test (https://www.ssllabs.com/ssltest) gives a B rating, the reason being "This server supports weak Diffie-Hellman (DH) key exchange parameters.". This is disappointing, as previously we were able to configure an A+ rating on Windows Server 2016 itself, but it seems that by using the WAF we have to revert to a less secure TLS configuration.

Is there any way this can be changed in the WAF? I have the feeling not, as disabling TLS protocols seems to be the only option available. If so, are there plans to improve this in the future? Getting an A+ rating on SSL Labs is really important to us.

2 Replies

Since posting this query last month, we are now back to getting an A+ rating on the SSL Labs report.

Did something change in recent weeks to cause this? Were the weak DH key exchange parameters removed? Either way it's a positive outcome; I'm just wondering if anyone can point me at release notes or something for my own peace of mind.

As of April 2019, App Gateways have a few predefined SSL Policies:

  • AppGwSslPolicy20150501
  • AppGwSslPolicy20170401
  • AppGwSslPolicy20170401S

The older 2015 policy gets a B on SSL Labs tests due to the weak Diffie-Hellman parameters like you were seeing. However, that's the only policy that supports TLS v1.0. The newer policies are TLS v1.1+ and TLS v1.2+ respectively, but should get an A on SSL Labs.

If you can drop support for TLS v1.0, you can use the newer policies. Otherwise, you'll have to live with a B or create a custom policy without the TLS_DHE_RSA_WITH_AES* ciphers. I don't see any way to manually set the DH parameters.
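The two options the reply describes, switching to a newer predefined policy or building a custom policy that drops the DHE suites, look like this with the Az PowerShell module. This is an added example, not code from the thread or from Microsoft's documentation; the resource group name, gateway name and the chosen ECDHE cipher list are assumptions, and the script applies the predefined policy only when you leave the `$UseCustomPolicy` switch off.

```powershell
# Added example (assumed names): harden the TLS policy of an existing
# Application Gateway so that no TLS_DHE_RSA_WITH_AES* suite is offered.
$ResourceGroup   = 'rg-placeholder'       # assumption: your resource group
$GatewayName     = 'appgw-placeholder'    # assumption: your gateway name
$UseCustomPolicy = $false                 # $true -> custom policy, $false -> predefined

# List the predefined policies and cipher suites the platform currently offers,
# so the names used below can be checked against what the region supports.
$available = Get-AzApplicationGatewayAvailableSslOptions
$available.PredefinedPolicies | Select-Object -ExpandProperty Name

$gw = Get-AzApplicationGateway -Name $GatewayName -ResourceGroupName $ResourceGroup

if (-not $UseCustomPolicy) {
    # Option 1 from the reply: the 2017 "S" policy is TLS 1.2+ and, unlike the
    # 2015 policy, does not carry the weak-DH suites that trigger the B rating.
    $gw = Set-AzApplicationGatewaySslPolicy -ApplicationGateway $gw `
            -PolicyType Predefined `
            -PolicyName AppGwSslPolicy20170401S
}
else {
    # Option 2 from the reply: a custom policy with only ECDHE key exchange.
    # Assumed list; every name here must appear in $available.AvailableCipherSuites.
    $ecdheOnly = @(
        'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
        'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
        'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
        'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'
    )
    $gw = Set-AzApplicationGatewaySslPolicy -ApplicationGateway $gw `
            -PolicyType Custom `
            -MinProtocolVersion TLSv1_2 `
            -CipherSuite $ecdheOnly
}

# Commit the change to Azure (this is the call that actually updates the gateway).
$gw = Set-AzApplicationGateway -ApplicationGateway $gw

# Verification: re-read the effective policy and flag any DHE suite that survived.
# For a predefined policy the CipherSuites property may be empty; in that case the
# guarantee comes from the policy name itself, which is why both are printed.
$policy = Get-AzApplicationGatewaySslPolicy -ApplicationGateway $gw
"PolicyType: $($policy.PolicyType)  PolicyName: $($policy.PolicyName)  MinProtocol: $($policy.MinProtocolVersion)"
$leftoverDhe = @($policy.CipherSuites | Where-Object { $_ -like 'TLS_DHE_RSA_WITH_AES*' })
if ($leftoverDhe.Count -gt 0) {
    Write-Warning "DHE suites still enabled: $($leftoverDhe -join ', ')"
}
else {
    'No TLS_DHE_RSA_WITH_AES* suites are offered by this policy.'
}
```

After the update propagates, re-run the SSL Labs test against the gateway's public hostname; the "weak Diffie-Hellman" finding should disappear because no suite that uses finite-field DH is negotiable any more, which is the same effect the reply describes for the newer predefined policies.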