Azure WAF gets SSLLABS B rating even after disabling TLS 1.0 and 1.1


I have set up an Azure Application Gateway and WAF, and set DisabledSslProtocols to disable TLSv1_0 & TLSv1_1.


Unfortunately, even after these steps the SSL Labs SSL test (https://www.ssllabs.com/ssltest) gives a B rating, the reason being "This server supports weak Diffie-Hellman (DH) key exchange parameters." This is disappointing, as previously we were able to configure an A+ rating on Windows Server 2016 itself, but it seems that by using the WAF we have to revert to a less secure TLS configuration.


Is there any way this can be changed in the WAF? I have the feeling not, as disabling TLS protocols seems to be the only option available. If so, are there plans to improve this in the future? Getting an A+ rating on SSL Labs is really important to us.

2 Replies

Since posting this query last month we are now back to getting an A+ rating on SSL Labs report.


Did something change in recent weeks to cause this? Were the weak DH key exchange parameters removed? Either way it's a positive outcome; I'm just wondering if anyone can point me at release notes or something for my own peace of mind.

As of April 2019, App Gateways have a few predefined SSL Policies:

  • AppGwSslPolicy20150501
  • AppGwSslPolicy20170401
  • AppGwSslPolicy20170401S

The older 2015 policy gets a B on ssllabs tests due to the weak Diffie-Hellman parameters like you were seeing. However, that's the only policy that supports TLS v1.0. The newer policies are TLS v1.1+ and TLS v1.2+ respectively, but should get an A on ssllabs.


If you can drop support for TLS v1.0, you can use the newer policies. Otherwise, you'll have to live with a B or create a custom policy without the TLS_DHE_RSA_WITH_AES* ciphers. I don't see any way to manually set the DH parameters.
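The two fixes described in the answer above (switch to the predefined TLS 1.2+ policy, or build a custom policy with the TLS_DHE_RSA_WITH_AES* suites removed), as an added shell example that is not part of this thread. The resource group and gateway names are placeholders, the candidate suite list is constructed for the example rather than taken from the gateway, and the commands are printed rather than executed so they can be reviewed before running.

```shell
#!/bin/sh
# Added example: derive a DHE-free cipher list and emit the az CLI commands
# that apply either an Application Gateway predefined policy or a custom one.
# Assumptions: "my-rg"/"my-appgw" are placeholders; CANDIDATE_SUITES is a
# constructed list of IANA suite names, not the gateway's authoritative list.

# Candidate suites, constructed for this example (one per line, strongest first).
CANDIDATE_SUITES='TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA'

# Print only the suites that do not use finite-field DHE, space-separated,
# which is the form the az "--cipher-suites" argument takes.
dhe_free_suites() {
    printf '%s\n' "$CANDIDATE_SUITES" | grep -v '^TLS_DHE_' | tr '\n' ' ' | sed 's/ $//'
}

# Custom policy: TLS 1.2 minimum and no DHE suites, so SSL Labs has no
# weak DH parameters to flag. Usage: custom_policy_command <rg> <gateway>
custom_policy_command() {
    rg="$1"; gw="$2"
    printf 'az network application-gateway ssl-policy set --resource-group %s --gateway-name %s --policy-type Custom --min-protocol-version TLSv1_2 --cipher-suites %s\n' \
        "$rg" "$gw" "$(dhe_free_suites)"
}

# Simpler alternative from the answer: the predefined 2017 TLS 1.2+ policy.
predefined_policy_command() {
    rg="$1"; gw="$2"
    printf 'az network application-gateway ssl-policy set --resource-group %s --gateway-name %s --policy-type Predefined --name AppGwSslPolicy20170401S\n' \
        "$rg" "$gw"
}

custom_policy_command my-rg my-appgw
predefined_policy_command my-rg my-appgw
```

After applying either policy, re-run the SSL Labs test to confirm the DH finding is gone; the gateway, not the backend Windows Server, terminates TLS here.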