Azure Web Application Gateway (WAF) Cipher Suites


Hello,

I've installed an SSL certificate on Azure WAF. After a quick test on ssllabs, we've got a grade of B.

Main cause : Server supports weak Diffie-Hellman(DH) key exchange parameters.

After scrolling through the report, in the cipher suites section (TLS1.2), there are certain weak suites that have been pointed out as per the screenshot below [screenshot: ssllabs.PNG]. Is this an issue with my SSL certificate or with the ciphers being used on the WAF?

What can be done to solve the issue?

3 Replies

Application Gateway supports disabling the following protocol versions: TLSv1.0, TLSv1.1, and TLSv1.2.

see step 11 here: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-end-to-end-ssl-powershell
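The reply above points at the PowerShell procedure for disabling protocol versions. The SSL Labs finding in the question ("weak Diffie-Hellman key exchange parameters") is caused by DHE cipher suites rather than by the protocol version alone, so a practitioner would normally apply a custom SSL policy that both raises the minimum protocol and restricts the cipher suite list to ECDHE suites. The following is an added example, not code from the thread or from Microsoft's documentation; it uses the Az.Network cmdlets Get-AzApplicationGateway, Set-AzApplicationGatewaySslPolicy and Set-AzApplicationGateway, and the resource group name, gateway name and the particular cipher suite selection are this example's own assumptions.

```powershell
# Added example (not from the thread): restrict an Azure Application Gateway
# to TLS 1.2 with ECDHE-only cipher suites using Az.Network cmdlets.
# Assumptions (placeholders): resource group "rg-waf-example", gateway "agw-example".
# Requires the Az.Network module and an authenticated session (Connect-AzAccount).

$resourceGroup = "rg-waf-example"   # placeholder, replace with your resource group
$gatewayName   = "agw-example"      # placeholder, replace with your gateway name

$agw = Get-AzApplicationGateway -ResourceGroupName $resourceGroup -Name $gatewayName

# Show the policy currently applied (a predefined policy name or a custom list).
$agw.SslPolicy | Format-List

# Cipher suites chosen for this example: ECDHE key exchange only, so no DHE
# suite (and therefore no DH parameter at all) can be negotiated; AEAD (GCM)
# suites only, which also avoids the CBC-mode suites SSL Labs marks as weak.
$cipherSuites = @(
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
)

# Custom policy: TLS 1.2 minimum (TLS 1.0 and 1.1 disabled) plus the explicit
# suite list. A predefined policy can be used instead, e.g.
#   -PolicyType Predefined -PolicyName AppGwSslPolicy20170401S
Set-AzApplicationGatewaySslPolicy -ApplicationGateway $agw `
    -PolicyType Custom `
    -MinProtocolVersion TLSv1_2 `
    -CipherSuite $cipherSuites | Out-Null

# Push the change; the gateway is updated in place and this can take several minutes.
$agw = Set-AzApplicationGateway -ApplicationGateway $agw

# Verify what was applied and flag any DHE suite or pre-1.2 minimum that remains.
$applied = $agw.SslPolicy
$dhe = $applied.CipherSuites | Where-Object { $_ -like "TLS_DHE_*" }
if ($applied.MinProtocolVersion -ne "TLSv1_2" -or $dhe) {
    Write-Warning "Policy still allows: min=$($applied.MinProtocolVersion) DHE=$($dhe -join ',')"
} else {
    Write-Host "Applied: min=$($applied.MinProtocolVersion), suites=$($applied.CipherSuites -join ', ')"
}
```

After the update completes, re-run the SSL Labs test: with no DHE suite offered the weak-DH finding disappears, and with TLS 1.0/1.1 disabled clients that only speak those versions (the "legacy devices" mentioned later in the thread) will fail to connect, so confirm your client population first.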


Is it best practice to disable TLS?


There are known security risks to leaving it open, so unless you have legacy devices, then yes.