Azure Cache for Redis TLS versions
Published Aug 07 2020 10:37 AM
Microsoft
Scenario:

Transport Layer Security (TLS) and its deprecated predecessor Secure Sockets Layer (SSL) are cryptographic protocols designed to provide communications security over a computer network. Several SSL/TLS versions are available, and each newer version was created to fix security issues found in the previous ones.

It's important to use the latest TLS version to make sure you have a secure way of exchanging keys, encrypting data and authenticating message integrity throughout all communications.


In September 2023, Microsoft announced the retirement of TLS 1.0/1.1 as an option for the MinimumTLSVersion setting of the Azure Cache for Redis service. Starting on March 1, 2024, newly created caches support only TLS 1.2; existing caches won't be updated at this point, and client applications can still use the Azure portal or other management APIs to change the minimum TLS version to 1.0 or 1.1 for backward compatibility on existing caches. On October 1, 2024, the TLS 1.2 requirement will be enforced: client applications that don't support TLS 1.2 will not be able to connect to the Redis service.


As part of this change, Azure Cache for Redis will also remove support for older cipher suites that aren't secure. The supported cipher suites will be restricted to the following when the cache is configured with a minimum TLS version of 1.2:

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256

 

As part of this effort, the following changes can be expected in Azure Cache for Redis:

  • Phase 1: Azure Cache for Redis stops offering TLS 1.0/1.1 as an option for the MinimumTLSVersion setting for newly created caches. Existing cache instances won't be updated at this point. You can still use the Azure portal or other management APIs to change the minimum TLS version to 1.0 or 1.1 for backward compatibility.
  • Phase 2: Azure Cache for Redis stops supporting TLS 1.1 and TLS 1.0 starting October 1, 2024. After this change, your application must use TLS 1.2 or later to communicate with your cache. The Azure Cache for Redis service will remain available while we update the MinimumTLSVersion for all caches to 1.2.

 

Important dates:

Date                Description
September 2023      TLS 1.0/1.1 retirement announcement
March 1, 2024       Beginning March 1, 2024, you will not be able to set the minimum TLS version for any cache to 1.0 or 1.1. Existing cache instances won't be updated at this point.
September 30, 2024  Ensure that all your applications connect to Azure Cache for Redis using TLS 1.2 and that the minimum TLS version in your cache settings is set to 1.2.
October 1, 2024     Minimum TLS version for all cache instances is updated to 1.2. This means Azure Cache for Redis instances will reject connections using TLS 1.0 or 1.1.

Important: 

This change does not apply to Azure Cache for Redis Enterprise/Enterprise Flash because the Enterprise tiers only support TLS 1.2.

 

Actions:

Because the client and server must support a common SSL/TLS version, the client application will be required to use TLS 1.2 or later to communicate with your cache.

 

1. Changing client application to use TLS 1.2

In StackExchange.Redis and in most other client libraries you may need to change your connection string to add the ssl=true and sslprotocols=tls12 parameters, but the exact change differs between client libraries, and other changes may be needed as well.

You can follow the documentation Configure your application to use TLS 1.2 to verify which changes are needed, and whether other client environment changes are required, to use the latest TLS version in your client application. It covers the following clients:

  • .NET Framework: StackExchange.Redis, ServiceStack.Redis
  • .NET Core: all .NET Core clients
  • Java: Jedis, Lettuce, and Redisson
  • Node.js: Node Redis, IORedis
  • PHP: Predis, PhpRedis
  • Python: Redis-py
  • Go: Redigo
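As an added example (not code from the original post or from any of the client libraries above), the following Python script audits the StackExchange.Redis-style connection string discussed in this step (host:port,ssl=true,sslprotocols=tls12,...) and reports what still blocks a move to TLS 1.2: missing ssl=true, the non-TLS port 6379, an unpinned sslprotocols value, or a legacy protocol still allowed. The option names are the StackExchange.Redis configuration option names; the connection strings in the script are constructed samples, and the redis-py helper assumes that redis-py 5.x accepts an ssl_min_version argument, which you should confirm against the version you use.

```python
"""Audit Redis client connection settings for the TLS 1.2 requirement.

Added example; not code from the original post or from StackExchange.Redis.
It parses a StackExchange.Redis-style connection string
(host:port,ssl=true,sslprotocols=tls12,...) and lists what a migration to
TLS 1.2 still needs. Option names follow StackExchange.Redis configuration
options; all sample connection strings below are constructed.
"""
import ssl
from dataclasses import dataclass, field

TLS_PORT = 6380        # Azure Cache for Redis TLS port
NON_TLS_PORT = 6379    # plain-text Redis port (StackExchange.Redis default)
# .NET SslProtocols flag names below TLS 1.2
LEGACY_PROTOCOLS = {"ssl2", "ssl3", "tls", "tls11"}


@dataclass
class Finding:
    host: str
    port: int
    issues: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.issues


def parse_connection_string(conn: str) -> tuple:
    """Split 'host[:port],key=value,...' into (host, port, options).

    Option names are compared case-insensitively, as StackExchange.Redis does;
    a missing port falls back to the non-TLS default 6379.
    """
    parts = [p.strip() for p in conn.split(",") if p.strip()]
    host, _, port = parts[0].partition(":")
    options = {}
    for item in parts[1:]:
        key, _, value = item.partition("=")
        options[key.strip().lower()] = value.strip()
    return host, int(port) if port else NON_TLS_PORT, options


def audit(conn: str) -> Finding:
    """Report every setting that would keep this client off TLS 1.2."""
    host, port, opts = parse_connection_string(conn)
    finding = Finding(host, port)
    if opts.get("ssl", "false").lower() != "true":
        finding.issues.append("ssl=true missing: connection is plain text")
    if port == NON_TLS_PORT:
        finding.issues.append(f"port {NON_TLS_PORT} is the non-TLS port; use {TLS_PORT}")
    # sslprotocols is a flags value; StackExchange.Redis separates entries with '|'
    protocols = {p.strip().lower()
                 for p in opts.get("sslprotocols", "").split("|") if p.strip()}
    if not protocols:
        finding.issues.append("sslprotocols not pinned; set sslprotocols=tls12")
    legacy = sorted(protocols & LEGACY_PROTOCOLS)
    if legacy:
        finding.issues.append(f"legacy protocol(s) allowed: {legacy}")
    return finding


def redis_py_tls_kwargs(host: str) -> dict:
    """Keyword arguments for redis-py's Redis() that force TLS 1.2 or later.

    Assumption: redis-py 5.x accepts ssl_min_version; confirm against the
    version you ship before relying on it.
    """
    return {
        "host": host,
        "port": TLS_PORT,
        "ssl": True,
        "ssl_cert_reqs": "required",
        "ssl_min_version": ssl.TLSVersion.TLSv1_2,
    }


if __name__ == "__main__":
    # Constructed samples: a legacy configuration and its corrected form
    for sample in (
        "mycache.redis.cache.windows.net:6379,abortConnect=false",
        "mycache.redis.cache.windows.net:6380,ssl=true,sslprotocols=tls12,abortConnect=false",
    ):
        result = audit(sample)
        print(sample, "->", "OK" if result.ok else result.issues)
```

Run it over the connection strings in your configuration inventory; a string that pins sslprotocols=tls11|tls12 is flagged for the tls11 entry even though it also allows TLS 1.2, because the remaining legacy entry is what the October 1, 2024 enforcement will break.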


2. Changing Redis Minimum TLS version on Azure side

To disable old TLS versions on your Azure Redis instance, change the minimum TLS version to 1.2.

This may take some minutes to be applied; you can use the PowerShell script in section 3 to make sure the change has been applied.

 

- Using Azure Portal :

- On Azure Portal, on your Azure Redis blade, choose Advanced Settings

- Change the minimum TLS Version to 1.2

- Save the changes

 

[Image: ChangingRedisTLSversion.png]


- Using PowerShell

You can do the same using PowerShell. You need the Az.RedisCache module installed before running the command:

Set-AzRedisCache -Name <YourRedisName> -MinimumTlsVersion "1.2"

 

- Using CLI

Using the CLI, --minimum-tls-version is available only at Redis creation time; changing minimum-tls-version on an existing Azure Redis instance is not supported.


3. Check TLS versions supported by Redis endpoint

You can use this PowerShell script to verify what TLS versions are supported by your Azure Cache for Redis endpoint.

If your Redis instance has VNET integration implemented, you may need to run this PowerShell script from a VM inside your VNET to have access to the Azure Redis instance:

param(
    [Parameter(Mandatory=$true)]
    [string]$redisCacheName,
    [Parameter(Mandatory=$false)]
    [string]$dnsSuffix = ".redis.cache.windows.net",
    [Parameter(Mandatory=$false)]
    [int]$connectionPort = 6380,
    [Parameter(Mandatory=$false)]
    [int]$timeoutMS = 2000
)
$redisEndpoint = "$redisCacheName$dnsSuffix"
# One handshake attempt per protocol version, offering only that version
$protocols = @(
    [System.Security.Authentication.SslProtocols]::Tls,
    [System.Security.Authentication.SslProtocols]::Tls11,
    [System.Security.Authentication.SslProtocols]::Tls12
)
$protocols | ForEach-Object {
    $ver = $_
    $sslStream = $null
    # TcpClient throws on a failed connect (it never returns $null), so the
    # TCP connection is guarded by try/catch instead of a null check
    try
    {
        $tcpClientSocket = New-Object Net.Sockets.TcpClient($redisEndpoint, $connectionPort)
    }
    catch
    {
        Write-Error "$ver - Error opening connection: port $connectionPort on $redisEndpoint unreachable ($($_.Exception.Message))"
        exit 1
    }
    try
    {
        $tcpstream = $tcpClientSocket.GetStream()
        $sslStream = New-Object System.Net.Security.SslStream($tcpstream, $false)
        $sslStream.ReadTimeout = $timeoutMS
        $sslStream.WriteTimeout = $timeoutMS
        # A server that refuses the offered version fails the handshake here
        $sslStream.AuthenticateAsClient($redisEndpoint, $null, $ver, $false)
        Write-Host "$ver Enabled"
    }
    catch [System.Security.Authentication.AuthenticationException]
    {
        Write-Host "$ver Disabled"
    }
    catch [System.IO.IOException]
    {
        Write-Host "$ver Disabled"
    }
    catch
    {
        Write-Error "Unexpected exception $_"
    }
    finally
    {
        # Release the streams so each version gets a fresh connection
        if ($sslStream) { $sslStream.Dispose() }
        $tcpClientSocket.Dispose()
    }
}
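The same check as an added Python example (a counterpart of the PowerShell probe above, not the post's own script, for hosts where PowerShell is not available). Each TLS version is pinned as both minimum and maximum of a client context and offered in its own handshake. Beyond what the script above does, it separates a version the probing host itself cannot offer (an OpenSSL build that refuses TLS 1.0/1.1 at its security level) from a version the server has disabled, so the probe is not fooled by a hardened jump host. The DNS suffix matches the post; the host name is supplied on the command line, and the constructed result dictionaries in the test describe expected outcomes rather than a real cache.

```python
"""Probe which TLS versions a Redis TLS endpoint accepts.

Added example; a Python counterpart of the post's PowerShell probe, not the
post's own script. Each version is offered in its own handshake, pinned as
both minimum and maximum, and classified as enabled, disabled, unreachable
or 'client cannot offer'. The last case covers a probing host whose OpenSSL
build refuses to speak TLS 1.0/1.1 at all, which would otherwise be misread
as the server having disabled them. The server certificate is still
verified against the system trust store.
"""
import socket
import ssl

VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
}
ENABLED = "enabled"
DISABLED = "disabled"
CANNOT_OFFER = "client cannot offer"
UNREACHABLE = "unreachable"


def make_pinned_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context that offers exactly one protocol version."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe_version(host: str, port: int, version: ssl.TLSVersion,
                  timeout: float = 2.0) -> str:
    """Attempt one handshake with `version` and classify the outcome."""
    try:
        ctx = make_pinned_context(version)
    except (ValueError, ssl.SSLError):
        return CANNOT_OFFER            # OpenSSL built without this version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            # wrap_socket performs the handshake before returning
            with ctx.wrap_socket(sock, server_hostname=host):
                return ENABLED
    except ssl.SSLError as exc:
        # OpenSSL security level refused to offer the version: our side
        # declined, not the server's
        if "NO_PROTOCOLS_AVAILABLE" in str(exc.reason or ""):
            return CANNOT_OFFER
        return DISABLED
    except OSError:
        return UNREACHABLE             # TCP connect failed or timed out


def probe_all(host: str, port: int = 6380) -> dict:
    """Probe every version in VERSIONS against host:port."""
    return {name: probe_version(host, port, ver) for name, ver in VERSIONS.items()}


def is_tls12_only(results: dict) -> bool:
    """True when TLS 1.2 succeeded and neither TLS 1.0 nor 1.1 did, which is
    the state the October 1, 2024 enforcement requires."""
    return (results.get("TLS 1.2") == ENABLED
            and all(results.get(v) != ENABLED for v in ("TLS 1.0", "TLS 1.1")))


if __name__ == "__main__":
    import sys
    cache = sys.argv[1] if len(sys.argv) > 1 else "<YourRedisName>"
    report = probe_all(f"{cache}.redis.cache.windows.net")
    for name, state in report.items():
        print(f"{name}: {state}")
    print("TLS 1.2 only:", is_tls12_only(report))
```

Run it as python probe.py YourRedisName from a host that can reach the cache (inside the VNET where VNET integration is used). A "client cannot offer" result for TLS 1.0 or 1.1 means the probing host could not test that version; repeat from a host with a permissive OpenSSL security level before concluding the server has disabled it.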

 

Conclusion:

Due to the TLS 1.0/1.1 retirement for the Azure Cache for Redis service, all client applications that use TLS 1.0/1.1 should be updated to use TLS 1.2 and the secure cipher suites TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256.
This change on the client side should be completed as soon as possible, and before October 1, 2024.
Azure Cache for Redis instances will reject connections using TLS 1.0 or 1.1 after that date.


Related documentation:

Remove TLS 1.0 and 1.1 from use with Azure Cache for Redis
Check whether your application is already compliant

PowerShell Az.RedisCache module

CLI Az Redis Create command

TLS security blog

 

I hope this can be useful !!!

 

 

Last update: Nov 13 2023 09:22 AM