Madaan (Wipro), Sanket 26 Reputation points
In the following article there are steps mentioned on how to disable or set your own cipher suite order for your App Service Environment.
https://learn.microsoft.com/en-us/azure/app-service/environment/app-service-app-service-environment-custom-settings#change-tls-cipher-suite-order
But I want to know: if I go ahead with the changes on the App Service Environment, will the change be reflected on every app in that App Service Environment?
If yes, suppose I only put the two ciphers mentioned in the article in cluster settings; these two ciphers are supported by TLS 1.2 only. Does that mean the application only supports TLS 1.2 even if the Minimum TLS Version on TLS Settings is 1.0? Will it cause any problems?
2 answers
Michael Taylor 53,726 Reputation points
2022-10-17T15:46:37.313+00:00
SSL consists of 2 pieces - the protocol being used and the ciphers involved. When a site attempts to connect, it sends along the TLS version and the supported ciphers. The server looks at the supported ciphers and sends back all the ciphers it supports. If there are none, then the SSL connection fails. So if you are using ciphers that are not supported prior to TLS 1.2, then no client using a lesser version will have any ciphers the server allows. Therefore there is no benefit in supporting the earlier protocols.
Most sites only support TLS 1.2 anyway as the earlier protocols are not supported. Therefore I would say support only TLS 1.2 and remove any deprecated ciphers. However, there are more than a couple of ciphers that are still secure. You should enable all the secure ones. The fewer ciphers you support, the more likely you are to have clients that don't support one of your ciphers and therefore fail to connect.
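The interaction discussed above (a two-suite FrontEndSSLCipherSuiteOrder combined with a Minimum TLS Version of 1.0) can be checked with a simplified negotiation model. This is an added example, not part of the original answer and not App Service Environment code; the function names, the suite-name rule in `min_version`, the constructed client offer, and the assumption that the server's highest version is TLS 1.2 are all illustrative.

```python
# Added example: simplified model of TLS version/cipher negotiation.
# Not ASE code; TLS 1.3 (which uses separate suites) is left out.

VERSIONS = ["TLS 1.0", "TLS 1.1", "TLS 1.2"]

# The suite order from the clusterSettings value quoted on this page.
ASE_ORDER = ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256").split(",")


def min_version(suite):
    """GCM (AEAD) and *_SHA256/*_SHA384 suites are defined for TLS 1.2 only."""
    if "_GCM_" in suite or suite.endswith(("_SHA256", "_SHA384")):
        return "TLS 1.2"
    return "TLS 1.0"


def negotiate(server_order, server_min, client_max, client_suites):
    """Return (version, suite), or None when the handshake would fail."""
    if VERSIONS.index(client_max) < VERSIONS.index(server_min):
        return None  # no common protocol version
    version = client_max  # assumption: server's own maximum is TLS 1.2
    for suite in server_order:  # server preference order decides
        usable = VERSIONS.index(min_version(suite)) <= VERSIONS.index(version)
        if suite in client_suites and usable:
            return version, suite
    return None  # no shared suite usable at this version


def effective_versions(server_order, server_min, client_suites):
    """Protocol versions at which a client could actually connect."""
    return [v for v in VERSIONS
            if negotiate(server_order, server_min, v, client_suites)]


# Constructed client offer: the two GCM suites plus one legacy CBC suite.
CLIENT_SUITES = ASE_ORDER + ["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"]

if __name__ == "__main__":
    for v in VERSIONS:
        print(v, "->", negotiate(ASE_ORDER, "TLS 1.0", v, CLIENT_SUITES))
    print(effective_versions(ASE_ORDER, "TLS 1.0", CLIENT_SUITES))
```

With the two-suite order, only TLS 1.2 clients complete the handshake in this model even though the minimum version setting is 1.0.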
SENU DANIEL PHILIP 1 Reputation point
2022-12-01T06:45:15.993+00:00
Does "Allow TLS 1.0 and 1.1" put to "Off" state before implementing

    "clusterSettings": [
        {
            "name": "FrontEndSSLCipherSuiteOrder",
            "value": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
        }
    ],

Secondly, does the ASE need to be restarted to make all the app services effective in the single-tenant isolated ASE?
Michael Taylor 53,726 Reputation points
2022-12-01T14:56:42.267+00:00
I don't understand your first question. If you're asking whether the changes need to be before or after the TLS settings, then it doesn't matter. This is a JSON configuration file. All you're doing is setting the "fields" that control the behavior. The ordering doesn't matter.
As for how long it takes, the docs specify that any configuration changes can take up to 30 minutes * # of apps to take effect after you apply the changes. Furthermore, during this change you cannot make other changes. So this is likely something you'll want to plan for.