Server cipher suites and TLS requirements - Power Platform (2024)

Table of Contents
In this article Why do Dataverse SSL/TLS certificates use wildcard domains? See also FAQs
  • Article

A cipher suite is a set of cryptographic algorithms. This is used to encrypt messages between clients/servers and other servers. Dataverse is using the latest TLS 1.2 cipher suites as approved by Microsoft Crypto Board.

Before a secure connection is established, the protocol and cipher are negotiated between server and client based on availability on both sides.

You can use your on-premises/local servers to integrate with the following Dataverse services:

  1. Syncing emails from your Exchange server.
  2. Running Outbound plug-ins.
  3. Running native/local clients to access your environments.

To comply with our security policy for a secure connection, your server must have the following:

  1. Transport Layer Security (TLS) 1.2 compliance

  2. At least one of the following ciphers:

    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

    See Also
    Why 3DES or Triple DES is Officially Being Retired | Encryption ConsultingHow to Fix ERR_SSL_VERSION_OR_CIPHER_MISMATCH {Easy Way}What is RC4 Encryption? (Working, Usage, Advantages & Disadvantages)How to disable 3DES and RC4 on Windows Server 2019? - Microsoft Q&A

    Important

    Older TLS 1.0 & 1.1 and cipher suites, (for example TLS_RSA) have been deprecated; see the announcement.Your servers must have the above security protocol to continue running the Dataverse services.

    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 may show up as weak when you performed a SSL report test. This is due to known attacks toward OpenSSL implementation. Dataverse uses Windows implementation that is not based on OpenSSL and therefore is not vulnerable.

    You may either upgrade the Windows version or update the Windows TLS registry to make sure that your server endpoint supports one of these ciphers.

    To verify that your server complies with the security protocol, you can perform a test using a TLS cipher and scanner tool:

    1. Test your hostname using SSLLABS, or
    2. Scan your server using NMAP

  3. The following Root CA Certificates installed. Install only those that correspond to your cloud environment.

    For Public/PROD

    Certificate AuthorityExpiry dateSerial Number/ThumbprintDownload
    DigiCert Global Root G2Jan 15 20380x033af1e6a711a9a0bb2864b11d09fae5
    DF3C24F9BFD666761B268073FE06D1CC8D4F82A4    		PEM
    DigiCert Global Root G3Jan 15, 20380x055556bcf25ea43535c3a40fd5ab4572
    7E04DE896A3E666D00E687D33FFAD93BE83D349E    		PEM
    Microsoft ECC Root Certificate Authority 2017Jul 18, 20420x66f23daf87de8bb14aea0c573101c2ec
    999A64C37FF47D9FAB95F14769891460EEC4C3C5    		PEM
    Microsoft RSA Root Certificate Authority 2017Jul 18, 20420x1ed397095fd8b4b347701eaabe7f45b3
    3A5E64A3BFF8316FF0EDCCC618A906E4EAE4D74    		PEM

    For Fairfax/Arlington/US Gov Cloud

    See Also
    Birthday attacks against TLS ciphers with 64bit (Sweet32) - Microsoft Q&A

    Certificate AuthorityExpiry dateSerial Number/ThumbprintDownload
    DigiCert Global Root CANov 10, 20310x083be056904246b1a1756ac95991c74a
    A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436    		PEM
    DigiCert SHA2 Secure Server CASep 22, 20300x02742eaa17ca8e21c717bb1ffcfd0ca0
    626D44E704D1CEABE3BF0D53397464AC8080142C    		PEM
    DigiCert TLS Hybrid ECC SHA384 2020 CA1Sep 22, 20300x0a275fe704d6eecb23d5cd5b4b1a4e04
    51E39A8BDB08878C52D6186588A0FA266A69CF28    		PEM

    For Mooncake/Gallatin/China Gov Cloud

    Certificate AuthorityExpiry dateSerial Number/ThumbprintDownload
    DigiCert Global Root CANov 10, 20310x083be056904246b1a1756ac95991c74a
    A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436    		PEM
    DigiCert Basic RSA CN CA G2Mar 4, 20300x02f7e1f982bad009aff47dc95741b2f6
    4D1FA5D1FB1AC3917C08E43F65015E6AEA571179    		PEM

    Why is this need?

    See TLS 1.2 Standards Documentation - Section 7.4.2 - certificate-list.

Why do Dataverse SSL/TLS certificates use wildcard domains?

Wildcard SSL/TLS certificates are by design since hundreds of organization URLs must be accessible from each host server. SSL/TLS certificates with hundreds of Subject Alternate Names (SANs) have a negative impact on some web clients and browsers. This is an infrastructure constraint based on the nature of a software as a service (SAAS) offering, which hosts multiple customer organizations on a set of shared infrastructure.

See also

Connect to Exchange Server (on-premises)
Dynamics 365 Server-side sync
Exchange server TLS guidance
Cipher Suites in TLS/SSL (Schannel SSP)
Manage Transport Layer Security (TLS)
How to enable TLS 1.2

As a cybersecurity expert with extensive knowledge in cryptographic algorithms and secure communication protocols, I can confidently provide insights into the concepts discussed in the provided article.

Cipher Suites: A cipher suite is a combination of cryptographic algorithms used to secure communication between clients and servers. In the context of the article, Dataverse employs the latest TLS 1.2 cipher suites approved by the Microsoft Crypto Board. These cipher suites play a crucial role in encrypting messages exchanged between servers and clients.

TLS (Transport Layer Security) 1.2: TLS is a protocol that ensures privacy between communicating applications and users on the internet. The article emphasizes the importance of TLS 1.2 compliance for a secure connection. TLS 1.2 is the latest version at the time of the article and is considered more secure than older versions.

Cipher Negotiation: Before establishing a secure connection, the server and client negotiate the protocol and cipher based on availability on both sides. This negotiation process ensures that both parties agree on a set of cryptographic algorithms for secure communication.

Security Policy Requirements: To comply with the security policy for a secure connection with Dataverse services, servers must have TLS 1.2 compliance and support at least one of the specified cipher suites. Older TLS 1.0 and 1.1, as well as deprecated cipher suites like TLS_RSA, are no longer supported.

Cipher Suite Selection: The article lists specific cipher suites that servers must support, including examples like TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384. This selection is critical for maintaining a secure connection.

Vulnerability Considerations: The article addresses concerns about the perceived weakness of certain cipher suites, such as TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384. It clarifies that any weakness observed in SSL reports is due to known attacks towards OpenSSL implementation, and Dataverse uses a Windows implementation that is not vulnerable.

Security Testing: To verify server compliance with the security protocol, the article suggests performing tests using TLS cipher and scanner tools like SSLLABS or NMAP. These tools help assess the security posture of the server and ensure it meets the specified requirements.

Root CA Certificates: The article provides a list of Root CA (Certificate Authority) Certificates that need to be installed based on the cloud environment. This ensures the authenticity of the certificates used in the secure communication process.

Wildcard SSL/TLS Certificates: The article explains the use of wildcard SSL/TLS certificates in Dataverse. These certificates are designed to accommodate multiple organization URLs on a host server without negatively impacting web clients and browsers.

Documentation Reference: The need for the specified security measures is justified by referencing TLS 1.2 Standards Documentation, particularly Section 7.4.2, which likely provides detailed information on certificate lists and their significance.

In conclusion, the article provides a comprehensive overview of the cryptographic and security measures implemented by Dataverse to ensure secure communication, detailing the required protocols, cipher suites, and additional considerations for maintaining a robust security posture.

Server cipher suites and TLS requirements - Power Platform (2024)

FAQs

What is the difference between TLS and cipher suites? ›

In cryptography, a cipher is an algorithm that lays out the general principles of securing a network through TLS (the security protocol used by modern SSL certificates). A cipher suite comprises several ciphers working together, each having a different cryptographic function, such as key generation and authentication.

Read On
How do I enable TLS 1.2 Strong cipher suites? ›

Run a script to enable TLS 1.2 strong cipher suites
  1. Log in to the manager.
  2. Click Administration at the top.
  3. On the left, click Scheduled Tasks.
  4. In the main pane, click New.
  5. The New Scheduled Task Wizard appears.
  6. From the Type drop-down list, select Run Script.
May 8, 2023

Discover More Details
What is the minimum TLS version for PCI DSS? ›

Both TLS 1.0 and TLS 1.1 are insufficient for protecting information due to known vulnerabilities. Specifically for Cloudflare customers, the primary impact of PCI is that TLS 1.0 and TLS 1.1 are insufficient to secure payment card related traffic. PCI standards recommend using TLS 1.2 or higher.

Continue Reading
What are the requirements for TLS? ›

For a website or application to use TLS, it must have a TLS certificate installed on its origin server (the certificate is also known as an "SSL certificate" because of the naming confusion described above). A TLS certificate is issued by a certificate authority to the person or business that owns a domain.

See Details
How do I check my TLS cipher suite? ›

Find the cipher using Chrome
  1. Launch Chrome.
  2. Enter the URL you wish to check in the browser.
  3. Click on the ellipsis located on the top-right in the browser.
  4. Select More tools > Developer tools > Security.
  5. Look for the line "Connection...". This will describe the version of TLS or SSL used.

Find Out More
Which TLS ciphers are recommended? ›

Cipher suites recommendations
Recommended security levelOther settings
ModernEnable TLS 1.3.
CompatibleEnable TLS 1.3.
LegacyEnable TLS 1.3.
Jan 17, 2024

Tell Me More
How do I make sure TLS 1.2 is enabled? ›

Google Chrome
  1. From the Start Menu > Open 'Internet Options' Options > Advanced tab.
  2. Scroll down to the Security category, manually check the option box for Use TLS 1.2 and un-check the option box for Use TLS 1.1 and Use TLS 1.0.
  3. Click OK.
  4. Close your browser and restart Google Chrome.
Oct 21, 2023

Show Me More
How to enable TLS 1.2 on the site servers and remote site systems? ›

How to enable TLS 1.2 on the site servers and remote site systems
  1. Ensure that TLS 1.2 is enabled as a protocol for SChannel at the operating system level.
  2. Update and configure the . NET Framework to support TLS 1.2.
  3. Update SQL Server and client components.
  4. Update Windows Server Update Services (WSUS)

Explore More
What is the vulnerability of TLS 1.2 cipher suites? ›

Forward Secrecy Vulnerability

TLS 1.2 does not enforce Forward Secrecy (it's optional at the server). This means that if someone gains access to the private key that is exchanged in the key exchange, they can use it to decrypt all past and future messages.

Continue Reading
What is the recommended TLS cipher suites NIST? ›

Thus the minimum commonly supported TLS version is 1.1; however, PCI-DSS and NIST strongly suggest the use of the more secure TLS 1.2 (and, as seen above, NIST recommends adoption of TLS 1.3 and plans to require support by 2024).

Show Me More

Does PCI DSS v3 2 require that TLS 1.0 be disabled entirely? ›

PCI DSS v3. 2 requires that TLS 1.0 be disabled entirely by June 30, 2018, except for POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits." synopsis The remote service encrypts traffic using an older version of TLS.

Read The Full Story
What is PCI DSS 5.2 requirement? ›

5.2 Ensure that all anti-virus mechanisms are maintained

Depending on the goal of the system, the right choice should be made what kind of malware is common. This way the right scanner can be selected. Whatever choice is made, PCI DSS requires you to keep it current, meaning that any definitions should be up-to-date.

See Details
What cipher suites does TLS 1.2 support? ›

Supported cipher suites
Cipher nameMinimum protocolCipher suite
ECDHE-ECDSA-AES256-GCM-SHA384TLS 1.2[0xc02c]
ECDHE-ECDSA-AES256-SHA384TLS 1.2[0xc024]
ECDHE-RSA-AES256-GCM-SHA384TLS 1.2[0xc030]
ECDHE-RSA-AES256-SHA384TLS 1.2[0xc028]
19 more rows
Jul 11, 2024

Get More Info Here
What are the 4 protocols in TLS? ›

The TLS and SSL protocols can be divided into two layers. The first layer consists of the application protocol and the three handshaking protocols: the handshake protocol, the change cipher spec protocol, and the alert protocol. The second layer is the record protocol.

Continue Reading
What is the minimum acceptable TLS version? ›

Transport Layer Security (TLS)

Servers shall be configured to accept only approved cipher suites. All unapproved ciphers should be removed from the configuration to prevent their use. For further information, consult NIST SP 800-52,R2. The minimum acceptable version is TLS 1.2, and TLS 1.3 is highly recommended.

View More
What is the difference between TLS and encryption? ›

Understanding the difference between transport-layer encryption and end-to-end encryption. While Transport-layer encryption only delivers encryption between service providers and individual users, end-to-end encryption encrypts communication transmissions directly between users.

View Details
What is the major difference between TLS and SSL? ›

SSL is technology your applications or browsers may have used to create a secure, encrypted communication channel over any network. However, SSL is an older technology that contains some security flaws. Transport Layer Security (TLS) is the upgraded version of SSL that fixes existing SSL vulnerabilities.

See More
What is the difference between TLS and AES encryption? ›

TLS is a set of industry-standard cryptographic protocols used for encrypting information that is exchanged over the network. AES-256 is a 256-bit encryption cipher used for data transmission in TLS. We recommend setting up encryption in transit on every client accessing the file system.

Learn More
Which is a key difference between TLS and IPsec? ›

SSL/TLS VPN products protect application traffic streams from remote users to an SSL/TLS gateway. In other words, IPsec VPNs connect hosts or networks to a protected private network, while SSL/TLS VPNs securely connect a user's application session to services inside a protected network.

Discover More Details
Top Articles
Common Scams | Office of the Attorney General
How Long Does It Take to Mine 1 Bitcoin? [2023]
Toa Guide Osrs
How To Fix Epson Printer Error Code 0x9e
Garrison Blacksmith Bench
Chalupp's Pizza Taos Menu
Lycoming County Docket Sheets
Nestle Paystub
fltimes.com | Finger Lakes Times
Nexus Crossword Puzzle Solver
Bjork & Zhulkie Funeral Home Obituaries
Oro probablemente a duna Playa e nomber Oranjestad un 200 aña pasa, pero Playa su historia ta bay hopi mas aña atras
Craigslist Blackshear Ga
60 X 60 Christmas Tablecloths
Commodore Beach Club Live Cam
Roster Resource Orioles
Lazarillo De Tormes Summary and Study Guide | SuperSummary
Willam Belli's Husband
Tygodnik Polityka - Polityka.pl
Lowes Undermount Kitchen Sinks
Poe Str Stacking
Chase Bank Pensacola Fl
Reviews over Supersaver - Opiness - Spreekt uit ervaring
Strange World Showtimes Near Savoy 16
Tokyo Spa Memphis Reviews
Roanoke Skipthegames Com
27 Modern Dining Room Ideas You'll Want to Try ASAP
Tactical Masters Price Guide
Infinite Campus Asd20
Bfsfcu Truecar
Neteller Kasiinod
Ice Dodo Unblocked 76
James Ingram | Biography, Songs, Hits, & Cause of Death
Tire Pro Candler
Go Smiles Herndon Reviews
Www Craigslist Com Brooklyn
South Bend Tribune Online
How To Upgrade Stamina In Blox Fruits
Colorado Parks And Wildlife Reissue List
Tsbarbiespanishxxl
Random Animal Hybrid Generator Wheel
Quiktrip Maple And West
Ferhnvi
Dontrell Nelson - 2016 - Football - University of Memphis Athletics
Craigslist Pet Phoenix
Bank Of America Appointments Near Me
Www Pig11 Net
Who uses the Fandom Wiki anymore?
Craigslist Pets Lewiston Idaho
Houston Primary Care Byron Ga
Famous Dave's BBQ Catering, BBQ Catering Packages, Handcrafted Catering, Famous Dave's | Famous Dave's BBQ Restaurant
Loss Payee And Lienholder Addresses And Contact Information Updated Daily Free List Bank Of America
Latest Posts
The Full Guide to Day Trading Using MetaTrader 5 (MT5)
How Much RAM Do I Need For Gaming? (8GB vs. 16GB vs. 32GB)
Article information

Author: Eusebia Nader

Last Updated:

Views: 5837

Rating: 5 / 5 (80 voted)

Reviews: 95% of readers found this page helpful

Author information

Name: Eusebia Nader

Birthday: 1994-11-11

Address: Apt. 721 977 Ebert Meadows, Jereville, GA 73618-6603

Phone: +2316203969400

Job: International Farming Consultant

Hobby: Reading, Photography, Shooting, Singing, Magic, Kayaking, Mushroom hunting

Introduction: My name is Eusebia Nader, I am a encouraging, brainy, lively, nice, famous, healthy, clever person who loves writing and wants to share my knowledge and understanding with you.