Post

Azure Support for TLS 1.0 and TLS 1.1 is Ending

Posted Updated
By The Azure Guys
2 min read

Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL), is the standard security technology for establishing an encrypted link between a web server and a client, like a web browser. This link ensures that all data passed between the server and the client remain private and encrypted.

To enhance security and provide best-in-class encryption for your data, Microsoft require interactions with Azure services to be secured using Transport Layer Security (TLS) 1.2 or later beginning 31 October 2024, when support for TLS 1.0 and 1.1 will end.

The Microsoft implementation of older TLS versions is not known to be vulnerable, however, TLS 1.2 and later offer improved security with features such as perfect forward secrecy and stronger cipher suites.

To avoid potential service disruptions, confirm that your resources that interact with Azure services are using TLS 1.2 or later. Then:

  • If they’re already exclusively using TLS 1.2 or later, you don’t need to take further action.
  • If they still have a dependency on TLS 1.0 or 1.1, transition them to TLS 1.2 or later by 31 October 2024.

Common Resources that use TLS

Azure App Services

Transport Layer Security (TLS) is a widely adopted security protocol designed to secure connections and communications between servers and clients. App Service allows customers to use TLS/SSL certificates to secure incoming requests to their web apps. App Service currently supports different set of TLS features for customers to secure their web apps.

While App Services support TLS versions 1.0, 1.1, 1.2, and 1.3, the minimum default is set to use TLS 1.2. So there should be nothing to worry about here unless you have customized the App Service to use 1.0 or 1.1.

Azure App Service TLS overview.

Azure Application Gateways

You can use Azure Application Gateway to centralize TLS/SSL certificate management and reduce encryption and decryption overhead from a backend server farm. This centralized TLS handling also lets you specify a central TLS policy that’s suited to your organizational security requirements. This helps you meet compliance requirements as well as security guidelines and recommended practices.

The TLS policy includes control of the TLS protocol version as well as the cipher suites and the order in which ciphers are used during a TLS handshake. Application Gateway offers two mechanisms for controlling TLS policy. You can use either a predefined policy or a custom policy.

Similarly to App Serivces, AppGW’s support TLS versions 1.0, 1.1, 1.2, and 1.3 and again use 1.3 by default. Custom policies can be applied to use other versions.

Application Gateway TLS policy overview.

Azure Front Door

Azure Front Door supports four versions of the TLS protocol: TLS versions 1.0, 1.1, 1.2 and 1.3. All Azure Front Door profiles created after September 2019 use TLS 1.2 as the default minimum with TLS 1.3 enabled, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility.

Although Azure Front Door supports TLS 1.2, which introduced client/mutual authentication in RFC 5246, currently, Azure Front Door doesn’t support client/mutual authentication (mTLS) yet.

While AFD currently supports TLS 1.0 and 1.1, that support will end by the 1st December 2024.

End-to-end TLS with Azure Front Door.

Azure, Network, TLS
azure tls ciphers transport layer security
This post is licensed under CC BY 4.0 by the author.