Web App does not use the latest version of TLS encryption

ID

app_service_minimum_tls_version

Severity

low

Vendor

Azure

Resource

App Service

Tags

reachable

Description

App Service should use at least TLS 1.2.

Transport Layer Security is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.

TLS 1.0 is a security protocol first defined in 1999 for establishing encryption channels over computer networks. Evolving regulatory requirements as well as new security vulnerabilities in TLS 1.0 provide corporations with the incentive to disable TLS 1.0 entirely.

Microsoft recommends that customers disable TLS 1.0 and use TLS 1.2 instead.

Examples

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2018-11-01",
      "name": "bad",
      "location": "[parameters('location')]",
      "kind": "app",
      "properties": {
        "siteConfig": {
          "http20Enabled": true,
          "minTlsVersion": "1.0"
        }
      }
    }
  ]
}

The "bad" resource sets minTlsVersion to 1.0, so the App Service accepts an insecure version of TLS.

Terraform

resource "azurerm_app_service" "bad" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id
  site_config {
    min_tls_version = "1.1" # Insecure
  }
}

The "bad" resource sets min_tls_version to 1.1, so the App Service accepts an insecure version of TLS.

Mitigation / Fix

Buildtime

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2018-11-01",
      "name": "good",
      "location": "[parameters('location')]",
      "kind": "app",
      "properties": {
        "siteConfig": {
          "http20Enabled": true,
          "minTlsVersion": "1.2"
        }
      }
    }
  ]
}

The "good" resource sets minTlsVersion to 1.2, so the App Service requires TLS 1.2 or newer.

Terraform

resource "azurerm_app_service" "good" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id
  site_config {
    min_tls_version = "1.2" # Fixed
  }
}
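A buildtime check that implements this rule, added here as an example and not part of the original page or of any scanner's code: it walks an ARM template, finds Microsoft.Web/sites (and Microsoft.Web/sites/config) resources, and reports those whose minTlsVersion is below 1.2. The embedded template, the UNSET status for an omitted property, and the helper names are this example's own assumptions.

```python
import json

# Constructed ARM template for this example (mirrors the page's "bad" and "good" sites,
# plus one site that omits minTlsVersion and one that sets it through a sites/config child).
TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {"type": "Microsoft.Web/sites", "apiVersion": "2018-11-01", "name": "bad",
     "properties": {"siteConfig": {"minTlsVersion": "1.0"}}},
    {"type": "Microsoft.Web/sites", "apiVersion": "2018-11-01", "name": "good",
     "properties": {"siteConfig": {"minTlsVersion": "1.2"}}},
    {"type": "Microsoft.Web/sites", "apiVersion": "2018-11-01", "name": "unset",
     "properties": {}},
    {"type": "Microsoft.Web/sites/config", "apiVersion": "2018-11-01", "name": "legacy/web",
     "properties": {"minTlsVersion": "1.1"}}
  ]
}
""")

REQUIRED = (1, 2)  # minimum acceptable TLS version, as a comparable tuple


def parse_tls_version(value):
    """Turn a string such as '1.2' into (1, 2); return None for malformed values."""
    try:
        major, minor = str(value).split(".")
        return (int(major), int(minor))
    except ValueError:
        return None


def check_resource(resource):
    """Return (name, status, raw_value) for one App Service or its sites/config child."""
    props = resource.get("properties") or {}
    # For sites/config the TLS setting sits directly in properties; for sites it is under siteConfig.
    site_config = props if resource.get("type") == "Microsoft.Web/sites/config" else (props.get("siteConfig") or {})
    raw = site_config.get("minTlsVersion")
    if raw is None:
        # Assumption: report an omitted value as UNSET so the setting is made explicit
        # rather than relying on the platform default.
        return (resource["name"], "UNSET", None)
    version = parse_tls_version(raw)
    if version is None or version < REQUIRED:
        return (resource["name"], "FAIL", raw)
    return (resource["name"], "PASS", raw)


def scan_template(template):
    """Apply check_resource to every App Service-related resource in an ARM template."""
    wanted = {"Microsoft.Web/sites", "Microsoft.Web/sites/config"}
    return [check_resource(r) for r in template.get("resources", []) if r.get("type") in wanted]


if __name__ == "__main__":
    for name, status, version in scan_template(TEMPLATE):
        print(f"{status:5} {name} minTlsVersion={version}")
```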

Runtime

Azure Portal

To change the setting, log in to the Azure Portal and then:

  • Navigate to App Services and, for each app, select the app.

  • Navigate to the Settings section.

  • Click SSL settings.

  • Navigate to the Protocol Settings section.

  • Set Minimum TLS Version to 1.2.

CLI Command

  • To set the minimum TLS version for an existing app, use the following command:

$ az webapp config set \
    --resource-group <resource group name> \
    --name <app name> \
    --min-tls-version 1.2