Customizing Cipher Suites for Azure App Service

Problem

I recently came across an interesting problem. We have a public web app hosted using Azure App Service. We decided to perform penetration/security testing for this app. One issue logged was that the app supports certain weaker cipher suites.

Note that the app already enforces TLS 1.2 and has HTTPS Only enabled (as recommended). We assumed that would suffice, but apparently not!

HTTPS Only, TLS Version Setting for a typical web app

Security testing flagged that it supports weaker cipher suites. The screenshot below shows the results from SSL Labs.

Cipher Suites – before implementing the hack

So how to solve this issue for a web app hosted using Azure App Service?

Does the app service support the customization of the TLS at that level?

Does Azure App Service allow you to pick and choose which cipher suites are allowed and which are not?

The answer is – big fat no. Not yet!

While searching for options, I came across a couple of approaches on various forums.

Option 1 – Application Gateway/Front Door

Deploy your App Service behind an Application Gateway + WAF or Azure Front Door. These components do support customizing the cipher suites. While experts recommend this for public web apps, these services are expensive. It also affects your network topology and architecture, since you need to implement a Virtual Network etc.

Option 2 – Application Service Environment

Deploy your web application in the ASE. ASEs also are notoriously expensive. For a single digit requests/day – we were not looking to invest in this mammoth. It was not justifiable.

Option 3 – The Hack

Finally I came across this solution. It’s a hack, but it gets the job done and is neither expensive nor complex.

So apparently, Azure App Service has a property called minTlsCipherSuite that sets the minimum TLS cipher suite supported. This property is not exposed through the Azure Portal yet, but it can be edited using the Azure Resource Explorer.

The minimum TLS cipher suite feature comes with a pre-determined list of cipher suites that cannot be reordered or reprioritized. Since the service already uses the ideal priority order, reprioritizing the cipher suite order is not recommended.

Reordering could leave the web app exposed if weaker cipher suites were prioritized over stronger ones. Also, one cannot add newer or different cipher suites to the list of supported cipher suites. When a minimum cipher suite is selected, all the cipher suites that are less secure than the selected minimum are disabled for the web app. There is no support for exceptions, i.e. disabling only some of the cipher suites that are weaker than the selected minimum.

Resource Explorer View

I issued a PATCH request and updated minTlsCipherSuite to TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA. This means the app service will support this suite as the minimum, and the OpenSSL test came back with fewer weak cipher suites.

Cipher Suites – after implementing the hack

Important Note: Standard App Service SKUs do not support this operation. You need an App Service Premium SKU.
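For anyone who prefers to script the PATCH and then verify the result rather than clicking through Resource Explorer, the following is an added example (my own illustration, not code from the original post or from Microsoft). It assumes the Azure CLI is logged in, that the subscription id, resource group and site name are placeholders you replace, and that api-version 2022-03-01 of the Microsoft.Web provider accepts properties.minTlsCipherSuite (an assumption; use whichever api-version your tenant exposes). The probe part uses openssl s_client to check, suite by suite, which of the RSA-authenticated suites the site still accepts; suites without forward secrecy (static RSA key exchange) are the ones expected to disappear once the minimum is raised to an ECDHE suite.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Assumptions: "az" is logged in; sub/rg/site values are placeholders;
# api-version 2022-03-01 accepts properties.minTlsCipherSuite.
set -eu

# JSON body for the PATCH against .../sites/<site>/config/web
build_min_tls_body() {
  printf '{"properties":{"minTlsCipherSuite":"%s"}}' "$1"
}

# Apply the minimum cipher suite via ARM. Nothing contacts Azure until
# this function is called explicitly.
apply_min_tls_cipher() {
  sub="$1"; rg="$2"; site="$3"; suite="$4"
  az rest --method patch \
    --uri "https://management.azure.com/subscriptions/${sub}/resourceGroups/${rg}/providers/Microsoft.Web/sites/${site}/config/web?api-version=2022-03-01" \
    --body "$(build_min_tls_body "$suite")"
}

# IANA suite name -> OpenSSL name understood by "openssl s_client -cipher"
# (RSA-authenticated TLS 1.2 suites only, which is what an App Service
# certificate negotiates).
iana_to_openssl() {
  case "$1" in
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) echo ECDHE-RSA-AES256-GCM-SHA384 ;;
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) echo ECDHE-RSA-AES128-GCM-SHA256 ;;
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) echo ECDHE-RSA-AES256-SHA384 ;;
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) echo ECDHE-RSA-AES128-SHA256 ;;
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA)    echo ECDHE-RSA-AES256-SHA ;;
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)    echo ECDHE-RSA-AES128-SHA ;;
    TLS_RSA_WITH_AES_256_GCM_SHA384)       echo AES256-GCM-SHA384 ;;
    TLS_RSA_WITH_AES_128_GCM_SHA256)       echo AES128-GCM-SHA256 ;;
    TLS_RSA_WITH_AES_256_CBC_SHA256)       echo AES256-SHA256 ;;
    TLS_RSA_WITH_AES_128_CBC_SHA256)       echo AES128-SHA256 ;;
    TLS_RSA_WITH_AES_256_CBC_SHA)          echo AES256-SHA ;;
    TLS_RSA_WITH_AES_128_CBC_SHA)          echo AES128-SHA ;;
    *) return 1 ;;
  esac
}

# Forward secrecy = ephemeral (ECDHE) key exchange. TLS_RSA_* suites use
# static RSA key exchange and are the "weak" ones the scan complained about.
has_forward_secrecy() {
  case "$1" in
    TLS_ECDHE_*) return 0 ;;
    *) return 1 ;;
  esac
}

# Offer the server exactly one suite per handshake and report the outcome.
# openssl s_client exits non-zero when the handshake fails.
probe_ciphers() {
  host="$1"; shift
  for suite in "$@"; do
    ossl="$(iana_to_openssl "$suite")" || { echo "$suite unknown"; continue; }
    if openssl s_client -connect "${host}:443" -servername "$host" \
         -tls1_2 -cipher "$ossl" </dev/null >/dev/null 2>&1; then
      echo "$suite accepted"
    else
      echo "$suite refused"
    fi
  done
}

# Usage (placeholders):
#   apply_min_tls_cipher "<subscription-id>" "<resource-group>" "<site-name>" TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
#   probe_ciphers "<site-name>.azurewebsites.net" TLS_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
```

After the PATCH, the probe should show every TLS_RSA_* suite as refused and the ECDHE suites at or above the chosen minimum as accepted; if a TLS_RSA_* suite is still accepted, check that the app runs on a Premium SKU and that the PATCH actually returned the updated config.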

References

Microsoft Post where I got this idea from

Tool I used for testing the cipher suites