
Check for Minimum TLS Version

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Microsoft Azure Application Gateways are using the latest supported versions of the TLS protocol (i.e., TLS 1.2 and TLS 1.3) for client connections in order to enhance security by providing stronger encryption, protecting data integrity, reducing vulnerabilities to cyber attacks, and maintaining compatibility with modern browsers.

Security

The Transport Layer Security (TLS) protocol addresses network security problems such as tampering and eavesdropping between a client and a server. Using weak and deprecated TLS protocols can increase opportunities for malicious activities such as hacking, Man-in-the-Middle (MITM), and downgrade attacks. Therefore, it is strongly recommended to use the latest TLS version supported by Azure Application Gateway.


Audit

To determine the TLS version configured for your Microsoft Azure Application Gateways, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Application gateway for Value, then choose Apply to list the Azure Application Gateways available in the selected subscription.

05 Click on the name (link) of the Azure Application Gateway that you want to examine.

06 In the resource navigation panel, under Settings, select Listeners to access the SSL policy defined for the selected Application Gateway.

07 Select the Listeners tab and check the Min protocol version attribute value listed in the SSL Policy section to determine the TLS version configured for the selected resource. If Min protocol version is not set to TLSv1_2 or TLSv1_3, the selected Microsoft Azure Application Gateway does not use the latest supported versions of the TLS protocol.

08 Repeat steps no. 5 – 7 for each Azure Application Gateway available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run network application-gateway list command (Windows/macOS/Linux) with custom output filters to list the ID of each Azure Application Gateway available in the selected subscription:

az network application-gateway list \
	--query '[*].id'

05 The command output should return the requested Application Gateway IDs:

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/applicationGateways/cc-project5-application-gateway",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/applicationGateways/cc-prod-stack-application-gateway"
]

06 Run network application-gateway show command (Windows/macOS/Linux) with the ID of the Azure Application Gateway that you want to examine as the identifier parameter (--ids) and custom output filters to describe the SSL policy configured for the selected Application Gateway:

az network application-gateway show \
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/applicationGateways/cc-project5-application-gateway" \
	--query '{sslPolicy:sslPolicy}'

07 The command output should return the SSL policy (predefined or custom) configured for the selected Application Gateway:

  1. If the network application-gateway show command output returns null for "sslPolicy", as shown in the example below, the selected Application Gateway is using the default predefined SSL policy, which implements TLS version 1.2, i.e., "minProtocolVersion" is set to "TLSv1_2".
    {
    	"sslPolicy": null
    }
    
  2. If the command output returns "Predefined" for "policyType", as shown in the example below, the selected Application Gateway is using a predefined SSL policy that must be checked for TLS protocol version:
    {
    	"sslPolicy": {
    		"policyName": "AppGwSslPolicy20170401",
    		"policyType": "Predefined"
    	}
    }
    
    1. Run network application-gateway ssl-policy predefined show command (Windows/macOS/Linux) with the name of the predefined SSL policy that you want to examine as the identifier parameter, to describe the TLS protocol version configured for the selected policy:
      az network application-gateway ssl-policy predefined show \
      	--name AppGwSslPolicy20170401 \
      	--query 'minProtocolVersion'
      
    2. If the TLS version returned by the network application-gateway ssl-policy predefined show command output is "TLSv1_0" or "TLSv1_1", as shown in the example below, the selected Azure Application Gateway does not use the latest supported versions of the TLS protocol.
      "TLSv1_1"
      
  3. If the command output returns "Custom" for "policyType", the selected Application Gateway is using a custom SSL policy. Check the "minProtocolVersion" property to determine the TLS version configured for the selected resource. If the TLS version returned by the network application-gateway show command output is "TLSv1_0" or "TLSv1_1", as shown in the example below, the selected Azure Application Gateway does not use the latest supported versions of the TLS protocol:
    {
    	"sslPolicy": {
    		"cipherSuites": [
    			"TLS_RSA_WITH_AES_256_CBC_SHA256",
    			"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    			"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    			"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    			"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    			"TLS_RSA_WITH_AES_128_GCM_SHA256",
    			"TLS_RSA_WITH_AES_128_CBC_SHA256"
    		],
    		"minProtocolVersion": "TLSv1_1",
    		"policyType": "Custom"
    	}
    }
    

08 Repeat steps no. 6 and 7 for each Azure Application Gateway deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.
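The decision rule in step 07 has three branches (null policy, predefined policy that must be looked up, custom policy read directly), and it is easy to misjudge a gateway by reading only the "show" output. The following script is an added example, not code from Trend Micro or from the Azure CLI: it applies that rule to the JSON that the two az commands above return, so it can be pointed at saved command output for every gateway in a subscription. The sample documents, gateway names and the PREDEFINED_POLICIES_JSON subset are constructed from the outputs shown on this page, and DEFAULT_POLICY_MIN_VERSION encodes the page's statement that the default predefined policy enforces TLSv1_2.

```python
"""Evaluate Azure Application Gateway SSL policies against a TLS 1.2+ minimum.

Added example (not Trend Micro's or Azure's code). It reproduces the decision
rule of audit step 07 over the JSON returned by
  az network application-gateway show --query '{sslPolicy:sslPolicy}'
and
  az network application-gateway ssl-policy predefined list
The inputs below are constructed from the outputs shown on this page.
"""
import json

# TLS versions the page treats as the latest supported versions.
COMPLIANT_VERSIONS = {"TLSv1_2", "TLSv1_3"}

# Assumption taken from audit step 07.1: a null sslPolicy means the default
# predefined policy, whose minProtocolVersion the page states is TLSv1_2.
DEFAULT_POLICY_MIN_VERSION = "TLSv1_2"

# Constructed subset of `ssl-policy predefined list` output: names and minimum
# versions as listed on this page (cipher suites omitted, they are not needed).
PREDEFINED_POLICIES_JSON = """
[
  {"name": "AppGwSslPolicy20150501",  "minProtocolVersion": "TLSv1_0"},
  {"name": "AppGwSslPolicy20170401",  "minProtocolVersion": "TLSv1_1"},
  {"name": "AppGwSslPolicy20170401S", "minProtocolVersion": "TLSv1_2"},
  {"name": "AppGwSslPolicy20220101",  "minProtocolVersion": "TLSv1_2"},
  {"name": "AppGwSslPolicy20220101S", "minProtocolVersion": "TLSv1_2"}
]
"""

# Constructed `show --query '{sslPolicy:sslPolicy}'` outputs, one per branch of
# step 07 plus one compliant custom policy. Gateway names are hypothetical.
SAMPLE_GATEWAYS = {
    "gw-default": '{"sslPolicy": null}',
    "gw-predefined-old": '{"sslPolicy": {"policyName": "AppGwSslPolicy20170401", '
                         '"policyType": "Predefined"}}',
    "gw-custom-old": '{"sslPolicy": {"cipherSuites": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"], '
                     '"minProtocolVersion": "TLSv1_1", "policyType": "Custom"}}',
    "gw-custom-ok": '{"sslPolicy": {"cipherSuites": ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"], '
                    '"minProtocolVersion": "TLSv1_2", "policyType": "Custom"}}',
}


def load_predefined(policies_json: str) -> dict:
    """Map predefined policy name -> minProtocolVersion."""
    return {p["name"]: p["minProtocolVersion"] for p in json.loads(policies_json)}


def effective_min_version(show_json: str, predefined: dict) -> str:
    """Resolve the minimum TLS version a gateway actually enforces (step 07)."""
    policy = json.loads(show_json).get("sslPolicy")
    if policy is None:                      # 07.1: default predefined policy
        return DEFAULT_POLICY_MIN_VERSION
    ptype = policy.get("policyType")
    if ptype == "Predefined":               # 07.2: the show output carries only
        name = policy["policyName"]         # the name; look the version up
        if name not in predefined:
            raise ValueError(f"unknown predefined policy {name!r}")
        return predefined[name]
    if ptype == "Custom":                   # 07.3: the property is inline
        return policy["minProtocolVersion"]
    # The page covers only Predefined and Custom; anything else is flagged
    # rather than silently assumed compliant.
    raise ValueError(f"unexpected policyType {ptype!r}")


def is_compliant(show_json: str, predefined: dict) -> bool:
    """True when the effective minimum version is TLSv1_2 or TLSv1_3."""
    return effective_min_version(show_json, predefined) in COMPLIANT_VERSIONS


def audit(gateways: dict, policies_json: str) -> dict:
    """Return {gateway name: (effective min version, compliant)} for a batch."""
    predefined = load_predefined(policies_json)
    return {
        name: (effective_min_version(out, predefined), is_compliant(out, predefined))
        for name, out in gateways.items()
    }


if __name__ == "__main__":
    for name, (version, ok) in audit(SAMPLE_GATEWAYS, PREDEFINED_POLICIES_JSON).items():
        print(f"{name:20} min={version:8} {'OK' if ok else 'NON-COMPLIANT'}")
```

To use it against real resources, save the `show` output of each gateway and the `predefined list` output to files and feed their contents to `audit` in place of the constructed samples; the predefined lookup is what prevents a gateway on AppGwSslPolicy20170401 from being misread as compliant just because its `show` output contains no `minProtocolVersion` field.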

Remediation / Resolution

To ensure that your Microsoft Azure Application Gateways are using the latest supported versions of the TLS protocol (i.e., TLS 1.2 and TLS 1.3), perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and Application gateway for Value, then choose Apply to list the Azure Application Gateways available in the selected subscription.

05 Click on the name (link) of the Azure Application Gateway that you want to configure.

06 In the resource navigation panel, under Settings, select Listeners to access the SSL policy defined for the selected Application Gateway.

07 Select the Listeners tab and click on the (change) link next to the name of the SSL policy, in the SSL Policy section.

08 On the Change SSL policy configuration panel, choose from one of the predefined SSL policies or create a custom policy based on your security requirements. If you don't specify an SSL policy, the default policy will be used for your resource. Ensure that the selected SSL policy has Min protocol version set to TLSv1_2 or TLSv1_3. Choose Save to apply the changes.

09 Repeat steps no. 5 – 8 for each Azure Application Gateway that you want to configure, available within the selected Azure subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run network application-gateway ssl-policy predefined list command (Windows/macOS/Linux) to list the predefined SSL policies available for Azure Application Gateways:

az network application-gateway ssl-policy predefined list

05 The command output should return the requested predefined SSL policies:

[
	{
		"cipherSuites": [
			"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
			"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
			"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
			"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
			"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
			"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
			"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
			"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
			"TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
			"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
			"TLS_RSA_WITH_AES_256_GCM_SHA384",
			"TLS_RSA_WITH_AES_128_GCM_SHA256",
			"TLS_RSA_WITH_AES_256_CBC_SHA256",
			"TLS_RSA_WITH_AES_128_CBC_SHA256",
			"TLS_RSA_WITH_AES_256_CBC_SHA",
			"TLS_RSA_WITH_AES_128_CBC_SHA",
			"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
			"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
			"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
			"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
			"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
			"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
			"TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
			"TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
			"TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
			"TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
			"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
			"TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
		],
		"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups//providers/Microsoft.Network/ApplicationGatewayAvailableSslOptions/default/ApplicationGatewaySslPredefinedPolicy/AppGwSslPolicy20150501",
		"minProtocolVersion": "TLSv1_0",
		"name": "AppGwSslPolicy20150501",
		"resourceGroup": ""
	},
	{
		"cipherSuites": [
			"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
			"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
			"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
			"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
			"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
			"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
			"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
			"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
			"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
			"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
			"TLS_RSA_WITH_AES_256_GCM_SHA384",
			"TLS_RSA_WITH_AES_128_GCM_SHA256",
			"TLS_RSA_WITH_AES_256_CBC_SHA256",
			"TLS_RSA_WITH_AES_128_CBC_SHA256",
			"TLS_RSA_WITH_AES_256_CBC_SHA",
			"TLS_RSA_WITH_AES_128_CBC_SHA"
		],
		"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups//providers/Microsoft.Network/ApplicationGatewayAvailableSslOptions/default/ApplicationGatewaySslPredefinedPolicy/AppGwSslPolicy20170401",
		"minProtocolVersion": "TLSv1_1",
		"name": "AppGwSslPolicy20170401",
		"resourceGroup": ""
	},
	{
		"cipherSuites": [
			"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
			"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
			"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
			"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
			"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
			"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
			"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
			"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
			"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
			"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
			"TLS_RSA_WITH_AES_256_GCM_SHA384",
			"TLS_RSA_WITH_AES_128_GCM_SHA256",
			"TLS_RSA_WITH_AES_256_CBC_SHA256",
			"TLS_RSA_WITH_AES_128_CBC_SHA256",
			"TLS_RSA_WITH_AES_256_CBC_SHA",
			"TLS_RSA_WITH_AES_128_CBC_SHA"
		],
		"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups//providers/Microsoft.Network/ApplicationGatewayAvailableSslOptions/default/ApplicationGatewaySslPredefinedPolicy/AppGwSslPolicy20170401S",
		"minProtocolVersion": "TLSv1_2",
		"name": "AppGwSslPolicy20170401S",
		"resourceGroup": ""
	},
	{
		"cipherSuites": [
			"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
			"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
			"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
			"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
			"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
			"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
			"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
			"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
		],
		"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups//providers/Microsoft.Network/ApplicationGatewayAvailableSslOptions/default/ApplicationGatewaySslPredefinedPolicy/AppGwSslPolicy20220101",
		"minProtocolVersion": "TLSv1_2",
		"name": "AppGwSslPolicy20220101",
		"resourceGroup": ""
	},
	{
		"cipherSuites": [
			"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
			"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
			"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
			"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
		],
		"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups//providers/Microsoft.Network/ApplicationGatewayAvailableSslOptions/default/ApplicationGatewaySslPredefinedPolicy/AppGwSslPolicy20220101S",
		"minProtocolVersion": "TLSv1_2",
		"name": "AppGwSslPolicy20220101S",
		"resourceGroup": ""
	}
]

06 To set a predefined SSL policy, run network application-gateway ssl-policy set command (Windows/macOS/Linux). For --name parameter, specify the name of the SSL policy that you want to use for your Azure Application Gateway, from the list of predefined policies returned in the previous step. Ensure that the selected policy has "minProtocolVersion" set to TLSv1_2:

az network application-gateway ssl-policy set \
	--gateway-name cc-project5-application-gateway \
	--resource-group cloud-shell-storage-westeurope \
	--name AppGwSslPolicy20220101 \
	--policy-type Predefined

07 The command output should return the configuration information available for the chosen SSL policy:

{
	"policyName": "AppGwSslPolicy20220101",
	"policyType": "Predefined"
}

08 To set a custom SSL policy, run network application-gateway ssl-policy set command (Windows/macOS/Linux). For --min-protocol-version parameter, set the TLS protocol version, i.e., TLSv1_2 or TLSv1_3:

az network application-gateway ssl-policy set \
	--gateway-name cc-project5-application-gateway \
	--resource-group cloud-shell-storage-westeurope \
	--policy-type Custom \
	--min-protocol-version TLSv1_2 \
	--cipher-suites TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256

09 The command output should return the configuration information available for the modified Application Gateway:

{
	"cipherSuites": [
		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
		"TLS_RSA_WITH_AES_128_GCM_SHA256"
	],
	"minProtocolVersion": "TLSv1_2",
	"policyType": "Custom"
}

10 Repeat steps no. 4 – 9 for each Azure Application Gateway that you want to configure, available within the selected subscription.

11 Repeat steps no. 3 – 10 for each Azure subscription created within your Microsoft Azure cloud account.

Publication date Nov 7, 2025