I read this thread Minimum TLS Version in Azure Storage Account and https://github.com/MicrosoftDocs/azure-docs/issues/84792 and I was wondering whether there is a way to enforce TLS 1.2 minimum in all the layers so that tools such as SSL Labs would not be able to use lower versions at all. Unfortunately, those threads do not explain this issue. Does anybody know if there is a way for TLS 1.2 to be enforced in the protocol layer as well?
Answers
Here is what Microsoft replied: Azure Storage is a multi-tenant service with a commitment to backwards compatibility. We provide strong controls for storage accounts to opt-in to TLS 1.2 enforcement.
While we encourage all applications to enable TLS 1.2 enforcement, there are a large number of Azure Storage clients that do not yet support the latest security standards. To avoid breaking these and other deployed services, TLS version and cipher suite enforcement is performed in the application layer (HTTP), rather than at the network layer (TCP/TLS).
This enables customers to detect, remediate, and enforce use of specific TLS versions across all their clients. However, it means that port scanning tools like SSL Labs, which do not send HTTP requests to the endpoint, will indicate that legacy TLS versions and cipher suites are supported even if a minimum TLS version is enforced on the account.
This is expected and does not compromise the security of your storage account. Any requests using an insecure TLS version will immediately fail with an HTTP 4xx error. For more information on how to configure TLS enforcement and leverage Azure Policy and Azure Monitor to enforce and monitor this across storage accounts, see https://learn.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version .
For more information about TLS support and deprecation plans in Azure, please see https://azure.microsoft.com/en-us/updates/azuretls12/
I created a storage account, with the default minimum TLSv1.2, and a static web site. The web site at testwebsiteca.web.core.windows.net appears to support TLSv1.0/1.1:
When I scanned the other storage account sites they returned similar results:
From rereading the link you provided it looks like, while storage accounts are actually supporting TLSv1.0/1.1, in practical terms they will return an HTTP 400 if someone tries to connect with a lower level TLS.
That’s going to cause a tool like SSL Labs to mark it as supporting a lower TLS version. It seems strange to me that Microsoft allows the lower TLS connections; it’s enforcing TLSv1.2 in an odd way that shows up as a red flag to scans. You might try opening a support ticket with Microsoft. There doesn’t appear to be any way that I can see to get the SSL Labs scan to give you a green light right now.
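The split that Microsoft's reply describes (the TLS handshake completes at TLS 1.0/1.1, but the HTTP layer then answers with a 4xx) and the scan result in this answer can be verified directly instead of relying on a scanner's verdict. The script below is an added example, not code from this thread or from Microsoft. It assumes the target host name is passed on the command line, that the local OpenSSL build still permits TLS 1.0/1.1 when security level 0 is requested (newer OpenSSL 3 builds may refuse them entirely, which then shows up as "rejected-at-tls-layer"), and that the path probed returns a non-4xx status over TLS 1.2 so that a 4xx at a legacy version can be attributed to the version rather than to the path. Sample status lines used in the self-check are constructed.

```python
"""Probe how an HTTPS endpoint treats legacy TLS versions.

Added example (not from the Q&A thread or Microsoft). It distinguishes
three outcomes for each TLS version:
  - rejected-at-tls-layer:  the handshake itself fails
  - rejected-at-http-layer: the handshake succeeds, HTTP answers 4xx/5xx
  - accepted:               the handshake succeeds and HTTP answers < 400
Azure Storage with a TLS 1.2 minimum is expected to show the second
outcome for TLS 1.0 and 1.1, which is why a handshake-only scanner
reports those versions as "supported".
"""
import socket
import ssl
import sys
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProbeResult:
    version: str            # TLS version we forced (e.g. "TLSv1")
    handshake_ok: bool      # did the TLS handshake complete?
    negotiated: Optional[str]   # version the server actually negotiated
    http_status: Optional[int]  # first HTTP status code seen, if any
    error: Optional[str] = None


def classify(handshake_ok: bool, http_status: Optional[int]) -> str:
    """Pure classification of a probe outcome (used by probe() and tests)."""
    if not handshake_ok:
        return "rejected-at-tls-layer"
    if http_status is None:
        return "handshake-only"          # no parsable HTTP response
    if http_status < 400:
        return "accepted"
    return "rejected-at-http-layer"


def parse_status_line(raw: bytes) -> Optional[int]:
    """Return the status code from an HTTP response's first line, else None."""
    first = raw.split(b"\r\n", 1)[0]
    parts = first.split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/"):
        try:
            return int(parts[1])
        except ValueError:
            return None
    return None


def probe(host: str, version: ssl.TLSVersion, path: str = "/",
          port: int = 443, timeout: float = 10.0) -> ProbeResult:
    """Force exactly one TLS version, then send a minimal GET and read the status."""
    ctx = ssl.create_default_context()      # still verifies the certificate chain
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 3 disables TLS 1.0/1.1 at its default security level;
        # lowering it is needed only so the *probe* can offer them.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                negotiated = tls.version()
                req = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
                       f"Connection: close\r\n\r\n")
                tls.sendall(req.encode("ascii"))
                raw = b""
                while b"\r\n" not in raw and len(raw) < 4096:
                    chunk = tls.recv(1024)
                    if not chunk:
                        break
                    raw += chunk
                return ProbeResult(version.name, True, negotiated,
                                   parse_status_line(raw))
    except OSError as exc:                   # ssl.SSLError is a subclass of OSError
        return ProbeResult(version.name, False, None, None, str(exc))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"  # placeholder host
    for v in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1):
        r = probe(target, v)
        print(f"{r.version:8} handshake={r.handshake_ok} negotiated={r.negotiated} "
              f"http={r.http_status} -> {classify(r.handshake_ok, r.http_status)}"
              + (f"  ({r.error})" if r.error else ""))
```

Run it against a storage endpoint as `python probe_tls.py <account>.web.core.windows.net`. A result of `rejected-at-http-layer` for TLSv1 and TLSv1_1 alongside `accepted` for TLSv1_2 is the behaviour Microsoft describes: the account is enforcing the minimum, even though a handshake-only scanner lists the legacy versions as available. Because the classification is separated from the network code, the same logic can be reused in a periodic check against every account in a subscription and alerted on if a legacy version ever comes back as `accepted`.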