【Azure 应用服务】Azure Web App 服务默认支持一些 Weak TLS Ciphers Suite，是否有办法自定义修改呢？

问题描述

当 Azure Web App 进行安全扫描后，发现依旧支持很多弱TLS加密套件(Weak TLS Ciphers Suite)，那么是否有办法来关闭这些弱的加密套件呢？

在Windows IIS环境中，可以通过修改注册表修改 For Microsoft IIS, you should make some changes to the system registry.

Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on your computer.

a. Click Start, click Run, type regedt32 or type regedit, and then click OK.

b. In Registry Editor, locate the following registry key: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders

c. Set "Enabled" DWORD to "0x0" for the following registry keys:

• SCHANNEL\Ciphers\DES 56/56
• SCHANNEL\Ciphers\RC4 64/128
• SCHANNEL\Ciphers\RC4 40/128
• SCHANNEL\Ciphers\RC2 56/128
• SCHANNEL\Ciphers\RC2 40/128
• SCHANNEL\Ciphers\NULL
• SCHANNEL\Hashes\MD5

那么，在Azure Web App服务中，是否有办法来修改 Weak TLS Ciphers 呢？

问题解答

当前，Web App 已经开始提供通过 API 来修改 minTlsCipherSuite 属性，通过修改最低可接受的加密套件，来实现对弱加密套件的排除。 但是，当前只有高级层(Premium) 支持。

具体的HTTP请求为：

PATCH https://management.chinacloudapi.cn/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}/config/web?api-version=2022-03-01

Request Body：

{
  "properties": {
    "minTlsCipherSuite": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
  }
} 

而其他的定价层，当前并不支持，如果是高级层之下的Web App，当前并不支持修改 minTlsCipherSuite 的值。如果这些定价层的Web App需要解决弱加密套件问题，可以在前端加一个应用服务网关(Application Gateway), 网关服务支持修改加密套件。 详见：https://docs.azure.cn/zh-cn/application-gateway/application-gateway-ssl-policy-overview#custom-tls-policy

参考资料

Web Apps - Update Configuration : https://learn.microsoft.com/en-us/rest/api/appservice/web-apps/update-configuration

Disabling Weaker TLS Cipher Suites for Web Apps on Multi-tenant Premium App Service Plans : https://azure.github.io/AppService/2022/10/11/Public-preview-min-tls-cipher-suite.html#supported-cipher-suites

What are cipher suites and how do they work on App Service?

A cipher suite is a set of instructions that contains algorithms and protocols to help secure network connections between clients and servers. By default, the front-end’s OS would pick the most secure cipher suite that is supported by both the front-end and the client. However, if the client only supports weak cipher suites, then the front-end’s OS would end up picking a weak cipher suite that is supported by them both.

If a customer’s organization has restrictions on what cipher suites are not be allowed, they may update their web app’s minimum TLS cipher suite property to ensure that the weaker cipher suites would be disabled for their web app. The next part of the article will go through the new minimum TLS cipher suite feature that is currently in public preview.

Minimum TLS Cipher Suite Feature

The minimum TLS cipher suite feature comes with a pre-determined list of cipher suites that cannot be reordered nor reprioritized. Since the service is already using the ideal priority order, it is not recommended for customers to reprioritize the the cipher suite order. Customers can potentially leave their web apps exposed if weaker cipher suites are prioritized over the stronger ones. Customers also cannot add newer or different cipher suites to the list of supported cipher suites. When a minimum cipher suite is selected, all the cipher suites that are less secure than the selected minimum one would be disabled for the web app. There is no support to make exceptions and to disable only some of the cipher suites that are weaker than the selected minimum cipher suite.