Minimum TLS Version in Azure Storage Account
I have an Azure Storage V2 account set up and I am trying to block TLS 1.0 and 1.1. I have set the Minimum TLS version to 1.2, but when I test the storage account using SSL Labs or other tools that test the supported TLS versions, they still report TLS 1.0 and 1.1 as enabled.

Below is a screenshot of the configuration from the Azure portal. I also checked in PowerShell and the Minimum TLS version reported is TLS1_2. Have I missed something, or could this be because of something else?

Storage Account Configuration

Tomboy answered 4/3, 2021 at 19:7 Comment(5)
I can confirm this - just set TLS 1.2 on one of our storage accounts, was able to get a storage account context in PowerShell setting [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls;. Also got a grade capped at B on ssllabs.com due to TLS 1.0/1.1 support. - Whispering
Thank you - at least I know it is not just me, I thought I missed something else that had to be set. - Tomboy
If this is important to you (it will be to me, just not at the moment), you might want to file a support ticket with Microsoft, and link this topic. - Whispering
I have opened a support ticket with Microsoft and will post the response here after I have a resolution. - Tomboy
Good, I've bookmarked the topic. - Whispering
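The PowerShell check the question mentions can be turned into a subscription-wide audit. The script below is an added example, not code from the question or any comment: it lists every storage account visible in the current Az context together with its MinimumTlsVersion and HTTPS-only setting, flags those still allowing anything below TLS 1.2 (or plain HTTP), and with -Fix raises them with Set-AzStorageAccount. It assumes the Az.Storage module and an existing Connect-AzAccount session; TLS1_3 is treated as acceptable where the API exposes that value.

```powershell
# Added example (not code from the original question). Audits the storage
# accounts in the current Az context for a weak minimum TLS version or for
# plain HTTP still being accepted, and optionally fixes both.
# Assumes: Az.Storage module installed and Connect-AzAccount already run.
param(
    [switch]$Fix
)

function Get-WeakTlsStorageAccounts {
    # MinimumTlsVersion is reported as TLS1_0, TLS1_1 or TLS1_2 (the value the
    # question saw in PowerShell); TLS1_3 is accepted where the API exposes it.
    $strong = @('TLS1_2', 'TLS1_3')
    Get-AzStorageAccount | ForEach-Object {
        [pscustomobject]@{
            ResourceGroup     = $_.ResourceGroupName
            Name              = $_.StorageAccountName
            MinimumTlsVersion = $_.MinimumTlsVersion
            HttpsOnly         = $_.EnableHttpsTrafficOnly
            # A minimum TLS version is only meaningful if plain HTTP is refused too.
            Weak              = ($_.MinimumTlsVersion -notin $strong) -or (-not $_.EnableHttpsTrafficOnly)
        }
    }
}

$report = Get-WeakTlsStorageAccounts
$report | Sort-Object Weak -Descending | Format-Table -AutoSize

if ($Fix) {
    foreach ($acct in ($report | Where-Object Weak)) {
        # Set-AzStorageAccount only changes the properties named here.
        Set-AzStorageAccount -ResourceGroupName $acct.ResourceGroup -Name $acct.Name `
            -MinimumTlsVersion TLS1_2 -EnableHttpsTrafficOnly $true
    }
}
```

Run it once without -Fix to see the report, then with -Fix to remediate; the control-plane setting is what this audits, while what the data plane actually does with an old TLS version is the subject of the accepted answer.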

During my attempts to reproduce this in a browser for my support ticket I was able to verify that TLS 1.0 and 1.1 ARE being blocked, but not at the session/presentation layer (I know some debate exists over whether TLS is at layer 5 or 6); they are blocked at the application layer. The Azure Storage host accepts the TLS 1.0 connection and then checks your account's settings, and if the Minimum TLS version is not met it throws an HTTP 400 error stating the TLS version is not permitted.

For my purposes I will try to get this accepted by the auditors, as this will continue to fail the TLS-testing sites, but for any practical matter TLS 1.0/1.1 is blocked.

This is what Azure returns when you browse to the site with an unsupported TLS version (screenshot), and the GET HTTP response is 400 (screenshot).

To test this I found that you can force Firefox to a minimum/maximum TLS version and then test this in a browser. To configure Firefox to allow TLS 1.0, follow these steps (obviously remember to change this back after testing):

  1. Go to about:config in the Firefox address bar
  2. Set security.tls.version.enable-deprecated to true
  3. Set security.tls.version.max to 1 (or 2 for TLS 1.1)
  4. Set security.tls.version.min to 1

You can then test any site using TLS 1.0.

Tomboy answered 5/3, 2021 at 23:50 Comment(3)
Thanks for this answer, this helped my team a ton. I followed up with Microsoft here: github.com/MicrosoftDocs/azure-docs/issues/84792 and they updated the documentation here: learn.microsoft.com/en-us/azure/storage/common/… to include a note explaining that it's enforced at the application layer. - Vallation
If my storage account has public access disabled, does it mean I don't need to worry about TLS? - Cortes
@Cortes Disabling public access to your storage account is a good security measure, but it does not mean that you don't need to worry about TLS. Transport Layer Security (TLS) is a cryptographic protocol that ensures privacy and data integrity between clients and services over the Internet. - Confound
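The layer distinction made in the answer above can be checked without a browser. The following PowerShell script is an added example, not code from the original post: it opens a TLS session to the account's blob endpoint once per protocol version using .NET's SslStream, then sends a minimal anonymous HTTP GET over that session, so a version refused during the handshake is told apart from one the service accepts and then rejects with HTTP 400. $AccountName is a placeholder for your own account, and matching the response body on the text "TLS version" follows the message the answer quotes and is an assumption.

```powershell
# Added example (not code from the original question or answer). Connects to a
# storage endpoint once per TLS protocol version and reports where a version is
# rejected: at the TLS handshake (transport) or by the service with an HTTP 400
# after the handshake succeeded (application layer), as the answer describes.
# $AccountName is a placeholder; the 'TLS version' body match is an assumption
# based on the error message quoted in the answer.
param(
    [Parameter(Mandatory = $true)][string]$AccountName,
    [string]$Endpoint = 'blob.core.windows.net'
)

function Test-StorageTlsVersion {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [Parameter(Mandatory = $true)][System.Security.Authentication.SslProtocols]$Protocol
    )

    $result = [pscustomobject]@{
        Protocol   = $Protocol
        Handshake  = $null
        HttpStatus = $null
        Verdict    = $null
    }

    $client = [System.Net.Sockets.TcpClient]::new($HostName, 443)
    $client.ReceiveTimeout = 10000
    try {
        # The server certificate is validated normally; only the protocol version is pinned.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        try {
            $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $true)
        } catch {
            # No TLS session at all: refused by the server, or disabled on this client OS.
            $result.Handshake = 'failed'
            $result.Verdict   = "blocked at TLS handshake: $($_.Exception.Message)"
            return $result
        }
        $result.Handshake = "ok ($($ssl.SslProtocol))"

        # The handshake succeeded, so send a minimal anonymous request over the session.
        $request = "GET / HTTP/1.1`r`nHost: $HostName`r`nConnection: close`r`n`r`n"
        $bytes   = [System.Text.Encoding]::ASCII.GetBytes($request)
        $ssl.Write($bytes, 0, $bytes.Length)
        $ssl.Flush()

        $reader   = [System.IO.StreamReader]::new($ssl, [System.Text.Encoding]::UTF8)
        $response = $reader.ReadToEnd()
        if ($response -notmatch '^HTTP/\d\.\d (\d{3})') {
            $result.Verdict = 'handshake ok but no HTTP response received'
            return $result
        }
        $result.HttpStatus = [int]$Matches[1]

        if ($result.HttpStatus -eq 400 -and $response -match 'TLS version') {
            $result.Verdict = 'blocked at application layer (HTTP 400, TLS version not permitted)'
        } else {
            # Any other status (an anonymous GET / is normally an error too) means the
            # service processed the request, so this TLS version was accepted.
            $result.Verdict = "accepted by the service (HTTP $($result.HttpStatus))"
        }
        return $result
    } finally {
        $client.Dispose()
    }
}

$hostName = "$AccountName.$Endpoint"
'Tls', 'Tls11', 'Tls12' |
    ForEach-Object { Test-StorageTlsVersion -HostName $hostName -Protocol $_ } |
    Format-Table -AutoSize
```

Run it as `.\Test-StorageTls.ps1 -AccountName <account>`. On a Windows host where Schannel already has TLS 1.0 and 1.1 disabled, those rows show the handshake failing on the client side rather than at the service, so test from a client that still offers them if you want to see the HTTP 400 behaviour; an SSL Labs scan only looks at whether the handshake completes, which is why it keeps listing 1.0 and 1.1 as supported.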
