|
| 1 | +--- |
| 2 | +title: DHE ciphers |
| 3 | +titleSuffix: Azure Front Door |
| 4 | +description: Learn about how to stop using DHE ciphers on Azure Front Door and CDN |
| 5 | +author: halkazwini |
| 6 | +ms.author: halkazwini |
| 7 | +ms.service: azure-frontdoor |
| 8 | +ms.topic: concept-article |
| 9 | +ms.date: 01/26/2025 |
| 10 | +zone_pivot_groups: front-door-tiers |
| 11 | +--- |
| 12 | + |
| 13 | +# TLS_DHE cipher suites on Azure Front Door and Azure CDN |
| 14 | + |
| 15 | +On April 1, 2026, Azure Front Door (Standard, Premium, and Classic) and Azure CDN from Microsoft (Classic) services will stop negotiating the following weak DHE cipher suites for both client to service and service to origin TLS connections: |
| 16 | +* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
| 17 | +* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
| 18 | + |
| 19 | +## Who is affected? |
| 20 | + |
| 21 | +You are affected if any of the following are true: |
| 22 | +* Your clients (browsers/agents/devices) must require one of the DHE cipher suites when connecting to your Front Door/CDN endpoint. |
| 23 | +* Your origins must require one of the retired DHE cipher suites when Front Door/ CDN connects to your origin. |
| 24 | + |
| 25 | +## How will I know if I am impacted? |
| 26 | +* Impacted subscriptions and resources will receive Azure service health notification and email notifications. |
| 27 | + |
| 28 | +## What is the impact if I do not act? |
| 29 | +* Connections that can only use the retired DHE ciphers will fail the TLS handshake (for clients) or fail on service to origin negotiation (for origins). |
| 30 | +* Typical symptoms include handshake failure / no shared cipher errors / invalid cipher error in clients or origin server logs. |
| 31 | + |
| 32 | +## Action required |
| 33 | +1. Ensure your origin servers disable DHE ciphers and enable the recommended cipher suites. |
| 34 | +2. Inform your clients to disable DHE ciphers and enable the recommended cipher suites. |
| 35 | + |
| 36 | +## Recommended cipher suites |
| 37 | +For best compatibility and security on Azure Front Door / Azure CDN endpoints and origins, we recommend using the following cipher suites: |
| 38 | +* TLS_AES_256_GCM_SHA384 (TLS 1.3 only) |
| 39 | +* TLS_AES_128_GCM_SHA256 (TLS 1.3 only) |
| 40 | +* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| 41 | +* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| 42 | +* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
| 43 | +* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
| 44 | + |
| 45 | +## Frequently asked questions |
| 46 | +1. Does this affect both client and origin connections? |
| 47 | +* Yes. The retirement applies to both the client to service and service to origin legs. Update both sides to avoid issues. |
| 48 | +2. What if I still need legacy client compatibility? |
| 49 | +* Migrate clients to support TLS 1.2/1.3 with ECDHE. If you operate controlled clients, update their TLS policy. |
| 50 | +3. Should I make any changes to my Front Door or CDN profiles? |
| 51 | +* As an optional measure, for Front Door Standard/Premium profiles, you can also use the [Configure Azure Front Door TLS policy](/articles/frontdoor/standard-premium/tls-policy.md) feature to disable the DHE ciphers in advance before 1 April 2026. This option is not available for other tiers. |
| 52 | +* For all Front Door (Standard, Premium, Classic) and Azure CDN from Microsoft (Classic) profiles, Microsoft team will disable the DHE ciphers after 1 April 2026. |
| 53 | + |
| 54 | + |
| 55 | + |
| 56 | + |
0 commit comments