You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/frontdoor/diffie-hellman-ciphers.md
+13-3Lines changed: 13 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -25,14 +25,15 @@ You're affected if any of the following are true:
25
25
26
26
## How will I know if I'm impacted?
27
27
* Impacted subscriptions and resources will receive Azure service health notification and email notifications.
28
+
* The impacted connection leg ('client to service' or 'service to origin' or both) will be mentioned in the notification.
28
29
29
30
## What is the impact if I don't act?
30
31
* Connections that can only use the retired DHE ciphers will fail the TLS handshake (for clients) or fail on service to origin negotiation (for origins).
31
32
* Typical symptoms include handshake failure / no shared cipher errors / invalid cipher error in clients or origin server logs.
32
33
33
34
## Action required
34
-
1. Ensure your origin servers disable DHE ciphers and enable the recommended cipher suites.
35
-
2. Inform your clients to disable DHE ciphers and enable the recommended cipher suites.
35
+
1. Ensure your origin servers disable DHE ciphers and enable the recommended cipher suites.
36
+
3. Inform your clients to disable DHE ciphers and enable the recommended cipher suites.
36
37
37
38
## Recommended cipher suites
38
39
For best compatibility and security on Azure Front Door / Azure CDN endpoints and origins, we recommend using the following cipher suites:
@@ -43,14 +44,23 @@ For best compatibility and security on Azure Front Door / Azure CDN endpoints an
43
44
* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
44
45
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
45
46
47
+
## Updating cipher suites for common origin types
48
+
49
+
| Service | Configuration Method |
50
+
| -- | -- |
51
+
| Azure App Service |[Use TLS/SSL settings to set a "Minimum TLS Version" or use ARM templates for fine-grained cipher control.](../app-service/configure-ssl-bindings.md)|
52
+
| Azure Application Gateway |[Create a SSL Policy (Predefined or Custom) to select specific cipher suites.](../application-gateway/application-gateway-ssl-policy-overview.md)|
53
+
| Azure API Management |[Modify the Service Instance Settings to disable specific ciphers via the "Protocols and Ciphers" blade.](../api-management/api-management-howto-manage-protocols-ciphers.md)|
54
+
55
+
46
56
## Frequently asked questions
47
57
- Does this affect both client and origin connections?
48
58
49
59
Yes. The retirement applies to both the client to service and service to origin legs. Update both sides to avoid issues.
50
60
51
61
- What if I still need legacy client compatibility?
52
62
53
-
Migrate clients to support TLS 1.2/1.3 with ECDHE. If you operate controlled clients, update their TLS policy.
63
+
The chances of a modern client or server requiring TLS_DHE ciphers as a "must-have" are extremely low as in most places these ciphers have been replaced with the more secure TLS_ECDHE ciphers. Inform your legacy clients to support TLS 1.2/1.3 with ECDHE. If you operate controlled clients, update their TLS policy.
54
64
55
65
- Should I make any changes to my Front Door or CDN profiles?
0 commit comments