在Azure Portal上将最低TLS版本设置为1.2是否足够? [英] Is setting the minimum TLS version to 1.2 on Azure Portal sufficient?
问题描述
我们使用Azure Web应用程序(App Services)来运行我们的网站.我们最近将网络应用程序更改为TLS 1.2(SSL设置下的最低TLS版本).但是我们应用程序的Web.config文件读取httpRuntime targetFramework ="4.6.2"
是否还有其他措施(例如,https://docs.microsoft.com/zh-cn/dotnet/framework/network-programming/tls#for-net-framework-46---462-and-not -wcf)是Azure应用服务所必需的,以防止漏洞?当我尝试使用以下方式连接到我的网站时 使用TLS 1.1或更低版本的PowerShell无法建立连接.但这是否意味着针对.NET 4.6.2的我的网站仅需要Azure上的SSL设置(最低TLS版本为&而已?在此先感谢
博客,用于处理低于TLS 1.2的客户端.
我们现在对没有SNI标头的客户端实施TLS 1.2.请注意,这些通常是不支持SNI的旧版浏览器客户端或编写的编程客户端 很久以前,尚未更新为包括SNI标头名称.
对于未配置自定义域名的网站: li>
这些主机名始终为SNI-SSL(或更类似于SNI必需).
对于这些网站,使用的主机名是默认的sitename.azurewebsites.net.客户可以在此站点上将最低要求的TLS版本配置为1.0或更高版本,我们将 尊重它.
但是,如果在客户端HELLO消息中没有SNI扩展名的请求到达,则无法确定请求最终要到达的确切站点,以及 因此出于合规性原因,我们要求此请求至少为TLS 1.2.
配置了自定义域的网站:
SNI -SSL:
对于这些网站,就像默认主机名一样,可以设置最低TLS版本的配置,将受到系统的尊重.但是,如果没有收到请求 (例如CLIENT HELLO中的SNI扩展名),我们要求此客户端至少协商TLS 1.2,就像默认主机名一样.
IP-SSL:没有重大变化,一切都应该照常进行.
对于IP-SSL绑定,由于主机名具有专用IP,因此我们的系统可以正确确定基于传入IP地址的目标站点,因此没有 没有SNI标头的请求的SNI标头要求或最低TLS版本要求.该Web应用程序的最低配置TLS版本将生效.
上面的内容 您提到的文档描述了对于Switch.System.Net.DontEnableSchUseStrongCrypto的值为false会导致您的应用使用强密码技术.对于"DontEnableSchUseStrongCrypto"用途的值"false" 更安全的网络协议(TLS 1.2,TLS 1.1和TLS 1.0)并阻止不安全的协议."
----------- -------------------------------------------------- ----------------------------------------
如果此答案有帮助,请单击标记为答案"或投票.为了在您的论坛上提供其他反馈 体验,请单击 解决方案
You may check this blog for dealing with clients of less than TLS 1.2.
What are the breaking changes with TLS 1.2 compliance initiative?
We now enforce TLS 1.2 for clients which arrive without SNI header. Note that these are typically old browser clients which do not support SNI or programmatic clients which were written long ago and not updated to include the SNI header name.
- For sites which did not have a custom domain name configured:
These hostnames are always SNI-SSL (or more like SNI-Required).
For these sites, the hostnames used is the default sitename.azurewebsites.net. Customers can configure the minimum required TLS version on this site to be 1.0 and above, and we will honor it.
However, if a request arrives without the SNI extension in the CLIENT HELLO message, we are unable to identify the exact site the request is eventually destined to, and hence we require this request to be at least of TLS 1.2 for compliance reasons.
- Sites with custom domain configured:
- SNI -SSL:
For these sites just like default host name, the configuration for the minimum required TLS version can be set and will be honored by the system. However, if a request arrives without the SNI extension in the CLIENT HELLO, we require this client to at least negotiate TLS 1.2, just like the case of default hostname.
- IP-SSL: No breaking change, everything should continue to work as is.
For IP-SSL bindings, since there is a dedicated IP for the hostname, our system can correctly determine the destination site based on the incoming IP address, and hence there is no requirement of SNI header or minimum TLS version requirement on requests without the SNI header. The minimum configured TLS version for the web app will take effect.
The above document which you have mentioned describes that "A value of false for Switch.System.Net.DontEnableSchUseStrongCrypto causes your app to use strong cryptography. A value of false for DontEnableSchUseStrongCrypto uses more secure network protocols (TLS 1.2, TLS 1.1, and TLS 1.0) and blocks protocols that are not secure."
-----------------------------------------------------------------------------------------------------
If this answer was helpful, click "Mark as Answer" or Up-Vote. To provide additional feedback on your forum experience, click here
这篇关于在Azure Portal上将最低TLS版本设置为1.2是否足够?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
