We're using this PowerShell script as our Azure Cloud Service (PaaS) startup script, and we're at an A- on the Qualys SSL Labs test.

Specifically we're losing points for the following reasons:

  • Forward Secrecy: With some browsers
  • Downgrade attack prevention: No, TLS_FALLBACK_SCSV not supported

We'd like to set it up for an A+ on that one (and improve other aspects not covered in that test). How can we do so?

DeepSpace101

1 Answer

First, for an analysis of TLS version and cipher suite selection, see my answer to "Now that it is 2015, what SSL/TLS cipher suites should be used in a high security HTTPS environment?"

  • The summary is: TLS_DHE_* and TLS_ECDHE_* support PFS, but AVOID DSS, RC4, and so on.
  • The reason you're getting points off for not having FS with some browsers is the TLS_RSA_* cipher suites; take them out of your startup script.

Then, for an additional technical "how do I do this on Azure", please read "How do I configure Perfect Forward Secrecy in Windows Azure (OS, or Websites)".

As far as TLS_FALLBACK_SCSV goes, your best bet is to get all your friends to give your feedback to Microsoft regarding the TLS_FALLBACK_SCSV Connect entry.

Anti-weakpasswords

Comment: FYI the TLS_FALLBACK_SCSV issue you linked to in Connect is for I.E., but to get an A+ on the SSLLabs test it would need to be implemented in IIS instead. – Xander Jan 24 '15 at 17:40
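The answer's concrete advice is to drop the TLS_RSA_* suites (static RSA key exchange, so no forward secrecy) and the DSS and RC4 suites from the startup script. The following PowerShell is an added example, not the asker's script or any code from the answer: it reads the cipher suite order Schannel is currently using, reports which entries fail those rules, and writes back the pruned list to the cipher suite order policy value. It assumes the standard Schannel locations (the policy key `HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002` and the local default key under `HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002`, both with a `Functions` value), and it also excludes NULL and MD5 suites, which goes beyond the three families the answer names.

```powershell
# Added example: prune cipher suites without forward secrecy (TLS_RSA_*) and
# suites using DSS or RC4 from the Schannel cipher suite order, as the answer
# recommends. Not the original startup script. Assumed registry locations:
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$DefaultKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

function Test-WeakCipherSuite {
    param([Parameter(Mandatory)][string]$Suite)
    # TLS_RSA_* = static RSA key exchange, no PFS. DSS and RC4 are named in the
    # answer; NULL and MD5 are added here as an assumption under "and so on".
    return ($Suite -like 'TLS_RSA_*') -or ($Suite -match 'DSS|RC4|NULL|MD5')
}

function Get-CurrentCipherSuiteOrder {
    # Prefer the policy value (comma-separated REG_SZ); fall back to the
    # system default list (REG_MULTI_SZ) when no policy has been set yet.
    $policy = (Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue).Functions
    if (-not [string]::IsNullOrEmpty($policy)) {
        return @($policy -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    $default = (Get-ItemProperty -Path $DefaultKey -Name Functions -ErrorAction SilentlyContinue).Functions
    return @($default | Where-Object { $_ })
}

function Get-PreferredCipherSuites {
    param([string[]]$Suites)
    # Keep order: Schannel negotiates the first mutually supported suite.
    return @($Suites | Where-Object { -not (Test-WeakCipherSuite $_) })
}

function Set-CipherSuiteOrder {
    param([Parameter(Mandatory)][string[]]$Suites)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name Functions -PropertyType String `
        -Value ($Suites -join ',') -Force | Out-Null
}

$current = Get-CurrentCipherSuiteOrder
$weak    = @($current | Where-Object { Test-WeakCipherSuite $_ })
$keep    = Get-PreferredCipherSuites -Suites $current

Write-Host "Removing $($weak.Count) suite(s) without PFS or with weak algorithms:"
$weak | ForEach-Object { Write-Host "  - $_" }
Write-Host "Keeping $($keep.Count) suite(s) (DHE/ECDHE first in the remaining order)."

# Never write an empty list: Schannel would then be unable to negotiate anything.
if ($keep.Count -eq 0) { throw 'Refusing to write an empty cipher suite list.' }
Set-CipherSuiteOrder -Suites $keep
```

Schannel reads this policy at boot, so on a Cloud Service the role instance has to restart (a startup task runs before IIS starts, which is why the asker's approach works). Two checks worth keeping in the real script: confirm the pruned list still contains TLS_ECDHE_* suites that your clients support, and keep the `Functions` value under its documented 1023-character limit, since a longer value is silently truncated and suites at the end of the list are lost.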