Yes it is possible to disable TLS 1.0 and even 1.1 without using App Service Environment (ASE). The solution is to use Azure Application Gateway and a custom hostname.
I like using Platform as a Service (PaaS) because it abstracts the complexities of managing the underlying layer. Of course it does incur additional cost but this is usually not a showstopper. An example of a showstopper is when there is a special need to bring forward disabling of less secure cryptography protocols. Failure which, switching to a different hosting option has to be considered!
Before jumping to the solution, I need to state that the way I am proposing is considered not supported by Azure.
I know I am not alone in facing this issue and I have been Googleing monthly in search for a viable solution. As at 4th July 2017, below are points that I have found to date:
If you are fine with either of these:
My solution involves use of Azure Application Gateway and a custom hostname over existing Web App.
The idea came after reading a comment by user Gwallace@MSFT (moderator) who stated the following comment on 18th May 2017:
Application Gateway forwards the request to the backend with the same host header it receives from the client, this is an issue with backends that are listening on a different hostname, which can be the case with WebApps.
The key bits are “same host header”.
In theory, it should work by doing the following:
I had to do a few extras so I would suggest following the steps below.
You have the following:
<your website>.azurewebsites.net. Note that DNS information may take up to 24 hours to propagate.
App Service. Then go to
Add hostname. Enter the FQDN of your subdomain and click on
Validate. Azure will perform an ownership check to ensure that you are the owner of the domain by checking your subdomain’s CNAME record. Ensure this passes before proceeding!
Standardtier is fine. Choose
WAFif you prefer.
Virtual network(or existing if you know what you are doing). You need to give a name. Address space, subnet name, and subnet address range have been prepropulated.
Public IP address.
HTTPS. You will need to create another listener for
HTTPlater (if you want this too) but I am not demonstrating that to focus on disabling specific TLS versions. Port number will automatically be set to
443. For testing purposes, I created a self-signed PFX which I will not detail as you can find plenty of tutorials elsewhere. The PFX must be password protected.
OKto proceed. Expect up to 20 minutes for gateway to be created.
Overviewas further configuration is required.
Backend pools. One has already been created named
appGatewayBackendPool. Click on it then add
<your website>.azurewebsites.net. Remember to click
Health probes. Add a new one that points to
<your website>.azurewebsites.net. Root (/) path is fine. Click
HTTP settings. Check
Use custom probeand point to the newly created probe.
Backend health. Ensure that the status is
Healthyotherwise you missed a step.
Firstly, verify the list of TLS protocol versions supported as-is. Go to Qualys SSL Labs SSL Server Test. A warning will appear if you used a self-signed certificate. Choose to proceed. You should now be seeing TLS 1.0, 1.1 and 1.2 marked
Start PowerShell and enter the following commands. Please note in the example below both TLS 1.0 and 1.1 are to be disabled. You can omit the latter if you prefer to keep it supported:
$gw = Get-AzureRmApplicationGateway -Name <your gateway name> -ResourceGroupName <your resource group> Set-AzureRmApplicationGatewaySslPolicy -DisabledSslProtocols TLSv1_0, TLSv1_1 -ApplicationGateway $gw $gw | Set-AzureRmApplicationGateway
Once the last command has completed, perform a new SSL test and you should now be seeing just TLS 1.2 marked