Does Azure App Service Support TLS 1.3

Harsh Thakor 116 Reputation points
2023-10-17T14:00:40.0266667+00:00

Does Azure App Service Support TLS 1.3 for both inbound and outbound calls? If yes, how can that configuration be made?

Need to understand this for both Windows and Linux App Services for all the Plans.

Azure App Service

Accepted answer
  1. Terae E 80 Reputation points
    2023-10-17T14:08:29.7266667+00:00

    Hello @Harsh Thakor

    The answer to your question is yes, both support TLS 1.3.

    Here's how you can configure TLS 1.3 for both Windows and Linux App Services in Azure:

    Windows App Service:

    • To enable TLS 1.3 for your Windows App Service, you typically don't need to make any specific configuration changes on the App Service level. Azure manages the TLS settings for you. However, you can control the TLS version supported by your application code if needed.
    • You can configure your application code to use TLS 1.3 by modifying the application's code or application framework settings (e.g., .NET Core or ASP.NET). Most modern frameworks and libraries should automatically use the highest TLS version available, which includes TLS 1.3 if the client and server support it.
    Linux App Service:

    For Linux-based App Services, you can configure the TLS settings at the server level, which includes support for TLS 1.3.

    • To enable TLS 1.3 for your Linux App Service, you can make use of a custom Nginx configuration file. Here's how:
      • Access your Linux App Service through SSH.
      • Navigate to the /home/site/wwwroot directory.
      • Create an .nginx.conf file with your custom Nginx configuration.
      • In the configuration file, you can specify TLS settings, including enabling TLS 1.3. Here's an example of the TLS settings in the Nginx configuration:
          ```nginx
          ssl_protocols TLSv1.2 TLSv1.3;
          ssl_prefer_server_ciphers off;
          ```
      • Save the configuration file.
      • Finally, restart the Nginx service to apply the changes:
          ```bash
          systemctl restart nginx
          ```
    
    1 person found this answer helpful.

2 additional answers

  1. Grmacjon-MSFT 18,451 Reputation points
    2023-10-27T04:31:25.03+00:00

    Hi @Harsh Thakor, adding to Terae's answer:

    ETA for TLS 1.3 support is Q1 of next year.

    • For Windows App Service, TLS 1.3 is not yet supported. The underlying Windows Server 2016 OS does not include TLS 1.3 support.
    • For Linux App Service, TLS 1.3 is supported on the latest stack versions - Debian 10 and Ubuntu 18.04 or higher. Lower versions do not include TLS 1.3 support.
    • To check the Linux stack version, go to the App Service and under Settings > Configuration > General Settings view the current Linux OS type.
    • You can enforce a minimum TLS version of 1.2 for all App Services under SSL settings, but not 1.3 yet.
    • To identify the negotiated TLS version and cipher suite in use, enable diagnostics logging and look for the TLS handshake details in the logs. You can also use Fiddler or openssl to test connections.
    • For calling external APIs, App Services will negotiate the highest common TLS version supported by both endpoints.

    Hope that helps.

    -Grace

    2 people found this answer helpful.
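
Added example (not part of the thread and not Microsoft's code): one way to see which TLS versions an endpoint accepts, in the spirit of the openssl test suggested in the answer above, by pinning a Python client to a single version per attempt. The function names and status labels are this example's own, and the hostname is a placeholder you supply.

```python
import socket
import ssl

# Versions probed one at a time; older ones are usually disabled in the local OpenSSL build.
VERSIONS = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def pinned_context(version):
    """Client context that offers exactly one TLS version, with normal certificate checks."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe(host, port=443, version=ssl.TLSVersion.TLSv1_3, timeout=5.0):
    """Return (status, detail) for one handshake attempt pinned to `version`."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("unreachable", str(exc))  # TCP never connected; says nothing about TLS
    with raw:
        try:
            with pinned_context(version).wrap_socket(raw, server_hostname=host) as tls:
                return ("accepted", f"{tls.version()} {tls.cipher()[0]}")
        except ssl.SSLCertVerificationError as exc:
            # The handshake got as far as the certificate, which then failed validation.
            return ("cert-error", exc.verify_message)
        except (ssl.SSLError, OSError) as exc:
            # Alert, reset or timeout during the handshake: this version was not negotiated.
            return ("rejected", getattr(exc, "reason", None) or str(exc))


def survey(host, port=443):
    """Probe every version in VERSIONS and map its name to the probe result."""
    return {v.name: probe(host, port, v) for v in VERSIONS}


if __name__ == "__main__":
    import sys
    # Usage: python tls_probe.py <your-app-hostname>   (placeholder, supply your own)
    for name, (status, detail) in survey(sys.argv[1]).items():
        print(f"{name}: {status} ({detail})")
```

A result of "accepted" for TLSv1_3 means the front end negotiated TLS 1.3 with this client; "rejected" for TLSv1_3 alongside "accepted" for TLSv1_2 means the endpoint tops out at 1.2.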

  2. Stéphane Escandell 0 Reputation points
    2024-07-02T07:57:27.1966667+00:00

    Hi @Grmacjon-MSFT ,

    For Windows App Service, TLS 1.3 is not yet supported. The underlying Windows Server 2016 OS does not include TLS 1.3 support.

    Do you have any ETA for this? We are in situations where we consume API allowing TLS 1.3 only. This is currently not working (because as you said the Windows OS does not support it).

    Regards,

