Cipher Suite Change

Microsoft is announcing the removal of RC4 from the supported list of negotiable ciphers on our service endpoints in Microsoft Azure.

This change is to update the SSL cipher suite order and the removal of the RC4 ciphers from the suite.

The Cipher Suite order determines the cipher suites used by the SSL/TLS.

The following cipher suite order is used:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA256

TLS_RSA_WITH_AES_128_CBC_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

Please let us know if you have any questions by posting in the Comments section below.

Thanks!

Tom

Comments

• Anonymous
  May 27, 2016
  Dear Microsoft,I have run an SSLLABS report and it tells me that my server accepts RC4 cipher which I understand from this report, you say it is removed. Can you please advise if there is any manual activity I am required to do to remove this; my understanding is that it was removed automatically.Thanks for a quick reply,Nick De Blasio
  • Anonymous
    June 01, 2016
    Hi Nick - the Azure platform has deprecated RC4 and new images are targeted. However, old ones will need to be updated.
• Anonymous
  July 11, 2016
  The comment has been removed
  • Anonymous
    July 20, 2016
    Hi Bart -Thanks! We'll look into this - thanks for the pointer.Tom
• Anonymous
  November 21, 2016
  With the SWEET32 vulnerability https://sweet32.info/ (CVE-2016-2183, CVE-2016-6329), the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher should be removed from this list and 3-DES disabled on the server ASAP.It would be useful if we could opt-out with a configuration on the Azure portal.