articles/iot-dps/tls-support.md
11 additions & 8 deletions
@@ -5,21 +5,25 @@
5
5
author: kgremban
6
6
ms.service: iot-dps
7
7
ms.topic: conceptual
8
-
ms.date: 09/14/2020
8
+
ms.date: 09/15/2022
9
9
ms.author: kgremban
10
10
---
11
11
12
12
# TLS support in Azure IoT Hub Device Provisioning Service (DPS)
13
13
14
-
DPS uses [Transport Layer Security (TLS)](http://wikipedia.org/wiki/Transport_Layer_Security) to secure connections from IoT devices.
14
+
DPS uses [Transport Layer Security (TLS)](http://wikipedia.org/wiki/Transport_Layer_Security) to secure connections from IoT devices.
15
15
16
16
Current TLS protocol versions supported by DPS are:
17
17
18
18
* TLS 1.2
19
19
20
-
## Restrict connections to TLS 1.2
20
+
## Restrict connections to a minimum TLS version
21
21
22
-
For added security, it is advised to configure your DPS instances to *only* allow device client connections that use TLS version 1.2 and to enforce the use of [recommended ciphers](#recommended-ciphers).
22
+
You can configure your DPS instances to *only* allow device client connections that use a minimum TLS version or greater.
23
+
24
+
> [!IMPORTANT]
25
+
>
26
+
> Currently, DPS only supports TLS 1.2, so there is no need to specify the minimum TLS version when you create a DPS instance. This feature is provided for future expansion.
23
27
24
28
To do this, provision a new DPS resource setting the `minTlsVersion` property to `1.2` in your Azure Resource Manager template's DPS resource specification. The following example template JSON specifies the `minTlsVersion` property for a new DPS instance.
25
29
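Review bot: The new `[!IMPORTANT]` callout ("no need to specify the minimum TLS version when you create a DPS instance") sits directly above the unchanged sentence "To do this, provision a new DPS resource setting the `minTlsVersion` property to `1.2` ...", and the two now pull in opposite directions: the heading and intro say you *can* restrict to a minimum version, the callout says there is no point doing so, and the instructions still tell the reader to do it. Consider rewording the unchanged lead-in, e.g. "To set the minimum version explicitly, provision a new DPS resource setting the `minTlsVersion` property to `1.2` ...", so the procedure reads as optional and consistent with the callout. Also note that dropping "and to enforce the use of [recommended ciphers](#recommended-ciphers)" from this paragraph leaves the later unchanged NOTE (old line 59) still instructing readers to validate devices against the recommended ciphers; that NOTE should be updated in the same change. The first `-`/`+` pair in this hunk (the "DPS uses [Transport Layer Security (TLS)]..." line) renders identically, so it appears to be a whitespace-only change; if that is intentional it is harmless, otherwise it is noise in the diff.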
@@ -45,15 +49,15 @@ To do this, provision a new DPS resource setting the `minTlsVersion` property to
45
49
}
46
50
```
47
51
48
-
You can deploy the template with the following Azure CLI command.
52
+
You can deploy the template with the following Azure CLI command.
49
53
50
54
```azurecli
51
55
az deployment group create -g <your resource group name> --template-file template.json
52
56
```
53
57
54
58
For more information on creating DPS resources with Resource Manager templates, see, [Set up DPS with an Azure Resource Manager template](quick-setup-auto-provision-rm.md).
55
59
56
-
The DPS resource created using this configuration will refuse devices that attempt to connect using TLS versions 1.0 and 1.1. Similarly, the TLS handshake will be refused if the device client's HELLO message does not list any of the [recommended ciphers](#recommended-ciphers).
60
+
The DPS resource created using this configuration will refuse devices that attempt to connect using TLS versions 1.0 and 1.1.
57
61
58
62
> [!NOTE]
59
63
> The `minTlsVersion` property is read-only and cannot be changed once your DPS resource is created. It is therefore essential that you properly test and validate that *all* your IoT devices are compatible with TLS 1.2 and the [recommended ciphers](#recommended-ciphers) in advance.
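Review bot: The unchanged `[!NOTE]` at the end of this hunk still tells readers to validate that all devices are compatible with "TLS 1.2 and the [recommended ciphers](#recommended-ciphers)", while the removed sentence just above it was the only statement that the handshake is actually refused when the client HELLO lists none of the recommended ciphers. With the next hunk saying DPS "enforce[s] the use of the following recommended and legacy cipher suites", the cipher-related advice in the NOTE is now unsupported by the text around it; either restore a sentence describing what happens when a device offers none of the listed suites, or trim the NOTE to the TLS 1.2 requirement and reference the cipher list in a neutral way ("see [Recommended ciphers](#recommended-ciphers)"). Two smaller points in the same region: the "You can deploy the template with the following Azure CLI command." `-`/`+` pair renders identically (whitespace-only change), and the unchanged context line "For more information on creating DPS resources with Resource Manager templates, see, [Set up DPS ...]" has a stray comma after "see" that could be fixed while this file is being touched.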
@@ -63,8 +67,7 @@ The DPS resource created using this configuration will refuse devices that attem
63
67
64
68
## Recommended ciphers
65
69
66
-
DPS instances that are configured to accept only TLS 1.2 will also enforce the use of the following cipher suites:
67
-
70
+
DPS instances enforce the use of the following recommended and legacy cipher suites:
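Review bot: The replacement sentence says DPS enforces "recommended *and legacy* cipher suites", but the section heading remains "## Recommended ciphers" and the list itself is outside this hunk, so the reader cannot tell which suites are legacy. Since this is the security-relevant change of the commit (cipher enforcement now applies to every instance, not only those configured for TLS 1.2), the list that follows should label each suite as recommended or legacy, and a sentence should state whether legacy suites are only accepted for existing devices or also for new provisioning, so that device teams can pick a recommended suite and treat the legacy ones as a compatibility fallback rather than a default. It would also help to say explicitly what happens when a device offers none of the listed suites, since the sentence that previously described handshake refusal was removed in an earlier hunk.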