Merge pull request #295246 from kgremban/feb24-hubtls

Update tls cipher list

Author: JamesJBarnett

articles/iot-hub/iot-hub-tls-support.md

@@ -5,7 +5,7 @@
  author: kgremban
  ms.service: azure-iot-hub
  ms.topic: conceptual
- ms.date: 1/7/2025
+ ms.date: 02/24/2025
  ms.author: kgremban
 ---
 
@@ -18,7 +18,7 @@ IoT Hub uses Transport Layer Security (TLS) to secure connections from IoT devic
 >
 > It's therefore essential that you properly test and validate that *all* your IoT devices and services are compatible with TLS 1.2 and the [recommended ciphers](#cipher-suites) in advance. It's highly recommended to use the [minimum TLS enforcement feature](#enforce-iot-hub-to-use-tls-12-and-strong-cipher-suites) as the mechanism for testing and compliance
 >
-> To find out the version of TLS your IoT Hub devices are running, please refer to [TLS 1.0 and 1.1 end of support guide](#checking-tls-versions-for-iot-hub-devices). 
+> To find out the version of TLS your IoT Hub devices are running, refer to [TLS 1.0 and 1.1 end of support guide](#checking-tls-versions-for-iot-hub-devices).
 
 ## Mutual TLS support
 
@@ -44,40 +44,36 @@ For links to download these certificates, see [Azure Certificate Authority detai
 Root CA migrations are rare. You should always prepare your IoT solution for the unlikely event that a root CA is compromised and an emergency root CA migration is necessary.
 
 ## Cipher Suites
-To comply with Azure security policy for a secure connection, IoT Hub supports the following RSA and ECDSA cipher suites for TLS 1.2:
-   * TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-   * TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-   * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
-   * TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
-   * TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-   * TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-   * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
-   * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
-
-The following cipher suites are currently allowed in IoT Hub. However, these cipher suites are no longer recommended by the Azure security guidelines. 
-
-| Cipher Suites                         | TLS Version support                |
-|---------------------------------------|------------------------------------|
-| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | TLS 1.2        |
-| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384   | TLS 1.2        |
-| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256   | TLS 1.2        |
-| TLS_RSA_WITH_AES_256_GCM_SHA384       | TLS 1.2        |
-| TLS_RSA_WITH_AES_128_GCM_SHA256       | TLS 1.2        |
-| TLS_RSA_WITH_AES_256_CBC_SHA256       | TLS 1.2        |
-| TLS_RSA_WITH_AES_128_CBC_SHA256       | TLS 1.2        |
-| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA    | TLS 1.0/1.1/1.2|
-| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA    | TLS 1.0/1.1/1.2|
-| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA    | TLS 1.0/1.1/1.2|
-| TLS_RSA_WITH_3DES_EDE_CBC_SHA         | TLS 1.0/1.1/1.2|
-| TLS_RSA_WITH_3DES_EDE_CBC_SHA         | TLS 1.0/1.1/1.2|
-| TLS_RSA_WITH_AES_128_CBC_SHA          | TLS 1.0/1.1/1.2|
-| TLS_RSA_WITH_AES_256_CBC_SHA          | TLS 1.0/1.1/1.2|
-
-A client can suggest a list of higher cipher suites to use during `ClientHello`. However, some of them might not be supported by IoT Hub (for example, `ECDHE-ECDSA-AES256-GCM-SHA384`). In this case, IoT Hub tries to follow the preference of the client, but eventually negotiate down the cipher suite with `ServerHello`. 
+
+To comply with Azure security policy for a secure connection, IoT Hub recommends the following RSA and ECDSA cipher suites that require minimum TLS 1.2 enforcement:
+
+* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+
+The following cipher suites are currently allowed in IoT Hub. However, these cipher suites are no longer recommended by the Azure security guidelines. These cipher suites work with TLS versions 1.0, 1.1, and 1.2.
+
+* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
+* TLS_RSA_WITH_AES_256_GCM_SHA384
+* TLS_RSA_WITH_AES_128_GCM_SHA256
+* TLS_RSA_WITH_AES_256_CBC_SHA256
+* TLS_RSA_WITH_AES_128_CBC_SHA256
+* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+* TLS_RSA_WITH_AES_128_CBC_SHA
+* TLS_RSA_WITH_AES_256_CBC_SHA
+
+A client can suggest a list of higher cipher suites to use during `ClientHello`. However, IoT Hub might not support some of them, for example, `ECDHE-ECDSA-AES256-GCM-SHA384`. In this case, IoT Hub tries to follow the preference of the client but eventually negotiate down the cipher suite with `ServerHello`.
 
 ## Enforce IoT Hub to use TLS 1.2 and strong cipher suites
 
-To ensure your IoT devices are TLS 1.2 and [strong cipher suites](#cipher-suites) compliance, you can enforce compliance using minimum TLS enforcement feature in Azure IoT Hub. 
+To ensure your IoT devices are TLS 1.2 and [strong cipher suites](#cipher-suites) compliance, you can enforce compliance using minimum TLS enforcement feature in Azure IoT Hub.
 
 Currently this feature is only available in the following regions and during IoT Hub creation (other Azure regions will be supported in 2025):
 
@@ -94,7 +90,7 @@ To enable TLS 1.2 and strong cipher suites enforcement in Azure portal:
 3. Under **Management -> Advanced -> Transport Layer Security (TLS) -> Minimum TLS version**, select **1.2**. This setting only appears for IoT hub created in supported region.
 
     :::image type="content" source="media/iot-hub-tls-12-enforcement.png" alt-text="Screenshot showing how to turn on TLS 1.2 enforcement during IoT hub creation.":::
-4. Click **Create**
+4. Select **Create**
 5. Connect your IoT devices to this IoT Hub
 
 To use ARM template for creation, provision a new IoT Hub in any of the supported regions and set the `minTlsVersion` property to `1.2` in the resource specification: