Merge pull request #106344 from mimckitt/patch-83

American-Dipper · web-flow · commit 7f721e41a422 · 2020-03-03T13:33:59.000-08:00
Update applications-dont-support-tls-1-2.md
diff --git a/articles/cloud-services/applications-dont-support-tls-1-2.md b/articles/cloud-services/applications-dont-support-tls-1-2.md
@@ -15,6 +15,7 @@ ms.workload:
 ms.date: 01/17/2020
 ms.author: tagore
 ---
+
 # Troubleshooting applications that don’t support TLS 1.2
 This article describes how to enable the older TLS protocols (TLS 1.0 and 1.1) as well as applying legacy cipher suites to support the additional protocols on the Windows Server 2019 cloud service web and worker roles. 
 
@@ -23,7 +24,7 @@ We understand that while we are taking steps to deprecate TLS 1.0 and TLS 1.1, o
 > [!NOTE]
 > Guest OS Family 6 releases enforces TLS 1.2 by disabling 1.0/1.1 ciphers. 
 
-  
+
 ## Dropping support for TLS 1.0, TLS 1.1 and older cipher suites 
 In support of our commitment to use best-in-class encryption, Microsoft announced plans to start migration away from TLS 1.0 and 1.1 in June of 2017.   Since that initial announcement, Microsoft announced our intent to disable Transport Layer Security (TLS) 1.0 and 1.1 by default in supported versions of Microsoft Edge and Internet Explorer 11 in the first half of 2020.  Similar announcements from Apple, Google, and Mozilla indicate the direction in which the industry is headed.   
 
@@ -32,7 +33,7 @@ The Windows Server 2019 cloud server image is configured with TLS 1.0 and TLS 1.
 
 The server also comes with a limited set of cipher suites: 
 
-```Powershell
+```
     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 
     TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 
     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 
@@ -42,14 +43,15 @@ The server also comes with a limited set of cipher suites:
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 
     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 
 ```
- 
+
 ## Step 1: Create the PowerShell script to enable TLS 1.0 and TLS 1.1 
 
-Use the following code as an example to create a script that enables the older protocols and cipher suites.   For the purposes of this documentation, this script will be named: TLSsettings.ps1. 
-  
+Use the following code as an example to create a script that enables the older protocols and cipher suites. For the purposes of this documentation, this script will be named: **TLSsettings.ps1**. Store this script on your local desktop for easy access in later steps. 
+
+
 ```Powershell
 #******************* FUNCTION THAT ACTUALLY UPDATES KEYS; WILL RETURN REBOOT FLAG IF CHANGES *********************** 
-
+ 
 Function Set-CryptoSetting {  
     param (  
         $regKeyName,  
@@ -64,64 +66,64 @@ Function Set-CryptoSetting {
     If (!(Test-Path -Path $regKeyName)) {  
         New-Item $regKeyName | Out-Null  
     }  
-
+ 
     # Get data of registry value, or null if it does not exist  
     $val = (Get-ItemProperty -Path $regKeyName -Name $value -ErrorAction SilentlyContinue).$value  
-
+ 
     If ($val -eq $null) {  
         # Value does not exist - create and set to desired value  
         New-ItemProperty -Path $regKeyName -Name $value -Value $valuedata -PropertyType $valuetype | Out-Null  
         $restart = $true 
     } 
-
+ 
     Else {  
         # Value does exist - if not equal to desired value, change it  
         If ($val -ne $valuedata) {  
             Set-ItemProperty -Path $regKeyName -Name $value -Value $valuedata  
             $restart = $true  
         }  
     }  
-
+ 
     $restart  
 }  
-
+ 
 #*************************************************************************************************************** 
-
+ 
 #****************************** CIPHERSUITES FOR OS VERSIONS WINDOWS 10 AND ABOVE ****************************** 
-
+ 
 function Get-BaseCipherSuitesWin10Above() 
 { 
-        $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" 
-        $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" 
-        $cipherorder += "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" 
-        $cipherorder += "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" 
-        $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" 
-        $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" 
-        $cipherorder += "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" 
-        $cipherorder += "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" 
-
+        $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," 
+        $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384," 
+        $cipherorder += "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," 
+        $cipherorder += "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," 
+        $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," 
+        $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384," 
+        $cipherorder += "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," 
+        $cipherorder += "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384," 
+ 
 # Legacy cipher suites 
-        $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256" 
-        $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256" 
-        $cipherorder += "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256" 
-        $cipherorder += "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256" 
-        $cipherorder += "TLS_RSA_WITH_AES_256_GCM_SHA384"  
-        $cipherorder += "TLS_RSA_WITH_AES_128_GCM_SHA256"  
-        $cipherorder += "TLS_RSA_WITH_AES_256_CBC_SHA256"  
-        $cipherorder += "TLS_RSA_WITH_AES_128_CBC_SHA256"  
-        $cipherorder += "TLS_RSA_WITH_AES_256_CBC_SHA" 
+        $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256," 
+        $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256," 
+        $cipherorder += "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256," 
+        $cipherorder += "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256," 
+        $cipherorder += "TLS_RSA_WITH_AES_256_GCM_SHA384,"  
+        $cipherorder += "TLS_RSA_WITH_AES_128_GCM_SHA256,"  
+        $cipherorder += "TLS_RSA_WITH_AES_256_CBC_SHA256,"  
+        $cipherorder += "TLS_RSA_WITH_AES_128_CBC_SHA256,"  
+        $cipherorder += "TLS_RSA_WITH_AES_256_CBC_SHA," 
         $cipherorder += "TLS_RSA_WITH_AES_128_CBC_SHA" 
-
-  return $cipherorder 
+ 
+ return $cipherorder 
 } 
+ 
 
-  
 #*************************************************************************************************************** 
-
-
+ 
+ 
 #********************************************** REGISTRY KEYS **************************************************** 
-
-  
+ 
+ 
 function Get-RegKeyPathToEnable() 
 { 
     $regKeyPath = @( 
@@ -137,112 +139,132 @@ function Get-RegKeyPathToEnable()
     ) 
     return $regKeyPath 
 } 
-
+ 
 #*************************************************************************************************************** 
-
+ 
 $localRegistryPath = @() 
-
+ 
 # Enable TLS 1.2, TLS 1.1 and TLS 1.0 
 $localRegistryPath += Get-RegKeyPathToEnable 
-
+ 
 #******************* CREATE THE REGISTRY KEYS IF THEY DON'T EXIST******************************** 
-
+ 
 # Check for existence of the registry keys, and create if they do not exist  
-For ($i = 0; $i -lt $localRegistryPath .Length; $i = $i + 1) {  
-   Write-Log -Message "Checking for existing of key: $($localRegistryPath [$i]) " -Logfile $logLocation  -Severity Information 
-   If (!(Test-Path -Path $localRegistryPath [$i])) {  
-        New-Item $localRegistryPath [$i] | Out-Null 
-               Write-Log -Message "Creating key: $($localRegistryPath [$i]) "  -Logfile $logLocation -Severity Information 
-           } 
+For ($i = 0; $i -lt $localRegistryPath.Length; $i = $i + 1) {  
+   Write-Host "Checking for existing of key: $($localRegistryPath[$i]) Severity Level: Information"
+   If (!(Test-Path -Path $localRegistryPath[$i])) {
+        New-Item $localRegistryPath [$i] | Out-Null
+    Write-Host "Creating key: $($localRegistryPath[$i]) Severity Level: Information"
+    }
 }  
-
+ 
 #********************************* EXPLICITLY Enable TLS12,  TLS11 and TLS10********************************* 
-
-For ($i = 0; $i -lt $localRegistryPath .Length; $i = $i + 1) { 
-    if ($localRegistryPath [$i].Contains("Client") -Or $localRegistryPath [$i].Contains("Server")) { 
-        Write-Log -Message "Enabling this key: $($localRegistryPath [$i]) "  -Logfile $logLocation -Severity Information  
-        $result = Set-CryptoSetting $localRegistryPath [$i].ToString() Enabled 1 DWord   
-        $result = Set-CryptoSetting $localRegistryPath [$i].ToString() DisabledByDefault 0 DWord  
+ 
+For ($i = 0; $i -lt $localRegistryPath.Length; $i = $i + 1) { 
+    if ($localRegistryPath[$i].Contains("Client") -Or $localRegistryPath[$i].Contains("Server")) { 
+      Write-Host "Enabling this key: $($localRegistryPath[$i]) Severity: Information "
+        $result = Set-CryptoSetting $localRegistryPath[$i].ToString() Enabled 1 DWord   
+        $result = Set-CryptoSetting $localRegistryPath[$i].ToString() DisabledByDefault 0 DWord  
         $reboot = $reboot -or $result 
     } 
 } 
  
 #**************************************** SET THE CIPHER SUITE ORDER******************************** 
-
+ 
 $cipherlist = @() 
-
+ 
 # Set cipher suite order 
 $cipherlist += Get-BaseCipherSuitesWin10Above 
-$cipherorder = [System.String]::Join(",", $cipherlist) 
 $CipherSuiteRegKey = "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002"  
-
+ 
 if (!(Test-Path -Path $CipherSuiteRegKey))  
 {  
     New-Item $CipherSuiteRegKey | Out-Null  
     $reboot = $True  
-    Write-Log -Message "Creating key: $($CipherSuiteRegKey) "  -Logfile $logLocation -Severity Information 
+    Write-Host "Creating key: $($CipherSuiteRegKey) Severity: Information "
 }  
-
-Set-ItemProperty -Path $CipherSuiteRegKey -Name Functions -Value $cipherorder  
-
+ 
+#Set-ItemProperty -Path $CipherSuiteRegKey -Name Functions -Value $cipherorder  
+Set-ItemProperty -Path $CipherSuiteRegKey -Name Functions -Value $cipherlist  
 #********************************************* REBOOT ******************************************* 
-
+ 
 Write-Host "A reboot is required in order for changes to effect"  
 Write-Host "Rebooting now..."  
-shutdown.exe /r /t 5 /c "Crypto settings changed" /f /d p:2:4  
+shutdown.exe /r /t 5 /c "Crypto settings changed" /f /d p:2:4
 ```
-  
+
 ## Step 2: Create a command file 
 
-Create a CMD file with the following information . 
+Create a CMD file named **RunTLSSettings.cmd** using the below. Store this script on your local desktop for easy access in later steps. 
 
+```cmd
+PowerShell -ExecutionPolicy Unrestricted %~dp0TLSsettings.ps1
+REM This line is required to ensure the startup tasks does not block the role from starting in case of error.  DO NOT REMOVE!!!! 
+EXIT /B 0
 ```
-IF "%ComputeEmulatorRunning%" == "true" ( 
-   ECHO Not launching the script, since is DEV Machine >> "Log.txt" 2>&1 
-) ELSE ( 
 
-PowerShell .\TLSsettings.ps1   
-  
-) 
+## Step 3: Add the startup task to the role’s service definition (csdef) 
 
-REM This line is required to ensure the startup tasks does not block the role from starting in case of error.  DO NOT REMOVE!!!! 
+Add the following snippet to your existing service definition file. 
 
-EXIT /B 0   
-```
 
-## Step 3: Add the startup task to the role’s service definition (csdef) 
+```
+	<Startup> 
+		<Task executionContext="elevated" taskType="simple" commandLine="RunTLSSettings.cmd"> 
+		</Task> 
+	</Startup> 
+```
 
 Here is an example that shows both the worker role and web role. 
-  
+
 ```
-<?xml version="1.0" encoding="utf-8"?> 
-<ServiceDefinition name="NugetExampleCloudServices" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition" schemaVersion="2015-04.2.6"> 
-  <WebRole name="WebRole1" vmsize="Standard_D1_v2"> 
-    <Sites> 
-      <Site name="Web"> 
-        <Bindings> 
-          <Binding name="Endpoint1" endpointName="Endpoint1" /> 
-        </Bindings> 
-      </Site> 
-    </Sites> 
-    <Startup> 
-      <Task executionContext="elevated" taskType="simple" commandLine="RunTLSSettings.cmd"> 
-      </Task> 
-    </Startup> 
-    <Endpoints> 
-      <InputEndpoint name="Endpoint1" protocol="http" port="80" /> 
-    </Endpoints> 
-  </WebRole> 
-  <WorkerRole name="WorkerRole1" vmsize="Standard_D1_v2"> 
-    <Startup> 
-      <Task executionContext="elevated" taskType="simple" commandLine="RunTLSSettings.cmd"> 
-      </Task> 
-    </Startup> 
-  </WorkerRole> 
+<?xmlversion="1.0"encoding="utf-8"?> 
+<ServiceDefinitionname="CloudServiceName"xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition"schemaVersion="2015-04.2.6"> 
+	<WebRolename="WebRole1"vmsize="Standard_D1_v2"> 
+		<Sites> 
+			<Sitename="Web"> 
+				<Bindings> 
+					<Bindingname="Endpoint1"endpointName="Endpoint1"/> 
+				</Bindings> 
+			</Site> 
+		</Sites> 
+		<Startup> 
+			<Taske xecutionContext="elevated" taskType="simple" commandLine="RunTLSSettings.cmd"> 
+			</Task> 
+		</Startup> 
+		<Endpoints> 
+			<InputEndpointname="Endpoint1"protocol="http"port="80"/> 
+		</Endpoints> 
+	</WebRole> 
+<WorkerRolename="WorkerRole1"vmsize="Standard_D1_v2"> 
+	<Startup> 
+		<Task executionContext="elevated" taskType="simple" commandLine="RunTLSSettings.cmd"> 
+		</Task> 
+	</Startup> 
+</WorkerRole> 
 </ServiceDefinition> 
 ```
 
-## Step 4: Validation 
+## Step 5: Add the scripts to your Cloud Service 
+
+1) In Visual Studio, right-click on your WebRole
+2) Select **Add**
+3) Select **Existing Item**
+4) In the file explorer, navigate to your desktop where you stored the **TLSsettings.ps1** and **RunTLSSettings.cmd** files 
+5) Select the two files to add them to your Cloud Services project
+
+## Step 6: Enable Copy to Output Directory
+
+To ensure the scripts are uploaded with every update pushed from Visual Studio, the setting *Copy to Output Directory* needs to be set to *Copy Always*
+
+1) Under your WebRole, right-click on RunTLSSettings.cmd
+2) Select **Properties**
+3) In the properties tab, change *Copy to Output Directory* to *Copy Always"*
+4) Repeat the steps for **TLSsettings.ps1**
+
+## Step 7: Publish & Validate
+
+Now that the above steps have been complete, publish the update to your existing Cloud Service. 
 
 You can use [SSLLabs](https://www.ssllabs.com/) to validate the TLS status of your endpoints 
 
