articles/iot-hub/iot-hub-tls-support.md
Lines changed: 10 additions & 13 deletions
@@ -29,7 +29,7 @@ IoT Hub uses Transport Layer Security (TLS) to secure connections from IoT devic
29
29
> - US Gov Arizona
30
30
> - US Gov Virginia (TLS 1.0/1.1 support isn't available in this region. TLS 1.2 enforcement must be enabled or IoT Hub creation fails).
31
31
>
32
-
> To find out the version of TLS your IoT Hub devices are running, refer to [TLS 1.0 and 1.1 end of support guide](#checking-tls-versions-for-iot-hub-devices).
32
+
> To find out the version of TLS your IoT Hub devices are running, refer to [TLS 1.0 and 1.1 end of support guide](#checking-tls-versions-and-cipher-suites-for-iot-hub-devices).
33
33
34
34
## Mutual TLS support
35
35
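Review bot: The link text at new line 32 still reads "TLS 1.0 and 1.1 end of support guide", but the anchor now targets the section renamed in the last hunk to "Checking TLS versions and cipher suites for IoT Hub devices", so the label no longer describes where the reader lands. Suggest using the section title as the link text and extending the lead-in to "the version of TLS and the cipher suites". The old anchor `#checking-tls-versions-for-iot-hub-devices` disappears with the rename, so any other link to it needs the same update; only this one is visible in the diff.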
@@ -58,7 +58,7 @@ Root CA migrations are rare. You should always prepare your IoT solution for the
58
58
59
59
Starting **August 31, 2025**, IoT Hub enforces the use of recommended strong cipher suites for all existing and new IoT Hubs. Non-recommended (weak) cipher suites aren't supported past this date.
60
60
61
-
To comply with Azure security policy for a secure connection, IoT Hub only supports the following RSA and ECDSA cipher suites that require minimum TLS 1.2 enforcement:
61
+
To comply with Azure security policy for a secure connection, IoT Hub only supports the following RSA and ECDSA cipher suites:
62
62
63
63
* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
64
64
* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
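Review bot: With the TLS 1.2 qualifier dropped, new line 61 now says IoT Hub "only supports" the listed suites without condition, while new line 72 in the next hunk still allows the non-recommended suites on some hubs until August 31, 2025. Suggest wording that keeps the two statements consistent, for example calling these the recommended suites and saying they are the only ones accepted after the enforcement date or on hubs with `minTlsVersion` set to 1.2. If the TLS version requirement was removed because it is covered elsewhere in the article, a short pointer to that section would keep the information reachable from here.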
@@ -69,7 +69,7 @@ To comply with Azure security policy for a secure connection, IoT Hub only suppo
69
69
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
70
70
* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
71
71
72
-
The following non-recommended cipher suites are allowed until August 31, 2025:
72
+
The following non-recommended cipher suites are allowed on hubs **without minTlsVersion:1.2**until August 31, 2025:
73
73
74
74
* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
75
75
* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
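Review bot: New line 72 is missing a space after the bold span ("**without minTlsVersion:1.2**until"), and `minTlsVersion:1.2` is written as plain bold text although the property is formatted as code at line 155 (`minTlsVersion`). Suggest "on hubs without `minTlsVersion` set to `1.2` until August 31, 2025". It would also help to state whether "until August 31, 2025" includes that day, because line 59 says enforcement starts on August 31, 2025.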
@@ -154,32 +154,29 @@ The created IoT hub resource using this configuration refuses device and service
154
154
> [!NOTE]
155
155
> Upon failover, the `minTlsVersion` property of your IoT Hub remains effective in the geo-paired region post-failover.
156
156
157
-
## Checking TLS versions for IoT Hub devices
157
+
## Checking TLS versions and cipher suites for IoT Hub devices
158
158
159
-
Azure IoT Hub provides the capability to check the TLS version and other device connection metrics to help monitor the security of IoT devices. You can either use IoT Hub metrics or diagnostic logs to track TLS version usage and other related properties like [Cipher Suites](#cipher-suites).
159
+
Azure IoT Hub provides the capability to check the TLS version, cipher suites, and other device connection metrics to help monitor the security of IoT devices. You can either use IoT Hub metrics or diagnostic logs to track TLS version usage and other related properties like [Cipher Suites](#cipher-suites).
160
160
161
-
### Checking TLS versions using IoT Hub metrics
161
+
### Checking TLS versions and cipher suites using IoT Hub metrics
162
162
163
-
If you want to validate that device traffic to IoT Hub is utilizing TLSv1.2, you can check IoT Hub’s metrics. This allows you to filter by TLS version or Cipher Suite and check the number of successful connections.
163
+
If you want to validate that device traffic to IoT Hub is utilizing TLSv1.2 and strong cipher suites, you can check IoT Hub’s metrics. This allows you to filter by TLS version or cipher suite and check the number of successful connections.
164
164
165
165
1. In the [Azure portal](https://portal.azure.com), go to your IoT hub.
166
166
1. In the left-side menu under **Monitoring**, select **Metrics**.
167
167
1. Add the metric **Successful Connects**.
168
168
169
169
:::image type="content" source="./media/iot-hub-tls-support/tls-versions-support-metrics.png" alt-text="Screenshot showing how to add the Successful Connects metric.":::
170
170
171
-
1. Filter by TLS Version or Cipher Suite by selecting the **Add filter** button and choosing the appropriate property, TLS Version or Cipher Suite, operator, for example "=", and value, for example, TLSv1.2.
171
+
1. Filter by TLS Version or cipher suite by selecting the **Add filter** button and choosing the appropriate property, TLS Version or cipher suite, operator, for example "=", and value, for example, TLSv1.2.
172
172
173
173
:::image type="content" source="./media/iot-hub-tls-support/tls-versions-support-metrics-filter.png" alt-text="Screenshot showing how to filter by TLS Version or Cipher Suite.":::
174
174
175
175
1. After applying the filter, you see the sum of devices with successful IoT Hub connections based on the filtered property and value(s).
176
176
177
-
> [!NOTE]
178
-
> TLS version query isn't available for devices using HTTPS connections.
179
-
180
-
### Checking TLS versions using IoT Hub diagnostic logs
177
+
### Checking TLS versions and cipher suites using IoT Hub diagnostic logs
181
178
182
-
Azure IoT Hub can provide diagnostic logs for several categories that can be analyzed using Azure Monitor Logs. In the connections log you can find the TLS version for your IoT Hub devices.
179
+
Azure IoT Hub can provide diagnostic logs for several categories that can be analyzed using Azure Monitor Logs. In the connections log you can find the TLS version and cipher suite for your IoT Hub devices.
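Review bot: The note at old lines 177-178 ("TLS version query isn't available for devices using HTTPS connections") is deleted with no replacement, and nothing in the visible change says whether that limitation has been lifted. If it still applies, keep the note and extend it to cipher suites; if it no longer applies, say so in the commit message so readers who relied on it know the behaviour changed. Two smaller points in the same hunk: new line 159 now names cipher suites twice in one paragraph ("the TLS version, cipher suites, and other device connection metrics" followed by "other related properties like [Cipher Suites]"), and new line 171 lowercases "cipher suite" but keeps "TLS Version" capitalized, although both are filter property names and the screenshot alt text at line 173 still reads "TLS Version or Cipher Suite".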