Merge pull request #101428 from mimckitt/patch-332

v-albemi · web-flow · commit a6547ac9e14d · 2020-02-04T12:15:00.000-08:00
Applications-dont-support-tls-1-2
diff --git a/articles/cloud-services/applications-dont-support-tls-1-2.md b/articles/cloud-services/applications-dont-support-tls-1-2.md
@@ -0,0 +1,249 @@
+---
+title: Troubleshooting issues caused by applications that don’t support TLS 1.2 | Microsoft Docs
+description: Troubleshooting issues caused by applications that don’t support TLS 1.2
+services: cloud-services
+documentationcenter: ''
+author: MicahMcKittrick-MSFT
+manager: vashan
+editor: ''
+tags: top-support-issue
+ms.assetid: 
+ms.service: cloud-services
+ms.topic: troubleshooting
+ms.tgt_pltfrm: na
+ms.workload: 
+ms.date: 01/17/2020
+ms.author: tagore
+---
+# Troubleshooting applications that don’t support TLS 1.2
+This article describes how to enable the older TLS protocols (TLS 1.0 and 1.1) as well as applying legacy cipher suites to support the additional protocols on the Windows Server 2019 cloud service web and worker roles. 
+
+We understand that while we are taking steps to deprecate TLS 1.0 and TLS 1.1, our customers may need to support the older protocols and cipher suites until they can plan for their deprecation.  While we don't recommend re-enabling these legacy values, we are providing guidance to help customers. We encourage customers to evaluate the risk of regression before implementing the changes outlined in this article. 
+
+> [!NOTE]
+> Guest OS Family 6 releases enforces TLS 1.2 by disabling 1.0/1.0 ciphers. 
+
+  
+## Dropping support for TLS 1.0, TLS 1.1 and older cipher suites 
+In support of our commitment to use best-in-class encryption, Microsoft announced plans to start migration away from TLS 1.0 and 1.1 in June of 2017.   Since that initial announcement, Microsoft announced our intent to disable Transport Layer Security (TLS) 1.0 and 1.1 by default in supported versions of Microsoft Edge and Internet Explorer 11 in the first half of 2020.  Similar announcements from Apple, Google, and Mozilla indicate the direction in which the industry is headed.   
+
+## TLS configuration  
+The Windows Server 2019 cloud server image is configured with TLS 1.0 and TLS 1.1 disabled at the registry level. This means applications deployed to this version of Windows AND using the Windows stack for TLS negotiation will not allow TLS 1.0 and TLS 1.1 communication.   
+
+The server also comes with a limited set of cipher suites: 
+
+```Powershell
+    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 
+    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 
+    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 
+    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 
+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 
+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 
+```
+ 
+## Step 1: Create the PowerShell script to enable TLS 1.0 and TLS 1.1 
+
+Use the following code as an example to create a script that enables the older protocols and cipher suites.   For the purposes of this documentation, this script will be named: TLSsettings.ps1. 
+  
+```Powershell
+#******************* FUNCTION THAT ACTUALLY UPDATES KEYS; WILL RETURN REBOOT FLAG IF CHANGES *********************** 
+
+Function Set-CryptoSetting {  
+    param (  
+        $regKeyName,  
+        $value,  
+        $valuedata,  
+        $valuetype       
+    )  
+    
+    $restart = $false 
+  
+    # Check for existence of registry key, and create if it does not exist  
+    If (!(Test-Path -Path $regKeyName)) {  
+        New-Item $regKeyName | Out-Null  
+    }  
+
+    # Get data of registry value, or null if it does not exist  
+    $val = (Get-ItemProperty -Path $regKeyName -Name $value -ErrorAction SilentlyContinue).$value  
+
+    If ($val -eq $null) {  
+        # Value does not exist - create and set to desired value  
+        New-ItemProperty -Path $regKeyName -Name $value -Value $valuedata -PropertyType $valuetype | Out-Null  
+        $restart = $true 
+    } 
+
+    Else {  
+        # Value does exist - if not equal to desired value, change it  
+        If ($val -ne $valuedata) {  
+            Set-ItemProperty -Path $regKeyName -Name $value -Value $valuedata  
+            $restart = $true  
+        }  
+    }  
+
+    $restart  
+}  
+
+#*************************************************************************************************************** 
+
+#****************************** CIPHERSUITES FOR OS VERSIONS WINDOWS 10 AND ABOVE ****************************** 
+
+function Get-BaseCipherSuitesWin10Above() 
+{ 
+        $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" 
+        $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" 
+        $cipherorder += "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" 
+        $cipherorder += "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" 
+        $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" 
+        $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" 
+        $cipherorder += "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" 
+        $cipherorder += "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" 
+
+# Legacy cipher suites 
+        $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256" 
+        $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256" 
+        $cipherorder += "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256" 
+        $cipherorder += "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256" 
+        $cipherorder += "TLS_RSA_WITH_AES_256_GCM_SHA384"  
+        $cipherorder += "TLS_RSA_WITH_AES_128_GCM_SHA256"  
+        $cipherorder += "TLS_RSA_WITH_AES_256_CBC_SHA256"  
+        $cipherorder += "TLS_RSA_WITH_AES_128_CBC_SHA256"  
+        $cipherorder += "TLS_RSA_WITH_AES_256_CBC_SHA" 
+        $cipherorder += "TLS_RSA_WITH_AES_128_CBC_SHA" 
+
+  return $cipherorder 
+} 
+
+  
+#*************************************************************************************************************** 
+
+
+#********************************************** REGISTRY KEYS **************************************************** 
+
+  
+function Get-RegKeyPathToEnable() 
+{ 
+    $regKeyPath = @( 
+        "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2",         
+        "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client",  
+        "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" , 
+        "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1",  
+        "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client", 
+        "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" , 
+        "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0",  
+        "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client",  
+        "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" 
+    ) 
+    return $regKeyPath 
+} 
+
+#*************************************************************************************************************** 
+
+$localRegistryPath = @() 
+
+# Enable TLS 1.2, TLS 1.1 and TLS 1.0 
+$localRegistryPath += Get-RegKeyPathToEnable 
+
+#******************* CREATE THE REGISTRY KEYS IF THEY DON'T EXIST******************************** 
+
+# Check for existence of the registry keys, and create if they do not exist  
+For ($i = 0; $i -lt $localRegistryPath .Length; $i = $i + 1) {  
+   Write-Log -Message "Checking for existing of key: $($localRegistryPath [$i]) " -Logfile $logLocation  -Severity Information 
+   If (!(Test-Path -Path $localRegistryPath [$i])) {  
+        New-Item $localRegistryPath [$i] | Out-Null 
+               Write-Log -Message "Creating key: $($localRegistryPath [$i]) "  -Logfile $logLocation -Severity Information 
+           } 
+}  
+
+#********************************* EXPLICITLY Enable TLS12,  TLS11 and TLS10********************************* 
+
+For ($i = 0; $i -lt $localRegistryPath .Length; $i = $i + 1) { 
+    if ($localRegistryPath [$i].Contains("Client") -Or $localRegistryPath [$i].Contains("Server")) { 
+        Write-Log -Message "Enabling this key: $($localRegistryPath [$i]) "  -Logfile $logLocation -Severity Information  
+        $result = Set-CryptoSetting $localRegistryPath [$i].ToString() Enabled 1 DWord   
+        $result = Set-CryptoSetting $localRegistryPath [$i].ToString() DisabledByDefault 0 DWord  
+        $reboot = $reboot -or $result 
+    } 
+} 
+ 
+#**************************************** SET THE CIPHER SUITE ORDER******************************** 
+
+$cipherlist = @() 
+
+# Set cipher suite order 
+$cipherlist += Get-BaseCipherSuitesWin10Above 
+$cipherorder = [System.String]::Join(",", $cipherlist) 
+$CipherSuiteRegKey = "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002"  
+
+if (!(Test-Path -Path $CipherSuiteRegKey))  
+{  
+    New-Item $CipherSuiteRegKey | Out-Null  
+    $reboot = $True  
+    Write-Log -Message "Creating key: $($CipherSuiteRegKey) "  -Logfile $logLocation -Severity Information 
+}  
+
+Set-ItemProperty -Path $CipherSuiteRegKey -Name Functions -Value $cipherorder  
+
+#********************************************* REBOOT ******************************************* 
+
+Write-Host "A reboot is required in order for changes to effect"  
+Write-Host "Rebooting now..."  
+shutdown.exe /r /t 5 /c "Crypto settings changed" /f /d p:2:4  
+```
+  
+## Step 2: Create a command file 
+
+Create a CMD file with the following information . 
+
+```
+IF "%ComputeEmulatorRunning%" == "true" ( 
+   ECHO Not launching the script, since is DEV Machine >> "Log.txt" 2>&1 
+) ELSE ( 
+
+PowerShell .\TLSsettings.ps1   
+  
+) 
+
+REM This line is required to ensure the startup tasks does not block the role from starting in case of error.  DO NOT REMOVE!!!! 
+
+EXIT /B 0   
+```
+
+## Step 3: Add the startup task to the role’s service definition (csdef) 
+
+Here is an example that shows both the worker role and web role. 
+  
+```
+<?xml version="1.0" encoding="utf-8"?> 
+<ServiceDefinition name="NugetExampleCloudServices" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition" schemaVersion="2015-04.2.6"> 
+  <WebRole name="WebRole1" vmsize="Standard_D1_v2"> 
+    <Sites> 
+      <Site name="Web"> 
+        <Bindings> 
+          <Binding name="Endpoint1" endpointName="Endpoint1" /> 
+        </Bindings> 
+      </Site> 
+    </Sites> 
+    <Startup> 
+      <Task executionContext="elevated" taskType="simple" commandLine="RunTLSSettings.cmd"> 
+      </Task> 
+    </Startup> 
+    <Endpoints> 
+      <InputEndpoint name="Endpoint1" protocol="http" port="80" /> 
+    </Endpoints> 
+  </WebRole> 
+  <WorkerRole name="WorkerRole1" vmsize="Standard_D1_v2"> 
+    <Startup> 
+      <Task executionContext="elevated" taskType="simple" commandLine="RunTLSSettings.cmd"> 
+      </Task> 
+    </Startup> 
+  </WorkerRole> 
+</ServiceDefinition> 
+```
+
+## Step 4: Validation 
+
+You can use [SSLLabs](https://www.ssllabs.com/) to validate the TLS status of your endpoints 
+
+ 
diff --git a/articles/cloud-services/toc.yml b/articles/cloud-services/toc.yml
@@ -137,6 +137,8 @@
         href: /visualstudio/azure/vs-azure-tools-intellitrace-debug-published-cloud-services?toc=/azure/cloud-services/toc.json
     - name: Cloud Service allocation failure
       href: cloud-services-allocation-failures.md
+    - name: Applications don't support TLS 1.2
+      href: applications-dont-support-TLS-1-2.md
     - name: Common causes of Cloud Service roles recycling
       href: cloud-services-troubleshoot-common-issues-which-cause-roles-recycle.md
     - name: Default TEMP folder size too small for role
