Update applications-dont-support-tls-1-2.md

mimckitt · web-flow · commit f2e4018edc83 · 2020-03-16T12:00:59.000-07:00
diff --git a/articles/cloud-services/applications-dont-support-tls-1-2.md b/articles/cloud-services/applications-dont-support-tls-1-2.md
@@ -15,21 +15,21 @@ ms.workload:
 ms.date: 01/17/2020
 ms.author: tagore
 ---
- 
+
 # Troubleshooting applications that don’t support TLS 1.2
 This article describes how to enable the older TLS protocols (TLS 1.0 and 1.1) as well as applying legacy cipher suites to support the additional protocols on the Windows Server 2019 cloud service web and worker roles. 
 
-> [!IMPORTANT]
-> We understand that while we are taking steps to deprecate TLS 1.0 and TLS 1.1, our customers may need to support the older protocols and cipher suites until they can [plan](https://azure.microsoft.com/updates/azuretls12/) for their deprecation.  While we don't recommend re-enabling these legacy values, we are providing guidance to help customers. We encourage customers to evaluate the risk of regression before implementing the changes outlined in this article. 
-
+We understand that while we are taking steps to deprecate TLS 1.0 and TLS 1.1, our customers may need to support the older protocols and cipher suites until they can plan for their deprecation.  While we don't recommend re-enabling these legacy values, we are providing guidance to help customers. We encourage customers to evaluate the risk of regression before implementing the changes outlined in this article. 
 
 > [!NOTE]
-> Guest OS Family 6 releases enforces TLS 1.2 by explicitly disabling TLS 1.0 and 1.1 and defining a specific set of cipher suites.
+> Guest OS Family 6 releases enforces TLS 1.2 by disabling 1.0/1.1 ciphers. 
 
 
 ## Dropping support for TLS 1.0, TLS 1.1 and older cipher suites 
 In support of our commitment to use best-in-class encryption, Microsoft announced plans to start migration away from TLS 1.0 and 1.1 in June of 2017.   Since that initial announcement, Microsoft announced our intent to disable Transport Layer Security (TLS) 1.0 and 1.1 by default in supported versions of Microsoft Edge and Internet Explorer 11 in the first half of 2020.  Similar announcements from Apple, Google, and Mozilla indicate the direction in which the industry is headed.   
 
+For more information, see [Preparing for TLS 1.2 in Microsoft Azure](https://azure.microsoft.com/updates/azuretls12/)
+
 ## TLS configuration  
 The Windows Server 2019 cloud server image is configured with TLS 1.0 and TLS 1.1 disabled at the registry level. This means applications deployed to this version of Windows AND using the Windows stack for TLS negotiation will not allow TLS 1.0 and TLS 1.1 communication.   
 
@@ -46,51 +46,308 @@ The server also comes with a limited set of cipher suites:
     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 
 ```
 
+## Step 1: Create the PowerShell script to enable TLS 1.0 and TLS 1.1 
 
-## Step 1: Open your existing Azure Web Role project
+Use the following code as an example to create a script that enables the older protocols and cipher suites. For the purposes of this documentation, this script will be named: **TLSsettings.ps1**. Store this script on your local desktop for easy access in later steps. 
 
-> [!NOTE]
-> The entireity of these steps and scripts can be found in the following [GitHub Repo](https://github.com/microsoft/azure-ssl-configure).
 
-Open your own existing Azure Web Role project to begin this process
+```Powershell
+# You can use the -SetCipherOrder (or -sco) option to also set the TLS cipher 
+# suite order. Change the cipherorder variable below to the order you want to set on the 
+# server. Setting this requires a reboot to take effect.
 
-## Step 2: Add the startup scripts to your project
+Param(
+ [parameter(Mandatory=$false)]
+ [alias("sco")]
+ [switch]$SetCipherOrder)
 
-Add a new folder in your web role/worker role project called "Startup", copy [SSLConfigure.cmd](https://github.com/microsoft/azure-ssl-configure/blob/master/AzureCloudServiceSample/WebRoleSample/Startup/SSLConfigure.cmd) and [SSLConfigure.ps1](https://github.com/microsoft/azure-ssl-configure/blob/master/AzureCloudServiceSample/WebRoleSample/Startup/SSLConfigure.ps1) files into this folder, and add these files into your project.
+ Function DisableRC4 {
+   param ( $restart)
+  $subkeys = Get-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
+  $ciphers = $subkeys.OpenSubKey("Ciphers", $true)
+  if($ciphers.SubKeyCount -eq 0) {
+    $k1 = $ciphers.CreateSubKey("RC4 128/128")
+    $k1.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWord)
+    $restart = $true
+    $k2 = $ciphers.CreateSubKey("RC4 64/128")
+    $k2.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWord)
+    $k3 = $ciphers.CreateSubKey("RC4 56/128")
+    $k3.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWord)
+    $k4 = $ciphers.CreateSubKey("RC4 40/128")
+    $k4.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWord)
+  }
 
-To ensure the scripts are uploaded with every update pushed from Visual Studio, the setting *Copy to Output Directory* needs to be set to *Copy Always*
+  $restart
 
-1) Under your WebRole, right-click on **SSLConfigure.cmd**
-2) Select **Properties**
-3) In the properties tab, change *Copy to Output Directory* to *Copy Always"*
-4) Repeat the steps for **SSLConfigure.ps1**
+}
+
+Function Set-CryptoSetting {
+  param (
+    $keyindex,
+    $value,
+    $valuedata,
+    $valuetype,
+    $restart
+  )
+
+  # Check for existence of registry key, and create if it does not exist
+  If (!(Test-Path -Path $regkeys[$keyindex])) {
+    New-Item $regkeys[$keyindex] | Out-Null
+  }
+
+  # Get data of registry value, or null if it does not exist
+  $val = (Get-ItemProperty -Path $regkeys[$keyindex] -Name $value -ErrorAction SilentlyContinue).$value
+
+  If ($null -eq $val) {
+    # Value does not exist - create and set to desired value
+    New-ItemProperty -Path $regkeys[$keyindex] -Name $value -Value $valuedata -PropertyType $valuetype | Out-Null
+    $restart = $True
+    Write-Host "Configuring $regkeys[$keyindex]...."
+  } Else {
+    # Value does exist - if not equal to desired value, change it
+    If ($val -ne $valuedata) {
+      Set-ItemProperty -Path $regkeys[$keyindex] -Name $value -Value $valuedata
+      $restart = $True
+      Write-Host "Configuring $regkeys[$keyindex]..."
+    }
+  }
+
+  $restart
+
+}
+
+$regkeys = @(
+"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0",
+"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client",
+"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server", #2
+"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1",
+"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client", #4
+"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server",
+"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2",        #6
+"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client",
+"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server", #8
+"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0",
+"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client", #10
+"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server",
+"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0",        #12
+"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client",
+"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server", #14
+"HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002"
+)
+
+Function Set-Windows10PlusCurveOrder {
+    param ( $reboot)
+    $desiredOrder = "NistP384;NistP256".Split(";")
+    If ([Environment]::OSVersion.Version.Major -ge 10) {
+        If (!(Test-Path -Path $regkeys[15])) {
+            New-Item $regkeys[15] | Out-Null
+            $reboot = $True
+        }
+
+        $val = (Get-Item -Path $regkeys[15] -ErrorAction SilentlyContinue).GetValue("EccCurves", $null)
+
+        if( $null -eq $val) {
+            New-ItemProperty -Path $regkeys[15] -Name EccCurves -Value $desiredOrder -PropertyType MultiString | Out-Null
+            $reboot = $True
+        } else {
+            if ([System.String]::Join(';', $val) -ne [System.String]::Join(';', $desiredOrder)) {
+                Write-Host "The original curve order ", `n, $val, `n, "needs to be updated to ", $desiredOrder
+                Set-ItemProperty -Path $regkeys[15] -Name EccCurves -Value $desiredOrder
+                $reboot = $True
+            }
+        }
+    }
+
+    $reboot
+}
+
+If ([Environment]::OSVersion.Version.Major -lt 10) {
+  # This is for Windows before 10 
+  Write-Host "Configuring Windows before 10..."
+  $cipherorder =  "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,"
+  $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,"
+  $cipherorder += "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,"
+  $cipherorder += "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,"
+  $cipherorder += "TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,"
+  $cipherorder += "TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,"
+  $cipherorder += "TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
+
+} Else {
+
+ # this is for windows 10 or above
+ Write-Host "Configuring Windows 10+..."
+ $cipherorder = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
+ $cipherorder += "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
+ $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,"
+ $cipherorder += "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,"
+ $cipherorder += "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,"
+ $cipherorder += "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
+ $cipherorder += "TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,"
+ $cipherorder += "TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,"
+ $cipherorder += "TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
+}
+
+# If any settings are changed, this will change to $True and the server will reboot
+
+$reboot = $False
+
+# Check for existence of registry keys (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2), and create if they do not exist
+
+For ($i = 0; $i -le 14; $i = $i + 1) {
+  If (!(Test-Path -Path $regkeys[$i])) {
+    New-Item $regkeys[$i] | Out-Null
+  }
+}
+
+####################### Candace Made Changes Here#############################
 
-## Step 3: Update the Service Definition file
+# Ensure SSL 2.0 disabled for client/server
+$reboot = Set-CryptoSetting 10 DisabledByDefault 1 DWord $reboot
+$reboot = Set-CryptoSetting 10 Enabled 0 DWord $reboot
+$reboot = Set-CryptoSetting 11 DisabledByDefault 1 DWord $reboot
+$reboot = Set-CryptoSetting 11 Enabled 0 DWord $reboot
 
-Add these lines to your ServiceDefinition.csdef file in your Azure project, place it under the corresponding role element of your role project.
+# Ensure SSL 3.0 disabled for client/server
+$reboot = Set-CryptoSetting 13 DisabledByDefault 1 DWord $reboot
+$reboot = Set-CryptoSetting 13 Enabled 0 DWord $reboot
+$reboot = Set-CryptoSetting 14 DisabledByDefault 1 DWord $reboot
+$reboot = Set-CryptoSetting 14 Enabled 0 DWord $reboot
 
+# Ensure TLS 1.0 enabled for client/server
+$reboot = Set-CryptoSetting 1 DisabledByDefault 0 DWord $reboot
+$reboot = Set-CryptoSetting 1 Enabled 1 DWord $reboot
+$reboot = Set-CryptoSetting 2 DisabledByDefault 0 DWord $reboot
+$reboot = Set-CryptoSetting 2 Enabled 1 DWord $reboot
+
+# Ensure TLS 1.1 disabled for client/server
+$reboot = Set-CryptoSetting 4 DisabledByDefault 0 DWord $reboot
+$reboot = Set-CryptoSetting 4 Enabled 1 DWord $reboot
+$reboot = Set-CryptoSetting 5 DisabledByDefault 0 DWord $reboot
+$reboot = Set-CryptoSetting 5 Enabled 1 DWord $reboot
+
+# Ensure TLS 1.2 disabled for client/server
+$reboot = Set-CryptoSetting 7 DisabledByDefault 0 DWord $reboot
+$reboot = Set-CryptoSetting 7 Enabled 1 DWord $reboot
+$reboot = Set-CryptoSetting 8 DisabledByDefault 0 DWord $reboot
+$reboot = Set-CryptoSetting 8 Enabled 1 DWord $reboot
+
+####################### Candace Made Changes Here#############################
+
+$reboot = DisableRC4($reboot)
+
+If ($SetCipherOrder) {
+      If (!(Test-Path -Path $regkeys[15])) {
+        New-Item $regkeys[15] | Out-Null
+        $reboot = $True
+      }
+
+      $val = (Get-Item -Path $regkeys[15] -ErrorAction SilentlyContinue).GetValue("Functions", $null)
+
+      if ($val -ne $cipherorder)
+      {
+        Write-Host "The original cipher suite order needs to be updated", `n, $val
+        Set-ItemProperty -Path $regkeys[15] -Name Functions -Value $cipherorder
+        $reboot = $True
+      }
+  }
+
+$reboot = Set-Windows10PlusCurveOrder $reboot
+
+# If any settings were changed, reboot
+    # If any settings were changed, reboot 
+    If ($reboot) 
+    {      
+        Write-Host "Rebooting now..." 
+        Write-Host "Using this command: shutdown.exe /r /t 5 /c ""Crypto settings changed"" /f /d p:2:4 " 
+        shutdown.exe /r /t 5 /c "Crypto settings changed" /f /d p:2:4 
+    }
+    Else 
+    { 
+        Write-Host "Nothing get updated."       
+    }  
+
+
+<# If ($reboot) {
+  # Randomize the reboot timing since it could be run in a large cluster.
+  $tick = [System.Int32]([System.DateTime]::Now.Ticks % [System.Int32]::MaxValue)
+  $rand = [System.Random]::new($tick)
+  $sec = $rand.Next(30, 600)
+  Write-Host "Rebooting after", $sec, " second(s)..."
+  Write-Host  shutdown.exe /r /t $sec /c "Crypto settings changed" /f /d p:2:4
+} Else {
+  Write-Host "Nothing get updated."
+} #>
 ```
-<WebRole>
-...
-  <Startup>
-    <Task commandLine="Startup\SSLConfigure.cmd" executionContext="elevated" taskType="simple">
-	    <Environment>
-          <Variable name="ComputeEmulatorRunning">
-            <RoleInstanceValue xpath="/RoleEnvironment/Deployment/@emulated" />
-          </Variable>
-        </Environment>
-    </Task>
-  </Startup>
-</WebRole>
+
+## Step 2: Create a command file 
+
+Create a CMD file named **RunTLSSettings.cmd** using the below. Store this script on your local desktop for easy access in later steps. 
+
+```cmd
+PowerShell -ExecutionPolicy Unrestricted %~dp0TLSsettings.ps1
+REM This line is required to ensure the startup tasks does not block the role from starting in case of error.  DO NOT REMOVE!!!! 
+EXIT /B 0
 ```
 
-## Step 4: Update the publish profile
+## Step 3: Add the startup task to the role’s service definition (csdef) 
 
-If you have an existing Azure Web Role deployed, the recommended AzureDeploymentReplacementMethod in your publish profile is "AutomaticUpgrade", instead of "DeleteAndCreate". If you don't have existing deployment, you can use DeleteAndCreate too.
+Add the following snippet to your existing service definition file. 
 
+```
+	<Startup> 
+		<Task executionContext="elevated" taskType="simple" commandLine="RunTLSSettings.cmd"> 
+		</Task> 
+	</Startup> 
+```
+
+Here is an example that shows both the worker role and web role. 
+
+```
+<?xmlversion="1.0"encoding="utf-8"?> 
+<ServiceDefinitionname="CloudServiceName"xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition"schemaVersion="2015-04.2.6"> 
+	<WebRolename="WebRole1"vmsize="Standard_D1_v2"> 
+		<Sites> 
+			<Sitename="Web"> 
+				<Bindings> 
+					<Bindingname="Endpoint1"endpointName="Endpoint1"/> 
+				</Bindings> 
+			</Site> 
+		</Sites> 
+		<Startup> 
+			<Taske xecutionContext="elevated" taskType="simple" commandLine="RunTLSSettings.cmd"> 
+			</Task> 
+		</Startup> 
+		<Endpoints> 
+			<InputEndpointname="Endpoint1"protocol="http"port="80"/> 
+		</Endpoints> 
+	</WebRole> 
+<WorkerRolename="WorkerRole1"vmsize="Standard_D1_v2"> 
+	<Startup> 
+		<Task executionContext="elevated" taskType="simple" commandLine="RunTLSSettings.cmd"> 
+		</Task> 
+	</Startup> 
+</WorkerRole> 
+</ServiceDefinition> 
+```
+
+## Step 5: Add the scripts to your Cloud Service 
 
+1) In Visual Studio, right-click on your WebRole
+2) Select **Add**
+3) Select **Existing Item**
+4) In the file explorer, navigate to your desktop where you stored the **TLSsettings.ps1** and **RunTLSSettings.cmd** files 
+5) Select the two files to add them to your Cloud Services project
+
+## Step 6: Enable Copy to Output Directory
+
+To ensure the scripts are uploaded with every update pushed from Visual Studio, the setting *Copy to Output Directory* needs to be set to *Copy Always*
+
+1) Under your WebRole, right-click on RunTLSSettings.cmd
+2) Select **Properties**
+3) In the properties tab, change *Copy to Output Directory* to *Copy Always"*
+4) Repeat the steps for **TLSsettings.ps1**
 
-## Step 5: Publish & Validate
+## Step 7: Publish & Validate
 
 Now that the above steps have been complete, publish the update to your existing Cloud Service. 
 
