Cipher Suite Change


Microsoft is announcing the removal of RC4 from the supported list of negotiable ciphers on our service endpoints in Microsoft Azure.

This change updates the SSL cipher suite order and removes the RC4 ciphers from the suite.

The cipher suite order determines which cipher suites SSL/TLS negotiates, and in what order of preference.

The following cipher suite order is used:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
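To make the effect of a preference order concrete, here is an added example (not Microsoft's code or any Azure tooling) that parses the SChannel-style suite names listed above into their parts, flags the legacy properties a reviewer would look for (RC4, the 64-bit block 3DES suite raised in the comments as SWEET32, static RSA key exchange without forward secrecy, CBC with SHA-1), checks whether the HTTP/2 mandatory suite mentioned in the comments is present, and simulates which suite a handshake selects when the server's order wins versus when the client's order wins. The list `AZURE_ORDER` is copied from the announcement; the client offers in the examples are constructed.

```python
"""Added example: parse cipher suite names, audit them, and simulate negotiation."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Server preference order as listed in the announcement above.
AZURE_ORDER = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

# Suite the comments cite as mandatory for HTTP/2 over TLS 1.2 (RFC 7540 9.2.2).
HTTP2_MANDATORY = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P256"

# Windows (SChannel) names: TLS_<kx>[_<auth>]_WITH_<cipher>_<hash>[_<curve>]
_SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|DHE|RSA)(?:_(?P<auth>ECDSA|RSA))?_WITH_"
    r"(?P<cipher>.+?)_(?P<mac>SHA384|SHA256|SHA|MD5)(?:_(?P<curve>P\d+))?$"
)


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str              # key exchange: ECDHE, DHE or static RSA
    auth: str            # ECDSA or RSA (static RSA suites authenticate with RSA)
    cipher: str          # e.g. AES_256_GCM, AES_128_CBC, 3DES_EDE_CBC, RC4_128
    mac: str             # SHA384/SHA256 (PRF for GCM, HMAC for CBC), SHA = SHA-1, MD5
    curve: Optional[str]  # P256/P384 suffix in the SChannel naming, if any


def parse_suite(name: str) -> Suite:
    m = _SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    return Suite(name, m["kx"], m["auth"] or "RSA", m["cipher"], m["mac"], m["curve"])


def weaknesses(s: Suite) -> List[str]:
    """Legacy properties worth flagging; an empty list means nothing flagged."""
    issues = []
    if s.cipher.startswith("RC4"):
        issues.append("RC4 stream cipher (removed by this change)")
    if s.cipher.startswith("3DES"):
        issues.append("64-bit block cipher, SWEET32 (CVE-2016-2183)")
    if s.kx == "RSA":
        issues.append("static RSA key exchange: no forward secrecy")
    if "CBC" in s.cipher and s.mac in ("SHA", "MD5"):
        issues.append("CBC with HMAC-" + ("SHA1" if s.mac == "SHA" else s.mac))
    return issues


def audit(order: List[str]) -> Dict[str, object]:
    """Summarise a preference list the way an SSL Labs-style scan would."""
    parsed = [parse_suite(n) for n in order]
    return {
        "rc4_present": any(s.cipher.startswith("RC4") for s in parsed),
        "3des_present": any(s.cipher.startswith("3DES") for s in parsed),
        "http2_mandatory_present": HTTP2_MANDATORY in order,
        "forward_secrecy_first": bool(parsed) and parsed[0].kx in ("ECDHE", "DHE"),
        "per_suite": {s.name: weaknesses(s) for s in parsed},
    }


def negotiate(server_order: List[str], client_offer: List[str],
              server_preference: bool = True) -> Optional[str]:
    """Return the suite a handshake selects: the first entry of whichever
    side's order takes precedence that the other side also supports."""
    first, second = (server_order, client_offer) if server_preference \
        else (client_offer, server_order)
    common = set(second)
    return next((s for s in first if s in common), None)


if __name__ == "__main__":
    report = audit(AZURE_ORDER)
    for key in ("rc4_present", "3des_present", "http2_mandatory_present", "forward_secrecy_first"):
        print(f"{key}: {report[key]}")
    for name, issues in report["per_suite"].items():
        print(f"  {name}: {'; '.join(issues) or 'ok'}")
    # Constructed client offer: lists the static-RSA suite first, an ECDHE suite second.
    offer = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256"]
    print("server preference ->", negotiate(AZURE_ORDER, offer))
    print("client preference ->", negotiate(AZURE_ORDER, offer, server_preference=False))
    print("RC4-only client   ->", negotiate(AZURE_ORDER, ["TLS_RSA_WITH_RC4_128_SHA"]))
```

Running it shows the two points of this announcement: an RC4-only client gets no suite at all once RC4 leaves the list, and with server preference the ECDHE suite is chosen even when the client lists the static-RSA suite first. The audit also reports that the 3DES suite is still present, which is exactly what the SWEET32 comment below objects to.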

Please let us know if you have any questions by posting in the Comments section below.

Thanks!

Tom


Comments (5)

  1. Nick De Blasio says:

    Dear Microsoft,

    I have run an SSLLABS report and it tells me that my server accepts RC4 cipher which I understand from this report, you say it is removed. Can you please advise if there is any manual activity I am required to do to remove this; my understanding is that it was removed automatically.

    Thanks for a quick reply,

    Nick De Blasio

    1. Hi Nick – the Azure platform has deprecated RC4 and new images are targeted. However, old ones will need to be updated.

  2. Bart Verkoeijen says:

    Please add TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P256 which is required in the HTTP/2 spec: https://http2.github.io/http2-spec/#rfc.section.9.2.2.

    “The black list includes the cipher suite that TLS 1.2 makes mandatory, which means that TLS 1.2 deployments could have non-intersecting sets of permitted cipher suites. To avoid this problem causing TLS handshake failures, deployments of HTTP/2 that use TLS 1.2 MUST support TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 [TLS-ECDHE] with the P-256 elliptic curve [FIPS186].”

    1. Hi Bart –
      Thanks! We’ll look into this – thanks for the pointer.
      Tom

  3. Bart Verkoeijen says:

    With the SWEET32 vulnerability https://sweet32.info/ (CVE-2016-2183, CVE-2016-6329), the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher should be removed from this list and 3-DES disabled on the server ASAP.

    It would be useful if we could opt-out with a configuration on the Azure portal.
