Microsoft recently released Security Advisory 3009008 to help address a vulnerability in SSL 3.0. This is an industry-wide vulnerability affecting the SSL 3.0 protocol and is not specific to any Microsoft or Azure implementation of the protocol. Azure Websites, Roles, and Windows Virtual Machines enable this protocol by default.
SSL 3.0 can also be disabled on the server side. This ensures that all connections use the stronger TLS protocols, but customers should be aware that users on legacy browsers that only support SSL 3.0 will no longer be able to connect to the server.
Today we have released guidance on how customers can disable SSL 3.0 in Azure Websites, Roles and Virtual Machines. Customers can disable the protocol in Roles and Virtual Machines now. The feature that allows the change in Azure Websites will be live and available for customers to implement on Monday, October 20, 2014. We encourage customers to evaluate the risk of regression before implementing these changes.
Below are the steps you can take to configure your Azure Website, Roles and Virtual Machines to disallow SSL 3.0 connections.
Disable SSL 3.0 in Azure Websites
Method 1: Using the Disable SSLv3 Site Extension
Follow the instructions in this blog to install a new site extension for your web site using the new Azure management portal (https://portal.azure.com). Scroll through the list of site extensions and select the one called Disable SSL v3, as shown below.
If you are using the current Azure management portal (https://manage.windowsazure.com), you can install the site extension through your SCM site (https://
Method 2: Configuring URLRewrite rule in web.config
Behind the scenes, the Azure Websites front end (load balancer) adds a special request header called X-Forwarded-SSLv30 with its value set to 1 when a client establishes the HTTPS connection to your website using SSL 3.0. You can therefore write a URL Rewrite rule like the sample shown below to configure a custom action whenever a client connects over SSL 3.0. The example returns a 403 error response, but you could just as easily abort the connection or redirect to another site/URL. All you need to do is merge the configuration snippet into your site's web.config file.
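An added example of such a rule (not the post's own snippet): it assumes IIS exposes the request header as the server variable HTTP_X_FORWARDED_SSLV30, which is IIS's standard mapping of header names, and that the URL Rewrite module is available on the site.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Reject any request that arrived at the front end over SSL 3.0.
             The front end sets X-Forwarded-SSLv30: 1 for such connections;
             IIS exposes that header as {HTTP_X_FORWARDED_SSLV30}. -->
        <rule name="Block SSL 3.0 connections" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{HTTP_X_FORWARDED_SSLV30}" pattern="^1$" />
          </conditions>
          <!-- Return 403 instead of serving content; change the action to
               AbortRequest or Redirect if you prefer those behaviours. -->
          <action type="CustomResponse" statusCode="403"
                  statusReason="Forbidden"
                  statusDescription="SSL 3.0 connections are not accepted by this site" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Requests that arrive over TLS do not carry the header, so the condition does not match and the rest of the site behaves as before.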
Disable SSL 3.0 in Azure Roles (Web Roles or Worker Roles)
The best way to make changes to the underlying operating system in Azure Platform as a Service (PaaS) roles is to use a startup task and redeploy the application. This is the only way to ensure that all role instances receive the configuration and that the configuration survives any auto-scale or service healing operations. This configuration change can only be made by redeploying the application.
It is highly recommended that the application be thoroughly tested for regressions in staging before being VIP swapped to production.
Step 1: Build the startup scripts and place them in the role configuration
Create a new file DisableSslv3.cmd and place it in the Startup directory of each role's definition:

PowerShell -ExecutionPolicy Unrestricted .\DisableSslv3.ps1 >>"%TEMP%\StartupLog.txt" 2>&1
EXIT /B 0

Create a new file DisableSslv3.ps1 and place it in the Startup directory of each role's definition:
# SCHANNEL protocol keys. Set-CryptoSetting below addresses them by index,
# so the order of this array matters.
$regkeys = @(
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0",          # 0
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client",   # 1
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server",   # 2
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1",          # 3
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client",   # 4
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server",   # 5
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2",          # 6
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client",   # 7
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server",   # 8
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0",          # 9
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client",   # 10
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server",   # 11
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0",          # 12
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client",   # 13
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server",   # 14
    "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL0010002"                     # 15
)

# Preferred cipher suite order (defined here; not applied by the steps below)
$cipherorder = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,"
$cipherorder += "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,"
$cipherorder += "TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,"
$cipherorder += "TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,"
$cipherorder += "TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5"

# If any settings are changed, this will change to $True and the server will reboot
$reboot = $False

# Ensures that the registry value $value under $regkeys[$keyindex] holds $valuedata.
# Returns $True if anything was created or changed (or if $restart was already $True).
Function Set-CryptoSetting {
    param (
        $keyindex,
        $value,
        $valuedata,
        $valuetype,
        $restart
    )

    # Check for existence of registry key, and create if it does not exist
    If (!(Test-Path -Path $regkeys[$keyindex])) {
        New-Item $regkeys[$keyindex] | Out-Null
    }

    # Get data of registry value, or null if it does not exist
    $val = (Get-ItemProperty -Path $regkeys[$keyindex] -Name $value -ErrorAction SilentlyContinue).$value

    If ($val -eq $null) {
        # Value does not exist - create and set to desired value
        New-ItemProperty -Path $regkeys[$keyindex] -Name $value -Value $valuedata -PropertyType $valuetype | Out-Null
        $restart = $True
    } Else {
        # Value does exist - if not equal to desired value, change it
        If ($val -ne $valuedata) {
            Set-ItemProperty -Path $regkeys[$keyindex] -Name $value -Value $valuedata
            $restart = $True
        }
    }

    return $restart
}

# Check for existence of parent registry keys (SSL 2.0 at index 9 and SSL 3.0 at index 12),
# and create if they do not exist
For ($i = 9; $i -le 12; $i = $i + 3) {
    If (!(Test-Path -Path $regkeys[$i])) {
        New-Item $regkeys[$i] | Out-Null
    }
}

# Ensure SSL 2.0 disabled for client
$reboot = Set-CryptoSetting 10 DisabledByDefault 1 DWord $reboot

# Ensure SSL 2.0 disabled for server
$reboot = Set-CryptoSetting 11 Enabled 0 DWord $reboot

# Ensure SSL 3.0 disabled for client
$reboot = Set-CryptoSetting 13 DisabledByDefault 1 DWord $reboot

# Ensure SSL 3.0 disabled for server
$reboot = Set-CryptoSetting 14 Enabled 0 DWord $reboot

# If any settings were changed, reboot so that SCHANNEL picks up the new configuration
If ($reboot) {
    Write-Host "Rebooting now..."
    shutdown.exe /r /t 5 /c "Crypto settings changed" /f /d p:2:4
}
Step 2: Add the startup task to the role’s service definition (csdef)
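An added example of the service definition entry for this step (it is not the post's own snippet); the role name WebRole1 is a placeholder, and the task runs elevated because the script writes to HKLM and reboots the instance.

```xml
<?xml version="1.0" encoding="utf-8"?>
<ServiceDefinition name="MyCloudService"
                   xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WebRole name="WebRole1" vmsize="Small">
    <Startup>
      <!-- Runs before the role starts accepting traffic.
           executionContext="elevated": the script edits HKLM and calls shutdown.exe.
           taskType="simple": the role waits for the task to finish; a reboot
           triggered by the script restarts the instance with SSL 3.0 disabled. -->
      <Task commandLine="Startup\DisableSslv3.cmd"
            executionContext="elevated"
            taskType="simple" />
    </Startup>
    <Sites>
      <Site name="Web">
        <Bindings>
          <Binding name="HttpsIn" endpointName="HttpsIn" />
        </Bindings>
      </Site>
    </Sites>
    <Endpoints>
      <InputEndpoint name="HttpsIn" protocol="https" port="443" certificate="MyCert" />
    </Endpoints>
    <Certificates>
      <Certificate name="MyCert" storeLocation="LocalMachine" storeName="My" />
    </Certificates>
  </WebRole>
</ServiceDefinition>
```

Both DisableSslv3.cmd and DisableSslv3.ps1 must be included in the package (in Visual Studio, set Copy to Output Directory to Copy always) or the command line will not resolve on the instance. Add the same Startup block to each WorkerRole element that should receive the change.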
Disable SSL 3.0 in Azure Virtual Machines
The PowerShell script provided above for Azure Roles (PaaS) will be equally effective at disabling SSL 3.0 on Windows Virtual Machines. This script can be manually distributed and run over Remote Desktop Protocol (RDP) or via your chosen infrastructure configuration management system (such as Puppet or Chef).
Follow your distribution’s guidance for Linux Virtual Machines.