Azure storage minimum TLS version 1.2 not enforced in protocol layer

Question

I read this thread https://stackoverflow.com/questions/66481490/minimum-tls-version-in-azure-storage-account and https://github.com/MicrosoftDocs/azure-docs/issues/84792 and I was wondering whether there is a way to enforce TLS 1.2 minimum in all the layers so that tools such as SSL Labs would not be able to use lower versions at all. Unfortunately, those threads do not explain this issue. Does anybody know if there is a way for TLS 1.2 to be enforced in the protocol layer as well?

Answer 1

Score: 1

I created a storage account, with the default minimum TLSv1.2, and a static web site. The web site at testwebsiteca.web.core.windows.net appears to support TLSv1.0/1.1:

[screenshot of the scan result, not reproduced]

When I scanned the other storage account sites they returned similar results:

testwebsiteca.blob.core.windows.net
testwebsiteca.queue.core.windows.net
testwebsiteca.table.core.windows.net
testwebsiteca.file.core.windows.net

From rereading the links you provided, it looks like, while storage accounts actually support TLSv1.0/1.1, in practical terms they will return an HTTP 400 if someone tries to connect with a lower TLS level.

That's going to cause a tool like SSL Labs to mark it as supporting a lower TLS version. It seems strange to me that Microsoft allows the lower TLS connections; it's enforcing TLSv1.2 in an odd way that shows up as a red flag in scans. You might try opening a support ticket with Microsoft. There doesn't appear to be any way that I can see to get the SSL Labs scan to give you a green light right now.

Answer 2

Score: 0

Here is what Microsoft replied:

Azure Storage is a multi-tenant service with a commitment to backwards compatibility. We provide strong controls for storage accounts to opt-in to TLS 1.2 enforcement.

While we encourage all applications to enable TLS 1.2 enforcement, there are a large number of Azure Storage clients that do not yet support the latest security standards. To avoid breaking these and other deployed services, TLS version and cipher suite enforcement is performed in the application layer (HTTP), rather than at the network layer (TCP/TLS).

This enables customers to detect, remediate, and enforce use of specific TLS versions across all their clients. However, it means that port scanning tools like SSL Labs, which do not send HTTP requests to the endpoint, will indicate that legacy TLS versions and cipher suites are supported even if a minimum TLS version is enforced on the account.

This is expected and does not compromise the security of your storage account. Any requests using an insecure TLS version will immediately fail with an HTTP 4xx error. For more information on how to configure TLS enforcement and leverage Azure Policy and Azure Monitor to enforce and monitor this across storage accounts, see https://learn.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version .

For more information about TLS support and deprecation plans in Azure, please see https://azure.microsoft.com/en-us/updates/azuretls12/
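The behaviour both answers describe, a TLS 1.0/1.1 handshake that completes but an HTTP request over it that fails with a 4xx, is easy to confirm with an HTTP-level probe instead of a handshake-only scanner. The script below is an added example written for this page, not code from either answer or from Microsoft. It assumes a hypothetical endpoint name such as `<account>.blob.core.windows.net` passed on the command line, an account whose minimum TLS version is set to 1.2, and that a TLS-version rejection is a 4xx whose body mentions TLS (the body format is an assumption; the Microsoft doc linked above only promises the 400). The sample responses embedded for the offline self-check are constructed, not captured from Azure.

```python
"""Probe an Azure Storage endpoint the way an HTTP client sees it, not a port scanner.

Added example for this page (not the thread authors' or Microsoft's code).
Assumptions: target is a storage endpoint like <account>.blob.core.windows.net
(hypothetical name) with minimum TLS version 1.2 on the account, and a TLS-version
rejection is an HTTP 4xx whose body mentions TLS (body format is an assumption).
"""
import socket
import ssl
import sys
from dataclasses import dataclass
from typing import Optional

VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

# Constructed sample responses for the offline self-check; not captured from Azure.
SAMPLE_TLS_REJECT = (b"HTTP/1.1 400 Bad Request\r\nContent-Type: application/xml\r\n\r\n"
                     b"<Error><Message>The TLS version of the connection is not permitted.</Message></Error>")
SAMPLE_OK = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


@dataclass
class ProbeResult:
    tls_version: str
    handshake_ok: bool
    http_status: Optional[int]
    verdict: str


def split_response(raw: bytes) -> tuple[Optional[int], bytes]:
    """Return (status code, body) from a raw HTTP/1.1 response; status is None if unparsable."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None, body
    return int(parts[1]), body


def classify(handshake_ok: bool, raw: Optional[bytes]) -> tuple[Optional[int], str]:
    """Map a probe outcome to the verdict a handshake-only scanner cannot give you."""
    if not handshake_ok:
        return None, "rejected at TLS layer"           # what SSL Labs reports as "not supported"
    status, body = split_response(raw or b"")
    if status is None:
        return None, "handshake ok, no HTTP response"
    if 400 <= status < 500 and b"tls" in body.lower():
        return status, "handshake ok, rejected at HTTP layer"  # the account-level enforcement
    return status, "handshake ok, request processed"   # this TLS version is really usable


def probe(host: str, name: str, timeout: float = 10.0) -> ProbeResult:
    """Handshake at exactly one TLS version, then send a real request over it."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ctx.maximum_version = VERSIONS[name]
    if VERSIONS[name] < ssl.TLSVersion.TLSv1_2:
        try:
            # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level, which would
            # look like a server-side rejection; lower it for this probe only.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass  # builds without @SECLEVEL: keep defaults and let the handshake tell
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.sendall(request)
                raw = b""
                while len(raw) < 65536:   # Connection: close, so read until EOF (capped)
                    chunk = tls.recv(4096)
                    if not chunk:
                        break
                    raw += chunk
    except ssl.SSLError:
        status, verdict = classify(False, None)
        return ProbeResult(name, False, status, verdict)
    status, verdict = classify(True, raw)
    return ProbeResult(name, True, status, verdict)


def scan(host: str) -> list[ProbeResult]:
    return [probe(host, name) for name in VERSIONS]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: probe_tls.py <account>.blob.core.windows.net")
    for r in scan(sys.argv[1]):
        print(f"{r.tls_version:8} handshake={'ok' if r.handshake_ok else 'refused'} "
              f"http={r.http_status}  -> {r.verdict}")
```

On an account with the minimum set to 1.2, the answers above predict the TLSv1.0 and TLSv1.1 rows come back as "handshake ok, rejected at HTTP layer" while TLSv1.2 is "request processed"; the first two rows are exactly what SSL Labs, which stops after the handshake, reports as supported. The account property being enforced is the one the linked doc configures (for example `az storage account update --min-tls-version TLS1_2`), and the probe is a way to verify that setting took effect rather than a way to make the scanner go green, which, per both answers, is not currently possible.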

huangapple
  • Posted on 2023-03-08 19:37:56
  • Please keep this link when reproducing: https://go.coder-hub.com/75672537.html