Remove TLS 1.0/1.1 support #21

Closed

jonnyry opened this issue Jan 3, 2024 · 3 comments

Labels: enhancement (New feature or request), logged u/s (Logged in upstream repo), merged u/s (When a fix has been merged upstream), PR sent u/s

Comments
jonnyry commented Jan 3, 2024

TLS 1.0 and 1.1 are considered insecure and should be removed from internet-exposed web endpoints (managed by the App Gateway), leaving TLS 1.2 and above available.

App Gateway TLS config documentation: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview

By default, the TRE is using 20150501 and should move to at least 20220101.

Current status when scanning the TRE web portal:

[screenshot attached to the original issue, not reproduced here]

@jonnyry jonnyry added the enhancement New feature or request label Jan 3, 2024
@jonnyry jonnyry self-assigned this Jan 3, 2024

Author
jonnyry commented Jan 3, 2024

The Azure App Gateway does not specify a TLS policy version explicitly:

https://github.com/microsoft/AzureTRE/blob/main/core/terraform/appgateway/appgateway.tf

And so relies on the default:

https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview

Defaults:

  • 20150501 for API version < 2023-02-01
  • 20220101 for API version >= 2023-02-01

Given that Azure resources are created by Terraform, we are reliant on the Azure API version used by the Terraform Azure Provider to determine the above default.

See Terraform Azure Provider ticket relating to this exact issue: hashicorp/terraform-provider-azurerm#23995 (comment)

Therefore, suggest we explicitly set the TLS policy version in Terraform, to prevent picking up the default.
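The following is an added example and not the AzureTRE repository's own appgateway.tf: a minimal azurerm_application_gateway resource that pins the TLS policy explicitly instead of inheriting the API-version-dependent default described above. The "before" state is simply the same resource with no `ssl_policy` block. All resource names, address ranges, the region, and the `pfx_*` variables are assumptions made for illustration.

```hcl
# Added example (not the project's code). Assumed names and values throughout.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Assumed: the listener certificate is supplied as a PFX file plus password.
variable "pfx_path" {
  type = string
}

variable "pfx_password" {
  type      = string
  sensitive = true
}

resource "azurerm_resource_group" "rg" {
  name     = "rg-tre-tls-example"
  location = "uksouth"
}

resource "azurerm_virtual_network" "vnet" {
  name                = "vnet-tre-tls-example"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  address_space       = ["10.10.0.0/16"]
}

resource "azurerm_subnet" "agw" {
  name                 = "AppGatewaySubnet"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.10.1.0/24"]
}

resource "azurerm_public_ip" "agw" {
  name                = "pip-agw-tre-tls-example"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_application_gateway" "agw" {
  name                = "agw-tre-tls-example"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location

  sku {
    name     = "Standard_v2"
    tier     = "Standard_v2"
    capacity = 1
  }

  # The fix: without this block the gateway takes the predefined policy that
  # the provider's API version defaults to (20150501 for API < 2023-02-01),
  # which still negotiates TLS 1.0 and 1.1. Pinning 20220101 sets a TLS 1.2
  # minimum regardless of which provider/API version applied the resource.
  # AppGwSslPolicy20220101S is the stricter variant if the backend supports it.
  ssl_policy {
    policy_type = "Predefined"
    policy_name = "AppGwSslPolicy20220101"
  }

  gateway_ip_configuration {
    name      = "gw-ipcfg"
    subnet_id = azurerm_subnet.agw.id
  }

  frontend_port {
    name = "https"
    port = 443
  }

  frontend_ip_configuration {
    name                 = "fe-public"
    public_ip_address_id = azurerm_public_ip.agw.id
  }

  ssl_certificate {
    name     = "portal-cert"
    data     = filebase64(var.pfx_path)
    password = var.pfx_password
  }

  backend_address_pool {
    name = "be-portal"
  }

  backend_http_settings {
    name                  = "be-https"
    cookie_based_affinity = "Disabled"
    port                  = 443
    protocol              = "Https"
    request_timeout       = 30
  }

  http_listener {
    name                           = "ls-https"
    frontend_ip_configuration_name = "fe-public"
    frontend_port_name             = "https"
    protocol                       = "Https"
    ssl_certificate_name           = "portal-cert"
  }

  request_routing_rule {
    name                       = "rr-portal"
    priority                   = 100
    rule_type                  = "Basic"
    http_listener_name         = "ls-https"
    backend_address_pool_name  = "be-portal"
    backend_http_settings_name = "be-https"
  }
}
```

After `terraform apply`, the effective policy can be read back with `az network application-gateway ssl-policy show --resource-group <rg> --gateway-name <name>`, and the behaviour confirmed from outside with `openssl s_client -connect <host>:443 -tls1_1`, which should fail the handshake while `-tls1_2` succeeds. Pinning the policy also means a later bump of the azurerm provider cannot silently change it in either direction.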

@jonnyry jonnyry added the logged u/s Logged in upstream repo label May 1, 2024

Author
jonnyry commented May 1, 2024

Logged upstream microsoft#3914

Author
jonnyry commented May 1, 2024

Fixed in upstream and merged back down

@jonnyry jonnyry closed this as completed May 1, 2024
@jonnyry jonnyry added merged u/s When a fix has been merged upstream PR sent u/s labels Jul 3, 2024