you have until the end of the month to remove older versions of TLS to remain PCI compliant.
Well, if you are using Application Gateways in Azure to secure your web servers, you're in luck, because setting a custom SSL policy is pretty easy. You just have to do it via PowerShell.
Now, this script assumes you've already created your Application Gateway. If you are trying to configure one from scratch, you'll have to keep Googling my friend... Sorry.
Before you can run your script, you must first connect to Azure via PowerShell, and select your subscription.
```powershell
Select-AzureRmSubscription -SubscriptionName "<Subscription name>"
```
After that, you can copy and paste the below script to set your custom SSL policy. Be sure to replace the Application Gateway Name and the Resource Group Name to match your environment.
Here's the script:
```powershell
# get an application gateway resource
$gw = Get-AzureRmApplicationGateway -Name "<Application Gateway Name>" -ResourceGroupName "<Resource Group Name>"

# set the SSL policy on the application gateway (custom policy, TLS 1.2 minimum,
# cipher suites listed in order of preference)
Set-AzureRmApplicationGatewaySslPolicy -ApplicationGateway $gw -PolicyType Custom -MinProtocolVersion TLSv1_2 -CipherSuite "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256"

# validate the SSL policy locally (nothing has been sent to Azure yet)
Get-AzureRmApplicationGatewaySslPolicy -ApplicationGateway $gw

# update the gateway with the validated SSL policy
Set-AzureRmApplicationGateway -ApplicationGateway $gw
```
After that, your Application Gateway will only support TLS 1.2, and will use the following ciphers in order:

- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256

Pretty easy right? Did this help you out? Let us know in the comments!
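Before you report the gateway as compliant, re-read the policy from Azure rather than trusting the in-memory `$gw` object, since the local validation step above does not prove the update was committed. The following check is an added example, not part of the original post; it assumes the AzureRM.Network module is loaded, you have already run Select-AzureRmSubscription, and the function name Test-AppGatewaySslPolicy and the gateway/resource group placeholders are mine.

```powershell
# Added example: confirm the committed SSL policy on an Application Gateway
# matches what the script above set (custom policy, TLS 1.2 minimum, same
# cipher suites in the same order). Function name and placeholders are assumed.
$expectedCiphers = @(
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256"
)

function Test-AppGatewaySslPolicy {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [string[]] $ExpectedCipherSuites = $expectedCiphers,
        [string] $ExpectedMinProtocolVersion = "TLSv1_2"
    )
    # Fetch a fresh copy from Azure so we see the committed state
    $gw = Get-AzureRmApplicationGateway -Name $Name -ResourceGroupName $ResourceGroupName
    $policy = $gw.SslPolicy
    $problems = @()

    # A predefined or default policy can still accept TLS 1.0/1.1
    if ($null -eq $policy -or $policy.PolicyType -ne "Custom") {
        $problems += "PolicyType is '$($policy.PolicyType)', expected 'Custom'"
    }
    if ($policy.MinProtocolVersion -ne $ExpectedMinProtocolVersion) {
        $problems += "MinProtocolVersion is '$($policy.MinProtocolVersion)', expected '$ExpectedMinProtocolVersion'"
    }
    # Order matters: the gateway prefers cipher suites in the order listed.
    # -SyncWindow 0 makes Compare-Object flag reordering as well as missing entries.
    $actual = @($policy.CipherSuites)
    if (Compare-Object -ReferenceObject $ExpectedCipherSuites -DifferenceObject $actual -SyncWindow 0) {
        $problems += "CipherSuites differ or are out of order: got [$($actual -join ', ')]"
    }

    [pscustomobject]@{
        Gateway   = $Name
        Compliant = ($problems.Count -eq 0)
        Problems  = $problems
    }
}

Test-AppGatewaySslPolicy -Name "<Application Gateway Name>" -ResourceGroupName "<Resource Group Name>"
```

Run it against every gateway in the subscription (for example by piping `Get-AzureRmApplicationGateway` with no name into it) to catch any that were missed before the deadline.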