
Minimum TLS Version

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Microsoft Azure Function Apps are using the latest supported version of the TLS encryption protocol in order to secure the applications traffic over the Internet and comply with the industry standards.

Security, Reliability, Operational excellence

The Transport Layer Security (TLS) protocol is designed to facilitate privacy and data security for communications over different types of networks, including the Internet. TLS versions 1.0 and 1.1 are known to be susceptible to certain Common Vulnerabilities and Exposures (CVE) weaknesses and attacks such as POODLE and BEAST. These two TLS protocol versions do not support the modern encryption methods and cipher suites recommended by the Payment Card Industry (PCI) compliance standards. To follow cloud security best practices and PCI security compliance standards, enforce the use of the latest version of the TLS protocol (TLS 1.2 or TLS 1.3) for all requests made to your Azure Function Apps.


Audit

To determine if your Microsoft Azure Function Apps are configured to use TLS 1.2 or TLS 1.3, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access your Azure cloud resources.

03 Select the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Equals and choose Function App to list only the Microsoft Azure Function Apps available in the selected subscription.

05 Click on the name (link) of the Azure Function App that you want to examine.

06 In the resource navigation panel, under Settings, select Configuration to access the configuration settings available for the selected Function App.

07 Select the General settings tab and check the Minimum Inbound TLS Version setting available under Platform settings to determine the minimum TLS version accepted by the selected resource. If the Minimum Inbound TLS Version setting is not set to 1.2 or 1.3, the selected Microsoft Azure Function App is not configured to use the latest version of the TLS protocol to encrypt data in transit.

08 Repeat steps no. 5 – 7 for each Azure Function App deployed in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run functionapp list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Function App available in the selected subscription:

az functionapp list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested Function App names:

Name                      ResourceGroup
----------------------    ------------------------------
cc-main-function-app      cloud-shell-storage-westeurope
cc-project5-function-app  cloud-shell-storage-westeurope

06 Run functionapp config show command (Windows/macOS/Linux) with the name of the Azure Function App that you want to examine and its associated resource group as the identifier parameters to describe the Transport Layer Security (TLS) protocol version configured for the selected Function App:

az functionapp config show \
  --name cc-main-function-app \
  --resource-group cloud-shell-storage-westeurope \
  --query 'minTlsVersion'

07 The command output should return the TLS version used by the selected Function App:

"1.0"

If the TLS version returned by the functionapp config show command is other than "1.2" or "1.3", as in the output example above, the selected Microsoft Azure Function App is not configured to use the latest version of the TLS protocol to encrypt data in transit.

08 Repeat steps no. 6 and 7 for each Azure Function App available within the current Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To update the configuration settings for your Microsoft Azure Function Apps in order to enforce the latest version of the TLS protocol, perform the following operations:

Your Azure Function App may restart if you are updating application settings or connection strings.

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access your Azure cloud resources.

03 Select the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Equals and choose Function App to list only the Microsoft Azure Function Apps available in the selected subscription.

05 Click on the name (link) of the Azure Function App that you want to configure.

06 In the resource navigation panel, under Settings, select Configuration to access the configuration settings available for the selected Function App.

07 Select the General settings tab and set the Minimum Inbound TLS Version setting to 1.2 or 1.3 to upgrade the TLS version required by clients connecting to your Function App.

08 Choose Save and select Continue to apply the configuration changes.

09 Repeat steps no. 5 – 8 for each Azure Function App that you want to configure, deployed in the selected Azure subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
  --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run functionapp update command (Windows/macOS/Linux) with the name of the Microsoft Azure Function App that you want to configure and its associated resource group as the identifier parameters, to enforce the latest version of the TLS protocol (TLS 1.2 or TLS 1.3) for the selected Function App:

az functionapp update \
  --name cc-main-function-app \
  --resource-group cloud-shell-storage-westeurope \
  --set siteConfig.minTlsVersion=1.3

05 The command output should return the configuration settings available for the selected Azure Function App:

{
	"availabilityState": "Normal",
	"clientAffinityEnabled": false,
	"clientCertEnabled": false,
	"clientCertExclusionPaths": null,
	"clientCertMode": "Required",
	"cloningInfo": null,
	"containerSize": 1536,
	"dailyMemoryTimeQuota": 0,
	"daprConfig": null,
	"defaultHostName": "cc-main-function-app.azurewebsites.net",
	"enabled": true,

	...

	"slotSwapStatus": null,
	"state": "Running",
	"storageAccountRequired": false,
	"suspendedTill": null,
	"targetSwapSlot": null,
	"trafficManagerHostNames": null,
	"type": "Microsoft.Web/sites",
	"usageState": "Normal",
	"vnetContentShareEnabled": false,
	"vnetImagePullEnabled": false,
	"vnetRouteAllEnabled": false,
	"workloadProfileName": null
}

06 Repeat steps no. 4 and 5 for each Azure Function App that you want to configure, deployed in the selected Azure subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.
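As an added example that is not part of the Conformity article, the following POSIX shell script strings the article's Azure CLI audit steps (account list, account set, functionapp list, functionapp config show) and its remediation step (functionapp update with siteConfig.minTlsVersion) into one loop over every subscription and Function App. The live walk runs only when the script is invoked with "--live" (add "--fix" to remediate) and assumes an installed, logged-in az CLI; the function names, the FIX_DRY_RUN variable and the sample TSV lines are constructed for this example. It remediates to 1.2, the lowest acceptable value, so that clients without TLS 1.3 support are not cut off; change the constant to 1.3 once you know your clients support it.

```shell
#!/bin/sh
# Added example (not from the Conformity article): audit and optionally remediate
# the minimum inbound TLS version of every Azure Function App in every subscription.
set -eu

# Return 0 when the minTlsVersion value reported by az is acceptable (1.2 or 1.3).
tls_is_compliant() {
  case "$1" in
    1.2|1.3) return 0 ;;
    *)       return 1 ;;
  esac
}

# Emit one "subscription<TAB>name<TAB>resourceGroup<TAB>minTlsVersion" line per
# Function App in the given subscription, using the article's az commands.
collect_subscription() {
  sub="$1"
  az account set --subscription "$sub"
  az functionapp list --query '[].[name,resourceGroup]' --output tsv |
  while IFS="$(printf '\t')" read -r name rg; do
    ver=$(az functionapp config show --name "$name" --resource-group "$rg" \
            --query 'minTlsVersion' --output tsv)
    printf '%s\t%s\t%s\t%s\n' "$sub" "$name" "$rg" "${ver:-unknown}"
  done
}

# Read collected TSV lines on stdin and print "NONCOMPLIANT <sub> <name> <rg> <ver>"
# for each failing app. An empty or unknown version is treated as a finding.
report_noncompliant() {
  while IFS="$(printf '\t')" read -r sub name rg ver; do
    tls_is_compliant "$ver" || printf 'NONCOMPLIANT %s %s %s %s\n' "$sub" "$name" "$rg" "$ver"
  done
}

# Read report lines on stdin and raise each flagged app to TLS 1.2 with the
# article's update command. With FIX_DRY_RUN=1 the command is printed, not run.
remediate_noncompliant() {
  while read -r tag sub name rg ver; do
    [ "$tag" = "NONCOMPLIANT" ] || continue
    if [ "${FIX_DRY_RUN:-0}" = 1 ]; then
      printf 'az functionapp update --subscription %s --name %s --resource-group %s --set siteConfig.minTlsVersion=1.2\n' "$sub" "$name" "$rg"
    else
      az functionapp update --subscription "$sub" --name "$name" \
        --resource-group "$rg" --set siteConfig.minTlsVersion=1.2 --output none
    fi
  done
}

# Live mode: walk every subscription, print findings, optionally fix them.
if [ "${1:-}" = "--live" ]; then
  findings=$(az account list --query '[*].id' --output tsv |
             while read -r sub; do collect_subscription "$sub"; done |
             report_noncompliant)
  printf '%s\n' "$findings"
  if [ "${2:-}" = "--fix" ]; then
    printf '%s\n' "$findings" | remediate_noncompliant
  fi
fi
```

Run it as `sh audit-tls.sh --live` to list findings only; review the list before re-running with `--live --fix`, because the update restarts each affected Function App (see the restart note under Remediation / Resolution). Setting FIX_DRY_RUN=1 prints the exact update commands instead of running them, which is useful for a change ticket.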


Publication date Oct 23, 2023