Microsoft recently released Security Advisory 3009008 to help address a vulnerability in SSL 3.0. This is an industry-wide vulnerability affecting the SSL 3.0 protocol and is not specific to any Microsoft or Azure implementation of the protocol. Azure Websites, Roles, and Windows Virtual Machines enable this protocol by default.
It is also possible to disable SSLv3 on the server. This ensures that all connections use the stronger TLS protocols, but it is important for customers to be aware that users on legacy browsers which only support SSL 3.0 will no longer be able to connect to the server.
Today we have released guidance on how customers can disable SSL 3.0 in Azure Websites, Roles and Virtual Machines. Customers can disable the protocol in Roles and Virtual Machines now. The feature that allows changes in Azure Websites will be live and available for customers to implement on Monday, October 20, 2014. We encourage customers to evaluate the risk of regression before implementing these changes.
Below are the steps you can take to configure your Azure Website, Roles and Virtual Machines to disallow SSL 3.0 connections.
Disable SSL 3.0 in Azure Websites (updated!)
Azure Websites has disabled SSL 3.0 for all sites by default to protect our customers from the vulnerability mentioned before. Customers no longer need to take any action to disable SSL 3.0 in Azure Websites.

Disable SSL 3.0 in Azure Roles (Web Roles or Worker Roles)
The best way to make changes to the underlying operating system in Azure Platform as a Service (PAAS) roles is to use a startup task and redeploy the application. This is the only way to ensure that all role instances receive the configuration and that the configuration survives any auto scale or service healing operations. This configuration change can only be made by redeploying the application. It is highly recommended that the application be thoroughly tested for regressions in staging mode before being VIP Swapped to production.

Step 1: Build the startup scripts and place them in the role configuration
Create a new file DisableSslv3.cmd and place it in the Startup directory of each role's definition.

Update: The script has been updated to optionally set the SSL cipher suite order on the server as well.

```cmd
PowerShell -ExecutionPolicy Unrestricted .\DisableSslv3.ps1 >> "%TEMP%\StartupLog.txt" 2>&1
EXIT /B 0
```

Create a new file DisableSslv3.ps1 and place it in the Startup directory of each role's definition.
```powershell
# You can use the -SetCipherOrder (or -sco) option to also set the TLS cipher
# suite order. Change the cipherorder variable below to the order you want to set on the
# server. Setting this requires a reboot to take effect.
Param(
    [parameter(Mandatory=$false)]
    [alias("sco")]
    [switch]$SetCipherOrder
)

$regkeys = @(
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0",
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client",
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server",
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1",
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client",
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server",
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2",
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client",
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server",
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0",
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client",
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server",
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0",
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client",
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server",
    "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002"
)

$cipherorder = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,"
$cipherorder += "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,"
$cipherorder += "TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,"
$cipherorder += "TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA"

# If any settings are changed, this will change to $True and the server will reboot
$reboot = $False

Function Set-CryptoSetting {
    param (
        $keyindex,
        $value,
        $valuedata,
        $valuetype,
        $restart
    )

    # Check for existence of registry key, and create if it does not exist
    If (!(Test-Path -Path $regkeys[$keyindex])) {
        New-Item $regkeys[$keyindex] | Out-Null
    }

    # Get data of registry value, or null if it does not exist
    $val = (Get-ItemProperty -Path $regkeys[$keyindex] -Name $value -ErrorAction SilentlyContinue).$value

    If ($val -eq $null) {
        # Value does not exist - create and set to desired value
        New-ItemProperty -Path $regkeys[$keyindex] -Name $value -Value $valuedata -PropertyType $valuetype | Out-Null
        $restart = $True
    } Else {
        # Value does exist - if not equal to desired value, change it
        If ($val -ne $valuedata) {
            Set-ItemProperty -Path $regkeys[$keyindex] -Name $value -Value $valuedata
            $restart = $True
        }
    }

    return $restart
}

# Check for existence of parent registry keys (SSL 2.0 and SSL 3.0), and create if they do not exist
For ($i = 9; $i -le 12; $i = $i + 3) {
    If (!(Test-Path -Path $regkeys[$i])) {
        New-Item $regkeys[$i] | Out-Null
    }
}

# Ensure SSL 2.0 disabled for client
$reboot = Set-CryptoSetting 10 DisabledByDefault 1 DWord $reboot

# Ensure SSL 2.0 disabled for server
$reboot = Set-CryptoSetting 11 Enabled 0 DWord $reboot

# Ensure SSL 3.0 disabled for client
$reboot = Set-CryptoSetting 13 DisabledByDefault 1 DWord $reboot

# Ensure SSL 3.0 disabled for server
$reboot = Set-CryptoSetting 14 Enabled 0 DWord $reboot

# Optionally set the cipher suite order; the policy key must exist before the value can be written
If ($SetCipherOrder) {
    If (!(Test-Path -Path $regkeys[15])) {
        New-Item $regkeys[15] -Force | Out-Null
    }
    Set-ItemProperty -Path $regkeys[15] -Name Functions -Value $cipherorder
    $reboot = $True
}

# If any settings were changed, reboot
If ($reboot) {
    Write-Host "Rebooting now..."
    shutdown.exe /r /t 5 /c "Crypto settings changed" /f /d p:2:4
}
```
Step 2: Add the startup task to the role’s service definition (csdef)
```xml
<ServiceDefinition name="MyService" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WebRole name="WebRole1">
    <Startup>
      <Task commandLine="DisableSslv3.cmd" executionContext="elevated" taskType="simple">
      </Task>
    </Startup>
  </WebRole>
</ServiceDefinition>
```
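To confirm on a running instance that the startup task took effect, the following audit script reads the same SCHANNEL protocol keys and cipher suite policy key that DisableSslv3.ps1 writes and reports the effective state. This is an added example, not part of the original post or of Microsoft's guidance; it assumes it is run elevated on the role instance or VM after the startup task's reboot.

```powershell
# Added audit script (not from the original post): reports the effective SCHANNEL
# protocol state and the policy cipher suite order on this instance.
# Assumes it runs elevated on the role instance or VM after the startup task's reboot.
$base = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
$protocols = "SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"
$policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002"

Function Get-RegValue {
    param ($path, $name)
    # A missing key or value means Schannel uses its built-in default for that protocol
    If (!(Test-Path -Path $path)) { return $null }
    return (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
}

$report = foreach ($proto in $protocols) {
    foreach ($side in "Client", "Server") {
        $key = Join-Path (Join-Path $base $proto) $side
        $enabled = Get-RegValue $key "Enabled"
        $dbd = Get-RegValue $key "DisabledByDefault"
        # Enabled=0 turns the protocol off outright; DisabledByDefault=1 turns it off
        # unless an application explicitly asks for it (what DisableSslv3.ps1 sets for clients)
        $off = ($enabled -eq 0) -or ($dbd -eq 1)
        $enabledText = if ($null -eq $enabled) { "(default)" } else { $enabled }
        $dbdText = if ($null -eq $dbd) { "(default)" } else { $dbd }
        [pscustomobject]@{
            Protocol          = $proto
            Side              = $side
            Enabled           = $enabledText
            DisabledByDefault = $dbdText
            Status            = if ($off) { "disabled" } else { "enabled" }
        }
    }
}
$report | Format-Table -AutoSize

# The remediation this post describes is complete only when every SSL row reads "disabled"
$legacy = $report | Where-Object { $_.Protocol -like "SSL*" -and $_.Status -ne "disabled" }
If ($legacy) {
    $names = $legacy | ForEach-Object { "$($_.Protocol) $($_.Side)" }
    Write-Warning ("Legacy SSL still enabled: " + ($names -join ", "))
} Else {
    Write-Host "SSL 2.0 and SSL 3.0 are disabled for both client and server."
}

# Show the cipher suite order if DisableSslv3.ps1 was run with -SetCipherOrder
$order = Get-RegValue $policyKey "Functions"
If ($order) {
    Write-Host "Policy cipher suite order:"
    $order -split "," | ForEach-Object { Write-Host "  $_" }
} Else {
    Write-Host "No policy cipher suite order set (Schannel default order in use)."
}
```

Run it once per role instance (for example through Remote Desktop) rather than assuming the redeploy succeeded everywhere, since a role instance that was service-healed before the new package landed will still show the defaults.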