Closed jolauMSFT closed 2 years ago
@jolauMSFT, Thanks for reaching out. We will investigate and update this thread.
@jolauMSFT I was sent to this GH issue, which I believe is coming out of support request 120110524009993. Our additional ask would be that all cipher names be accompanied by the IANA hex codes, just to completely disambiguate.
@SubhashVasarapu-MSFT, can you please incorporate the customer's feedback posted above and look to include the IANA hex codes across the document to remove any ambiguity? Please also confirm we can track progress of this item using this GitHub issue so that the customer has visibility.
@kmcneelyshaw, @jolauMSFT, Appreciate your patience. We are working on the doc edits. Also, this issue has been assigned to the respective SME/author for updating the document accordingly. @amitsriva / @surajmb, could you please update the doc accordingly? Also, here are the IANA names corresponding to the listed OpenSSL names:
DHE-RSA-AES128-GCM-SHA256 --> DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA --> TLS_DHE_RSA_WITH_AES_128_CBC_SHA
DHE-RSA-AES256-GCM-SHA384 --> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
DHE-RSA-AES256-SHA --> TLS_DHE_RSA_WITH_AES_256_CBC_SHA
DHE-DSS-AES128-SHA256 --> TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
DHE-DSS-AES128-SHA --> TLS_DHE_DSS_WITH_AES_128_CBC_SHA
DHE-DSS-AES256-SHA256 --> TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
DHE-DSS-AES256-SHA --> TLS_DHE_DSS_WITH_AES_256_CBC_SHA
@SubhashVasarapu-MSFT are you sure about that first substitution? It doesn't seem to be changing anything.
@amitsriva / @surajmb, the first line of the change requested by @SubhashVasarapu-MSFT should read: DHE-RSA-AES128-GCM-SHA256 --> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
@kmcneelyshaw, Apologies. It's my bad. @jolauMSFT, Thanks for the quick fix.
@SubhashVasarapu-MSFT and @amitsriva
Can you please consider the additional changes to the document below based on an internal conversation today.
This has been updated. @jolauMSFT, please take a look and let us know if you have any concerns. https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview
Change the cipher notation in the known issue section of the document to use the same IANA names as used elsewhere in the document, e.g. DHE_RSA_WITH_AES_256_GCMSHA384 == TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 as per https://ciphersuite.info/cs/TLS_DHE_RSA_WITH_AES_128_GCM_SHA256/
Make explicit in the Predefined TLS policy section that any policy that includes these ciphers such as AppGwSslPolicy20150501 is not supported on AppGW v2, which would limit the customer to deploying an AppGW v1 if they have clients that require support for TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, for example: Win7/IE11.