MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Document uses different Cipher notation in Known Issue, and is unclear on whether AppGW v1 is needed for certain Predefined TLS Policy #65841

Closed jolauMSFT closed 2 years ago

jolauMSFT commented 3 years ago

Change the cipher notation in the known issue section of the document to use the same IANA names as used elsewhere in the document. e.g. DHE_RSA_WITH_AES_256_GCMSHA384 == TLS DHE_RSA_WITH_AES_256_GCM_SHA384 as per https://ciphersuite.info/cs/TLS_DHE_RSA_WITH_AES_128_GCM_SHA256/

Make explicit in the Predefined TLS policy section that any policy that includes these ciphers such as AppGwSslPolicy20150501 is not supported on AppGW v2, which would limit the customer to deploying an AppGW v1 if they have clients that require support for TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, for example: Win7/IE11.



SubhashVasarapu-MSFT commented 3 years ago

@jolauMSFT, Thanks for reaching out. We will investigate and update this thread.

kmcneelyshaw commented 3 years ago

@jolauMSFT I was sent to this GH issue, which I believe is coming out of support request 120110524009993. Our additional ask would be that all cipher names be accompanied by the IANA hex codes, just to completely disambiguate.

jolauMSFT commented 3 years ago

@SubhashVasarapu-MSFT. Can you please incorporate the customer's feedback posted above and look to include the IANA hex codes across the document to remove any ambiguity? Please also confirm we can track progress of this item using this GitHub issue so that the customer has visibility.

SubhashVasarapu-MSFT commented 3 years ago

@kmcneelyshaw, @jolauMSFT, Appreciate your patience. We are working on the doc edits. Also, this issue has been assigned to the respective SME/author for updating the document accordingly. @amitsriva / @surajmb, could you please update the doc accordingly? Also, here are the IANA names corresponding to the listed OpenSSL names:

  - DHE-RSA-AES128-GCM-SHA256 --> DHE-RSA-AES128-GCM-SHA256
  - DHE-RSA-AES128-SHA --> TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  - DHE-RSA-AES256-GCM-SHA384 --> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  - DHE-RSA-AES256-SHA --> TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  - DHE-DSS-AES128-SHA256 --> TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  - DHE-DSS-AES128-SHA --> TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  - DHE-DSS-AES256-SHA256 --> TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  - DHE-DSS-AES256-SHA --> TLS_DHE_DSS_WITH_AES_256_CBC_SHA

kmcneelyshaw commented 3 years ago

@SubhashVasarapu-MSFT are you sure about that first substitution? It doesn't seem to be changing anything.

jolauMSFT commented 3 years ago

@amitsriva / @surajmb. The first line of the change requested by @SubhashVasarapu-MSFT should read: DHE-RSA-AES128-GCM-SHA256 --> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

SubhashVasarapu-MSFT commented 3 years ago

@kmcneelyshaw, Apologies. It's my bad. @jolauMSFT, Thanks for the quick fix.

jolauMSFT commented 3 years ago

@SubhashVasarapu-MSFT and @amitsriva
Can you please consider the additional changes to the document below based on an internal conversation today.

  1. Move the Known Issue section to the top of the article, as the first subsection after the introduction.
  2. Change the first sentence in the known issue section from: "Application Gateway v2 does not currently support the following ciphers:" to: "Application Gateway v2 does not support the following ciphers listed below. As such, these ciphers will not be presented during TLS/SSL negotiation by an Application Gateway v2 even if they appear in the CipherSuite list of an applied TLS policy for that Application Gateway v2."

surajmb commented 3 years ago

This has been updated. @jolauMSFT, please take a look and let us know if you have any concerns. https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview
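Added example, not part of the thread or of the Azure documentation: a Python sketch that normalises the OpenSSL-style DHE names discussed above to IANA names, attaches the IANA hex code points requested earlier in the thread, and splits a policy's cipher list into suites a v2 gateway would present and suites it would silently drop. It assumes the eight suites mapped in this thread are the known-issue list; the function names and `SAMPLE_POLICY` are constructed for illustration and are not the contents of any predefined Azure policy.

```python
import re

# IANA code points for the eight DHE suites whose names are mapped in this thread.
IANA_HEX = {
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "0x00,0x9E",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "0x00,0x9F",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": "0x00,0x33",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": "0x00,0x39",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256": "0x00,0x40",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA": "0x00,0x32",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256": "0x00,0x6A",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA": "0x00,0x38",
}

# OpenSSL-style name: DHE-<auth>-AES<bits>-[GCM-]<mac>
OPENSSL_DHE = re.compile(r"DHE-(RSA|DSS)-AES(128|256)-(GCM-)?(SHA|SHA256|SHA384)")

def to_iana(name):
    """Return the IANA name for an OpenSSL-style DHE/AES name (IANA names pass through)."""
    name = name.strip()
    if name.startswith("TLS_"):
        return name
    m = OPENSSL_DHE.fullmatch(name)
    if m is None or (m.group(3) and m.group(4) == "SHA"):
        raise ValueError(f"not an OpenSSL DHE/AES suite name: {name!r}")
    auth, bits, gcm, mac = m.groups()
    mode = "GCM" if gcm else "CBC"  # OpenSSL leaves CBC implicit; IANA spells it out
    return f"TLS_DHE_{auth}_WITH_AES_{bits}_{mode}_{mac}"

def hex_code(name):
    """IANA hex code point for a suite in the known-issue set, else None."""
    return IANA_HEX.get(to_iana(name))

def split_policy(cipher_list):
    """Split a policy's cipher list into (presented, dropped) on a v2 gateway."""
    presented, dropped = [], []
    for entry in cipher_list:
        iana = to_iana(entry)
        (dropped if iana in IANA_HEX else presented).append(iana)
    return presented, dropped

# Constructed sample list mixing both notations.
SAMPLE_POLICY = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "DHE-DSS-AES128-SHA",
]

if __name__ == "__main__":
    for suite in split_policy(SAMPLE_POLICY)[1]:
        print(f"not presented on v2: {suite} ({IANA_HEX[suite]})")
```

If every suite a client supports lands in the dropped list, the handshake with a v2 gateway cannot succeed under that policy, which is the Win7/IE11 case raised at the top of the thread.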

vhorne commented 2 years ago

please-close