Closed quantumtunneling closed 6 years ago
@quantumtunneling Thanks for the feedback. We are actively investigating and will get back to you soon.
Thanks @TravisCragg-MSFT
Edit: Please let me know if you need any additional details
@quantumtunneling If you need to increase the length of the certificate, you will need to upload a 2048-bit SSL certificate to your Application Gateway. This document (https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-portal) outlines how to create a self-signed certificate and upload it to a new application gateway.
You will likely need to specify the key length of the certificate to make sure that it is 2048 bit.
Hey Travis,
I do not believe the issue is the length of the certificate (which is already 2048 bits); it's the bit length of the cipher key which is problematic. The length of the cipher keys is not configured in the SSL certificate; it has to be adjusted via the Windows Registry.
This is the SSL Labs security test I am referring to:
https://www.ssllabs.com/ssltest
This report shows that our certificate is fine. It's the Diffie-Hellman key exchange parameters that are weak, as we support cipher suites with only 1024 bits.
On Thu, May 10, 2018 at 3:35 PM, Graham Henry graham@bizible.com wrote:
Hey Travis,
I do not believe the issue is the length of the certificate (which is already 2048 bits); it's the bit length of the cipher key, and while I am no expert in cryptography, I believe that these are two separate things. Can you confirm this?
If you look at the test Summary under "Cipher Suites", it will tell you what Cipher Suites are not secure enough.
I was able to get an "A" rating by using a custom SSL policy. You can find a list of the SSL Labs recommended secure cipher suites here and reference them against the Azure Load Balancer supported suites, and remove any that are below 2048.
Here is the custom SSL policy I used:

```powershell
# Get the application gateway resource
$gw = Get-AzureRmApplicationGateway -Name "YourGatewayName" -ResourceGroupName "YourResourceGroupName"

# Set a custom SSL policy on the gateway object: TLS 1.1 minimum, ECDHE suites only,
# so the gateway's finite-field DH parameters are never used
Set-AzureRmApplicationGatewaySslPolicy -ApplicationGateway $gw -PolicyType Custom -MinProtocolVersion TLSv1_1 -CipherSuite "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"

# Validate the SSL policy locally
Get-AzureRmApplicationGatewaySslPolicy -ApplicationGateway $gw

# Update the gateway in Azure with the validated SSL policy
Set-AzureRmApplicationGateway -ApplicationGateway $gw
```
Please let me know if this works for you as well
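As an added example (not code from this thread, from Microsoft, or from SSL Labs), the following Python script shows how the suite list for a custom policy like the one above can be derived instead of hand-picked. It parses IANA cipher-suite names into key exchange, authentication, bulk cipher, mode and MAC, classifies each suite along the lines of the SSL Labs grading discussed in this thread, and drops the ones that depend on the endpoint's finite-field DH parameters when those are only 1024 bits. The candidate list, the 1024-bit DH size and the classification thresholds are constructed assumptions, labelled in the code.

```python
"""Classify TLS cipher-suite names and derive a custom policy list.

Added example, not code from the issue thread. The candidate list and the
assumed DH parameter size are constructed inputs for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed candidate list, e.g. the suites a gateway offers by default.
CANDIDATES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
]

# Assumed size of the endpoint's ephemeral DH parameters. The thread reports
# 1024 bits for Application Gateway, which SSL Labs grades as weak.
SERVER_DH_BITS = 1024

# IANA naming: TLS_<kx>[_<auth>]_WITH_<bulk>_<mac>. Plain TLS_RSA_WITH_... has
# no separate auth token because the certificate key does both jobs.
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|DHE|ECDH|DH|RSA)_"
    r"(?:(?P<auth>RSA|ECDSA|DSS|anon)_)?WITH_(?P<rest>.+)$"
)
OBSOLETE_BULK = {"RC4", "3DES", "DES", "NULL", "EXPORT", "IDEA", "SEED"}


def parse_suite(name: str) -> Dict[str, str]:
    """Split a suite name into key exchange, auth, bulk cipher, mode and MAC."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    kx, auth, rest = m.group("kx"), m.group("auth"), m.group("rest")
    parts = rest.split("_")
    mac = parts[-1]                      # SHA, SHA256, SHA384, MD5
    bulk = "_".join(parts[:-1])          # AES_128_GCM, 3DES_EDE_CBC, RC4_128
    if any(tok in bulk for tok in ("GCM", "CCM", "POLY1305")):
        mode = "AEAD"
    elif "CBC" in bulk:
        mode = "CBC"
    else:
        mode = "STREAM"
    return {"kx": kx, "auth": auth or kx, "bulk": bulk, "mode": mode, "mac": mac}


def classify(name: str, server_dh_bits: int = SERVER_DH_BITS) -> Tuple[str, str]:
    """Return (label, reason); labels are weak, no-fs, acceptable or strong."""
    s = parse_suite(name)
    if OBSOLETE_BULK & set(s["bulk"].split("_")):
        return "weak", f"obsolete bulk cipher {s['bulk']}"
    if s["kx"] == "RSA":
        return "no-fs", "static RSA key exchange gives no forward secrecy"
    if s["kx"] in ("DHE", "DH") and server_dh_bits < 2048:
        # Strength of a DHE suite is decided by the server's DH parameters,
        # not by the suite name, which is the point made in this thread.
        return "weak", f"finite-field DH with {server_dh_bits}-bit parameters"
    if s["mode"] != "AEAD":
        return "acceptable", f"{s['mode']} mode; kept only for older clients"
    return "strong", f"{s['kx']} forward secrecy with an AEAD bulk cipher"


def build_policy(candidates: List[str], server_dh_bits: int = SERVER_DH_BITS,
                 include_cbc: bool = True) -> List[str]:
    """Keep the suites a custom policy should allow, preserving input order."""
    keep = {"strong", "acceptable"} if include_cbc else {"strong"}
    return [c for c in candidates if classify(c, server_dh_bits)[0] in keep]


def cipher_suite_argument(suites: List[str]) -> str:
    """Render the list in the form the -CipherSuite parameter above expects."""
    return ",".join(f'"{s}"' for s in suites)


if __name__ == "__main__":
    for suite in CANDIDATES:
        label, reason = classify(suite)
        print(f"{label:<10} {suite:<45} {reason}")
    print("\n-CipherSuite", cipher_suite_argument(build_policy(CANDIDATES)))
```

Run it with the real list of suites your gateway supports; `build_policy(..., include_cbc=False)` gives the short "strong only" list, while the default keeps ECDHE CBC suites for older clients, which is the trade-off the custom policy above makes.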
That works, thanks Travis!
@quantumtunneling We will now proceed to close this thread. If there are further questions regarding this matter, please tag me in your reply. We will gladly continue the discussion and we will reopen the issue.
@TravisCragg-MSFT I feel this issue should be reopened. The minimum bit length of DH ciphers on Azure app gateways should be either configurable or bumped up to a minimum length of 2048. The rationale is that more and more guidance is coming from the infosec community to disable TLS 1.1 and lower, which leaves us only with TLS 1.2 (since app gateways don't yet support 1.3), and the available list of ciphers compatible with 1.2 and also considered strong (per Qualys and other prominent SSL quality test sites) is really short.
For example, Qualys only marks these as "strong": TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256.
And the last one [TLS_DHE_RSA_WITH_AES_128_GCM_SHA256] is only marked as non-weak if the underlying server supports a minimum bit length of 2048 for said cipher.
If we're terminating SSL on IIS/Windows Server, the remediation is to set the following registry value to 2048 (it defaults to 1024 on some Windows Server versions):

```powershell
# Read the SCHANNEL minimum DH key size currently enforced on this server;
# an empty result means the value is absent and the OS default applies
$(Get-ItemProperty hklm:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman -ErrorAction SilentlyContinue).ServerMinKeyBitLength
```

Azure app gateways are apparently defaulting to a 1024-bit ServerMinKeyBitLength, which was the out-of-box config of, I want to say, Windows Server 2012 R2 and earlier. What's more, app gateways do not appear to be configurable in a similar way [no way to increase that to 2048 or higher], and turning off TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, leaving only TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, is not desirable because it means chopping off support for IE11 on Windows 7 (and perhaps some other still widely deployed HTTP clients).
With kind regards.
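As an added example (not code from this thread or from any of its participants), here is a small Python check that answers the question the comment above raises for any TLS endpoint you operate: what DH parameter size is actually negotiated when a client is restricted to DHE suites. It parses the `Server Temp Key` and `Cipher is` lines that `openssl s_client` prints and flags a finite-field DH exchange below 2048 bits, which is what drives the SSL Labs "B" grade discussed in this issue. The transcripts embedded below are constructed samples; `probe()` assumes an `openssl` binary on `PATH` and is the only part that needs network access.

```python
"""Report the ephemeral key a TLS endpoint negotiates for DHE suites.

Added example, not code from the issue thread. The sample transcripts are
constructed; probe() assumes an `openssl` binary on PATH.
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

# Constructed excerpts of `openssl s_client -connect host:443 -cipher DHE`.
SAMPLE_DH_1024 = """\
CONNECTED(00000003)
---
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 3141 bytes and written 478 bytes
New, TLSv1.2, Cipher is DHE-RSA-AES128-GCM-SHA256
"""

SAMPLE_ECDH = """\
CONNECTED(00000003)
---
Server Temp Key: ECDH, P-256, 256 bits
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
"""

# A server that offers no DHE suite at all fails the handshake, so no
# Server Temp Key line is printed and the cipher is reported as (NONE).
SAMPLE_NO_DHE = """\
CONNECTED(00000003)
error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
no peer certificate available
New, (NONE), Cipher is (NONE)
"""

TEMP_KEY_RE = re.compile(
    r"Server Temp Key: (?P<kind>DH|ECDH|X25519|X448)(?:, [^,\n]+)?, (?P<bits>\d+) bits"
)
CIPHER_RE = re.compile(r"Cipher is (?P<cipher>\S+)")


def parse_temp_key(output: str) -> Optional[Tuple[str, int]]:
    """Return (key kind, size in bits) from the Server Temp Key line, if any."""
    m = TEMP_KEY_RE.search(output)
    return (m.group("kind"), int(m.group("bits"))) if m else None


def parse_cipher(output: str) -> Optional[str]:
    """Return the negotiated OpenSSL cipher name, or None if no handshake."""
    m = CIPHER_RE.search(output)
    if not m or m.group("cipher") == "(NONE)":
        return None
    return m.group("cipher")


def assess(output: str, min_dh_bits: int = 2048) -> Dict[str, object]:
    """Grade the DH side of a DHE-restricted handshake transcript."""
    cipher = parse_cipher(output)
    key = parse_temp_key(output)
    result: Dict[str, object] = {"cipher": cipher, "kind": None, "bits": None}
    if cipher is None:
        # Nothing to grade: the endpoint simply refuses DHE suites.
        result.update(ok=True, finding="server does not negotiate DHE suites")
        return result
    if key is None:
        result.update(ok=False, finding="no Server Temp Key line; use OpenSSL 1.0.2 or newer")
        return result
    kind, bits = key
    result.update(kind=kind, bits=bits)
    if kind == "DH" and bits < min_dh_bits:
        result.update(ok=False, finding=f"DH parameters are {bits} bits, below {min_dh_bits}")
    else:
        result.update(ok=True, finding=f"{kind} ephemeral key of {bits} bits")
    return result


def probe(host: str, port: int = 443, cipher: str = "DHE", timeout: int = 15) -> str:
    """Run openssl s_client restricted to the given cipher string (assumes openssl on PATH)."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}",
         "-servername", host, "-cipher", cipher],
        input=b"", capture_output=True, timeout=timeout,
    )
    return proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")


if __name__ == "__main__":
    import sys
    transcript = probe(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DH_1024
    verdict = assess(transcript)
    print("OK" if verdict["ok"] else "WEAK", verdict["finding"])
```

Run `python check_dh.py your.gateway.example` against an endpoint you own to see whether the 1024-bit finding reproduces locally; without an argument it evaluates the constructed 1024-bit sample. A gateway whose custom policy contains only ECDHE suites will return the "does not negotiate DHE suites" result, which is the outcome the custom policy earlier in this thread produces.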
@tocorobo If you would like us to change how you can configure SSL, or add any additional features, please leave your feedback at Azure Networking's Azure Feedback page.
We are getting a grade 'B' in SSL Labs because we need to increase the key bit length from 1024 to 2048, but the only way I know how to do this is via the registry. Is there a way to configure this in the Application Gateway? If not, this seems like a significant oversight.