microsoft / azure-container-apps

Roadmap and issues for Azure Container Apps
MIT License

Feature Request: Enable TLS cipher suites compatible with older OS #572

Open italoaguiar opened 1 year ago

italoaguiar commented 1 year ago

This issue is a: (mark with an x)

Issue description

I'm trying to establish a connection to a container application within a Windows Forms application, but I'm getting the error "The request was aborted: Could not create SSL/TLS secure channel".

Using the SSL Labs tool it was possible to find out that the TLS cipher algorithms supported by the container application are:

But these cipher algorithms are not supported on older operating systems.

Steps to reproduce

  1. Go to an older OS (Win 7, Win 8 or Windows Server 2012)
  2. Make a web request to the container app or use the "Invoke-WebRequest" PowerShell command

Expected behavior

A connection must be successfully established.

Actual behavior

I'm getting the error "The request was aborted: Could not create SSL/TLS secure channel".

Additional context

Kubernetes has settings to modify the cipher algorithms used, but this setting is not available in Azure Container Apps:

tlsCipherSuites: [TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, ... ]

npehrsson commented 1 year ago

This is very important for my organization. Any updates and ETA on this?

italoaguiar commented 1 year ago

@npehrsson In our organization we have done a workaround by putting an Azure Front Door in front of all containers to manage certificates

npehrsson commented 1 year ago

@npehrsson In our organization we have done a workaround by putting an Azure Front Door in front of all containers to manage certificates

Thank you for the suggestion. Our need, however, is WebSockets, which Azure Front Door doesn't have support for. Our specific use case is controlling multiple brands of EV Charging Stations which are communicating through WebSockets.

The specification of OCPP which is being used has an older cipher in it. In my mind, this restriction makes ACA hard to use in IoT solutions where it's widespread with older operating systems installed on the devices.

magohl commented 1 year ago

Our need is however Websockets which Azure Front Door doesn't have support for.

Could Azure Application Gateway be an alternative to Front Door maybe?

We had the same issue but were lucky that it (so far) was only one client affected so we put an NGINX on the client side. But we are also really hoping they will fix this soon.
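The client-side NGINX workaround described above, written out as an added example that is not from the thread or from the Azure Container Apps project: NGINX terminates a loopback-only TLS leg that the legacy OS can negotiate, then re-encrypts to the container app with modern suites and passes WebSocket upgrades through (relevant to the OCPP case). The hostname, certificate paths, port and the legacy cipher list are placeholders and assumptions; widen the legacy leg only as far as the specific device actually requires.

```nginx
# Added example, not the project's own configuration. Placeholders:
# myapp.example.azurecontainerapps.io, /etc/nginx/local.*, port 8443.
events {}

http {
    server {
        # Loopback only: the weaker legacy leg never leaves the host.
        listen 127.0.0.1:8443 ssl;
        server_name localhost;

        # Local certificate that the legacy client trusts (placeholder paths).
        ssl_certificate     /etc/nginx/local.crt;
        ssl_certificate_key /etc/nginx/local.key;

        # Assumption: the legacy device can do TLS 1.2 with ECDHE + AES-CBC.
        # Adjust to the suites the device really offers; keep the list minimal.
        ssl_protocols TLSv1.2;
        ssl_ciphers 'ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA';
        ssl_prefer_server_ciphers on;

        location / {
            # Upstream: the container app's ingress FQDN (placeholder).
            proxy_pass https://myapp.example.azurecontainerapps.io;
            proxy_set_header Host myapp.example.azurecontainerapps.io;
            proxy_ssl_server_name on;
            proxy_ssl_name myapp.example.azurecontainerapps.io;

            # Modern leg: strict protocols and suites, upstream cert verified.
            proxy_ssl_protocols TLSv1.2 TLSv1.3;
            proxy_ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
            proxy_ssl_verify on;
            proxy_ssl_verify_depth 3;
            proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

            # WebSocket pass-through: HTTP/1.1 plus the Upgrade/Connection headers.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            # Long-lived OCPP sockets: do not let idle reads close the tunnel early.
            proxy_read_timeout 3600s;
        }
    }
}
```

The legacy client is then pointed at https://127.0.0.1:8443 instead of the container app's public hostname.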

npehrsson commented 1 year ago

Could be, but costly. At the moment we're considering using the CloudFlare proxy. It could cost a bit as well, but we believe it will be cheaper in the end.