Closed jonnyry closed 2 months ago
The Azure App Gateway does not specify a TLS policy version explicitly:
https://github.com/microsoft/AzureTRE/blob/main/core/terraform/appgateway/appgateway.tf
And so relies on the default:
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview
Defaults:
Given that Azure resources are created by Terraform, we are reliant on the Azure API version used by the Terraform Azure Provider to determine the above default.
See Terraform Azure Provider ticket relating to this exact issue: https://github.com/hashicorp/terraform-provider-azurerm/issues/23995#issuecomment-1840538128
Therefore, suggest we explicitly set the TLS policy version in Terraform, to prevent picking up the default.
Logged upstream https://github.com/microsoft/AzureTRE/issues/3914
Fixed in upstream and merged back down
TLS 1.0 and 1.1 are considered insecure and should be removed from internet exposed web endpoints (managed by the App Gateway), leaving TLS 1.2 and above available.
App Gateway TLS config documentation: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview
By default, the TRE is using 20150501 and should move to at least 20220101
Current status scanning the TRE web portal:
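As an added example (not the AzureTRE project's own appgateway.tf), the explicit ssl_policy change proposed in the issue, with the predefined 20220101 policy the later comment recommends, shown inside a trimmed azurerm_application_gateway resource; the resource and variable names are hypothetical.

```hcl
# Added example, not the AzureTRE project's own code. Only the part of the
# azurerm_application_gateway resource relevant to the issue is shown; the
# gateway, listener, pool and routing blocks are unchanged and elided.
resource "azurerm_application_gateway" "tre_appgw" {  # hypothetical name
  name                = "agw-tre-example"
  resource_group_name = var.resource_group_name
  location            = var.location

  sku {
    name     = "Standard_v2"
    tier     = "Standard_v2"
    capacity = 1
  }

  # WEAK (the situation the issue describes): no ssl_policy block at all.
  # The gateway then inherits whatever the provider's API version defaults to,
  # which at the time of the issue was AppGwSslPolicy20150501, a policy that
  # still negotiates TLS 1.0 and 1.1 with clients.

  # CORRECTED: pin a predefined policy so the minimum protocol is explicit and
  # stays stable across Terraform provider and Azure API upgrades.
  # AppGwSslPolicy20220101 sets TLS 1.2 as the minimum; the "S" variant
  # (AppGwSslPolicy20220101S) additionally restricts the cipher-suite list.
  ssl_policy {
    policy_type = "Predefined"
    policy_name = "AppGwSslPolicy20220101"
  }

  # Equivalent alternative if the cipher suites must be named explicitly:
  # ssl_policy {
  #   policy_type          = "CustomV2"
  #   min_protocol_version = "TLSv1_2"
  #   cipher_suites        = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
  #                           "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
  # }

  # ... gateway_ip_configuration, frontend_port, frontend_ip_configuration,
  # backend_address_pool, backend_http_settings, http_listener and
  # request_routing_rule blocks as in the existing resource ...
}
```

After applying, `terraform plan` should show the ssl_policy change as an in-place update; confirm the effective policy afterwards with an external TLS scan of the public listener, as the comment above describes.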