Security changes coming to Azure Web Apps, affecting Azure Bot Service

Beginning tomorrow, from May 15th to May 30th 2018 (03/15/2018 – 05/30/2018), Azure Web Apps will be rolling out stricter protocol enforcement world-wide. This will impact clients that use TLS 1.0 without an SNI header. The only resolution is to upgrade those clients to use TLS 1.2 (preferable), TLS 1.1, or TLS 1.0 with an SNI header.

Overview

Azure Web Apps is stopping support for TLS 1.0 without an SNI header; see the Azure Web Apps announcement for details.

Since the Azure Bot Service runs on Azure Web Apps, some of our customers may be impacted by this change as well.

What this means is that clients communicating with Azure Web Apps must negotiate TLS 1.1 or newer, OR send an SNI header with their TLS 1.0 handshake. Most modern clients won’t have a problem, as TLS 1.0 has been phasing out for several years (it is not secure); however, some clients (both on customer machines and in partner datacenters) may be impacted. When a caller uses TLS 1.0 without an SNI header it will receive a “Connection Reset”: the call is rejected at the Azure Web Apps layer and never reaches our application code. This is ultimately a good change for customer security.

With this enforcement of stricter, safer TLS protocols, your application may be impacted. If you suddenly cannot connect to Azure Bot Service sites, please upgrade your application to use TLS 1.2. This offers greater security than TLS 1.0 and is now required to keep our customers’ data safe during transmission.

Other options include using TLS 1.1 or including an SNI header with TLS 1.0 handshake requests, but eventually all of Azure will require TLS 1.2, so that is by far the preferred solution.
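For readers who want to check a client against the rule above, here is an added Python example (not code from the Azure Bot Service team): `would_be_accepted` encodes the acceptance rule exactly as described in this announcement, and `hardened_client_context` builds a client that negotiates at least TLS 1.2 and sends SNI via `server_hostname`. The hostname in the `__main__` block is a placeholder, and the strict cut-off at TLS 1.2 in the context is this example's choice, following the recommendation above.

```python
import socket
import ssl
import sys

# Acceptance rule described in the announcement. Version strings use the
# same spelling that ssl.SSLSocket.version() returns, so a negotiated
# connection can be fed straight back into this check.
_ACCEPTED_WITHOUT_SNI = {"TLSv1.1", "TLSv1.2", "TLSv1.3"}


def would_be_accepted(version: str, sni_sent: bool) -> bool:
    """True if a handshake with this protocol version and SNI setting
    passes the Azure Web Apps policy (TLS 1.1+ always; TLS 1.0 only with SNI)."""
    if version in _ACCEPTED_WITHOUT_SNI:
        return True
    return version == "TLSv1" and sni_sent


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and validates
    the server certificate against the system trust store."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # stricter than the bare rule
    return ctx


def open_tls_connection(host: str, port: int = 443, timeout: float = 10.0) -> ssl.SSLSocket:
    """Connect using the hardened context. Passing server_hostname is what
    puts the SNI extension on the wire (and is required for hostname checks)."""
    ctx = hardened_client_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    # Placeholder endpoint; pass your own bot's hostname as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "your-bot.azurewebsites.net"
    with open_tls_connection(host) as tls:
        negotiated = tls.version()
        print(host, "negotiated", negotiated, "with cipher", tls.cipher()[0])
        print("accepted by policy:", would_be_accepted(negotiated, sni_sent=True))
```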

Thank you, from the Azure Bot Service Team.
