This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 95%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVY%3C/text%3E%3C/svg%3E)
Hi,
We have started using a Azure Web App service for one of the Nodejs app on windows with code.
Our security team has run a penetration testing , using Qualys. The report flagged the Web App to be vulnerable for - TLS Protocol Session Renegotiation Security Vulnerability. Here is the snippet of the report.
How should we fix/explain this on Web app service?
Threat
Transport Layer Security (TLS) is a cryptographic protocol that provides security for communications over networks at the Transport Layer.
TLS protocol is prone to a security vulnerability that allows for man-in-the-middle attacks. Note that this issue does not allow attackers to decrypt encrypted data
Specifically, the issue exists in a way applications handle the session renegotiation process and may allow attackers to inject arbitrary plaintext into the beginning
of application protocol stream. The attack has been confirmed to work with HTTP as the application protocol but it is believed to be also possible with other
protocols that are layered on TLS.
Impact
In case of the HTTP protocol used with the vulnerable TLS implementation, this attack is carried out by intercepting 'Client Hello' requests and then forcing
session renegotiation. An unauthorized attacker can then cause the webserver to process arbitrary requests that would otherwise require valid client side
certificate for authorization. Please note that the attacker will not be able to gain direct access to the server response.
A proof of concept attacks have been demonstrated where the user credentials were extracted using this vulnerability.
Mitigating factors: To successfully exploit this vulnerability a full man-in-the-middle control of the TCP connection is required. The attacker needs to accept the
TCP connection from the client and establish a new connection to the server.
Solution
For Microsoft Windows, refer to MS10-049 for further information.
For Cisco products refer to Document ID:1454786328728104 for further information.
Disable renegotiation completely.
Workaround:
OpenSSL has provided a version (0.9.8l) that has a workaround. Please refer to OpenSSL Change Log (Changes between 0.9.8k and 0.9.8l Section) to obtain
additional details.
Microsoft has provided the following workaround:
Hi @Vijay yadav ,
Thanks for bringing this to our attention. I am checking internally with the engineering team to see if this is a known issue and will get back to you when I hear back from them. We appreciate your patience
best,
Grace
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 46%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERE%3C/text%3E%3C/svg%3E)
Hello, I have the same issue.
I saw that we have the issue when scanning the binding using our custom domain, but the issue dissapears when scanning the binding *.azurewebsites.net
Any help would be very appreciated!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 7.000000000000001%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAG%3C/text%3E%3C/svg%3E)
Hey, I have a similar issue. We also ran a penetration test this week on an app that makes requests to azure functions.
The pen test states, that "Secure Client Initiated Renegotiation" is used, which is a security issue.
Is there any way to disable Renegotiation on azure? There is no documentation on this topic.
Thanks in advance!
Hi @Ramon Espuga ,
This is a known issue, and the engineering team is working to roll out a fix. Can you please send me an email at azcommunity@microsoft.com with the subject "ATTN: Grace" and in the body of the email include your Azure Subscription ID.
Thanks,
Grace
Hi @Andy Grüning ,
This is a known issue, and the engineering team is working to roll out a fix. Can you please send me an email at azcommunity@microsoft.com with the subject "ATTN: Grace" and in the body of the email include your Azure Subscription ID.
Thanks!
Grace
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 47%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJL%3C/text%3E%3C/svg%3E)
Hi,
I was wondering if there are any further updates on this?
Also, is there any official comm where Microsoft acknowledges this issue?
Thanks
Is there any way to disable Renegotiation on azure? There is no documentation on this topic.
Hi,
I was wondering if there are any further updates on this?
Also, is there any official comm where Microsoft acknowledges this issue?
Thanks
Hi,
I was wondering if there are any further updates on this?
Also, is there any official comm where Microsoft acknowledges this issue?
Thanks
Hi,
I was wondering if there are any further updates on this?
Also, is there any official comm where Microsoft acknowledges this issue?
Thanks
Hi,
UPDATE: As of 5/31/22 this issue has been resoloved. Secure or Insecure Client-Initiated Renegotiation support, related to the vulnerabilities, has been disabled across all App Services. For more info please see Suwat's answer below.
This is a known issue. The App Service engineering team is working to roll out a fix that should be completed by end of May 2022.
If you need your app service to be mitigated before that time, please feel free to us an email at azcommunity@microsoft.com with the subject "ATTN: Grace" and in the body of the email include your sitenames and Azure Subscription ID.
We will update this thread if there are have additional updates to share. We appreciate your patience as we work to resolve this issue.
Best,
Grace
Hi,
I was wondering if there are any further updates on this?
Also, is there any official comm where Microsoft acknowledges this issue?
Thanks
Hi,
I was wondering if there are any further updates on this?
Also, is there any official comm where Microsoft acknowledges this issue?
Thanks
Is there any official comm where
Microsoft acknowledges this issue?
Thanks
Hello @Sana'a Ma'rouf Al-Hussien (Al Sabaiba'a) & @Jose Lopez , the global fix is being rolled out and will be complete by early next week.
We appreciate your patience.
Thanks!
Grace
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 89%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERN%3C/text%3E%3C/svg%3E)
Hello All,
Our client has found 'TLS Protocol Session Renegotiation Security Vulnerability' using the Qualys tool.
I have some questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 6%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESB%3C/text%3E%3C/svg%3E)
Different tools may report vulnerabilities differently - for instance, ssllabs do not report it. We would suggest to check with the tool providers for clarification on vulnerability and those questions.
Hi,
I was wondering if there are any further updates on this?
Also, is there any official comm where Microsoft acknowledges this issue?
Thanks
Please see the reply at the bottom of this. It has been mitigated a week ago.
Hi,
I was wondering if there are any further updates on this?
Also, is there any official comm where Microsoft acknowledges this issue?
Thanks
App Services team has mitigated the issue. Secure or Insecure Client-Initiated Renegotiation support, related to the vulnerabilities, has been disabled across all App Services. If you still encounter the issue, please file a ticket and we will look into it. Please do not confuse with typical Secure Renegotiation which has been and continues to be supported. Make sure to use scan tools (such as ssllabs) to perform the scan since certain tools may not report all types of renegotiation.
Is there any official comm where Microsoft acknowledges this issue?