How to discover the attempts of using TLS 1.0 and 1.1 after upgrading the SSL policy to 20220101 version in app gateway?

Samuel Lee 20

We recently upgraded our SSL policy to 20220101 to enforce TLS 1.2 or later for connections to Azure application gateway.

We're concerned about potential failed connection attempts from legacy clients that may still be trying to connect using TLS 1.0 or 1.1.

How can we effectively monitor and identify these failed connection attempts? Are there specific logs or metrics within Azure that we can leverage to detect these?

Sai Prasanna Sinde 1,260 Reputation points Microsoft Vendor

2024-11-04T10:15:47.44+00:00

Hi @Samuel Lee,

Welcome to the Microsoft Q&A Platform. Thank you for posting your query here. We are looking into it and reviewing the documents and will get back to you soon.

Regards,

Sai Prasanna.
Sai Prasanna Sinde 1,260 Reputation points Microsoft Vendor

2024-11-05T01:11:06.89+00:00
Hi @Samuel Lee,

Greetings!

We understand that you want to effectively monitor and identify failed connection attempts due to clients attempting to use legacy TLS versions (such as TLS 1.0 or 1.1) with your upgraded Azure Application Gateway SSL policy (20220101).

Enable diagnostic logging for your Azure Application Gateway. This will capture detailed information about incoming requests, including connection attempts that fail due to unsupported TLS versions.

You can also store these logs after collecting into Azure Monitor, Log Analytics, or a storage account for further analysis.

Go to Application gateway > Monitoring > Diagnostic Settings > In diagnostic settings choose the logs you want to collect, like ApplicationGatewayAccessLog, ApplicationGatewayPerformanceLog, ApplicationGatewayErrorLog.

You can choose ApplicationGatewayAccessLog and it contains all the logs to view Application Gateway access patterns and analyze important information. This includes the caller's IP, requested URL, response latency, return code, and bytes in and out. For your reference: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/agwaccesslogs

You can check the Backend Health status of your Application Gateway configuration. If the backend servers are receiving requests marked as failed due to TLS issues, this can provide insights into underlying TLS compatibility problems. For your reference: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting#how-to-check-backend-health

Utilizing Azure Monitor along with Log Analytics can provide deeper insights into your access logs. You can also set up alerts in Azure Monitor to notify you when certain thresholds are met, such as a spike in error responses, which could imply that clients are failing to connect using unsupported TLS versions. For your reference: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-diagnostics

Kindly let us know if the above helps or you need further assistance on this issue.

Regards,

Sai Prasanna.
Sai Prasanna Sinde 1,260 Reputation points Microsoft Vendor

2024-11-06T00:53:26.4066667+00:00

Hi @Samuel Lee,

Greetings of the day!

I would like to follow up with the thread.

Could you please go through the last comment and provide us the required information to drive the thread further.

If you need any further assistance, please don't hesitate to reach out to us. We are happy to assist you.

Regards,

Sai Prasanna.
Samuel Lee 20 Reputation points

2024-11-06T00:59:50.56+00:00

Hi Sai,

We performed a test in our environment (Upgrade to 20220101 and try to connect via 1.0 and 1.1. But we could not see the TLS connection errors from ApplicationGateway Access log. What we can see only the client IP address with HTTP error code 400 without any cipher information from the log. Is there any better way that can tell what cipher the legacy clients trying to connect with?

Best regards,

Samuel
Sai Prasanna Sinde 1,260 Reputation points Microsoft Vendor

2024-11-07T08:27:49.5566667+00:00

Hi @Samuel Lee,

Greetings!

A quick way to determine what TLS version will be requested by various clients when connecting to your online services is by referring to the Handshake Simulation at Qualys SSL Labs. This simulation covers client OS/browser combinations across manufacturers.

Reference: https://learn.microsoft.com/en-us/security/engineering/solving-tls1-problem#figure-1-security-protocol-support-by-os-version

Please refer to the below document for a detailed example showing the TLS protocol versions negotiated by various simulated client OS/browser combinations.

Refer: https://learn.microsoft.com/en-us/security/engineering/solving-tls1-problem#appendix-a-handshake-simulation

If not already complete, it is highly recommended to conduct an inventory of operating systems used by your enterprise, customers and partners (the latter two via outreach/communication or at least HTTP User-Agent string collection). This inventory can be further supplemented by traffic analysis at your enterprise network edge. In such a situation, traffic analysis will yield the TLS versions successfully negotiated by customers/partners connecting to your services, but the traffic itself will remain encrypted.

Kindly let us know if the above helps or you need further assistance on this issue.

Regards,

Sai Prasanna.
Sai Prasanna Sinde 1,260 Reputation points Microsoft Vendor

2024-11-08T08:02:01.9333333+00:00

Hi @Samuel Lee,

Greetings of the day!

Following up to see if the above suggestion was useful.

If you need any further assistance, please don't hesitate to reach out to us. We are happy to assist you.

Regards,

Sai Prasanna.
Samuel Lee 20 Reputation points

2024-11-08T09:01:56.1633333+00:00

Thanks Sai,

We opted for a different approach: we configured an new application gateway with an upgraded SSL policy. and then we use an OpenSSH client to generate some TLSv1 connection attempts to the server. With access logs enabled as recommended, we observed HTTP status code 400 without user-agent and cipher details. However, the logs captured the client IP address, allowing us to identify the specific clients and encourage them to upgrade their connection ciphers.

Warm regards,

Samuel

Accepted answer

Sai Prasanna Sinde 1,260 Reputation points Microsoft Vendor

2024-11-08T09:20:23.41+00:00

Hi @Samuel Lee,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer.

Issue:

How to discover the attempts of using TLS 1.0 and 1.1 after upgrading the SSL policy to 20220101 version in app gateway?

Solution:

We opted for a different approach: we configured an new application gateway with an upgraded SSL policy. and then we use an OpenSSH client to generate some TLSv1 connection attempts to the server. With access logs enabled as recommended, we observed HTTP status code 400 without user-agent and cipher details. However, the logs captured the client IP address, allowing us to identify the specific clients and encourage them to upgrade their connection ciphers.

Please remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution.

Regards,

Sai Prasanna.
Please sign in to rate this answer.
Sai Prasanna Sinde 1,260 Reputation points Microsoft Vendor

2024-11-11T04:39:41.3966667+00:00

Hi @Samuel Lee,

Greetings of the day!

Please "Accept Answer" so that others in the community facing similar issues can easily find the solution.

Your contribution is highly appreciated.

Regards,

Sai Prasanna.

Sai Prasanna Sinde 1,260 Reputation points Microsoft Vendor

2024-11-12T07:41:04.1+00:00

Hi @Samuel Lee,

Greetings!

Please "Accept Answer" so that others in the community facing similar issues can easily find the solution.

Your contribution is highly appreciated.

Regards,

Sai Prasanna.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How to discover the attempts of using TLS 1.0 and 1.1 after upgrading the SSL policy to 20220101 version in app gateway?

0 additional answers

Your answer