Vulnerability Scan on Azure SQL Server and found unexpected TLS 1.0, TLS 1.1, TLS 1.2 and SWEET32 issue

Question

Hi there,

Recently, I used the most popular vulnerability scanner to scan the Azure SQL Server (DB), and the results were unexpected. It showed a few vulnerabilities found, all of which were unexpected:

• TLS 1.0 FOUND
• TLS 1.1 FOUND
• TLS 1.2 with Weak Cipher Suite (SWEET32), for example.

Actually, I followed the KB to set up the minimum TLS version to 1.2. I have no idea why I still get the TLS 1.0, TLS 1.1 found. https://learn.microsoft.com/en-us/azure/azure-sql/database/connectivity-settings?view=azuresql&tabs=azure-portal#minimal-tls-version

Answer 1

Hi Carrr •,

Thanks for your patience.

I have got the below reply from the team:

Azure SQL Database has a shared Control Plane due to which we cannot selectively turn off specific version of TLS or weak cipher suites. When customers run scanners against our infra they will see these flagged and it is by design.

Going forward, Azure has announced deprecation of TLS < 1.2 by October 31st 2024; so that will eliminate majority of the weak ciphers. Additionally, we are working on adding TLS 1.3 to Minimal TLS Version so customer can use it to overcome Sweet32 vulnerability.

Are you in a position to use TLS 1.3 today? if yes then our infra does support TLS 1.3 connectivity even though it is not added as an option to Minimal TLS Version.

Hope this helps. Let us know if you have more queries.

Thank you.

Answer 2

Hi Carrr •,

After checking with the internal we got to know that they are working on removal of 3DES and thus SWEET32 from the list of findings.

ETA is yet to be finalized.

Sorry for the inconvenience.

Thanks