At the end of October, Microsoft Azure announced that Azure services would begin disabling support for SSL 3.0 starting December 1, 2014, in response to an industry-wide vulnerability in SSL 3.0, commonly known as POODLE. Starting on February 20th, 2015, Azure Storage will discontinue support for SSL 3.0. Any client/browser that uses HTTPS to connect to Azure Storage and does not use TLS 1.0 or higher, which supersedes SSL 3.0, will be prevented from connecting to Azure Storage when SSL 3.0 is disabled. Clients/browsers currently using HTTP to connect to Azure Storage will not be affected.
We recommend that you immediately investigate your applications and remove any dependencies on SSL 3.0.
- Make sure that you are not enforcing the use of SSL 3.0. For example, .NET applications that communicate with Azure services should NOT set:
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;
- If you are using IE 6.0 or earlier on Windows XP or earlier, most likely you are using SSL 3.0. In most cases, you can identify the browser type that your clients are using by enabling Azure Storage Analytics and looking at the User Agent in your Analytics logs. Guidance for end users and administrators to ensure clients are utilizing TLS 1.0 or higher and to disable SSL 3.0 proactively can be found here. Example of IE6 user agent on Win XP:
“Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
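As an added example (not code from the original post), the user-agent check described above can be run over downloaded Storage Analytics log entries to count HTTPS requests from clients that most likely use SSL 3.0. It assumes the log format version 1.0 field positions; the function names and the sample entries are constructed for illustration.

```python
import csv
import io
import re
from collections import Counter

# Assumed layout: Storage Analytics log format 1.0, semicolon-delimited,
# with fields that may contain ';' wrapped in double quotes.
URL_FIELD = 11         # request-url
USER_AGENT_FIELD = 27  # user-agent-header

MSIE_RE = re.compile(r"MSIE (\d+)\.")
WINNT_RE = re.compile(r"Windows NT (\d+)\.(\d+)")

def likely_ssl3_client(user_agent):
    """True for IE 6.0 or earlier, or Windows XP (NT 5.1) or earlier."""
    ie = MSIE_RE.search(user_agent)
    if ie and int(ie.group(1)) <= 6:
        return True
    nt = WINNT_RE.search(user_agent)
    return bool(nt) and (int(nt.group(1)), int(nt.group(2))) <= (5, 1)

def flag_ssl3_candidates(log_text):
    """Count HTTPS requests per user agent that most likely uses SSL 3.0."""
    hits = Counter()
    for row in csv.reader(io.StringIO(log_text), delimiter=";", quotechar='"'):
        if len(row) <= USER_AGENT_FIELD or row[0] != "1.0":
            continue  # blank, truncated or unknown-version entry
        if not row[URL_FIELD].lower().startswith("https://"):
            continue  # plain-HTTP clients are not affected by the change
        if likely_ssl3_client(row[USER_AGENT_FIELD]):
            hits[row[USER_AGENT_FIELD]] += 1
    return hits

# Constructed sample entries: account, IP, IDs and timestamps are made up.
ENTRY = ('1.0;2015-01-15T10:00:00.0000000Z;GetBlob;Success;200;17;16;'
         'authenticated;exampleacct;exampleacct;blob;"{url}";'
         '"/exampleacct/docs/a.txt";00000000-0000-0000-0000-000000000000;0;'
         '192.0.2.10:4362;2014-02-14;283;0;354;23;0;;;;;;"{ua}";;')
IE6_XP = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
IE11_WIN7 = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
BLOB = "://exampleacct.blob.core.windows.net/docs/a.txt"
SAMPLE_LOG = "\n".join([
    ENTRY.format(url="https" + BLOB, ua=IE6_XP),
    ENTRY.format(url="https" + BLOB, ua=IE6_XP),
    ENTRY.format(url="http" + BLOB, ua=IE6_XP),      # HTTP: ignored
    ENTRY.format(url="https" + BLOB, ua=IE11_WIN7),  # TLS-capable client
])

if __name__ == "__main__":
    for agent, count in flag_ssl3_candidates(SAMPLE_LOG).items():
        print(count, agent)
```

A user agent is only a hint: an application on a current platform that forces SecurityProtocolType.Ssl3 will not be flagged by this check.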
Summary and Links
Although analysis of connections to Microsoft Azure Storage shows few customers still use SSL 3.0, we are reminding customers of this change so they can update their impacted applications prior to us disabling SSL 3.0.
- About Storage Analytics Logging
- Windows Azure Storage Logging: Using Logs to Track Storage Requests
- Protecting against the SSL 3.0 vulnerability
- How to Disable SSL 3.0 in Azure Websites, Roles, and Virtual Machines
- Azure Security SSL 3.0 Update
Perry Skountrianos
Program Manager, Azure Storage