TLS 1.2 will be enforced on non-IP-SSL hostnames if the SNI header is not present in the SSL handshake request #104
As part of the Azure TLS 1.2 compliance initiative, Azure App Service now offers per site configuration for the minimum version of TLS to be used for a site. We recommend customers use TLS 1.2 as the minimum required version for the site for security reasons. Note that TLS 1.2 is also the maximum version you can negotiate with Azure App Service.
Clients using TLS 1.0 to reach an IP-SSL hostname, or clients using TLS 1.0 with an SNI extension header, will be subject to the minimum TLS version check specified for the site.
A side effect of this change is that if an SSL client arrives without the SNI header (https://en.wikipedia.org/wiki/Server_Name_Indication) on a non-IP-SSL binding, our system has to ensure that TLS 1.2 is used for the connection to ensure compliance.
If a client tries to negotiate TLS 1.0 in such a scenario, the request will fail with a connection reset.
The workaround for sites that need to support TLS 1.0 clients that could potentially make requests without the SNI header is to add IP-SSL hostname bindings for the target web app.
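To find out which of your clients fall into the reset case described above, the following added example (not part of the original announcement and not Azure's code) parses a captured TLS ClientHello record and reports whether it lacks the SNI extension while offering less than TLS 1.2. The function names and the constructed sample records are assumptions, as is treating every offered version below TLS 1.2 as the reset case.

```python
import struct

TLS_1_0, TLS_1_2 = 0x0301, 0x0303
SNI_EXT = 0x0000  # server_name extension type (RFC 6066)

def parse_client_hello(record: bytes):
    """Return (client_version, has_sni) for one TLS record holding a ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    try:
        version = struct.unpack_from("!H", body, 0)[0]  # highest version offered
        pos = 2 + 32                                       # skip version + random
        pos += 1 + body[pos]                               # session_id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]  # cipher_suites
        pos += 1 + body[pos]                               # compression_methods
        if pos >= len(body):                               # no extensions block at all
            return version, False
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= min(end, len(body)):
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            if ext_type == SNI_EXT:
                return version, True
            pos += 4 + ext_len
        return version, False
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello")

def reset_expected(record: bytes) -> bool:
    """True when the hello has no SNI and offers below TLS 1.2 (assumed reset case)."""
    version, has_sni = parse_client_hello(record)
    return not has_sni and version < TLS_1_2

def build_client_hello(version, sni=None) -> bytes:
    """Build a minimal ClientHello record as constructed sample input (not a capture)."""
    exts = b""
    if sni:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name entry
        data = struct.pack("!H", len(entry)) + entry            # server_name_list
        exts = struct.pack("!HH", SNI_EXT, len(data)) + data
    body = struct.pack("!H", version) + bytes(32) + b"\x00"     # version, random, empty session_id
    body += struct.pack("!H", 2) + b"\x00\x2f" + b"\x01\x00"    # one cipher suite, null compression
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", TLS_1_0, len(hs)) + hs
```

Feed `reset_expected` the first TLS record of each client connection taken from a packet capture; clients it flags are the ones that need either an SNI-capable TLS stack or an IP-SSL binding on the web app.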