Minimum TLS version

Security · IoT Hub · Rule · 2023_03 · Critical

IoT Hubs should reject TLS versions older than 1.2.

Description

The minimum version of TLS that IoT Hubs accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 is accepted.

Recommendation

Configure the minimum supported TLS version to be 1.2.

Examples

Configure with Azure template

To deploy IoT Hubs that pass this rule:

• Set the properties.minTlsVersion property to 1.2.

For example:

Azure Template snippet

{
  "type": "Microsoft.Devices/IotHubs",
  "apiVersion": "2022-04-30-preview",
  "name": "[parameters('iotHubName')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "S1",
    "capacity": 1,
  },
  "properties": {
    "minimumTlsVersion": "1.2",
  }
}

Configure with Bicep

To deploy IoT Hubs that pass this rule:

• Set the properties.minTlsVersion property to 1.2.

For example:

Azure Bicep snippet

resource IoTHub 'Microsoft.Devices/IotHubs@2022-04-30-preview' = {
  name: iotHubName
  location: location
  sku: {
    name: 'S1'
    capacity: 1
  }
  properties: {
    minTlsVersion: '1.2'
  }
}

Notes

The minimum TLS version feature is currently only supported in these regions: - East US - South Central US - West US 2 - US Gov Arizona - US Gov Virginia

The minTlsVersion property is read-only and cannot be changed once your IoT Hub resource is created. It is therefore important to properly test and validate that all oT devices and services are compatible with TLS 1.2 and the recommended ciphers in advance.

Links

• Data encryption in Azure
• Transport Layer Security (TLS) support in IoT Hub
• Preparing for TLS 1.2 in Microsoft Azure
• Azure deployment reference

Comments