Redis Cache minimum TLS version

Security · Azure Cache for Redis Enterprise · Rule · 2022_09 · Critical

Redis Cache should reject TLS versions older than 1.2.

Description

The minimum version of TLS that Redis Cache accepts was previously configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

Depending on when your cache was deployed you may be using a default that specifies an older version of TLS. Any new deployments do not allow TLS 1.0 or 1.1 to be specified, however existing cache deployment may require updating.

Support for TLS 1.0 and TLS 1.1 will be removed in 1 November 2024.

Recommendation

Consider configuring the minimum supported TLS version to be 1.2. No action is required for new cache deployments, which only support a minimum of TLS 1.2.

Examples

Configure with Azure template

To deploy caches that pass this rule:

• Set the properties.minimumTlsVersion property to a minimum of 1.2 for existing caches with an old version of TLS configured. It is not possible to set the properties.minimumTlsVersion on new cache deployments. New cache deployments only support a minimum TLS version of 1.2.

For example:

Azure Template snippet

{
  "type": "Microsoft.Cache/redisEnterprise",
  "apiVersion": "2024-02-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Enterprise_E10"
  },
  "properties": {
    "minimumTlsVersion": "1.2"
  }
}

Configure with Bicep

To deploy caches that pass this rule:

• Set the properties.minimumTlsVersion property to a minimum of 1.2 for existing caches with an old version of TLS configured. It is not possible to set the properties.minimumTlsVersion on new cache deployments. New cache deployments only support a minimum TLS version of 1.2.

For example:

Azure Bicep snippet

resource cache 'Microsoft.Cache/redisEnterprise@2024-02-01' = {
  name: name
  location: location
  sku: {
    name: 'Enterprise_E10'
  }
  properties: {
    minimumTlsVersion: '1.2'
  }
}

Configure with Azure CLI

To deploy caches that pass this rule:

• Use the --set parameter. This parameter only applies to old cache deployments using TLS 1.0 or TLS 1.1.

For example:

Azure CLI snippet

az redis update -n '<name>' -g '<resource_group>' --set minimumTlsVersion=1.2

Configure with Azure PowerShell

To deploy caches that pass this rule:

• Use the -MinimumTlsVersion parameter. This parameter only applies to old cache deployments using TLS 1.0 or TLS 1.1.

For example:

Azure PowerShell snippet

Set-AzRedisCache -Name '<name>' -MinimumTlsVersion '1.2'

Links

• SE:07 Encryption
• DP-3: Encrypt sensitive data in transit
• Remove TLS 1.0 and 1.1 from use with Azure Cache for Redis
• Configure Azure Cache for Redis settings
• TLS encryption in Azure
• Preparing for TLS 1.2 in Microsoft Azure
• Azure deployment reference

Comments