
Minimum TLS version

Security · IoT Hub · Rule · 2023_03 · Critical

IoT Hubs should reject TLS versions older than 1.2.

Description

The minimum version of TLS that IoT Hubs accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.

Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 are all accepted.

Recommendation

Configure the minimum supported TLS version to be 1.2.

Examples

Configure with Azure template

To deploy IoT Hubs that pass this rule:

  • Set the properties.minTlsVersion property to 1.2.

For example:

Azure Template snippet
{
  "type": "Microsoft.Devices/IotHubs",
  "apiVersion": "2022-04-30-preview",
  "name": "[parameters('iotHubName')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "S1",
    "capacity": 1
  },
  "properties": {
    "minTlsVersion": "1.2"
  }
}

Configure with Bicep

To deploy IoT Hubs that pass this rule:

  • Set the properties.minTlsVersion property to 1.2.

For example:

Azure Bicep snippet
resource IoTHub 'Microsoft.Devices/IotHubs@2022-04-30-preview' = {
  name: iotHubName
  location: location
  sku: {
    name: 'S1'
    capacity: 1
  }
  properties: {
    minTlsVersion: '1.2'
  }
}

Notes

The minimum TLS version feature is currently only supported in these regions:

  • East US
  • South Central US
  • West US 2
  • US Gov Arizona
  • US Gov Virginia

The minTlsVersion property is read-only and cannot be changed once your IoT Hub resource is created. It is therefore important to properly test and validate in advance that all IoT devices and services are compatible with TLS 1.2 and the recommended ciphers.
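The following is an added example, not part of this rule page or of PSRule itself: a small pre-deployment check that reads an ARM template, applies the rule above to every Microsoft.Devices/IotHubs resource (unset or pre-1.2 minTlsVersion fails, since the default accepts TLS 1.0 and 1.1), and warns when the hub's location is not one of the regions listed in the notes. The sample template and resource names are constructed for the example.

```python
import json

IOTHUB_TYPE = "microsoft.devices/iothubs"
REQUIRED = (1, 2)
# Regions listed on this page as supporting the minimum TLS version feature.
SUPPORTED_REGIONS = {"eastus", "southcentralus", "westus2", "usgovarizona", "usgovvirginia"}

def parse_tls_version(value):
    """Turn '1.2' into (1, 2); return None for anything that is not 'major.minor'."""
    try:
        major, minor = str(value).strip().split(".")
        return int(major), int(minor)
    except ValueError:
        return None

def check_iot_hub(resource):
    """Evaluate one ARM resource. Returns (passed, message); passed is None for non-hubs."""
    if str(resource.get("type", "")).lower() != IOTHUB_TYPE:
        return None, "not an IoT Hub"
    raw = (resource.get("properties") or {}).get("minTlsVersion")
    if raw is None:
        return False, "minTlsVersion not set; TLS 1.0 and 1.1 are accepted by default"
    version = parse_tls_version(raw)
    if version is None or version < REQUIRED:
        return False, f"minTlsVersion is {raw!r}; must be 1.2"
    region = str(resource.get("location", "")).replace(" ", "").lower()
    if region.startswith("["):  # template expression, cannot resolve offline
        return True, "minTlsVersion is 1.2 (location is a parameter; confirm region support)"
    if region not in SUPPORTED_REGIONS:
        return True, f"minTlsVersion is 1.2, but region {region!r} is not listed as supported"
    return True, "minTlsVersion is 1.2"

def audit_template(template_json):
    """Return {hub name: (passed, message)} for every IoT Hub in an ARM template string."""
    results = {}
    for resource in json.loads(template_json).get("resources", []):
        passed, message = check_iot_hub(resource)
        if passed is not None:
            results[resource.get("name", "<unnamed>")] = (passed, message)
    return results

# Constructed sample: one compliant hub, one left at the default, one pinned to TLS 1.0.
SAMPLE_TEMPLATE = json.dumps({"resources": [
    {"type": "Microsoft.Devices/IotHubs", "name": "hub-ok", "location": "East US",
     "properties": {"minTlsVersion": "1.2"}},
    {"type": "Microsoft.Devices/IotHubs", "name": "hub-default", "location": "eastus",
     "properties": {}},
    {"type": "Microsoft.Devices/IotHubs", "name": "hub-old", "location": "westeurope",
     "properties": {"minTlsVersion": "1.0"}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stg", "location": "eastus"}]})

if __name__ == "__main__":
    for name, (passed, msg) in audit_template(SAMPLE_TEMPLATE).items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}: {msg}")
```

Because minTlsVersion cannot be changed after creation, running a check like this against templates before deployment is the practical place to catch the misconfiguration.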
