Minimum TLS version
Security · IoT Hub · Rule · 2023_03 · Critical
IoT Hubs should reject TLS versions older than 1.2.
Description
The minimum version of TLS that IoT Hubs accept is configurable. Older TLS versions are no longer considered secure by industry standards, such as PCI DSS.
Azure lets you disable outdated protocols and require connections to use a minimum of TLS 1.2. By default, TLS 1.0, TLS 1.1, and TLS 1.2 are all accepted.
Recommendation
Configure the minimum supported TLS version to be 1.2.
Examples
Configure with Azure template
To deploy IoT Hubs that pass this rule:
- Set the `properties.minTlsVersion` property to `1.2`.
For example:
```json
{
  "type": "Microsoft.Devices/IotHubs",
  "apiVersion": "2022-04-30-preview",
  "name": "[parameters('iotHubName')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "S1",
    "capacity": 1
  },
  "properties": {
    "minTlsVersion": "1.2"
  }
}
```
Configure with Bicep
To deploy IoT Hubs that pass this rule:
- Set the `properties.minTlsVersion` property to `1.2`.
For example:
```bicep
resource IoTHub 'Microsoft.Devices/IotHubs@2022-04-30-preview' = {
  name: iotHubName
  location: location
  sku: {
    name: 'S1'
    capacity: 1
  }
  properties: {
    minTlsVersion: '1.2'
  }
}
```
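The rule above can also be checked before deployment by scanning an ARM template for IoT Hub resources whose `properties.minTlsVersion` is missing (so the default of accepting TLS 1.0 and 1.1 applies) or set to anything other than `1.2`. The following Python is an added example, not PSRule's own implementation; the sample template it scans is constructed here and the hub names in it are hypothetical.

```python
import json

IOT_HUB_TYPE = "microsoft.devices/iothubs"
REQUIRED_MIN_TLS = "1.2"

def iter_resources(resources, parent_type=None):
    """Yield (full type, resource) for each resource, recursing into nested child resources."""
    for res in resources or []:
        rtype = res.get("type", "")
        full_type = f"{parent_type}/{rtype}" if parent_type else rtype
        yield full_type, res
        yield from iter_resources(res.get("resources"), full_type)

def min_tls_findings(template):
    """Return [(resource name, reason)] for every IoT Hub in the template that fails the rule.
    A hub fails when properties.minTlsVersion is missing (Azure then accepts TLS 1.0
    and 1.1 by default) or is set to anything other than "1.2"."""
    findings = []
    for full_type, res in iter_resources(template.get("resources")):
        if full_type.lower() != IOT_HUB_TYPE:  # resource types are case-insensitive
            continue
        name = res.get("name", "<unnamed>")
        value = (res.get("properties") or {}).get("minTlsVersion")
        if value is None:
            findings.append((name, "minTlsVersion not set; TLS 1.0 and 1.1 accepted by default"))
        elif str(value) != REQUIRED_MIN_TLS:
            findings.append((name, f"minTlsVersion is {value!r}, expected '1.2'"))
    return findings

def findings_from_file(path):
    """Run the check against an ARM template saved on disk."""
    with open(path, encoding="utf-8") as fh:
        return min_tls_findings(json.load(fh))

# Constructed sample template (not a real deployment): one compliant hub, one relying on the default, one legacy.
SAMPLE_TEMPLATE = {
    "resources": [
        {"type": "Microsoft.Devices/IotHubs", "apiVersion": "2022-04-30-preview",
         "name": "hub-compliant", "properties": {"minTlsVersion": "1.2"}},
        {"type": "Microsoft.Devices/IotHubs", "apiVersion": "2022-04-30-preview",
         "name": "hub-default", "properties": {}},
        {"type": "Microsoft.Devices/IotHubs", "apiVersion": "2022-04-30-preview",
         "name": "hub-legacy", "properties": {"minTlsVersion": "1.0"}},
    ],
}

if __name__ == "__main__":
    for name, reason in min_tls_findings(SAMPLE_TEMPLATE):
        print(f"FAIL {name}: {reason}")
```

Because `minTlsVersion` cannot be changed after the hub is created, running a check like this in CI before deployment avoids having to recreate the resource later.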
Notes
The minimum TLS version feature is currently only supported in these regions:
- East US
- South Central US
- West US 2
- US Gov Arizona
- US Gov Virginia
The `minTlsVersion` property is read-only and cannot be changed once your IoT Hub resource is created.
It is therefore important to properly test and validate in advance that all IoT devices and services are compatible with TLS 1.2 and the recommended ciphers.
Links
- Data encryption in Azure
- Transport Layer Security (TLS) support in IoT Hub
- Preparing for TLS 1.2 in Microsoft Azure
- Azure deployment reference