
update Security/TLS Configuration.md for Tls13 #319

Open
jagilber wants to merge 8 commits into Azure:master from jagilber:tls13

Conversation

@jagilber
Member

update Security/TLS Configuration.md for Tls13

  • Add TLS 1.3 requirements (SF 10.1CU2+, Windows Server 2022, .NET 4.8+)

  • Add Service Fabric TLS 1.3 cluster configuration section

  • Update registry configuration for TLS 1.3 protocol and cipher suites

  • Add deprecation warnings for TLS 1.0/1.1 (retiring Aug 31, 2025)

  • Remove/mark deprecated cipher suites (DHE, 3DES, RC4)

  • Update .NET Framework guidance with version compatibility table

  • Add comprehensive troubleshooting section with PowerShell scripts

  • Update Linux section with OpenSSL 1.1.1+ TLS 1.3 support

  • Modernize all reference links to learn.microsoft.com

  • Document expanded from 264 to 760 lines

  • Add separate sections for certificate-only vs token-based authentication

  • Add port reference table (19080 gateway, 19079 token auth, 19081 reverse proxy)

  • Document that httpGatewayTokenAuthEndpointPort goes in nodeTypes section

  • Emphasize enableHttpGatewayExclusiveAuthMode is required for all TLS 1.3
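The two cluster-manifest changes the description keeps coming back to (enableHttpGatewayExclusiveAuthMode at cluster level, httpGatewayTokenAuthEndpointPort inside each nodeTypes entry, and only for token-based auth) are easy to put in the wrong place. The script below is an added example, not code from this PR or from the Azure/service-fabric-scripts repository, that applies both to a classic (Microsoft.ServiceFabric/clusters) resource with the generic Az.Resources cmdlets. The resource group and cluster names, the 2023-11-01-preview API version and the TokenAuth switch are assumptions; 19079 is taken from the PR's port table.

```powershell
# Added example: set the cluster-level and node-type-level properties for TLS 1.3
# on a classic Azure Service Fabric cluster resource. Not the PR's own code.
param(
    [Parameter(Mandatory)] [string]$ResourceGroup,
    [Parameter(Mandatory)] [string]$ClusterName,
    [switch]$TokenAuth,                          # cluster also uses Microsoft Entra ID token auth
    [int]$TokenAuthPort = 19079,                 # token auth endpoint port from the PR's port table
    [string]$ApiVersion = '2023-11-01-preview'   # assumed; the PR notes these are preview API versions
)

$ErrorActionPreference = 'Stop'
$subscriptionId = (Get-AzContext).Subscription.Id
$id = "/subscriptions/$subscriptionId/resourceGroups/$ResourceGroup" +
      "/providers/Microsoft.ServiceFabric/clusters/$ClusterName"

$cluster = Get-AzResource -ResourceId $id -ApiVersion $ApiVersion
$props = $cluster.Properties

# Cluster level: required for TLS 1.3 whether the cluster uses certificate-only or token auth.
$props | Add-Member -NotePropertyName enableHttpGatewayExclusiveAuthMode -NotePropertyValue $true -Force

# Node-type level: the token auth endpoint port lives in each nodeTypes entry, not at cluster
# level, and is only needed when token auth is enabled. 19081 is the reverse proxy port and is
# unrelated to TLS 1.3, so refuse a port that is already taken by another endpoint.
foreach ($nt in $props.nodeTypes) {
    if ($TokenAuth) {
        $inUse = @($nt.clientConnectionEndpointPort, $nt.httpGatewayEndpointPort, $nt.reverseProxyEndpointPort)
        if ($TokenAuthPort -in $inUse) {
            throw "Port $TokenAuthPort is already used by node type '$($nt.name)'"
        }
        $nt | Add-Member -NotePropertyName httpGatewayTokenAuthEndpointPort -NotePropertyValue $TokenAuthPort -Force
    }
    elseif ($nt.PSObject.Properties['httpGatewayTokenAuthEndpointPort']) {
        # Certificate-only cluster: drop a stray token auth port rather than carry it along.
        $nt.PSObject.Properties.Remove('httpGatewayTokenAuthEndpointPort')
    }
}

# Show the fragment that will be PUT so it can be reviewed before the cluster upgrade starts.
$props | Select-Object enableHttpGatewayExclusiveAuthMode, nodeTypes | ConvertTo-Json -Depth 10

# Set-AzResource PUTs the full resource; Service Fabric orchestrates the resulting
# cluster upgrade itself (not the VMSS upgrade policy).
Set-AzResource -ResourceId $id -ApiVersion $ApiVersion -Properties $props -Force | Out-Null
```

When TokenAuth is set, the load balancer rule and NSG rule for the token auth port are separate resources and still have to be added alongside this change; for managed clusters the resource type is Microsoft.ServiceFabric/managedClusters and its properties differ, so this script only targets the classic cluster resource.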

- Add TLS 1.3 requirements (SF 10.1CU2+, Windows Server 2022, .NET 4.8+)
- Add Service Fabric TLS 1.3 cluster configuration section
- Update registry configuration for TLS 1.3 protocol and cipher suites
- Add deprecation warnings for TLS 1.0/1.1 (retiring Aug 31, 2025)
- Remove/mark deprecated cipher suites (DHE, 3DES, RC4)
- Update .NET Framework guidance with version compatibility table
- Add comprehensive troubleshooting section with PowerShell scripts
- Update Linux section with OpenSSL 1.1.1+ TLS 1.3 support
- Modernize all reference links to learn.microsoft.com
- Document expanded from 264 to 760 lines
- Correct httpGatewayTokenAuthEndpointPort usage (only needed for token auth)
- Change example port from 19081 to 19079 per Microsoft docs
- Add separate sections for certificate-only vs token-based authentication
- Clarify that port 19081 is reverse proxy, not TLS 1.3 related
- Add port reference table (19080 gateway, 19079 token auth, 19081 reverse proxy)
- Document that httpGatewayTokenAuthEndpointPort goes in nodeTypes section
- Emphasize enableHttpGatewayExclusiveAuthMode is required for all TLS 1.3
Critical Findings (CF):
- CF-1: Fix .NET Framework TLS 1.3 code - remove non-existent Tls13 enum, use SystemDefault with AppContextSwitchOverrides
- CF-2: Correct Linux TLS 1.3 claims - explicitly state Windows-only per official migration guide
- CF-3: Remove non-existent PowerShell cmdlets (Enable-/Reset-TlsCipherSuite), replace with Group Policy/registry guidance
- CF-4: Fix Nmap verification ports from 1026 to Service Fabric ports (19080/19000/19079)
- CF-5: Mark Option 3 per-exe registry as unsupported/undocumented per Microsoft guidance

High-Severity (HS):
- HS-1: Add Windows 10 compatibility manifest requirement for TLS 1.3 transport endpoints
- HS-2: Clarify exclusive auth mode rationale - runtime constraint and no TLS 1.3 renegotiation
- HS-3: Note preview API versions and recommend tracking for GA releases

Medium-Severity (MS):
- MS-1: Emphasize OS defaults preference for registry protocol configuration
- MS-2: Update cipher guidance to prefer GCM over CBC
- MS-3: Add Windows Update 0x80072EFE reference
- MS-4: Add service-specific TLS retirement enforcement references (ARM, App Gateway)

Low-Severity/Editorial (LS):
- LS-1: Update terminology to Microsoft Entra ID (formerly Azure AD)
- LS-2: Add Service Fabric port reference table (19080/19079/19000/19081)
- LS-3: Add full ARM examples for LB rule + NSG for token auth port 19079
- LS-4: Add comprehensive rollback plan section

All changes based on authoritative Microsoft Learn documentation including:
- TLS version supported by Azure Resource Manager
- How to migrate to TLS 1.3 for Service Fabric
- TLS registry settings
- Application Gateway TLS policy overview
- Add TLS 1.3 configuration to vmss-cse-tls.ps1 script
- Remove undocumented Option 3 per-exe registry configuration
- Add PowerShell equivalent for Azure CLI cluster rollback command
- Add API reference links for enableHttpGatewayExclusiveAuthMode and httpGatewayTokenAuthEndpointPort
- Update rollback procedures to use reg.exe and Azure VMSS-specific restart commands
- Add executive summary with quick start guide and critical requirements
- Consolidate redundant content (removed ~67 lines of duplicate prerequisites, port tables, backup commands)
- Align document with Azure VMSS best practices (CSE-based configuration, model updates)
- Correct VMSS deployment guidance to focus on Custom Script Extension during instance provisioning
- Clarify that Service Fabric manages upgrade orchestration, not VMSS upgrade policy
- Remove rollback plan section per user request
- Convert all registry commands to reg.exe syntax for cleaner command-line interface
- Replace .reg file format with reg add/query/delete commands throughout
- Update troubleshooting commands to use reg.exe consistently

Technical review feedback applied:
- All critical, high, medium, and low severity issues addressed
- PowerShell/Azure CLI command parity achieved
- Microsoft Learn API documentation references added
- Azure VMSS best practices documented
- Proper extension sequencing for CSE before Service Fabric extension
- Configuration as code approach emphasized
…bricClusterManifest for Azure cluster compatibility

- Get-ServiceFabricClusterConfiguration only works with standalone clusters
- Get-ServiceFabricClusterManifest works with both Azure (Classic and Managed) and standalone clusters
- Updated troubleshooting section 'TLS 1.3 Not Working' step 4
- Validated all commands against live Azure Classic VMSS cluster
- Added -NoRestart switch parameter to suppress automatic reboot
- Useful for testing, scheduled maintenance, or orchestration-managed reboots
- Script still logs warning that reboot is required for changes to take effect
- Updated script version from v1.0 to v1.1
- Updated TLS Configuration.md to document new parameter and other script options
- Reboot remains randomized (30-600 seconds) when not suppressed for cluster safety
Add -RandomizeRestart parameter to make the 30-600 second reboot delay optional.
Default behavior changed to 10-second delay (no randomization) because CSE runs
during instance provisioning before nodes join the cluster, where coordinated
reboot timing is unnecessary.

Use -RandomizeRestart for large cluster operations where staggered reboots are
desired to prevent thundering herd scenarios.

Updated documentation with parameter guidance.
Version bumped to v1.2.
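The commit messages above describe a Custom Script Extension script that writes the Schannel protocol settings with reg.exe, prefers OS defaults for TLS 1.3, checks the cipher suite set, and then handles the reboot with -NoRestart and -RandomizeRestart switches. The script below is an added example of that pattern, not the PR's vmss-cse-tls.ps1 and not Microsoft documentation; it is meant to be run as administrator on a Windows Server 2022 node. The -ForceEnableTls13 switch, the helper names and the exact verification rules are assumptions.

```powershell
<#
  Added example (not the PR's vmss-cse-tls.ps1): CSE-style node script that
  disables TLS 1.0/1.1 with reg.exe, leaves TLS 1.3 at the Windows Server 2022
  default unless explicitly asked, verifies the result, and reboots.
#>
[CmdletBinding()]
param(
    [switch]$NoRestart,          # log that a reboot is pending instead of rebooting
    [switch]$RandomizeRestart,   # 30-600 s stagger for re-runs across a live cluster
    [switch]$ForceEnableTls13    # assumed switch: write explicit TLS 1.3 keys instead of trusting OS defaults
)

$schannel = 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-RegDword([string]$Key, [string]$Name, [int]$Value) {
    & reg.exe add $Key /v $Name /t REG_DWORD /d $Value /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg add failed for $Key\$Name" }
}

function Get-RegDword([string]$Key, [string]$Name) {
    # reg query prints "    Name    REG_DWORD    0x1"; $null means the value is absent.
    $out = & reg.exe query $Key /v $Name 2>$null
    if ($LASTEXITCODE -ne 0) { return $null }
    foreach ($line in $out) {
        if ($line -match "^\s*$([regex]::Escape($Name))\s+REG_DWORD\s+0x([0-9a-fA-F]+)") {
            return [Convert]::ToInt32($Matches[1], 16)
        }
    }
    return $null
}

# TLS 1.0 and 1.1 are being retired (the PR cites 31 Aug 2025): disable both roles.
foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
    foreach ($role in 'Server', 'Client') {
        Set-RegDword "$schannel\$proto\$role" 'Enabled' 0
        Set-RegDword "$schannel\$proto\$role" 'DisabledByDefault' 1
    }
}

# Windows Server 2022 enables TLS 1.3 by default, so the preferred state is "keys absent".
# Only write them when the caller insists, e.g. after an earlier hardening script disabled them.
if ($ForceEnableTls13) {
    foreach ($role in 'Server', 'Client') {
        Set-RegDword "$schannel\TLS 1.3\$role" 'Enabled' 1
        Set-RegDword "$schannel\TLS 1.3\$role" 'DisabledByDefault' 0
    }
}

# Verify: TLS 1.0/1.1 must read Enabled=0; TLS 1.3 must be absent (default) or Enabled=1.
$problems = @()
foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
    foreach ($role in 'Server', 'Client') {
        if ((Get-RegDword "$schannel\$proto\$role" 'Enabled') -ne 0) { $problems += "$proto $role still enabled" }
    }
}
$tls13 = Get-RegDword "$schannel\TLS 1.3\Server" 'Enabled'
if ($null -ne $tls13 -and $tls13 -eq 0) { $problems += 'TLS 1.3 Server explicitly disabled' }
if ($problems) { throw ($problems -join '; ') }

# Cipher suites: the TLS 1.3 AEAD suites must be present; DHE, 3DES and RC4 families should be gone.
# (_DHE_ does not match the ECDHE suites, which are the ones to keep.)
$suites  = (Get-TlsCipherSuite).Name
$missing = 'TLS_AES_256_GCM_SHA384', 'TLS_AES_128_GCM_SHA256' | Where-Object { $_ -notin $suites }
$bad     = $suites | Where-Object { $_ -match 'RC4|3DES|_DHE_|NULL' }
if ($missing) { Write-Warning "TLS 1.3 suites missing: $($missing -join ', ')" }
if ($bad)     { Write-Warning "Deprecated suites still enabled: $($bad -join ', ')" }

# Schannel reads these keys at boot, so the node has to restart for them to take effect.
if ($NoRestart) {
    Write-Warning 'TLS settings written; a reboot is required for them to take effect (suppressed by -NoRestart).'
    return
}
# During CSE provisioning the node has not joined the cluster yet, so a short fixed delay is enough.
# -RandomizeRestart staggers reboots when the script is re-run across an existing cluster.
$delay = if ($RandomizeRestart) { Get-Random -Minimum 30 -Maximum 601 } else { 10 }
Write-Output "Restarting in $delay seconds"
Start-Sleep -Seconds $delay
Restart-Computer -Force
```

The cipher suite check is a warning rather than a failure on purpose: the suite list is controlled by the SSL Cipher Suite Order policy, not by these protocol keys, so a stray 3DES or DHE suite is something to fix in policy, and failing the extension would leave the instance stuck in provisioning.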
@jagilber jagilber marked this pull request as ready for review December 8, 2025 17:01