At the end of October, we announced that Azure would begin disabling support for SSL 3.0 starting December 1, 2014 in response to an industry-wide vulnerability in SSL 3.0, commonly known as POODLE. Today, we are providing an update and additional information for customers on upcoming changes.

 

Completed Services

Azure Websites

SSL 3.0 has been disabled across Azure Websites. This no longer requires customer configuration changes.

Additional Services

Azure engineering teams have disabled SSL 3.0 support on the following services:

• Azure Portal
• Azure Preview Portal
• Azure Service Bus

 

Pending Services

Azure Cloud Service (Web Roles and Worker Roles)

The January 2015 Guest OS release will have SSL 3.0 disabled by default. This image will start deploying to customers configured for automatic Guest OS updates shortly after January 13, 2015. Customers wishing to enable SSL 3.0 may do so by using startup tasks.

 

Azure Virtual Machines

Windows Server

Azure Infrastructure as a Service (IaaS) images utilizes standard Windows Server, which means SSL 3.0 will continue to be enabled by default for new deployments. Customers wishing to disable SSL 3.0 in new or existing IaaS deployments may do so by following the guidance in Security Advisory 3009008.

 

Linux

Refer to your Linux distribution’s publisher for more information regarding plans to disable or deprecate SSL 3.0.

Remaining Azure Services

Remaining Azure services will disable support for SSL 3.0 in the coming months.