At the end of October, we announced that Azure would begin disabling support for SSL 3.0 starting December 1, 2014 in response to an industry-wide vulnerability in SSL 3.0, commonly known as POODLE. Today, we are providing an update and additional information for customers on upcoming changes.
Completed Services
Azure Websites
SSL 3.0 has been disabled across Azure Websites. This no longer requires customer configuration changes.
Additional Services
Azure engineering teams have disabled SSL 3.0 support on the following services:
- Azure Portal
- Azure Preview Portal
- Azure Service Bus
Pending Services
Azure Cloud Service (Web Roles and Worker Roles)
The January 2015 Guest OS release will have SSL 3.0 disabled by default. This image will start deploying to customers configured for automatic Guest OS updates shortly after January 13, 2015. Customers wishing to enable SSL 3.0 may do so by using startup tasks.
Azure Virtual Machines
Windows Server
Azure Infrastructure as a Service (IaaS) images utilizes standard Windows Server, which means SSL 3.0 will continue to be enabled by default for new deployments. Customers wishing to disable SSL 3.0 in new or existing IaaS deployments may do so by following the guidance in Security Advisory 3009008.
Linux
Refer to your Linux distribution’s publisher for more information regarding plans to disable or deprecate SSL 3.0.
Remaining Azure Services
Remaining Azure services will disable support for SSL 3.0 in the coming months.