How do I configure Perfect Forward Secrecy in Windows Azure (OS, or Websites)

Question

I want to move my website to Windows Azure, but need to make sure that I\'m using PFS on all my instances and roles. (regular web roles and Websites as well)

How do

Answer 1

I believe that forcing PFS from the server side required a registry change. This can be achieved for Web Roles using a start up script as described here

Given the need to change the registry, I don't think this is possible for Windows Azure Websites.

Answer 2

This excellent article by André N. Klingsheim explains detailed options for hardening the SSL/TLS configuration on Windows Server and Windows Azure. This includes

• Disabling SSL
• Enabling TLS
• Changing Cipher Suite Priorities

The author additionally provides a NuGet package as well as related source code for handling these updates during Azure role startup.

If you want to enforce (perfect) forward secrecy over just enabling it you will probably want to disable all cipher suites not supporting that. Looking at the relevant powershell script all TLS_RSA_*-suites need to be removed from $preferredCipherSuites. Note that this will drop compatibility with some (mostly legacy) browsers/clients.

Please also see this answer that contains several resources on cipher suite recommendations.