
Inquiry on TLS 1.2 Cipher Suite Compatibility and Possible Extension for Azure Storage

PANNARAT, MASSATRON 0 Reputation points
2026-04-29T15:07:31.6833333+00:00

Dear Azure Support Team,

We have noticed the following notification on our Azure Storage account:

“Storage retired support for TLS 1.0 and 1.1 on February 3, 2026. Please upgrade your minimum TLS version to 1.2.”

Based on this message, we would like to seek clarification regarding the impact on our existing embedded devices.

Currently, our embedded devices support TLS 1.2; however, they are using the following cipher suite:

  • TLS_RSA_WITH_AES_256_CBC_SHA256

We would like to confirm the following points:

Compatibility
Will embedded devices that support TLS 1.2 but use the cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 still be able to connect to Azure Storage and download files after the TLS 1.0/1.1 retirement?

Impact if Not Supported
If this cipher suite is no longer supported by Azure Storage, will the connection or file download fail completely?

Extension / Grace Period
In case the devices are affected, is it possible to request an extension, exception, or temporary grace period to allow continued access while we work on upgrading the firmware and cipher suites on the embedded devices?

Required Actions
If an extension is possible, could you please advise:

  • The required process or request method
  • Any limitations or conditions
  • The recommended cipher suites we should migrate to for long-term compatibility

This information is critical for us, as updating embedded device firmware requires careful planning and deployment.

Thank you very much for your support. We look forward to your guidance.

Azure Blob Storage

An Azure service that stores unstructured data in the cloud as blobs.

3 answers

  1. Ravi Varma Mudduluru 11,235 Reputation points Microsoft External Staff Moderator
    2026-04-29T16:00:28.58+00:00

    Hello @PANNARAT, MASSATRON

    Thank you for reaching out to Microsoft Q&A.

    I understand your concern, especially when embedded device updates require careful planning.

    The good news is that your devices should continue to work with Azure Storage after the retirement of TLS 1.0 and TLS 1.1, as long as they successfully negotiate TLS 1.2.

    Your current cipher suite, TLS_RSA_WITH_AES_256_CBC_SHA256, is a valid TLS 1.2 cipher suite. Since Azure Storage will continue to support TLS 1.2, devices using this cipher suite should still be able to connect and download files, provided the TLS handshake completes successfully.

    If Azure Storage and the client are unable to agree on a mutually supported cipher suite, the TLS handshake will fail. In that case, the connection will be rejected, and any file transfer operation will not proceed.

    Regarding an extension or grace period, Microsoft is retiring support only for TLS 1.0 and TLS 1.1. Since your devices already support TLS 1.2, no exception should be necessary. At this time, Microsoft has not announced any extension program for legacy TLS versions.

    For long-term security and compatibility, Microsoft recommends moving to modern cipher suites that support Perfect Forward Secrecy (PFS), such as:

    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

    As a next step, I recommend validating connectivity from one of your devices after setting the Storage account minimum TLS version to 1.2. If possible, capture the TLS handshake to confirm the negotiated protocol and cipher suite.

    Reference:
    https://learn.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".


  2. Vinodh247 42,206 Reputation points MVP Volunteer Moderator
    2026-04-29T15:38:09.85+00:00

    Hi,

    Thanks for reaching out to Microsoft Q&A.

    Short answer: you have a risk. TLS 1.2 alone is not sufficient; the cipher suite matters.

    Azure Storage no longer guarantees support for legacy RSA key exchange + CBC suites like TLS_RSA_WITH_AES_256_CBC_SHA256. Modern Azure services are moving toward ECDHE + AES-GCM suites for security (forward secrecy + stronger integrity). So your current devices may fail.

    To answer you directly....

    Compatibility: Not guaranteed. Even though your devices use TLS 1.2, the specific cipher suite you mentioned is considered legacy. Many Azure endpoints already reject RSA key exchange–based suites. You should expect connection failures either now or soon.

    Impact if not supported: Yes, it is a hard failure. TLS handshake will fail → no HTTPS connection → file download will not work at all. There is no fallback at application level.

    Extension / grace period: Practically no. Azure Storage does not offer per-account exceptions for weak cipher suites. The TLS 1.0/1.1 retirement is firm, and cipher hardening is platform-wide. You cannot request a temporary allowance for specific cipher suites.

    Required action: You need to upgrade firmware to support modern cipher suites. Minimum recommended:

    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

    If possible, even better to support:

    • TLS_ECDHE_ECDSA_* variants (if you move to ECDSA certs later)

    Bottom line: Your setup is not future-safe. Even if it works today in some regions, it can break without notice. Plan firmware upgrade as a priority.

    If you want, I can help you validate your device handshake against Azure Storage endpoints or suggest a fallback architecture (for example, a proxy layer to bridge old devices).

    Please 'Upvote' (Thumbs-up) and 'Accept' as answer if the reply was helpful. This will benefit other community members who face the same issue.


  3. Jerald Felix 11,550 Reputation points Volunteer Moderator
    2026-04-29T15:36:25.5466667+00:00

    Hello PANNARAT, MASSATRON

    Greetings!

    Thanks for raising this question in the Q&A forum.

    Great news, your devices support TLS 1.2, so you are already on the right protocol version. However, the concern here is specifically about the cipher suite your devices use: TLS_RSA_WITH_AES_256_CBC_SHA256. Let me address each of your points clearly.

    1. Compatibility

    This cipher suite (TLS_RSA_WITH_AES_256_CBC_SHA256) is a non-forward-secret cipher — it does not support Perfect Forward Secrecy (PFS). Microsoft has been progressively tightening Azure Storage's accepted cipher suites to favor stronger, PFS-enabled ones. While this cipher may still work today, it is considered weak by modern security standards and may be dropped by Azure Storage in a future update without much notice. You should treat this as an urgent firmware upgrade item.

    2. Impact if Not Supported

    Yes, if Azure Storage stops accepting this cipher suite, the TLS handshake will fail completely and your embedded devices will be unable to connect or download any files. There will be no partial access; it's an all-or-nothing TLS handshake.

    3. Extension / Grace Period

    Microsoft does not offer formal per-customer cipher suite exceptions or grace periods for Azure Storage, as these are platform-wide security decisions. The TLS 1.0/1.1 retirement already happened on February 3, 2026 with no rollback. The recommended path forward is to plan your firmware upgrade proactively.

    4. Recommended Actions

    Here's what you should do right now:

    Step 1: Test connectivity today
    Verify whether your devices can currently reach Azure Storage using their existing cipher suite. You can use a tool like openssl or nmap to simulate the TLS handshake from a test environment:

    openssl s_client -tls1_2 -connect <yourstorageaccount>.blob.core.windows.net:443 -cipher "AES256-SHA256"

    If it connects, you still have time. If it fails, the cipher is already blocked.

    Step 2: Plan firmware upgrade
    Prioritize updating your embedded device firmware to support one of these recommended cipher suites that are modern, secure, and PFS-enabled:

    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

    Step 3: Open an Azure Support Ticket
    While a formal extension is unlikely, if your business impact is significant, raise a support request at the Azure Portal under your Storage account. Go to: Azure Portal → Your Storage Account → Support + Troubleshooting → New Support Request. Explain your embedded device constraints — Microsoft support can at least give you an official confirmation of the current cipher suite support status.

    Step 4: Monitor Microsoft announcements
    Keep an eye on the official Azure Storage TLS guidance page at https://aka.ms/azurestoragetls for any updates on cipher suite retirement timelines.

    The safest long-term solution is to move your embedded devices to a supported PFS cipher suite as soon as possible, as relying on weaker cipher suites poses a security risk beyond just compatibility.

    If this answer helps you kindly accept the answer which will help others who have similar questions.

    Best Regards,

    Jerald Felix.
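
Added example (not part of any answer above and not Microsoft code): the first answer suggests capturing the handshake and the last answer's Step 1 tests it with openssl; this sketch reads the first TLS record the server sends back and reports either the negotiated version and suite or the rejecting alert. The function name and the sample records are constructed for illustration.

```python
import struct

# IANA code points for the suites named on this page; flag = forward-secret key exchange.
SUITES = {
    0x003D: ("TLS_RSA_WITH_AES_256_CBC_SHA256", False),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", True),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", True),
    0xC028: ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", True),
}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
ALERTS = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}

def classify_server_reply(record: bytes) -> dict:
    """Interpret the first TLS record a server returns after the ClientHello."""
    try:
        ctype, _, length = struct.unpack("!BHH", record[:5])
        body = record[5:5 + length]
        if ctype == 21:  # alert record: level byte, then description byte
            return {"result": "rejected", "alert": ALERTS.get(body[1], f"alert_{body[1]}")}
        if ctype != 22 or body[0] != 2:  # expect a handshake record holding a ServerHello
            raise ValueError("not a ServerHello or alert record")
        # ServerHello: type(1) len(3) version(2) random(32) sid_len(1) sid suite(2) comp(1) exts
        version = struct.unpack("!H", body[4:6])[0]
        pos = 39 + body[38]  # skip the variable-length session id
        suite = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 3  # step over cipher suite and compression method
        if pos + 2 <= len(body):  # extensions present
            end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", body[pos:pos + 4])
                if etype == 43 and elen == 2:  # supported_versions carries the real version
                    version = struct.unpack("!H", body[pos + 4:pos + 6])[0]
                pos += 4 + elen
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated TLS record") from exc
    name, pfs = SUITES.get(suite, (f"0x{suite:04X}", None))
    return {"result": "negotiated", "version": VERSIONS.get(version, hex(version)),
            "suite": name, "forward_secret": pfs}

# Constructed sample records (not captured traffic): a TLS 1.2 ServerHello selecting
# 0x003D with an all-zero random, and a fatal handshake_failure alert.
_hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x3d" + b"\x00"
SAMPLE_HELLO = (b"\x16\x03\x03" + struct.pack("!H", len(_hello) + 4)
                + b"\x02" + len(_hello).to_bytes(3, "big") + _hello)
SAMPLE_ALERT = b"\x15\x03\x03\x00\x02\x02\x28"

if __name__ == "__main__":
    print(classify_server_reply(SAMPLE_HELLO))
    print(classify_server_reply(SAMPLE_ALERT))
```

Feed it the raw bytes of the server's first record from a packet capture taken next to the device; a server that closes the connection without sending an alert produces no record to classify.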

