Issue Resolution: App Gateway returning ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY in Chrome

Background: I have an Azure App Gateway with the Web Application Firewall that is fronting an Azure App Service for HTTP traffic.

Issue: Visiting the public URL of my web app in IE works fine, but in Chrome I get the error ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY.

What is the general cause?

According to this article,
“By default, IIS 10.0 (which is installed on Windows 2016 by default) has HTTP/2 enabled. This is not supported in the current default configuration of Google Chrome and Mozilla Firefox.”

I can confirm, by going to the Azure Web App Kudu Advanced Tool, that the web app is hosted in IIS 10.0.

Resolution:

Go to your Azure Application Gateway > Listeners

Let’s look at the SSL Policy configuration

“An SSL policy offers control over the SSL protocol version as well as which ciphers are used during SSL handshakes. You can choose from one of the predefined security policies or create a custom security policy based on your security requirements. If you don’t specify an SSL policy, the default policy will be used for your gateway.” – as displayed in Azure Portal

Under SSL Policy, change the setting from Custom to Predefined.
I choose AppGWSslPolicy20170401 as the Policy name.

What is a Cipher suite?

According to https://docs.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel,
“A cipher suite is a set of cryptographic algorithms. The schannel SSP implementation of the TLS/SSL protocols use algorithms from a cipher suite to create keys and encrypt information.”

To validate, open the URL in the Chrome browser; it should load the web application as expected.
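The validation step can also be done from a script that reports what the gateway listener actually negotiates. This is an added example, not code from the original post; it assumes the Chrome error corresponds to the HTTP/2 TLS requirements in RFC 7540 section 9.2 (TLS 1.2 or later, ephemeral key exchange, AEAD cipher), and the function names and sample tuples are constructed for illustration.

```python
import socket
import ssl
import sys

AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")   # AEAD modes in OpenSSL cipher names
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-")     # forward-secret key exchanges


def http2_tls_problems(version, cipher, alpn):
    """Return reasons the negotiated parameters fail RFC 7540 section 9.2."""
    if alpn != "h2":
        return []            # HTTP/1.1 was negotiated: the HTTP/2 rules do not apply
    if version in ("SSLv3", "TLSv1", "TLSv1.1"):
        return [f"{version} is below the TLS 1.2 minimum for HTTP/2"]
    if version == "TLSv1.3":
        return []            # every TLS 1.3 suite is AEAD with ephemeral keys
    problems = []
    if not cipher.startswith(EPHEMERAL_PREFIXES):
        problems.append(f"{cipher}: key exchange is not ephemeral (ECDHE/DHE)")
    if not any(marker in cipher for marker in AEAD_MARKERS):
        problems.append(f"{cipher}: not an AEAD cipher (GCM/CCM/ChaCha20)")
    return problems


def probe(host, port=443, timeout=5.0):
    """Handshake with host, offering h2, and return (version, cipher, alpn)."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0], tls.selected_alpn_protocol()


# Constructed samples (not captured from a real gateway).
SAMPLES = [
    ("TLSv1.2", "ECDHE-RSA-AES256-SHA384", "h2"),      # ephemeral, but CBC
    ("TLSv1.2", "AES256-GCM-SHA384", "h2"),            # AEAD, but static RSA
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", "h2"),  # meets both rules
    ("TLSv1.2", "AES256-SHA", "http/1.1"),             # no h2, rules not applied
]

if __name__ == "__main__":
    # Pass the public hostname as an argument to probe it; otherwise use SAMPLES.
    rows = [probe(sys.argv[1])] if len(sys.argv) > 1 else SAMPLES
    for version, cipher, alpn in rows:
        issues = http2_tls_problems(version, cipher, alpn)
        print(version, cipher, alpn, "->", "; ".join(issues) or "ok for HTTP/2")
```

The probe reports the suite chosen from what Python's default context offers, which can differ from the suite chosen for Chrome's offer, so run it before and after the SSL policy change and compare.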
