Background: I have an Azure App Gateway with the Web Application Firewall that is fronting an Azure App Service for HTTP traffic.
Issue: Visiting the public URL of my web app in IE works fine, but in Chrome I get the error ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY.
What is the general cause?
According to this article,
“By default, IIS 10.0 (which is installed on Windows 2016 by default) has HTTP/2 enabled. This is not supported in the current default configuration of Google Chrome and Mozilla Firefox.”
I can confirm, by going to the Azure Web App Kudu Advanced Tool, that the web app is hosted in IIS 10.0.
Go to your Azure Application Gateway > Listeners
Let’s look at the SSL Policy configuration
“An SSL policy offers control over the SSL protocol version as well as which ciphers are used during SSL handshakes. You can choose from one of the predefined security policies or create a custom security policy based on your security requirements. If you don’t specify an SSL policy, the default policy will be used for your gateway.” – as displayed in Azure Portal
Under SSL Policy, change the setting from Custom to Predefined.
For Policy name, I choose AppGWSslPolicy20170401.
What is a Cipher suite?
According to https://docs.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel,
“A cipher suite is a set of cryptographic algorithms. The schannel SSP implementation of the TLS/SSL protocols use algorithms from a cipher suite to create keys and encrypt information.”
To validate, open the URL in Chrome; it should load the web application as expected.
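To check the listener without a browser, the script below (an added example, not part of the original post) offers HTTP/2 via ALPN and reports whether the negotiated TLS version and cipher suite satisfy the HTTP/2 transport rules in RFC 7540 section 9.2, which is the condition Chrome reports as ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY. The function names are my own, the cipher test is a heuristic on OpenSSL suite names (ephemeral key exchange plus AEAD) rather than the exact RFC blacklist, and the hostname is whatever you pass on the command line.

```python
import socket
import ssl
import sys

OLD_TLS = ("SSLv3", "TLSv1", "TLSv1.1")
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")  # substrings of OpenSSL AEAD suite names

def h2_transport_problems(alpn, tls_version, cipher):
    """Reasons this TLS session is inadequate for HTTP/2 (empty list = fine)."""
    if alpn != "h2":
        return []  # HTTP/2 was not negotiated, so its TLS rules do not apply
    problems = []
    if tls_version in OLD_TLS:
        problems.append(f"{tls_version} is below TLS 1.2")
    if tls_version == "TLSv1.3":
        return problems  # every TLS 1.3 suite is AEAD with ephemeral keys
    if not cipher.startswith(("ECDHE-", "DHE-")):
        problems.append(f"{cipher}: no ephemeral key exchange")
    if not any(m in cipher for m in AEAD_MARKERS):
        problems.append(f"{cipher}: not an AEAD cipher")
    return problems

def probe(host, port=443, timeout=5.0):
    """Handshake offering h2 via ALPN; return (alpn, tls_version, cipher_name)."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.selected_alpn_protocol(), tls.version(), tls.cipher()[0]

if __name__ == "__main__":
    host = sys.argv[1]  # hostname of your gateway listener
    alpn, version, cipher = probe(host)
    print(f"{host}: alpn={alpn} tls={version} cipher={cipher}")
    issues = h2_transport_problems(alpn, version, cipher)
    for issue in issues:
        print("  inadequate for HTTP/2:", issue)
    sys.exit(1 if issues else 0)
```

Python's OpenSSL offers a different cipher list than Chrome does, so the suite the gateway selects here can differ from the one the browser gets; run it before and after changing the SSL policy and compare the output.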