TLS 1.3 Preview Now Available in Azure API Management (2024)

Azure API Management introduced TLS 1.3 support in the V1 and V2 tiers during the initial week of February 2024. As reported, the rollout will occur progressively across regions. Inbound traffic for both V1 and V2 tiers will inherently support TLS 1.3 for incoming requests from API clients.

As reported, outbound traffic in V1 tiers will require manual activation of TLS 1.3, while V2 tiers will receive outbound TLS 1.3 support in a subsequent update. Additionally, an update will be released in the coming weeks to allow enabling or disabling ciphers for outbound traffic through various channels such as the Azure Portal, ARM API, CLIs, and SDKs.

TLS 1.3 is the latest version of the most widely used security protocol on the internet. It secures the communication channel between two endpoints by encrypting data, removes outdated cryptographic algorithms, improves security over older versions, and encrypts as much of the handshake as possible.

Unlike previous versions, TLS 1.3 ensures confidentiality in client authentication without the need for additional round trips or CPU costs. At the same time, it enhances security measures significantly.

According to Microsoft, integrating API clients or services with the TLS 1.3 protocol should not pose any issues for those using client libraries such as browsers or .NET HTTP clients. However, clients that configure TLS handshakes manually when connecting to Azure API Management should be reviewed to ensure compatibility with TLS 1.3.

Developers are strongly encouraged to test TLS 1.3 in their applications and services. The simplified list of supported cipher suites reduces complexity and guarantees specific security features such as forward secrecy (FS).
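One way to run that test from the client side, as an added example that is not part of the original article or Microsoft's tooling: a Python probe that pins the handshake to TLS 1.2 only and then to TLS 1.3 only, and reports what the gateway negotiates. The function names and verdict strings are illustrative assumptions, and the gateway hostname is supplied on the command line.

```python
import socket
import ssl
import sys

VERSIONS = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)

def pinned_context(version):
    """Client context that will negotiate exactly one TLS version."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx

def probe(host, port=443, timeout=5.0):
    """One handshake per pinned version; returns {version_name: (protocol, detail)}."""
    results = {}
    for version in VERSIONS:
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with pinned_context(version).wrap_socket(raw, server_hostname=host) as tls:
                    results[version.name] = (tls.version(), tls.cipher()[0])
        except OSError as exc:  # covers ssl.SSLError, timeouts, refused connections
            results[version.name] = ("failed", type(exc).__name__)
    return results

def verdict(results):
    """Summarize which pinned handshakes the endpoint accepted."""
    ok12 = results["TLSv1_2"][0] == "TLSv1.2"
    ok13 = results["TLSv1_3"][0] == "TLSv1.3"
    if ok12 and ok13:
        return "TLS 1.2 and TLS 1.3 both accepted"
    if ok13:
        return "TLS 1.3 only"
    if ok12:
        return "TLS 1.2 only"
    return "no handshake succeeded"

if __name__ == "__main__":
    host = sys.argv[1]  # gateway hostname, supplied by the caller
    results = probe(host)
    for name, (protocol, detail) in results.items():
        print(f"{name}: {protocol} ({detail})")
    print(verdict(results))
```

A client that hard-codes its own protocol or cipher settings can be checked the same way by replacing `pinned_context` with the context that client actually uses.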

Regarding the impact of TLS 1.3 on API clients, Fernando Mejia from Microsoft stated the following:

We do not expect TLS 1.3 support to negatively impact customers. TLS 1.2 clients will continue to work as expected. However, client certificate renegotiation is not allowed with TLS 1.3; if your Azure API Management instance relies on client certificate renegotiation for receiving and validating client certificates, your instance of API Management will not be updated to enable TLS 1.3 by default and will default to TLS 1.2 to avoid any impact on your API clients.

The protocol enables encryption earlier in the handshake, providing better confidentiality and preventing interference from poorly designed middle boxes. TLS 1.3 encrypts the client certificate, so client identity remains private, and renegotiation is not required for secure client authentication.

In addition to the announcement, the original blog post includes an informative FAQ section addressing common questions from the community regarding the addition of TLS 1.3 support. One such question is, "What to expect with the initial TLS 1.3 (preview) support?"

Beginning February 5th, some customers may begin to see incoming client requests using TLS 1.3 handshakes if the clients also support TLS 1.3. Customers using Azure API Management will not have control over when the update arrives; it will be part of a general release. You can expect these TLS 1.3 handshakes to stabilize by the end of March 2024.

Lastly, Microsoft encourages users to provide feedback on the TLS 1.3 preview in Azure API Management. For questions, users can seek answers from community experts on Microsoft Q&A. Also, users with support plans requiring technical assistance can create a support request using Azure Portal.

About the Author

Almir Vuk

FAQs

Is TLS 1.3 available in Azure?

Azure Storage has started to enable TLS 1.3 support on public HTTPS endpoints across its platform globally to align with security best practices. Azure Storage currently supports TLS 1.0, 1.1 (scheduled for deprecation by November 2024), and TLS 1.2 on public HTTPS endpoints.

How to check if TLS 1.3 is enabled?

Troubleshooting Tip: how to enable TLS 1.3 in Windows 10
  1. Open the 'Run' window by pressing 'Win + R' and type 'regedit' to launch the Registry Editor.
  2. Browse to 'Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' and double-click on 'Enabled'.
Oct 6, 2023

Should TLS 1.3 be enabled?

Many of the major vulnerabilities in TLS 1.2 had to do with older cryptographic algorithms that were still supported. TLS 1.3 drops support for these vulnerable cryptographic algorithms, and as a result it is less vulnerable to cyber attacks.

How do I check my TLS version in Azure App Service?

On the "TLS/SSL settings" page select the Bindings tab, scroll down and under the "Protocol Settings" check the "Minimum TLS Version".

What is minimum TLS version in Azure?

It's generally recommended for customers to use TLS 1.2 or above as the minimum TLS version. When creating a web app, the default minimum TLS version would be TLS 1.2.

How do I enable TLS 1.3 on my web server?

To enable TLS 1.3, you can use the Registry Editor on your Windows Server. You will need to navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3 key. If this key does not exist, you can create it. Under the TLS 1.3 key, create a subkey named "Server".

Is TLS 1.3 supported by all browsers?

TLS 1.3 protocol has improved latency over older versions, has several new features, and is currently supported in both Chrome (starting with release 66), Firefox (starting with release 60), and in development for Safari and Edge browsers.

How can I check my TLS status?

For Chrome
  1. Open the Developer Tools (Ctrl+Shift+I)
  2. Select the Security tab.
  3. Navigate to the WebAdmin or Cloud Client portal.
  4. Under Security, check the results for the section Connection to check which TLS protocol is used.
Jul 5, 2024

Does TLS 1.3 require a new certificate?

TLS V1.3 no longer supports DSA or DH certificates. If the certificates currently being used in your environment do not adhere to these TLS V1.3 requirements, new RSA or ECC certificates must be obtained from the certificate authority (CA) and installed in the certificate repository to allow for successful TLS V1.

Is TLS 1.3 still experimental?

IT'S OFFICIAL: THE TLS UPGRADE IS HERE

TLS 1.3 has been approved by the Internet Engineering Task Force (IETF).

How do I update my TLS version?

Under TLS Versions, you will see the TLS protocol version(s) currently selected. To update the protocol, simply click edit. Next, choose your desired protocol based on your requirements and hit Save Changes. Please note that you can not disable TLS v1.

How does TLS 1.3 affect network based security?

TLS 1.3 has fewer handshake messages to initiate the connection between devices, which are also encrypted. This accelerates the setup process but also limits the information visible to security devices that do not carry out decryption.

How do I change TLS settings in Azure?

Navigate to your storage account in the Azure portal. Under Settings, select Configuration. Under Minimum TLS version, use the drop-down to select the minimum version of TLS required to access data in this storage account.

How do you check if TLS 1.3 is enabled on website?

Under "Protocol Support," you'll see a list of all TLS versions, from TLS 1.0 to TLS 1.3. Your browser's supported versions are labeled "Enabled" with a green checkmark. If you're using a privacy-focused browsing extension or add-on like Privacy Badger, disable it and reload the page.

How to check TLS version in Azure database?

The client_tls_version_n Field in Azure SQL Auditing

This field records the version of the TLS protocol used by the client when establishing a connection to the Azure SQL Database.

Is TLS 1.3 supported in AWS?

TLS 1.3 is available on API Gateway in all AWS Regions, including the AWS GovCloud (US) Regions. Please visit the API Gateway documentation to learn more.

How do I enable TLS 1.2 in Azure?

Follow these steps:
  1. In the Azure portal, search for and select Microsoft Entra ID.
  2. In the Overview page menu, select Sign-in logs.
  3. Select a sign-in log entry for a user.
  4. Select the Additional details tab. ...
  5. Check for a Legacy TLS (TLS 1.0, 1.1, or 3DES) value that's set to True.
Apr 11, 2024

Which TLS version does Azure AD Connect use?

TLS has gone through many iterations, with version 1.2 being defined in RFC 5246. Microsoft Entra Connect version 1.2.65.0 and later now fully support using only TLS 1.2 for communications with Azure. This article provides information about how to force your Microsoft Entra Connect server to use only TLS 1.2.

What versions of TLS are available?

History and development

Protocol | Published | Status
TLS 1.0 | 1999 | Deprecated in 2021 (RFC 8996)
TLS 1.1 | 2006 | Deprecated in 2021 (RFC 8996)
TLS 1.2 | 2008 | In use since 2008
TLS 1.3 | 2018 | In use since 2018

Article information

Author: Pres. Carey Rath
