Announcing the availability of TLS 1.3 in Azure API Management in Preview

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

TLS 1.3 is the latest version of the internet’s most deployed security protocol, which encrypts data to provide a secure communication channel between two endpoints. TLS 1.3 eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the handshake as possible. 

 

In previous TLS versions, client authentication exposed client identity on the network unless it was accomplished via renegotiation, which entailed extra round trips and CPU costs. In TLS 1.3, client authentication is always confidential. 

 

TLS 1.3 in Azure API Management v1 and v2 tiers 

 

TLS 1.3 support in Azure API Management is planned to roll out during the first week of February 2024. The rollout will happen in stages, so some regions will get it before others as we roll out globally. Azure API Management V1 and V2 tiers will support TLS 1.3 by default for inbound traffic (incoming requests from API clients).

 

For outbound traffic (outgoing requests from the API gateway to API backends), V1 tiers will need to enable it manually; for V2 tiers, TLS 1.3 for outbound traffic will come in a later update. In the upcoming weeks we will also release an update to enable or disable ciphers for outbound traffic through the Azure Portal, ARM API, CLIs and SDKs.

 

TLS 1.3 Impact on API Clients 

 

We do not expect TLS 1.3 support to negatively impact customers. TLS 1.2 clients will continue to work as expected. However, client certificate renegotiation is not allowed with TLS 1.3. If your Azure API Management instance relies on client certificate renegotiation to receive and validate client certificates, it will not be updated to enable TLS 1.3 by default and will default to TLS 1.2 to avoid any impact on your API clients.

 

The protocol enables encryption earlier in the handshake, providing better confidentiality and preventing interference from poorly designed middleboxes. TLS 1.3 encrypts the client certificate, so client identity remains private, and renegotiation is not required for secure client authentication.

 

Integrating your API clients or services with TLS 1.3 protocol 

 

If you are using a client library, such as a browser or the .NET HTTP client, the upcoming TLS 1.3 support should not negatively impact you or the clients talking to Azure API Management. However, if, for example, you are manually configuring the TLS handshakes of the clients that connect to Azure API Management, you may want to review those handshakes to ensure compatibility with TLS 1.3.

 

We highly recommend that developers start testing TLS 1.3 in their applications and services. The streamlined list of supported cipher suites reduces complexity and guarantees certain security properties, such as forward secrecy (FS). For more information about TLS 1.3, refer to this Microsoft TLS 1.3 blog post.

 

Help and support 

 

If you have questions, get answers from community experts in Microsoft Q&A. If you have a support plan and you need technical help, create a support request. 

 

  • Click on “Create a support request”.
  • For Summary, type a description of your issue, for example, “TLS 1.3…”.
  • Under Issue type, select Technical.
  • Under Subscription, select your subscription.
  • Under Service, select My services, then select API Management Service.
  • Under Resource, select the Azure resource that you are creating a support request for.
  • For Problem type, select “Authentication and Security”.
  • For Problem subtype, select “SSL/TLS Configurations”.


Frequently Asked Questions 

 

When will TLS 1.3 (preview) support begin and fully roll-out?  

Upcoming TLS 1.3 support is still planned for the beginning of February 2024 and will continue into March 2024. The initial preview support of TLS 1.3 for APIs hosted on Azure API Management began rolling out February 5th. Customers in all regions can expect TLS 1.3 support by March 2024.

   

What should I expect with the initial TLS 1.3 (preview) support?

Beginning February 5th, some customers may begin to see incoming client requests using TLS 1.3 handshakes if the clients also support TLS 1.3. Customers using Azure API Management will not have control over when the update arrives; it will be part of a general release. You can expect these TLS 1.3 handshakes to stabilize by the end of March 2024.

 

Can I use client certificates with TLS 1.3? 

Client certificates and TLS 1.3 work together; however, there are specific scenarios where TLS 1.3 cannot be used together with client certificates:

 

  • When using “Negotiate client certificate” on the Azure Portal “Custom Domains” blade.

 


The scenario above is not supported with TLS 1.3 because it requires renegotiation, which is not allowed with TLS 1.3. If your API Management service uses it, we will not update you to TLS 1.3 by default; TLS 1.2 will remain the maximum supported TLS version by default.

  

What if I am manually configuring TLS handshakes for clients calling into Azure API Management? 

We do not expect TLS 1.3 support to negatively impact customers. However, you may be impacted if you have manually configured the TLS handshakes of the clients connected to Azure API Management. If you are using a client library, such as a browser or the .NET HTTP client, the upcoming TLS 1.3 support should not negatively impact you or the clients talking to Azure API Management. If, however, you are manually configuring the TLS handshakes of the clients that connect to Azure API Management, review those handshakes to ensure compatibility with TLS 1.3. You can also contact support, using the instructions above, to help mitigate the issue.

  

Will there be new cipher suites available? 

The upcoming TLS 1.3 support will add TLS cipher suites to those supported on Azure API Management. This means a newer set of TLS cipher suites will be added to the minimum TLS cipher suite feature. As with the minimum TLS version, we do not recommend setting the minimum TLS cipher suite to a TLS 1.3 cipher suite for your incoming requests before January 2024. There is a risk that this configuration causes connection failures to your web app, or that incoming requests are denied, if TLS 1.3 is intermittently disabled for your web app.
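Added example, not code from the post or from Azure API Management: a standard-library Python check for the handshake review asked for under "Integrating your API clients" and in the FAQ above. It reports why a client's ssl.SSLContext could never negotiate TLS 1.3, lists the TLS 1.3 cipher suites that client would offer, and probe_tls() shows what a server actually negotiated; the host name passed to probe_tls() is assumed.

```python
import socket
import ssl

TLS13 = ssl.TLSVersion.TLSv1_3


def tls13_cipher_suites(ctx: ssl.SSLContext) -> list[str]:
    """Names of the TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) this context offers."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3"]


def tls13_compatibility_issues(ctx: ssl.SSLContext) -> list[str]:
    """Reasons this client context cannot negotiate TLS 1.3; an empty list means OK."""
    issues = []
    if not ssl.HAS_TLSv1_3:
        issues.append("the linked OpenSSL build has no TLS 1.3 support")
    # Legacy OP_NO_* flags still disable a version even if min/max look fine.
    if ctx.options & getattr(ssl, "OP_NO_TLSv1_3", 0):
        issues.append("OP_NO_TLSv1_3 is set, so TLS 1.3 is explicitly disabled")
    mx = ctx.maximum_version
    if mx != ssl.TLSVersion.MAXIMUM_SUPPORTED and mx < TLS13:
        issues.append(f"maximum_version is pinned to {mx.name}; raise it to TLSv1_3")
    if not tls13_cipher_suites(ctx):
        issues.append("no TLS 1.3 cipher suites are enabled on the context")
    return issues


def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with a default, certificate-verifying context and report the result."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            # version() is "TLSv1.3" when the server picked TLS 1.3, else "TLSv1.2"
            return {"version": tls.version(), "cipher": name, "bits": bits}


if __name__ == "__main__":
    import sys

    # Assumed host name, e.g. python tls13_check.py my-apim.azure-api.net
    print(probe_tls(sys.argv[1]))
```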

 

Will there be any difference between V1 tiers and V2 tiers when using TLS1.3? 

Yes, these are the main differences: 

  • V1 tiers (Developer, Standard, Basic, Premium) will receive TLS 1.3 for inbound API clients by default (if you are not using certificate renegotiation) and TLS 1.3 for outbound API backends (which must be activated manually).
  • V2 tiers (BasicV2 and StandardV2) and the Consumption tier will also receive TLS 1.3 for inbound API clients by default. V2 tiers do not support certificate renegotiation. TLS 1.3 for outbound API backends will be released in a future update.
