Azure Storage Blog

TLS 1.3 requests are supported for Azure Storage (ability to set min TLS version as 1.3 is upcoming)

SrikumarV
Microsoft
Jan 18, 2024

TLS 1.3 requests are supported for Azure Storage in all regions. This blog provides additional guidance on how to prepare for TLS 1.3 support for Azure Storage and for the upcoming support for setting the minimum TLS version to TLS 1.3.

TLS 1.3 introduces substantial enhancements over its predecessors, in both performance and security: a faster handshake (one round trip instead of two) and a streamlined set of stronger AEAD cipher suites, namely TLS_AES_256_GCM_SHA384 and TLS_AES_128_GCM_SHA256. Notably, TLS 1.3 enforces Perfect Forward Secrecy (PFS) by removing the key exchange algorithms that do not provide it (static RSA and static Diffie-Hellman), so a full handshake always uses ephemeral (EC)DHE key agreement. Azure Storage currently supports TLS 1.3, TLS 1.2, TLS 1.1 and TLS 1.0 on public HTTPS endpoints. (TLS 1.0 and 1.1 support will be removed starting Nov 2025.)

Clients that negotiate the highest TLS version they support will automatically pick TLS 1.3 now that it is available. If you need more time to move to TLS 1.3, you can continue to use TLS 1.2 by controlling the TLS negotiation through client configuration (see the mitigation options below).

Support for setting the minimum TLS version to 1.3 for Azure Storage is upcoming. Until that support is available, the recommended minimum TLS version setting for Azure Storage is TLS 1.2, which accepts both TLS 1.2 and TLS 1.3 requests.

We have outlined below the known issues with TLS 1.3 enablement, their potential impact, and the mitigations.

Known Issues, impact and mitigation

JDK-related issues:

Certain Java clients can experience high latencies, timeouts, and connections that hang for extended periods due to bugs in the Java HTTP stack. The issue manifests primarily in applications with high request concurrency. The bugs are [JDK-8293562] and [JDK-8208526]. The major JDK versions that carry the fixes are:

  1. JDK 11 (> 11.0.17)
  2. JDK 17 (> 17.0.6)
  3. JDK 21

The following categories of clients could be affected while using TLS 1.3:

  1. Clients that run on JDK versions without the fixes listed above.
  2. Client tools like WASB and the Azure Storage SDK for Java < v12 running on a JDK version without the fix. (Note: ABFS and the Azure Storage SDK for Java v12 and later are not impacted.)

Mitigation options for JDK issues:

Option 1: (Recommended) Upgrade your application to one of the fixed JDK versions listed above, or to the latest Azure Storage SDK for Java. You can refer to the following link to get the latest recommended SDK versions.

Option 2: (Short-term workaround) We understand it might not always be possible to upgrade to the latest SDK version. While you move your application to the latest SDK version, the issue can be mitigated by restricting the client's enabled TLS protocols to TLS 1.2, so that TLS 1.3 is never negotiated.

There are two ways to accomplish this:

  1. Setting system properties when invoking the Java application:
    java -Djdk.tls.client.protocols=TLSv1.2 -Dhttps.protocols=TLSv1.2 -jar ...

  2. Setting system properties in code, before the first TLS connection is opened (the property names carry no "D" prefix; "-D" is only the command-line syntax):
    // jdk.tls.client.protocols is read once when the JSSE provider initializes,
    // so these calls must run before any SSLContext or HttpsURLConnection use.
    System.setProperty("jdk.tls.client.protocols", "TLSv1.2");
    // https.protocols applies to HttpsURLConnection clients.
    System.setProperty("https.protocols", "TLSv1.2");

When your applications are ready to work with TLS 1.3, remember to remove these settings. Because the properties are read once at JSSE initialization, the change takes effect only at the next JVM start.
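As an added example, not code from the original post or from the Azure SDK, here is a small Java program that applies the Option 2 workaround in code, verifies that TLSv1.3 has really been removed from the client's enabled protocol list (the common mistake is calling System.setProperty after the JSSE provider has already initialized, which silently does nothing), and optionally makes one handshake against a storage endpoint to show which version is actually negotiated. The class name TlsCapCheck, the --no-cap switch and the <account>.blob.core.windows.net placeholder are assumptions; the property names and JSSE calls are the JDK's own.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.util.Arrays;
import java.util.List;

// Added example (not from the original post): apply the Option 2 cap in code,
// verify it took effect, and optionally check what a storage endpoint really
// negotiates. The class name and the --no-cap switch are assumed names.
public class TlsCapCheck {

    // Property names exactly as the JDK reads them: no "D" prefix, because
    // "-D" is only the command-line flag syntax.
    static final String JSSE_PROTOCOLS = "jdk.tls.client.protocols";
    static final String HTTPS_PROTOCOLS = "https.protocols";

    // Restrict the client to TLSv1.2. jdk.tls.client.protocols is consumed
    // once when SunJSSE initializes, so this must run before the first
    // SSLContext or HttpsURLConnection use anywhere in the JVM.
    static void capClientAtTls12() {
        System.setProperty(JSSE_PROTOCOLS, "TLSv1.2");
        System.setProperty(HTTPS_PROTOCOLS, "TLSv1.2");
    }

    // Protocol versions the default SSLContext will offer in a ClientHello.
    // Client mode must be set first: a fresh engine carries the server-side
    // defaults, which jdk.tls.client.protocols does not govern.
    static List<String> enabledClientProtocols() throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(true);
        return Arrays.asList(engine.getEnabledProtocols());
    }

    // One TLS handshake against host:443, returning the version the server
    // chose ("TLSv1.3" or "TLSv1.2"). Needs network access.
    static String negotiatedProtocol(String host) throws Exception {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, 443)) {
            socket.startHandshake();
            return socket.getSession().getProtocol();
        }
    }

    // Usage: java TlsCapCheck [--no-cap] [<account>.blob.core.windows.net]
    public static void main(String[] args) throws Exception {
        List<String> argv = Arrays.asList(args);
        boolean applyCap = !argv.contains("--no-cap");
        String host = argv.stream().filter(a -> !a.startsWith("--")).findFirst().orElse(null);

        if (applyCap) {
            capClientAtTls12();
        }
        List<String> enabled = enabledClientProtocols();
        System.out.println("Enabled client protocols: " + enabled);

        // If the cap was requested but TLSv1.3 is still offered, something
        // (a static initializer, a framework, an earlier HTTPS call) touched
        // JSSE before capClientAtTls12() ran; use the -D flags instead.
        if (applyCap && enabled.contains("TLSv1.3")) {
            throw new IllegalStateException("TLSv1.3 still enabled: properties were set too late");
        }

        if (host != null) {
            String negotiated = negotiatedProtocol(host);
            System.out.println(host + " negotiated " + negotiated);
            if (applyCap && !"TLSv1.2".equals(negotiated)) {
                throw new IllegalStateException("cap not honoured on the wire: " + negotiated);
            }
        }
    }
}
```

Compile and run with `javac TlsCapCheck.java && java TlsCapCheck`. On JDK 11 and later the uncapped list (`--no-cap`) includes TLSv1.3 and a handshake against your storage account then reports TLSv1.3, while the capped run reports TLSv1.2. Because jdk.tls.client.protocols is read once, removing the cap later means restarting the JVM without the property, not clearing it at runtime.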

 

Portal/Client tools support for storage accounts with minimumTLSVersion set to 1.3

The experience of setting minimumTLSVersion to 1.3 in the Portal and other client tools is in the process of being enabled for storage. While the rollout is in progress, there is a known issue that is being addressed: the Portal and client tool experiences for storage may be degraded when the minimum TLS version is set to 1.3. To avoid this, set the minimumTLSVersion of your storage accounts to TLS 1.2 until the TLS 1.3 minimum-version setting is fully supported. This keeps the Portal and client tools working while still allowing both TLS 1.2 and TLS 1.3 requests to storage, since the minimum version is a floor and TLS 1.3 clients are not turned away.

Help and Support

If you have questions, get answers from community experts in Microsoft Q&A. If you have a support plan and you need technical help, create a support request:

  1. For Issue type, select Technical.
  2. For Subscription, select your subscription.
  3. For Service, select My services.
  4. For Service type, select Blob Storage.
  5. For Resource, select the Azure resource you are creating a support request for.
  6. For Summary, type a description of your issue.
  7. For Problem type, select Connectivity.
  8. For Problem subtype, select Issues using TLS.

Updated Sep 30, 2024
Version 7.0
  • albertozgz
    Copper Contributor

    SrikumarV We found that only 3 components keep using v1.2:

    1. ADF (On-site): AzureDataFactoryCopy FxVersion/4.8
    2. PBI Data Gateway (On-site): Microsoft.Data.Mashup
    3. SRP/1.0

    Cases 1 & 2 can be related to the VM Windows config.

    But why does the Storage Resource Provider (SRP) REST API use the old 1.2 by default?

  • Will_Summers
    Copper Contributor

    How long until we can enable TLS 1.3 as the minimum TLS version on Storage Accounts?