This article is an update to a previous article that mentioned the upcoming support of TLS 1.3 on App Service. This article will contain:
- Information on the upcoming TLS 1.3 support
- How the TLS 1.3 roll-out may affect your Web Apps, Functions, and Logic Apps
- Callouts regarding TLS 1.3 roll-out that you should be aware of
- Update for Minimum TLS Cipher Suite feature
When will TLS 1.3 (preview) support begin and fully roll-out?
TLS 1.3 upcoming support is still planned for the end of 2023 and will continue into 2024. The initial preview support of TLS 1.3 for resources hosted on App Service, namely web apps, functions, and logic apps, began rolling out October 23rd. Users in US regions can expect TLS 1.3 support by January 2024. We will continue to roll-out TLS 1.3 support worldwide and expect to be done sometime early 2024. We will provide another update when TLS 1.3 has been fully rolled out in all regions.
Note: TLS 1.3 will not be supported on App Service Environment (ASE) V1 and V2.
What to expect with the initial TLS 1.3 (preview) support?
Beginning October 23rd, some users may begin to intermittently see incoming client requests using TLS 1.3 handshakes if the clients also support TLS 1.3. You can expect these intermittent TLS 1.3 handshakes to stabilize starting January 2024. We do not recommend setting the minimum incoming TLS version of your web app to TLS 1.3 before January 2024 because this setting may cause issues to your web app.
When TLS 1.3 may cause issues to the web app
Setting TLS 1.3 as the minimum TLS version before January 2024
During the initial release of TLS 1.3, you may notice that TLS 1.3 may intermittently be disabled should there be potential issues in the process of rolling it out. If you set the minimum TLS version of your web app to TLS 1.3 during this time, there’s a risk for this setting to cause connection failures, or for incoming requests to be denied if TLS 1.3 was intermittently disabled for your web app.
Using client certificates with TLS 1.3
Client certificates and TLS 1.3 generally would work together, however, there are specific scenarios where TLS 1.3 cannot be used together with client certificates:
- When using exclusion paths with client certificates
- When using “OptionalInteractive” (on API) or “Optional” mode (on Portal) for Client Certificate Mode setting
These scenarios mentioned are not supported with TLS 1.3 because they require renegotiation, which is not allowed with TLS 1.3. These scenarios above would have TLS 1.2 supported as the maximum TLS version.
Manually configuring TLS handshakes for clients calling into App Service OR using Internet of Things (IOT) clients/devices connected to App Service
We do not expect TLS 1.3 support to negatively impact customers. However, you may be impacted if you have manually configured the TLS handshakes of the clients connected to App Service. As an example, if you are using a client library, such as using a browser or .NET HTTP client, the upcoming TLS 1.3 support should not negatively impact you nor the clients talking to App Service. However, if for an example, you are manually configuring the TLS handshakes of your clients, such as IOT devices, that are connected to App Service, you may want to review your TLS handshakes to ensure compatibility with TLS 1.3.
TLS 1.3 and minimum TLS cipher suite feature
The upcoming TLS 1.3 support will provide additional TLS cipher suites that would be supported on App Service. This means that there’ll be a newer set of TLS cipher suites added to the minimum TLS cipher suite feature. Like minimum TLS version, we do not recommend setting minimum TLS cipher suites to a TLS 1.3 cipher suite for your incoming requests before January 2024. There’s a risk that this configuration can cause connection failures to your web app, or for incoming requests to be denied if TLS 1.3 was intermittently disabled for your web app.