Announcing the availability of TLS 1.3 in Azure API Management in Preview
Published Feb 05 2024 09:00 AM
Microsoft

TLS 1.3 is the latest version of the internet’s most deployed security protocol, which encrypts data to provide a secure communication channel between two endpoints. TLS 1.3 eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the handshake as possible. 

 

In previous TLS versions the client's certificate is sent in the clear during the handshake, so client authentication exposed the client's identity on the network unless it was performed through renegotiation, which entailed extra round trips and CPU cost. In TLS 1.3 the client certificate is sent only after the handshake encryption keys are established, so client authentication is always confidential. 

 

TLS 1.3 in Azure API Management v1 and v2 tiers 

 

TLS 1.3 support in Azure API Management is planned to roll out during the first week of February 2024. The rollout will happen in stages, so some regions will receive it before others as it proceeds globally. Azure API Management V1 and V2 tiers will support TLS 1.3 by default for inbound traffic (incoming requests from API clients).  

 

For outbound traffic (requests from the API gateway to API backends), V1 tiers will need TLS 1.3 enabled manually; for V2 tiers, outbound TLS 1.3 will arrive in a later update. In the coming weeks we will also release an update that lets you enable or disable ciphers for outbound traffic through the Azure portal, the ARM API, the CLIs and the SDKs.  

 

TLS 1.3 Impact on API Clients 

 

We do not expect TLS 1.3 support to negatively impact customers, and TLS 1.2 clients will continue to work as expected. However, client certificate renegotiation is not allowed with TLS 1.3. If your API clients rely on renegotiation, that is, on starting a new handshake in the middle of an existing connection to your Azure API Management instance, your instance will not be updated to TLS 1.3 by default; it will stay at TLS 1.2 as its maximum version so that those clients are not affected.  

 

The protocol enables encryption earlier in the handshake, providing better confidentiality and preventing interference from poorly designed middle boxes. TLS 1.3 encrypts the client certificate, so client identity remains private, and renegotiation is not required for secure client authentication. 

 

Integrating your API clients or services with TLS 1.3 protocol 

 

If you use a client library, such as a browser or the .NET HTTP client, the upcoming TLS 1.3 support should not negatively impact you or the clients talking to Azure API Management. If, however, you configure the TLS handshakes of your clients manually (for example, by fixing the protocol version or the cipher suite list), review those settings to ensure they are compatible with TLS 1.3. 

 

We highly recommend that developers start testing TLS 1.3 in their applications and services. The streamlined list of supported cipher suites reduces complexity and guarantees certain security properties, such as forward secrecy (FS). For more information about TLS 1.3, refer to the Microsoft TLS 1.3 blog post. 
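To see the two behaviours described above in working code, the following Go program is an added example written for this article (it is not Azure API Management code or a Microsoft sample). It stands up an in-process mutual-TLS "gateway" and a client, runs the handshake three ways (both ends TLS 1.3; a client capped at TLS 1.2; and a gateway capped at TLS 1.2, the way an instance that stays on TLS 1.2 would behave), and records every byte the client sends. The results show that under TLS 1.3 the client certificate never appears in cleartext on the wire while under TLS 1.2 the same certificate DER is readable, that a TLS 1.2-only client still connects and authenticates, and that only TLS 1.3 (forward-secret) suites are negotiated on the TLS 1.3 path. The names apim.example and api-client, the self-signed certificates, the in-memory pipe and the Result/Scenarios/handshake helpers are all constructed for the example. Go is used because its standard library can mint certificates and run both ends of the handshake offline.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

type Result struct {
	Version    uint16 // tls.VersionTLS12 or tls.VersionTLS13
	Cipher     string // negotiated cipher suite name
	ClientCN   string // subject CN of the verified client certificate
	CertOnWire bool   // client certificate DER seen unencrypted on the wire
}

type recorder struct { // copies everything the client writes so the wire can be inspected
	net.Conn
	buf *bytes.Buffer
}
func (r *recorder) Write(p []byte) (int, error) { r.buf.Write(p); return r.Conn.Write(p) }
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// selfSigned mints a throwaway ECDSA P-256 certificate that is its own root (demo only).
func selfSigned(cn string, eku x509.ExtKeyUsage) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
		BasicConstraintsValid: true, IsCA: true,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}
func certPool(c *x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(c); return p }

// handshake runs one connection over an in-memory pipe and reports what the gateway negotiated.
func handshake(gw, cl *tls.Config, clientDER []byte) (Result, error) {
	sRaw, cRaw := net.Pipe()
	defer sRaw.Close()                                 // close a raw end, not the tls.Conn: close_notify would block
	sRaw.SetDeadline(time.Now().Add(5 * time.Second)) // bound any failure path instead of hanging
	rec := &recorder{Conn: cRaw, buf: new(bytes.Buffer)}
	srv, cli := tls.Server(sRaw, gw), tls.Client(rec, cl)
	cliErr := make(chan error, 1)
	go func() { cliErr <- cli.Handshake() }()
	if err := srv.Handshake(); err != nil {
		return Result{}, err
	}
	if err := <-cliErr; err != nil {
		return Result{}, err
	}
	st := srv.ConnectionState() // PeerCertificates is non-empty: client auth is required
	return Result{Version: st.Version, Cipher: tls.CipherSuiteName(st.CipherSuite),
		ClientCN:   st.PeerCertificates[0].Subject.CommonName,
		CertOnWire: bytes.Contains(rec.buf.Bytes(), clientDER)}, nil
}

// Scenarios: TLS 1.3 both ends, a client capped at TLS 1.2, and a gateway capped at TLS 1.2.
func Scenarios() (map[string]Result, error) {
	gwCert := selfSigned("apim.example", x509.ExtKeyUsageServerAuth)
	clCert := selfSigned("api-client", x509.ExtKeyUsageClientAuth)
	gw := &tls.Config{Certificates: []tls.Certificate{gwCert}, MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: certPool(clCert.Leaf),
		// TLS 1.3 NewSessionTicket is a post-handshake write that would block on the
		// unbuffered pipe, so session tickets are off for this in-memory demo.
		SessionTicketsDisabled: true}
	cl := &tls.Config{Certificates: []tls.Certificate{clCert}, MinVersion: tls.VersionTLS12,
		RootCAs: certPool(gwCert.Leaf), ServerName: "apim.example"}
	cases := map[string][2]uint16{ // {gateway max version, client max version}
		"tls13":         {tls.VersionTLS13, tls.VersionTLS13},
		"tls12-client":  {tls.VersionTLS13, tls.VersionTLS12},
		"tls12-gateway": {tls.VersionTLS12, tls.VersionTLS13},
	}
	out := map[string]Result{}
	for name, v := range cases {
		s, c := gw.Clone(), cl.Clone()
		s.MaxVersion, c.MaxVersion = v[0], v[1]
		r, err := handshake(s, c, clCert.Leaf.Raw)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		out[name] = r
	}
	return out, nil
}

func main() { fmt.Println(Scenarios()) }
```

Run it with `go run` and it prints the per-scenario Result map: the tls13 entry has CertOnWire false and a TLS_AES_ or TLS_CHACHA20_ suite, while both TLS 1.2 entries show CertOnWire true even though the client was verified successfully. The two caveats in the code are artefacts of the in-memory pipe, not of TLS 1.3: session tickets are disabled because NewSessionTicket is a post-handshake write, and the raw pipe end is closed instead of the tls.Conn so close_notify does not block. Against a real gateway the equivalent check is `openssl s_client -tls1_3 -cert client.crt -key client.key -connect <host>:443` and reading the Protocol and Cipher lines it prints.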

 

Help and support 

 

If you have questions, get answers from community experts in Microsoft Q&A. If you have a support plan and you need technical help, create a support request. 

 

  • Click on “Create a support request” 
  • For Summary, type a description of your issue, for example, "TLS 1.3…". 
  • Under Issue type, select Technical. 
  • Under Subscription, select your subscription. 
  • Under Service, select My services, then select API Management Service. 
  • Under Resource, select the Azure resource that you are creating a support request for. 
  • For Problem type, select "Authentication and Security." 
  • For Problem subtype, select “SSL/TLS Configurations.” 


 

 

Frequently Asked Questions 

 

When will TLS 1.3 (preview) support begin and fully roll-out?  

TLS 1.3 support is planned to begin at the start of February 2024 and continue rolling out into March 2024. The initial preview of TLS 1.3 for APIs hosted on Azure API Management began rolling out on February 5th. Customers in all regions can expect TLS 1.3 support by March 2024.  

 

   

What to expect with the initial TLS 1.3 (preview) support?  

Beginning February 5th, some customers may start to see incoming client requests negotiated with TLS 1.3 handshakes if the clients also support TLS 1.3. Customers using Azure API Management do not control when the update arrives; it is part of a general release. You can expect TLS 1.3 handshakes to stabilize by the end of March 2024.   

 

Can I use client certificates with TLS 1.3? 

Client certificates and TLS 1.3 work together. However, if your API clients rely on renegotiation (starting a new handshake in the middle of an existing connection), that flow is not allowed with TLS 1.3. If your API Management service uses this scenario, we will not update it to TLS 1.3 by default; TLS 1.2 will remain the maximum supported TLS version.  

 

To clarify:

 

  • "Client certificate negotiation" is supported in TLS 1.3 with Azure API Management. 
  • Renegotiation, API clients making new handshakes while in the middle of a connection, is not supported in TLS 1.3 with Azure API Management.

  

What if I am manually configuring TLS handshakes for clients calling into Azure API Management? 

We do not expect TLS 1.3 support to negatively impact customers. You may be affected, however, if you have manually configured the TLS handshakes of the clients connected to Azure API Management. If you use a client library, such as a browser or the .NET HTTP client, the upcoming TLS 1.3 support should not negatively impact you or those clients. If you configure the TLS handshakes of your clients manually, review them to ensure compatibility with TLS 1.3. You can also contact support, using the instructions above, for help mitigating any issue. 

  

Will there be new cipher suites available? 

The upcoming TLS 1.3 support adds TLS cipher suites to those supported on Azure API Management, so a new set of TLS 1.3 cipher suites will be added to the minimum TLS cipher suite feature. As with the minimum TLS version, we do not recommend setting the minimum TLS cipher suite for incoming requests to a TLS 1.3 cipher suite until the rollout is complete. Until then there is a risk that this configuration causes connection failures to your API Management instance, or incoming requests to be denied, if TLS 1.3 is intermittently disabled for your instance. 

 

Will there be any difference between V1 tiers and V2 tiers when using TLS1.3? 

Yes, these are the main differences: 

  • V1 tiers (Developer, Standard, Basic, Premium) receive TLS 1.3 for inbound API clients by default (unless you use certificate renegotiation) and TLS 1.3 for outbound API backends, which must be activated manually.   
  • V2 tiers (BasicV2 and StandardV2) and the Consumption tier also receive TLS 1.3 for inbound API clients by default. V2 tiers do not support certificate renegotiation. TLS 1.3 for outbound API backends will be released in a future update. 

 

 

 

Last update: Feb 16 2024 04:42 PM