TLS 1.3 Preview Now Available in Azure API Management

Azure API Management introduced TLS 1.3 support in the V1 and V2 tiers during the initial week of February 2024. As reported, the rollout will occur progressively across regions. Inbound traffic for both V1 and V2 tiers will inherently support TLS 1.3 for incoming requests from API clients.

As reported, for outbound traffic in V1 tiers, manual activation of TLS 1.3 will be required, while V2 tiers will receive support for outbound traffic with TLS 1.3 in a subsequent update. Additionally, an update will be released in the coming weeks that allows ciphers for outbound traffic to be enabled or disabled through various channels such as the Azure Portal, ARM API, CLIs, and SDKs.

TLS 1.3 is the latest version of the security protocol widely used on the internet. It secures communication channels between endpoints by encrypting data. Compared to older versions, it drops outdated cryptographic algorithms, strengthens security, and encrypts as much of the handshake as possible.

Unlike previous versions, TLS 1.3 ensures confidentiality in client authentication without the need for additional round trips or CPU costs. At the same time, it enhances security measures significantly.

According to Microsoft, API clients and services that use client libraries such as browsers or .NET HTTP clients should not have any issues with TLS 1.3. However, clients that configure their TLS handshakes manually when connecting to Azure API Management should be reviewed to ensure compatibility with TLS 1.3.

Developers are strongly encouraged to test TLS 1.3 in their applications and services. The simplified list of supported cipher suites reduces complexity and guarantees specific security features such as forward secrecy (FS).
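One way to review a manually configured client before the rollout reaches an instance is to inspect its TLS settings directly. The following Python sketch is an added example, not code from Microsoft or the original post; the function names are hypothetical and the gateway hostname is a placeholder.

```python
import socket
import ssl


def audit_client_context(ctx: ssl.SSLContext) -> dict:
    """Report whether a manually configured client context can offer TLS 1.3."""
    findings = []
    if not ssl.HAS_TLSv1_3:
        findings.append("local OpenSSL build has no TLS 1.3 support")
    if ctx.options & ssl.OP_NO_TLSv1_3:
        findings.append("OP_NO_TLSv1_3 is set on the context")
    # MAXIMUM_SUPPORTED is a negative sentinel value, so test for it explicitly.
    max_v = ctx.maximum_version
    if max_v != ssl.TLSVersion.MAXIMUM_SUPPORTED and max_v < ssl.TLSVersion.TLSv1_3:
        findings.append(f"maximum_version is capped at {max_v.name}")
    suites = [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3"]
    if not suites:
        findings.append("no TLS 1.3 cipher suites are enabled")
    return {"tls13_capable": not findings, "findings": findings, "tls13_suites": suites}


def negotiated_version(host: str, ctx: ssl.SSLContext, port: int = 443) -> str:
    """Handshake with a live endpoint and return the agreed version, e.g. 'TLSv1.3'."""
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


def pinned_tls12_context() -> ssl.SSLContext:
    """Constructed sample: a client hard-pinned to TLS 1.2, as older code often is."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for label, ctx in (("default", ssl.create_default_context()),
                       ("pinned to 1.2", pinned_tls12_context())):
        print(label, audit_client_context(ctx))
    # Live check against your own gateway (placeholder hostname, needs network):
    # print(negotiated_version("<your-apim-gateway-hostname>", ssl.create_default_context()))
```

A client pinned to TLS 1.2 keeps working against the gateway but never negotiates TLS 1.3; running `negotiated_version` with the same context the application uses confirms what is actually agreed on the wire.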

Regarding the impact of TLS 1.3 on API clients, Fernando Mejia from Microsoft stated the following:

We do not expect TLS 1.3 support to negatively impact customers. TLS 1.2 clients will continue to work as expected. However, client certificate renegotiation is not allowed with TLS 1.3; if your Azure API Management instance relies on client certificate renegotiation for receiving and validating client certificates, your instance of API Management will not be updated to enable TLS 1.3 by default and will default to TLS 1.2 to avoid any impact on your API clients.

The protocol enables encryption earlier in the handshake, providing better confidentiality and preventing interference from poorly designed middle boxes. TLS 1.3 encrypts the client certificate, so client identity remains private, and renegotiation is not required for secure client authentication.

In addition to the announcement, the original blog post includes an informative FAQ section addressing common questions from the community regarding the addition of TLS 1.3 support. One such question is, What to expect with the initial TLS 1.3 (preview) support?

Beginning February 5th, some customers may begin to see incoming client requests using TLS 1.3 handshakes if the clients also support TLS 1.3. Customers using Azure API Management will not have control over when the update arrives; it will be part of a general release. You can expect these TLS 1.3 handshakes to stabilize by the end of March 2024.

Lastly, Microsoft encourages users to provide feedback on the TLS 1.3 preview in Azure API Management. For questions, users can seek answers from community experts on Microsoft Q&A. Also, users with support plans requiring technical assistance can create a support request using Azure Portal.
