Phase two of our TLS 1.0 and 1.1 deprecation plan
Note: this blog post was updated on July 6, 2017 to reflect our updated timeline.
In February of last year we updated you on our plans to deprecate TLS 1.0 and 1.1 due to a mandate by the PCI Security Standards Council as well as our continued commitment to maintaining a trusted platform. Since then, we’ve observed a significant reduction in legacy TLS traffic on our network — overall global traffic for TLS 1.0 has dropped to less than 4% and TLS 1.1 to less than 0.15%.
However, there are remaining legacy applications that still require TLS 1.0 and 1.1, so we’re revising our previous plan in order to provide more time for those working with legacy systems as we phase out support for these protocols.
Here is our revised schedule for deprecating TLS 1.0 and 1.1:
As of January 9, 2017: per last year’s update, we’ll start provisioning all new customer endpoints (shared or dedicated) to support only TLS 1.2 and drop the 3DES cipher suite which is not required for TLS 1.2. Please contact our team if you’d like to support only TLS 1.2 and drop 3DES from cipher suite support on existing endpoints. Customers who have not yet migrated their systems off of TLS 1.0 and 1.1, please note we will be proactively disabling support on all shared endpoints by April 30, 2017. Also, as of September 17, 2017, the Fastly control panel and API will only support TLS 1.2.
Customers with dedicated endpoints (hosted offsets) can elect at any time to require TLS 1.2 by contacting support. We strongly encourage all customers with dedicated offsets to ask to switch to TLS-1.2 before the hard deadline of June 30, 2018. Customers with dedicated endpoints will not be affected by changes made on January 9 or April 30, 2017.
On April 30, 2017, we’ll convert all shared offsets to TLS-1.2 and drop 3DES cipher support. Note: if you have legacy TLS support requirements for a service on a Fastly shared endpoint, contact support to migrate to Fastly’s designated shared endpoint for legacy protocol support or to your own dedicated endpoint with TLS 1.0 and 1.1 supported. No changes to dedicated endpoints (hosted offsets) will be made at this time.
After September 17, 2017, we will no longer support TLS 1.0 and 1.1 for browsers accessing the Fastly control panel (manage.fastly.com), main website (www.fastly.com), and API clients accessing api.fastly.com.
By June 30, 2018, all customers, including those on dedicated endpoints, must have converted to TLS-1.2. Due to the PCI Security Standards Council mandate, older TLS implementations will no longer be supported on Fastly infrastructure on shared or dedicated endpoints. There will be no exceptions made after this date.
As always, we will continue to monitor TLS 1.0 and 1.1 vulnerabilities and will adapt our timeline as required to mitigate protocol-level issues if they arise.
If you have any questions or would like to use TLS protocol options other than our defaults, please contact our team.