Requiring TLS 1.2 for the Fastly API & control panel
As part of our vision for defending the modern web, the Fastly engineering teams are focused on providing you with a robust and secure platform that empowers you to protect your customers. Because we’re committed to providing secure experiences, we’re complying with the PCI Security Standards Council mandate that requires the deprecation of TLS version 1.0 and recommends the deprecation of TLS 1.1. Although neither TLS 1.0 nor 1.1 is known to have been compromised, we’re requiring clients that connect to our infrastructure to support TLS 1.2 as part of our goal to provide a trusted and secure platform for our customers. This deprecation will affect you if you access the Fastly control panel (manage.fastly.com), management API (api.fastly.com), or main website (fastly.com) over TLS 1.0 or 1.1. Read on to learn about our deprecation plan, plus how to check which TLS version you’re using.
Save the date: TLS 1.2 required after June 19, 2018
Note: this blog post was updated on May 3rd, 2018 to reflect our updated timeline.
Update: In February of this year we updated you on our plans to deprecate TLS 1.0 and 1.1 on the Fastly API and control panel. In order to provide a smooth transition we have extended the deadline to fully deprecate TLS 1.0 and 1.1 on our API and control panel to June 19th, 2018. If you have any questions please feel free to contact us at support@fastly.com.
After June 19, 2018 (originally May 8) we will no longer support TLS 1.0 and 1.1 for browsers accessing the Fastly control panel (manage.fastly.com), the Fastly API (api.fastly.com), and the main Fastly website (www.fastly.com). Please take a look at this blog post for the legacy TLS deprecation schedule affecting end-users at our cache nodes.
The vast majority of our customers will not be affected by this change. We’ve been monitoring client TLS versions on requests to our API and configuration interfaces for the last few months, and are pleased that almost all customers are already using modern browsers and API clients. However, there are a small number of requests that we’re seeing to our API from older clients, and we’re proactively reaching out to these customers to support their updates. These older clients will start to receive a protocol error after June 19, 2018 (originally May 8).
Which TLS version am I using?
It’s very unlikely that you’re using a browser that doesn’t support TLS 1.2, but you can verify protocol support using the SSL Test tool from SSL Labs, or check their User Agent Capabilities list.
In order to check your API clients, please consult your programming language and operating system documentation to determine whether there’s support for TLS 1.2. Below is a list of some common languages, versions, and libraries that will be affected:
Python 2.7.8 and earlier
Java 7, which doesn't support TLS 1.2 by default
Some versions of Mac OS ship with an older version of OpenSSL (0.9.8y, for example) which only supports TLS 1.0 and requires support for 3DES ciphers, which we will no longer support. If you’re using command-line tools such as cURL that link against this OpenSSL on a Mac, you can install the latest version of OpenSSL with Homebrew, using
brew install openssl
(possibly followed by installing cURL with Homebrew, which will link against the more recent version of OpenSSL that was just installed).
One way to check that your API client will continue to work after June 19 is to add an entry to the /etc/hosts file on a machine that contains your application. Be sure not to do this on a production machine, or remove the entry immediately after testing. We’ve installed a certificate for api.fastly.com on an IP address that requires TLS 1.2; adding the following entry to your /etc/hosts file will force all Fastly API requests to use this test IP address:
151.101.1.133 api.fastly.com
If you’re using cURL, you can also verify TLS version support by forcing the use of the test IP address using the `--resolve` option, which tells cURL to use 151.101.1.133 instead of performing a real DNS lookup.
$ curl --resolve api.fastly.com:443:151.101.1.133 https://api.fastly.com/public-ip-list
Older clients that don’t support TLS 1.2 will receive a protocol error, like the one in the example below:
curl: (35) Unknown SSL protocol error in connection to api.fastly.com:-9836
If your client supports TLS 1.2, this example request will return a list of IP addresses:
{"addresses":["23.235.32.0/20","43.249.72.0/22","103.244.50.0/24","103.245.222.0/23","103.245.224.0/24","104.156.80.0/20","151.101.0.0/16","157.52.64.0/18","172.111.64.0/18","185.31.16.0/22","199.27.72.0/21","199.232.0.0/16","202.21.128.11/32","202.21.128.12/32","203.57.145.11/32","203.57.145.12/32"]}
Another way to test your client is to observe the behavior when you try to explicitly force TLS 1.2 by adding the `--tlsv1.2` option to the command.
$ curl --tlsv1.2 https://api.fastly.com/public-ip-list
If your client works today with this option, it will continue to work when Fastly requires TLS 1.2 in June.
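The same two checks from a Python API client, as an added example that is not Fastly's code: it reports whether the OpenSSL your interpreter links offers TLS 1.2 at all, and then repeats the `--tlsv1.2` test by pinning the minimum protocol version for a request to the /public-ip-list endpoint from the post. It assumes Python 3.7+ and uses only the standard library; the function names are ours.

```python
import json
import socket
import ssl
import urllib.request

FASTLY_API = "api.fastly.com"  # hostname from the post


def local_tls12_capable():
    """Return (capable, openssl_version) for the OpenSSL this Python links.
    OpenSSL gained TLS 1.2 in 1.0.1; the 0.9.8 builds the post mentions fail."""
    has_flag = getattr(ssl, "HAS_TLSv1_2", False)
    new_enough = ssl.OPENSSL_VERSION_INFO[:3] >= (1, 0, 1)
    return bool(has_flag and new_enough), ssl.OPENSSL_VERSION


def tls12_only_context():
    """Client context that refuses anything below TLS 1.2, like curl --tlsv1.2."""
    ctx = ssl.create_default_context()  # verifies the chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(host=FASTLY_API, port=443, timeout=10):
    """Handshake with TLS >= 1.2 only and return the negotiated protocol name.
    A stack without TLS 1.2 raises ssl.SSLError, the counterpart of curl (35)."""
    ctx = tls12_only_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def public_ip_list(host=FASTLY_API):
    """Fetch /public-ip-list over TLS 1.2+ and return the address list."""
    url = f"https://{host}/public-ip-list"
    with urllib.request.urlopen(url, context=tls12_only_context()) as resp:
        return json.load(resp)["addresses"]


if __name__ == "__main__":
    ok, version = local_tls12_capable()
    print(f"{version}: TLS 1.2 {'available' if ok else 'NOT available'}")
    if ok:
        try:
            print("negotiated", probe(), "-", len(public_ip_list()), "prefixes")
        except ssl.SSLError as err:
            print("handshake failed, client cannot negotiate TLS 1.2:", err)
```

Run it on the machine that hosts your application; a negotiated version of TLSv1.2 or TLSv1.3 means the client will keep working after the cut-off, while an ssl.SSLError at the handshake is the same failure the older clients will see.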
We hope this post has helped you determine which TLS version you’re using and given you a sense of why we’re making the move to TLS 1.2. As always, let us know if you have any concerns or questions, and we’ll work with you to ensure a smooth transition.