As part of our vision for defending the modern web, the Fastly engineering teams are focused on providing you with a robust and secure platform that empowers you to protect your customers. Because we’re committed to providing secure experiences, we’re complying with the PCI Security Standards Council mandate that requires the deprecation of TLS version 1.0 and recommends the deprecation of TLS 1.1. Although neither TLS 1.0 nor 1.1 is known to have been compromised, we’re requiring clients that connect to our infrastructure to support TLS 1.2 as part of our goal to provide a trusted and secure platform for our customers. This deprecation will affect you if you access the Fastly control panel (manage.fastly.com), management API (api.fastly.com), and main website (fastly.com) over TLS 1.0 or 1.1. Read on to learn about our deprecation plan, plus how to check which TLS version you’re using.
After May 8, 2018, we will no longer support TLS 1.0 and 1.1 for browsers accessing the Fastly control panel (manage.fastly.com), the Fastly API (api.fastly.com), and the main Fastly website (www.fastly.com). Please take a look at this blog post for the legacy TLS deprecation schedule affecting end-users at our cache nodes.
The vast majority of our customers will not be affected by this change. We’ve been monitoring client TLS versions on requests to our API and configuration interfaces for the last few months, and are pleased that almost all customers are already using modern browsers and API clients. However, there are a small number of requests that we’re seeing to our API from older clients, and we’re proactively reaching out to these customers to support their updates. These older clients will start to receive a protocol error after May 8, 2018.
In order to check your API clients, please consult your programming language and operating system documentation to determine whether there’s support for TLS 1.2. Below is a list of some common languages, versions, and libraries that will be affected:
brew install openssl (possibly followed by installing cURL with Homebrew, which will link against the more recent version of OpenSSL that was just installed).
One way to check that your API client will continue to work after May 8 is to add an entry to the /etc/hosts file on a machine that contains your application. Be sure not to do this on a production machine, or remove the entry immediately after testing. We’ve installed a certificate for api.fastly.com on an IP address that requires TLS 1.2; adding the following entry to your /etc/hosts file will force all Fastly API requests to use this test IP address:
If you’re using cURL, you can also verify TLS version support by forcing the use of the test IP address using the --resolve option, which tells cURL to use 220.127.116.11 instead of performing a real DNS lookup.
$ curl --resolve api.fastly.com:443:18.104.22.168 https://api.fastly.com/public-ip-list
Older clients that don’t support TLS 1.2 will receive a protocol error, like the one in the example below:
curl: (35) Unknown SSL protocol error in connection to api.fastly.com:-9836
If your client supports TLS 1.2, this example request will return a list of IP addresses:
Another way to test your client is to observe the behavior when you try to explicitly force TLS 1.2 by adding the --tlsv1.2 option to the command.
$ curl --tlsv1.2 https://api.fastly.com/public-ip-list
If your client works today with this option, it will continue to work when Fastly requires TLS 1.2 in May.
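As an added example (not from the original post or from Fastly), the script below reads the first line of `curl --version` and reports whether the linked OpenSSL can negotiate TLS 1.2 and whether this cURL build has the --tlsv1.2 option used above. The thresholds (TLS 1.2 arrived in OpenSSL 1.0.1, --tlsv1.2 in cURL 7.34.0), the function names and the sample version lines are assumptions or constructed values that do not appear in the post.

```shell
#!/bin/sh
# Added example, not Fastly's code. Thresholds are not stated in the post:
# OpenSSL 1.0.1 introduced TLS 1.2; cURL 7.34.0 introduced --tlsv1.2.

# ver_ge A B: succeed when dotted version A >= B (letter suffixes ignored).
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = x[i] + 0; q = y[i] + 0      # "8zh" + 0 evaluates to 8
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# curl_tls12_status "<first line of curl --version>"
# Prints "tls12=yes|no|unknown flag=yes|no".
curl_tls12_status() {
    curl_ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
    # Version of the OpenSSL backend, empty when cURL uses another TLS library.
    ossl_ver=$(printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's|^OpenSSL/||p' | head -n 1)

    if ver_ge "$curl_ver" 7.34.0; then flag=yes; else flag=no; fi

    if [ -z "$ossl_ver" ]; then
        tls12=unknown       # NSS, SecureTransport, GnuTLS...: run the live test
    elif ver_ge "$ossl_ver" 1.0.1; then
        tls12=yes
    else
        tls12=no            # upgrade OpenSSL, then rebuild or reinstall cURL
    fi
    printf 'tls12=%s flag=%s\n' "$tls12" "$flag"
}

# Constructed sample version lines (not captured from real hosts).
SAMPLE_OLD='curl 7.30.0 (x86_64-apple-darwin13.0) libcurl/7.30.0 OpenSSL/0.9.8zh zlib/1.2.5'
SAMPLE_NEW='curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.0g zlib/1.2.11'
SAMPLE_NSS='curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3'

# Against the local binary:
#   curl_tls12_status "$(curl --version | head -n 1)"
```

A result of tls12=unknown means the build uses a TLS library this check does not grade, so the --resolve or --tlsv1.2 request above is the deciding test.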
We hope this post has helped you determine which TLS version you’re using and given you a sense of why we’re making the move to TLS 1.2. As always, let us know if you have any concerns or questions, and we’ll work with you to ensure a smooth transition.