Rajiv Aaron Manglani

Get ready for TLS 1.3

Blog post by Rajiv Aaron Manglani (Akamai), Oct 25, 2017

In January 2017 Akamai announced that we had funded the OpenSSL Software Foundation to accelerate its plans to support TLS 1.3 in the OpenSSL cryptographic library. OpenSSL is one of the leading libraries used by servers and clients (including Akamai’s networks) to secure SSL/TLS connections on the internet. TLS 1.3 is a significant overhaul of the protocol that secures HTTPS communications. It aims to improve performance (a full handshake completes in one round trip instead of two, which end users see as faster page loads) and to close architectural weaknesses in previous versions, for example by dropping static RSA key exchange and the legacy non-AEAD cipher suites.

Today, we are announcing our plans to support TLS 1.3 on the Akamai Secure CDN.

TLS 1.3 Beta

Later this year, we will start a beta program for TLS 1.3 for customers with custom certificates (that is, those on the Secure CDN). If your web property is secured by a custom certificate, you will be able to enable TLS 1.3 during the beta period. No additional beta paperwork or agreements are necessary to participate.

There are now controls in our Certificate Provisioning System (CPS) to configure your custom certificate for the upcoming TLS 1.3 beta. Your certificate needs two specific settings. In either the existing CPS interface in our Luna portal or the new CPS beta interface, edit the certificate and perform both of these steps:

On the “Deployment and TLS Metadata” tab (or the “View and Edit Deployment Settings” screen in the CPS beta interface):

  1. Select “Enable all TLS versions”.
  2. Select the “ak-akamai-default-2017q3” cipher profile.

The new ak-akamai-default-2017q3 cipher profile is the same as the previous default, ak-akamai-default-2016q3, with the addition of the TLS 1.3 ciphers. The new profile continues to support all previous TLS versions, so it can also serve clients that do not speak TLS 1.3. See SSL/TLS Cipher Profiles for documentation on the currently available and recommended cipher profiles.

Once the TLS 1.3 beta is turned on network-wide by our operations team, your secure properties configured as described above will be enabled with TLS 1.3. This new TLS version is still working its way through the IETF standardization process, and as a result different crypto libraries, web servers, and browsers have implemented different, non-interoperable draft versions. Akamai and OpenSSL have implemented Draft 21 of the TLS 1.3 specification; we will move to the final version after it is ratified as an RFC. Clients need to implement the same draft in order to connect with TLS 1.3. A client on a different draft does not fail outright: because the profile above keeps the earlier protocol versions enabled, the connection simply negotiates TLS 1.2 or earlier instead. The IETF TLS Working Group maintains a list of TLS 1.3 clients and the draft versions they implement.
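The draft interoperability problem comes from how TLS 1.3 negotiates its version. A draft implementation advertises a draft-specific codepoint (0x7f00 plus the draft number, so Draft 21 is 0x7f15) in the ClientHello’s supported_versions extension, and the server may only select a version that the client listed; when the server’s draft is not in the list it falls back to TLS 1.2 if that is enabled, and otherwise the handshake fails. The Python below is an added example written for this post, not Akamai or OpenSSL code: it encodes and decodes the extension and applies the server-side selection rule. The server preference order (Draft 21 plus “Enable all TLS versions”) and the client version lists are constructed for illustration, not captured from real clients or from Akamai’s configuration.

```python
"""TLS 1.3 version negotiation with draft codepoints (added example, not Akamai or OpenSSL code)."""
import struct

TLS10, TLS11, TLS12 = 0x0301, 0x0302, 0x0303
TLS13 = 0x0304                  # codepoint of the final RFC version
SUPPORTED_VERSIONS = 0x002B     # extension type 43, supported_versions


def draft(n):
    """Codepoint advertised by an implementation of TLS 1.3 draft n: 0x7f00 | n."""
    return 0x7F00 | n


def encode_supported_versions(versions):
    """ClientHello extension: type(2) length(2) list_length(1) versions(2 each), client preference order."""
    body = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    return struct.pack("!HH", SUPPORTED_VERSIONS, len(body)) + body


def decode_supported_versions(ext):
    """Inverse of encode_supported_versions; rejects inconsistent length fields."""
    if len(ext) < 5:
        raise ValueError("extension too short")
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    list_len = ext[4]
    if ext_type != SUPPORTED_VERSIONS or ext_len != len(ext) - 4 or list_len != ext_len - 1 or list_len % 2:
        raise ValueError("malformed supported_versions extension")
    return [struct.unpack("!H", ext[5 + i:7 + i])[0] for i in range(0, list_len, 2)]


def negotiate(server_prefs, client_ext, legacy_version=TLS12):
    """Server-side version selection.

    server_prefs: versions the server will speak, most preferred first.
    client_ext:   raw supported_versions extension from the ClientHello, or None
                  when a pre-1.3 client sent no such extension.
    Returns the selected version, or None when the server must abort with a
    protocol_version alert.
    """
    if client_ext is None:
        # Legacy negotiation: highest server version not above ClientHello.legacy_version.
        # Draft codepoints (0x7fNN) and 0x0304 are above 0x0303, so they are never chosen here.
        candidates = [v for v in server_prefs if v <= legacy_version]
        return max(candidates) if candidates else None
    client_versions = decode_supported_versions(client_ext)
    # The server may only pick a version the client listed (RFC 8446, section 4.2.1).
    for v in server_prefs:
        if v in client_versions:
            return v
    return None


def describe(version):
    """Human-readable name for a negotiated version (or for a failed negotiation)."""
    if version is None:
        return "no common version: protocol_version alert"
    if version & 0xFF00 == 0x7F00:
        return f"TLS 1.3 draft {version & 0xFF}"
    return {TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2", TLS13: "TLS 1.3"}.get(version, hex(version))


# Assumed server configuration for the beta: Draft 21 plus "Enable all TLS versions".
BETA_SERVER = [draft(21), TLS12, TLS11, TLS10]

# Constructed ClientHello version lists for illustration, not captured from real clients.
CLIENTS = {
    "draft-21 client": encode_supported_versions([draft(21), TLS12]),
    "draft-18 client": encode_supported_versions([draft(18), TLS12]),
    "final-RFC client": encode_supported_versions([TLS13, TLS12]),
    "pre-1.3 client": None,
}

if __name__ == "__main__":
    for name, ext in CLIENTS.items():
        print(f"{name:20} -> {describe(negotiate(BETA_SERVER, ext))}")
    # A server with only its own draft enabled fails hard instead of falling back.
    print(f"{'draft-18 vs 1.3-only':20} -> {describe(negotiate([draft(21)], CLIENTS['draft-18 client']))}")
```

Only the client that lists 0x7f15 gets TLS 1.3; the Draft 18 client and a client that already speaks the final RFC codepoint both land on TLS 1.2, which is why a mismatched draft shows up as a silent downgrade rather than an error until TLS 1.2 is switched off.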

For certificates enabled in this beta, some standard Secure CDN features will be unavailable. If your secure properties depend on any of these, do not enable those certificates for the beta:

  • Client certificates (mutual authentication) for clients connecting to the Akamai edge (client certificates for origin connections will continue to function)
  • The ability to select TLS 1.2 and 1.3 while deselecting TLS 1.0 and 1.1 for a specific certificate (disabling TLS 1.0 is necessary for PCI DSS 3.2 compliance); during the beta, TLS 1.3 requires “Enable all TLS versions”
  • TLS 1.3 enabled in conjunction with the ciphers necessary to support Windows XP
  • TLS interception devices (“middleboxes”) which have not been upgraded to recognize TLS 1.3 connections

TLS 1.3 General Availability

After the TLS 1.3 specification is approved by the IETF, we plan to make TLS 1.3 generally available (GA) for all web properties on the Akamai Secure CDN. TLS 1.3 will be available as a platform feature, for all customers and delivery products. At that time, either “Use Akamai Defaults” or the “ak-akamai-default-2017q3” cipher profile will give you TLS 1.3, because after GA the Akamai default list of TLS protocol versions will include TLS 1.3.

Future functionality

We will be enabling TLS 1.3 with the Akamai shared certificate in 2018. We are also investigating support for additional TLS 1.3 features such as TLS 1.3 on origin connections and 0-RTT early data (note that 0-RTT data is not protected against replay by the protocol, so it is only suitable for requests that are safe to repeat).

Timeline

Available now: controls in CPS to enable the TLS 1.3 beta.

Late 2017: TLS 1.3 beta turned on network-wide.

Early 2018: TLS 1.3 generally available (GA). All newly configured certificates will have TLS 1.3 turned on by default; to enable it for existing certificates, update the cipher profile to “ak-akamai-default-2017q3”.

If you have feedback on this new beta capability, or have issues, please reach out to Akamai Technical Support through your normal support channels. You can also follow this blog post to be notified when new Beta features are available.
