TLS 1.0 Migration Behavior

Document created by Neil Jedrzejewski on Nov 24, 2017. Last modified by Neil Jedrzejewski on Nov 24, 2017.

Originally authored by Gary Fesenbek (Apologies! Authorship was changed automatically when your post was converted to a document!)


If you are like me, you have been looking at this for the past couple of years after the PCI folks amazingly extended the deadline for the migration off of TLS 1.0 to June 2018.


We have certs with more than 80 properties on them and we wanted a way to track the users that were connecting with TLS 1.0 via our corporate standard session tracking software.


Working with Akamai Support, we got an initial version but have finally refined it down to something that is quite useful in our organization, and I wanted to share this on the chance it may be able to help others in the community.


In a nutshell, this detects when a client connects using the TLS 1.0 protocol and then creates an outgoing request header that our origin picks up and feeds into the session tracking system.


We were finally able to do this with just the following 3 items:


1.  Create a user variable.  In our case we called this PMUSER_PROTOCOL

2.  Add a behavior to populate this variable.  Here's our Set Variable behavior:

[Image: Set Variable Behavior]

3.  Create a behavior to trigger (later in the config) on the PMUSER_PROTOCOL:

[Image: TLS Behavior]

You may want to also trigger on a header that you send in so that you can test your logic with your monitoring system.

It may also be prudent to add a behavior that tracks transactions that are not TLS 1.0, so that your origin monitoring system has the full population, or a breakdown by TLS 1.0, 1.1, etc.
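The origin side of this setup, as an added example that is not part of the original post: it tallies the protocol value forwarded by the edge per property and lists the sessions still on TLS 1.0. The header name `X-Client-TLS-Protocol`, the value format, and the request records are assumptions constructed for illustration; the post does not state them.

```python
from collections import Counter, defaultdict

# Assumption: the edge behavior forwards the negotiated protocol in this header.
# The header name and value format are hypothetical; the post does not give them.
PROTOCOL_HEADER = "x-client-tls-protocol"
LEGACY_VALUES = {"tlsv1", "tlsv1.0"}

def normalize(value):
    """Map a forwarded header value to a canonical protocol label."""
    if not value:
        return "unknown"  # header absent: the edge rule did not tag this request
    v = value.strip().lower().replace(" ", "")
    return "tlsv1.0" if v in LEGACY_VALUES else v

def summarize(requests):
    """Return (protocol counts per property, TLS 1.0 session ids per property)."""
    counts = defaultdict(Counter)
    legacy_sessions = defaultdict(set)
    for req in requests:
        # HTTP header names are case-insensitive, so compare in lower case.
        headers = {k.lower(): v for k, v in req["headers"].items()}
        proto = normalize(headers.get(PROTOCOL_HEADER))
        counts[req["host"]][proto] += 1
        if proto == "tlsv1.0":
            legacy_sessions[req["host"]].add(req["session"])
    return counts, legacy_sessions

def legacy_share(counts, host):
    """Fraction of a property's requests that arrived over TLS 1.0."""
    total = sum(counts[host].values())
    return counts[host]["tlsv1.0"] / total if total else 0.0

# Constructed sample of requests as the origin would see them.
H = "X-Client-TLS-Protocol"
SAMPLE = [
    {"host": "shop.example.com", "session": "s1", "headers": {H: "TLSv1"}},
    {"host": "shop.example.com", "session": "s1", "headers": {H: "TLSv1"}},
    {"host": "shop.example.com", "session": "s2", "headers": {H: "TLSv1.2"}},
    {"host": "shop.example.com", "session": "s3", "headers": {H: "tlsv1.1"}},
    {"host": "api.example.com", "session": "s4", "headers": {H: "TLSv1.2"}},
    {"host": "api.example.com", "session": "s5", "headers": {}},
]

if __name__ == "__main__":
    counts, legacy = summarize(SAMPLE)
    for host in sorted(counts):
        print(host, dict(counts[host]),
              f"TLS 1.0 share: {legacy_share(counts, host):.0%}",
              "sessions:", sorted(legacy[host]))
```

Requests that arrive without the header are counted as `unknown` rather than dropped, which keeps the per-property totals complete and surfaces traffic that the edge rule did not tag.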

