You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/api-management/api-management-howto-manage-protocols-ciphers.md
+8-6Lines changed: 8 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -60,26 +60,28 @@ TLS 1.3 is a major revision of the TLS protocol that provides improved security
60
60
61
61
### Optionally enable TLS 1.3 when clients require certificate renegotiation
62
62
63
-
Client-side TLS 1.3 is disabled by default in certain classic tier instances that recently received API requests over TLS connections that used certificate renegotiation. Certificate renegotiation in TLS allows client and server to renegotiate connection parameters mid-session for authentication without terminating the connection. TLS-compliant clients that rely on certificate renegotiation are not compatible with TLS 1.3.
63
+
TLS 1.3 doesn't support certificate renegotiation. Because of this, client-side TLS 1.3 is disabled by default on classic tier instances that recently handled requests with certificate renegotiation. Certificate renegotiation in TLS allows client and server to renegotiate connection parameters mid-session for authentication without terminating the connection.
64
64
65
-
In these instances, you can review recent API requests that used certificate renegotiation and choose whether to enable TLS 1.3 for client-side connections:
65
+
In these instances, you can review recent API requests that used certificate renegotiation and choose whether to enable TLS 1.3 for client-side connections.
66
+
67
+
> [!WARNING]
68
+
> If your APIs are accessed by TLS-compliant clients that rely on certificate renegotiation, enabling TLS 1.3 for client-side connections will cause those clients to fail to connect.
69
+
70
+
To enable TLS 1.3 for client-side connections in these instances, configure settings on the **Protocols + ciphers** page:
66
71
67
72
1. On the **Protocols + ciphers** page, in the **Client protocol** section, next to **TLS 1.3**, select **View and manage configuration**.
68
73
1. Review the list of **Recent client certificate renegotiations**. The list shows API operations where clients recently used client certificate renegotiation.
69
74
1. If you choose to enable TLS 1.3 for client-side connections, select **Enable**.
70
75
1. Select **Close**.
71
76
72
-
After enabling TLS 1.3, review gateway request metrics or TLS-related exceptions in Application Insights that indicate TLS connection failures. If necessary, disable TLS 1.3 for client-side connections and downgrade to TLS 1.2.
77
+
After enabling TLS 1.3, review gateway request metrics or TLS-related exceptions in logs that indicate TLS connection failures. If necessary, disable TLS 1.3 for client-side connections and downgrade to TLS 1.2.
73
78
74
79
If you need to disable TLS 1.3 for client-side connections in these instances, configure settings on the **Protocols + ciphers** page:
75
80
76
81
1. On the **Protocols + ciphers** page, in the **Client protocol** section, next to **TLS 1.3**, select **View and manage configuration**.
77
82
1. Select **Disable**.
78
83
1. Select **Close**.
79
84
80
-
> [!WARNING]
81
-
> If your APIs are accessed by TLS-compliant clients that rely on certificate renegotiation, enabling TLS 1.3 for client-side connections will cause those clients to fail to connect.
82
-
83
85
### Backend-side TLS 1.3
84
86
85
87
Enabling backend-side TLS 1.3 is optional. If you enable it, API Management uses TLS 1.3 for connections to your backend services.
0 commit comments