Skip to content

Commit 31ac59b

Browse files
prmerger-automator[bot]prmerger-automator[bot]
authored
Merge pull request #269187 from duongau/patch-7
Front Door - End to End TLS (add note about tls negotiation)
2 parents 1c8b02a + c41a669 commit 31ac59b

File tree

1 file changed

+5
-1
lines changed

1 file changed

+5
-1
lines changed

articles/frontdoor/end-to-end-tls.md

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@ services: frontdoor
55
author: duongau
66
ms.service: frontdoor
77
ms.topic: conceptual
8-
ms.date: 02/15/2024
8+
ms.date: 03/15/2024
99
ms.author: duau
1010
zone_pivot_groups: front-door-tiers
1111
---
@@ -36,6 +36,10 @@ Although Azure Front Door supports TLS 1.2, which introduced client/mutual authe
3636

3737
You can configure the minimum TLS version in Azure Front Door in the custom domain HTTPS settings using the Azure portal or the [Azure REST API](/rest/api/frontdoorservice/frontdoor/frontdoors/createorupdate#minimumtlsversion). Currently, you can choose between 1.0 and 1.2. As such, specifying TLS 1.2 as the minimum version controls the minimum acceptable TLS version Azure Front Door will accept from a client. For minimum TLS version 1.2 the negotiation will attempt to establish TLS 1.3 and then TLS 1.2, while for minimum TLS version 1.0 all four versions will be attempted. When Azure Front Door initiates TLS traffic to the origin, it will attempt to negotiate the best TLS version that the origin can reliably and consistently accept. Supported TLS versions for origin connections are TLS 1.0, TLS 1.1, TLS 1.2 and TLS 1.3.
3838

39+
> [!NOTE]
40+
> * Clients with TLS 1.3 enabled are required to support one of the Microsoft SDL compliant EC Curves, including Secp384r1, Secp256r1, and Secp521, in order to successfully make requests with Azure Front Door using TLS 1.3.
41+
> * It is recommended that clients use one of these curves as their preferred curve during requests to avoid increased TLS handshake latency, which may result from multiple round trips to negotiate the supported EC curve.
42+
3943
## Supported certificates
4044

4145
When you create your TLS/SSL certificate, you must create a complete certificate chain with an allowed Certificate Authority (CA) that is part of the [Microsoft Trusted CA List](https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT). If you use a non-allowed CA, your request will be rejected.

0 commit comments

Comments
 (0)