articles/api-management/api-management-howto-manage-protocols-ciphers.md
8 additions & 10 deletions
@@ -49,9 +49,9 @@ Depending on the service tier, API Management supports TLS versions up to 1.2 or
49
49
> [!NOTE]
50
50
> Some protocols or cipher suites (such as backend-side TLS 1.2) can't be enabled or disabled from the Azure portal. Instead, you'll need to apply the REST API call. Use the `properties.customProperties` structure in the [Create/Update API Management Service](/rest/api/apimanagement/current-ga/api-management-service/create-or-update) REST API.
51
51
52
-
## TLS 1.3 support in Consumption and classic tiers
52
+
## TLS 1.3 support in classic tiers
53
53
54
-
TLS 1.3 support is available in the API Management classic service tiers (**Consumption**, **Developer**, **Basic**, **Standard**, and **Premium**). In most instances created in those service tiers, TLS 1.3 is enabled by default for client-side connections. Enabling backend-side TLS 1.3 is optional. TLS 1.2 is also enabled by default on both client and backend sides.
54
+
TLS 1.3 support is available in the API Management classic service tiers (**Consumption**, **Developer**, **Basic**, **Standard**, and **Premium**). In most instances created in those service tiers, TLS 1.3 is permanently enabled by default for client-side connections. Enabling backend-side TLS 1.3 is optional. TLS 1.2 is also enabled by default on both client and backend sides.
55
55
56
56
TLS 1.3 is a major revision of the TLS protocol that provides improved security and performance. It includes features such as reduced handshake latency and improved security against certain types of attacks.
57
57
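Review bot: "permanently enabled by default" in the rewritten paragraph under "## TLS 1.3 support in classic tiers" contradicts itself, since a setting is either permanent or a default that can be changed, and the same sentence still limits the claim to "most instances" without saying which ones are the exception. State the two cases separately: instances where client-side TLS 1.3 is always on and cannot be turned off, and instances where it is configurable, with a pointer to the renegotiation subsection. The heading rename also changes the generated anchor, so any inbound link to the old "Consumption and classic tiers" heading should be checked.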
@@ -60,9 +60,9 @@ TLS 1.3 is a major revision of the TLS protocol that provides improved security
60
60
61
61
### Optionally enable TLS 1.3 when clients require certificate renegotiation
62
62
63
-
Client-side TLS 1.3 is disabled by default in classic tier instances that recently received TLS connections that used certificate renegotiation. Certificate renegotiation in TLS allows client and server to renegotiate connection parameters mid-session for authentication without terminating the connection. TLS-compliant clients that rely on certificate renegotiation are not compatible with TLS 1.3.
63
+
Client-side TLS 1.3 is disabled by default in certain classic tier instances that recently received API requests over TLS connections that used certificate renegotiation. Certificate renegotiation in TLS allows client and server to renegotiate connection parameters mid-session for authentication without terminating the connection. TLS-compliant clients that rely on certificate renegotiation are not compatible with TLS 1.3.
64
64
65
-
After reviewing recent client connections that used certificate renegotiation, you can choose whether to enable TLS 1.3 for client-side connections:
65
+
In these instances, you can review recent API requests that used certificate renegotiation and choose whether to enable TLS 1.3 for client-side connections:
66
66
67
67
1. On the **Protocols + ciphers** page, in the **Client protocol** section, next to **TLS 1.3**, select **View and manage configuration**.
68
68
1. Review the list of **Recent client certificate renegotiations**. The list shows API operations where clients recently used client certificate renegotiation.
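Review bot: "certain classic tier instances" in the first changed paragraph gives the reader no way to tell whether their instance is one of them, and the next paragraph's "In these instances" inherits the same gap. Say how an operator identifies an affected instance and what time window "recently" covers, because that decides whether the enable and disable steps below apply at all. The switch from "TLS connections" to "API requests over TLS connections" is a useful narrowing; keep the two changed paragraphs consistent on that wording, as the second one now says only "API requests that used certificate renegotiation".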
@@ -71,17 +71,15 @@ After reviewing recent client connections that used certificate renegotiation, y
71
71
72
72
After enabling TLS 1.3, review gateway request metrics or TLS-related exceptions in Application Insights that indicate TLS connection failures. If necessary, disable TLS 1.3 for client-side connections and downgrade to TLS 1.2.
73
73
74
-
> [!WARNING]
75
-
> If your APIs are accessed by TLS-compliant clients that rely on certificate renegotiation, enabling TLS 1.3 for client-side connections will cause those clients to fail to connect.
76
-
77
-
### Optionally disable TLS 1.3
78
-
79
-
If you need to disable TLS 1.3 for client-side connections, you can do so from the **Protocols + ciphers** page:
74
+
If you need to disable TLS 1.3 for client-side connections in these instances, configure settings on the **Protocols + ciphers** page:
80
75
81
76
1. On the **Protocols + ciphers** page, in the **Client protocol** section, next to **TLS 1.3**, select **View and manage configuration**.
82
77
1. Select **Disable**.
83
78
1. Select **Close**.
84
79
80
+
> [!WARNING]
81
+
> If your APIs are accessed by TLS-compliant clients that rely on certificate renegotiation, enabling TLS 1.3 for client-side connections will cause those clients to fail to connect.
82
+
85
83
### Backend-side TLS 1.3
86
84
87
85
Enabling backend-side TLS 1.3 is optional. If you enable it, API Management uses TLS 1.3 for connections to your backend services.
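Review bot: the [!WARNING] about clients that rely on certificate renegotiation now sits after the disable steps ("Select **Disable**", "Select **Close**"), although it warns about enabling TLS 1.3, so a reader following the enable procedure acts before reaching it. Put the warning directly before or after the enable steps instead. Removing the "### Optionally disable TLS 1.3" heading also drops its anchor and leaves the disable steps running straight on from the post-enable monitoring paragraph; a short lead-in already exists ("If you need to disable TLS 1.3 ... in these instances"), but keeping a heading or a clear break would make the rollback path easier to find during an incident.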