remove tls 1.0 and 1.1

halkazwini · halkazwini · commit 7bf1bfa6899d · 2025-03-17T07:38:02.000-05:00
diff --git a/articles/frontdoor/standard-premium/tls-policy-configure.md b/articles/frontdoor/standard-premium/tls-policy-configure.md
@@ -1,11 +1,11 @@
 ---
-title: Configure Azure Front Door TLS Policy
+title: Configure Azure Front Door TLS Policy (preview)
 description: This article shows you how you can configure TLS policy to meet security requirements for your Front Door custom domains.
 author: halkazwini
 ms.author: halkazwini
 ms.service: azure-frontdoor
 ms.topic: how-to
-ms.date: 03/16/2025
+ms.date: 03/18/2025
 ---
 
 # How to configure TLS policy on a Front Door custom domain onboarded on Front Door
@@ -44,5 +44,6 @@ If you're using Azure to host your [DNS domains](/azure/dns/dns-overview), you m
 
 ## Related content
 
-Learn how to [Add a custom domain on Azure Front Door](how-to-add-custom-domain.md)
-Learn how to [Configure HTTPS for your custom domain on Azure Front Door](how-to-configure-https-custom-domain.md)
+- [Azure Front Door TLS Policy (preview)](tls-policy.md)
+- [Add a custom domain on Azure Front Door](how-to-add-custom-domain.md)
+- [Configure HTTPS for your custom domain on Azure Front Door](how-to-configure-https-custom-domain.md)
diff --git a/articles/frontdoor/standard-premium/tls-policy.md b/articles/frontdoor/standard-premium/tls-policy.md
@@ -1,31 +1,30 @@
 ---
-title: Azure Front Door TLS Policy
+title: Azure Front Door TLS Policy (preview)
 description: Learn how custom TLS policies help you meet security requirements for your Azure Front Door custom domains.
 author: halkazwini
 ms.author: halkazwini
 ms.service: azure-frontdoor
 ms.topic: concept-article
-ms.date: 03/16/2025
+ms.date: 03/18/2025
 ---
 
 # Azure Front Door TLS policy 
 
 Azure Front Door supports [end-to-end TLS encryption](../end-to-end-tls.md). When you add a custom domain to Azure Front Door, HTTPS is required, and you need to define a TLS policy which includes control of the TLS protocol version as well as the cipher suites and the order in which ciphers are used during a TLS handshake. 
 
-Azure Front Door supports four versions of the TLS protocol: TLS versions 1.0, 1.1, 1.2 and 1.3. Although TLS 1.2 introduced client/mutual authentication in RFC 5246, Azure Front Door currently doesn't support client/mutual authentication (mTLS).
+Azure Front Door supports two versions of the TLS protocol: TLS versions 1.2 and 1.3. Although TLS 1.2 introduced client/mutual authentication in RFC 5246, Azure Front Door currently doesn't support client/mutual authentication (mTLS).
 
 Azure Front Door offers two mechanisms for controlling TLS policy. You can use either a predefined policy or a custom policy per your own needs.
 
 - Azure Front Door offers several predefined TLS policies. You can configure your AFD with any of these policies to get the appropriate level of security. These predefined policies are configured keeping in mind the best practices and recommendations from the Microsoft Security team. We recommend that you use the newest TLS policies to ensure the best TLS security.
 - If a TLS policy needs to be configured for your own business and security requirements, you can use a Custom TLS policy. With a custom TLS policy, you have complete control over the minimum TLS protocol version to support, and the supported cipher suites.
 
-For minimum TLS version 1.2, the negotiation will attempt to establish TLS 1.3 and then TLS 1.2, while for minimum TLS version 1.0 all four versions will be attempted. The client must support at least one of the supported ciphers to establish an HTTPS connection with Azure Front Door. Azure Front Door chooses a cipher in the listed order from the client-supported ciphers.
+For minimum TLS version 1.2, the negotiation will attempt to establish TLS 1.3 and then TLS 1.2. The client must support at least one of the supported ciphers to establish an HTTPS connection with Azure Front Door. Azure Front Door chooses a cipher in the listed order from the client-supported ciphers.
 
-When Azure Front Door initiates TLS traffic to the origin, it will attempt to negotiate the best TLS version that the origin can reliably and consistently accept. Supported TLS versions for origin connections are TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3. 
+When Azure Front Door initiates TLS traffic to the origin, it will attempt to negotiate the best TLS version that the origin can reliably and consistently accept. Supported TLS versions for origin connections are TLS 1.2, and TLS 1.3. 
 
 > [!NOTE]
-> - TLS 1.0/1.1 will be deprecated by March 1, 2025. From now on to March 1, 2025, you can't change TLS versions to use TLS 1.0/1.1. Switch to TLS 1.2 before March 1, 2025.
-> - Clients with TLS 1.3 enabled are required to support one of the Microsoft SDL compliant EC Curves, including Secp384r1, Secp256r1, and Secp521, in order to successfully make requests with Azure Front Door using TLS 1.3. It's recommended that clients use one of these curves as their preferred curve during requests to avoid increased TLS handshake latency, which may result from multiple round trips to negotiate the supported EC curve.
+> Clients with TLS 1.3 enabled are required to support one of the Microsoft SDL compliant EC Curves, including Secp384r1, Secp256r1, and Secp521, in order to successfully make requests with Azure Front Door using TLS 1.3. It's recommended that clients use one of these curves as their preferred curve during requests to avoid increased TLS handshake latency, which may result from multiple round trips to negotiate the supported EC curve.
 
 ## Predefined TLS policy
 
@@ -35,29 +34,29 @@ The following table shows the list of cipher suites and minimum protocol version
 
 By default, TLSv1.2_2023 will be selected. TLSv1.2_2022 maps to the minimum TLS 1.2 version in previous design, while TLSv1.1/1.0_2019 maps to minimum TLS 1.0/1.1 in previous design.
 
-| **OpenSSL** | **Cipher** **Suite** | **TLSv1.2_2023** | **TLSv1.2_2022** | **TLSv1.1/1.0_2019 (To deprecate)** |
-|---|---|---|---|---|
-| **Min. Protocol version** | | **1.2** | **1.2** | **1.1/1.0** |
-| **Supported Protocols** | | **1.3/1.2** | **1.3./1.2** | **1.3/1.2/1.1/1.0** |
-| **min TLS1.3** | | | | |
-| **TLS_AES_256_GCM_SHA384** | TLS_AES_256_GCM_SHA384 | Yes | Yes | Yes |
-| **TLS_AES_128_GCM_SHA256** | TLS_AES_128_GCM_SHA256 | Yes | Yes | Yes |
-| **min TLS1.2** | | | | |
-| **ECDHE-RSA-AES256-GCM-SHA384** | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | Yes | Yes | Yes |
-| **ECDHE-RSA-AES128-GCM-SHA256** | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | Yes | Yes | Yes |
-| **AES256-GCM-SHA384** | TLS_RSA_WITH_AES_256_GCM_SHA384 | | Yes | Yes |
-| **AES128-GCM-SHA256** | TLS_RSA_WITH_AES_128_GCM_SHA256 | | Yes | Yes |
-| **AES256-SHA256** | TLS_RSA_WITH_AES_256_CBC_SHA256 | | Yes | Yes |
-| **AES128-SHA256** | TLS_RSA_WITH_AES_128_CBC_SHA256 | | Yes | Yes |
-| **DHE-RSA-AES256-GCM-SHA384** | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | | Yes | Yes |
-| **DHE-RSA-AES128-GCM-SHA256** | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | | Yes | Yes |
-| **ECDHE-RSA-AES256-SHA384** | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | | Yes | Yes |
-| **ECDHE-RSA-AES128-SHA256** | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | | Yes | Yes |
-| **min TLSv1.1/1.0** | | | | |
-| **ECDHE-RSA-AES256-SHA** | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | | | yes |
-| **ECDHE-RSA-AES128-SHA** | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | | | yes |
-| **AES256-SHA** | TLS_RSA_WITH_AES_256_CBC_SHA | | | yes |
-| **AES128-SHA** | TLS_RSA_WITH_AES_128_CBC_SHA | | | yes |
+| **OpenSSL** | **Cipher** **Suite** | **TLSv1.2_2023** | **TLSv1.2_2022** |
+|---|---|---|---|
+| **Min. Protocol version** | | **1.2** | **1.2** |
+| **Supported Protocols** | | **1.3/1.2** | **1.3./1.2** |
+| **min TLS1.3** | | | |
+| **TLS_AES_256_GCM_SHA384** | TLS_AES_256_GCM_SHA384 | Yes | Yes |
+| **TLS_AES_128_GCM_SHA256** | TLS_AES_128_GCM_SHA256 | Yes | Yes |
+| **min TLS1.2** | | | |
+| **ECDHE-RSA-AES256-GCM-SHA384** | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | Yes | Yes |
+| **ECDHE-RSA-AES128-GCM-SHA256** | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | Yes | Yes | 
+| **AES256-GCM-SHA384** | TLS_RSA_WITH_AES_256_GCM_SHA384 | | Yes | 
+| **AES128-GCM-SHA256** | TLS_RSA_WITH_AES_128_GCM_SHA256 | | Yes | 
+| **AES256-SHA256** | TLS_RSA_WITH_AES_256_CBC_SHA256 | | Yes | 
+| **AES128-SHA256** | TLS_RSA_WITH_AES_128_CBC_SHA256 | | Yes | 
+| **DHE-RSA-AES256-GCM-SHA384** | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | | Yes | 
+| **DHE-RSA-AES128-GCM-SHA256** | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | | Yes | 
+| **ECDHE-RSA-AES256-SHA384** | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | | Yes | 
+| **ECDHE-RSA-AES128-SHA256** | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | | Yes | 
+| **min TLSv1.1/1.0** | | | | 
+| **ECDHE-RSA-AES256-SHA** | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | | | 
+| **ECDHE-RSA-AES128-SHA** | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | | | 
+| **AES256-SHA** | TLS_RSA_WITH_AES_256_CBC_SHA | | | 
+| **AES128-SHA** | TLS_RSA_WITH_AES_128_CBC_SHA | | | 
 
 ## Custom TLS policy
 
@@ -94,6 +93,3 @@ Azure Front Door supports the following cipher suites from which you can choose
 
 > [!div class="nextstepaction"]
 > [Configure TLS policy on Front Door](tls-policy-configure.md).
-
-
-
