This guide describes how to use Fastly TLS to enable TLS 1.3 for a domain using a TLS certificate you provide or one that Fastly provides and manages.
About TLS 1.3
To serve secure, encrypted traffic from Fastly using the Hypertext Transfer Protocol Secure (HTTPS) protocol, a website or application must provide a valid TLS certificate that is digitally signed by a trusted certification authority. Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are the protocols that allow clients to form secure communication connections between web browsers or applications and the servers they request information from.
TLS 1.3, the newest version of the TLS protocol, was designed to improve the performance and security of traffic for HTTPS domains. Specifically, it speeds up encrypted connections by removing an entire round trip from the connection-establishment handshake: a full TLS 1.3 handshake completes in one round trip, compared with two for TLS 1.2. The Zero Round Trip Time (0-RTT) feature can reduce the latency of resumed connections further by letting the client send encrypted application data (early data) together with its initial ClientHello, protected by a key derived from an earlier session. The ClientHello is the first handshake message; among other things it tells the server which protocol versions the client supports (for TLS 1.3, in the supported_versions extension).
In addition, TLS 1.3 allows only cipher suites that offer Perfect Forward Secrecy (PFS) for securing and encrypting traffic: the static RSA and static Diffie-Hellman key exchanges were removed, so a full handshake always uses an ephemeral (EC)DHE exchange and a later compromise of the server's long-term private key does not expose recorded traffic. (Resumed connections and 0-RTT early data are additionally keyed from a pre-shared key established in the earlier connection, so their protection depends on that key as well.) TLS 1.3 also specifically prohibits TLS renegotiation, a process that allowed changing the parameters of a TLS connection after it had already been established with the server. Both restrictions make TLS 1.3 more secure than previous versions of the protocol.
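How a server reads a ClientHello to decide which version it will speak, as an added example (not part of Fastly's documentation or code): a small Python parser that constructs a ClientHello record, extracts the supported_versions extension (RFC 8446 section 4.2.1) and the early_data extension (section 4.2.10) that signals 0-RTT, and applies the selection rule the text describes (TLS 1.3 if the client offers it, otherwise TLS 1.2). The record builder, its placeholder random value and single cipher suite, and the server's supported-version list are assumptions for the demonstration; a real 0-RTT ClientHello also carries a pre_shared_key extension, which is omitted here.

```python
"""Parse a TLS ClientHello and pick the version a server would negotiate.
Added example; not Fastly code. Input is constructed by build_client_hello."""
import struct

TLS12 = 0x0303
TLS13 = 0x0304
EXT_PRE_SHARED_KEY = 41       # present on a real 0-RTT ClientHello (omitted here)
EXT_EARLY_DATA = 42           # empty extension: client is sending 0-RTT data
EXT_SUPPORTED_VERSIONS = 43   # TLS 1.3 clients list versions here, not in legacy_version


def build_client_hello(versions, early_data=False):
    """Construct a handshake record carrying a ClientHello (test input only).
    Random, session id and the single cipher suite are placeholders."""
    body = struct.pack(">H", TLS12)                 # legacy_version is fixed at 0x0303
    body += b"\x11" * 32                            # random (placeholder)
    body += b"\x00"                                 # legacy_session_id: empty
    body += struct.pack(">H", 2) + b"\x13\x01"      # cipher_suites: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                             # legacy_compression_methods: null only
    exts = b""
    if versions:                                    # only TLS 1.3-aware clients send this
        vlist = b"".join(struct.pack(">H", v) for v in versions)
        data = bytes([len(vlist)]) + vlist
        exts += struct.pack(">HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    if early_data:
        exts += struct.pack(">HH", EXT_EARLY_DATA, 0)
    body += struct.pack(">H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # client_hello(1), 24-bit length
    # Record layer: handshake(22); the initial ClientHello may carry 0x0301 here (RFC 8446 s5.1)
    return b"\x16" + struct.pack(">H", 0x0301) + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (legacy_version, supported_versions or None, early_data_offered)."""
    ctype, _rec_ver, rec_len = struct.unpack(">BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    legacy_version = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                        # random
    pos += 1 + body[pos]                             # legacy_session_id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2 + cs_len
    pos += 1 + body[pos]                             # legacy_compression_methods
    supported, early = None, False
    if pos < len(body):
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype == EXT_SUPPORTED_VERSIONS:
                n = edata[0]
                supported = [struct.unpack(">H", edata[1 + i:3 + i])[0] for i in range(0, n, 2)]
            elif etype == EXT_EARLY_DATA:
                early = True
    return legacy_version, supported, early


def select_version(legacy_version, supported, server_versions=(TLS13, TLS12)):
    """Server-side choice (RFC 8446 s4.2.1): if supported_versions is present,
    pick the highest version both sides support and ignore legacy_version;
    otherwise the client predates TLS 1.3 and legacy_version is its maximum.
    server_versions (an assumption) models an edge that speaks 1.3 and 1.2."""
    if supported is not None:
        for v in server_versions:                    # ordered by server preference
            if v in supported:
                return v
        raise ValueError("no common version")
    if legacy_version >= TLS12:
        return TLS12
    raise ValueError("client maximum below TLS 1.2")


def negotiate(record):
    """Convenience wrapper: (selected version, client offered 0-RTT data)."""
    legacy, supported, early = parse_client_hello(record)
    return select_version(legacy, supported), early


if __name__ == "__main__":
    for label, rec in [("TLS 1.3 client with 0-RTT", build_client_hello([TLS13, TLS12], early_data=True)),
                       ("TLS 1.3 client, full handshake", build_client_hello([TLS13, TLS12])),
                       ("TLS 1.2-only client", build_client_hello([]))]:
        version, early = negotiate(rec)
        print(f"{label}: negotiated 0x{version:04x}, early data offered: {early}")
```

The third case is the one the limitations below describe: a client that never sends supported_versions cannot be offered TLS 1.3, and the server falls back to TLS 1.2 from legacy_version.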
When to use the web interface and when to contact Support
You can only enable TLS 1.3 via the web interface if you have purchased or are using:
and your domains have not been configured on Dedicated IP addresses that Fastly maintains and manages for you.
Limitations and key behaviors
Before enabling or requesting this functionality, keep the following in mind:
- TLS 1.3 is negotiated only when the requesting client also offers it. If a request comes from an older client, Fastly's default behavior is to negotiate TLS 1.2 instead.
- Fastly currently only supports 0-RTT between Fastly and requesting clients. We do not support 0-RTT between Fastly and your origin servers.
- By default, Fastly answers only idempotent requests (GET and HEAD requests without query parameters) over 0-RTT. Early data is encrypted under a key from a previous session and can be captured by an attacker and replayed to the server, so limiting 0-RTT to requests without side effects helps protect customer applications from replay attacks.
- Requests that arrived as 0-RTT early data will include an Early-Data: 1 header per RFC 8470 when Fastly forwards them to your origin. This attribute can be queried and logged via VCL using
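What an origin should do with that header, as an added example (not Fastly's code or documentation): RFC 8470 section 5.2 lets a server that is unwilling to process a possibly replayed request answer 425 Too Early, after which the client retries once the handshake has completed. The WSGI middleware below applies that rule as a second layer behind the edge: it refuses early data for anything other than GET and HEAD without query parameters, and also for a list of GET paths that have side effects. The demo application, the path list, and the constructed WSGI environs standing in for forwarded requests are all assumptions for the demonstration.

```python
"""Origin-side 0-RTT replay guard (RFC 8470 s5.2). Added example; not Fastly
code. Constructed WSGI environs stand in for requests forwarded by the edge."""

# Methods safe to answer from replayable early data; mirrors the idempotent set
# described for the edge. The path list is an assumption: GETs that nevertheless
# change state and so must not be served from early data.
SAFE_METHODS = frozenset({"GET", "HEAD"})
REPLAY_SENSITIVE_PATHS = frozenset({"/logout", "/unsubscribe", "/api/v1/redeem"})  # hypothetical


def is_early_data(environ):
    """True when the request reached us as TLS 1.3 early data (Early-Data: 1)."""
    return environ.get("HTTP_EARLY_DATA", "").strip() == "1"


def is_replay_sensitive(environ):
    """Reject early data unless the request is idempotent, has no query
    parameters, and does not hit a path with known side effects."""
    method = environ.get("REQUEST_METHOD", "GET").upper()
    if method not in SAFE_METHODS:
        return True
    if environ.get("QUERY_STRING"):
        return True
    return environ.get("PATH_INFO", "/") in REPLAY_SENSITIVE_PATHS


class EarlyDataGuard:
    """WSGI middleware: answers 425 Too Early so the client resends the request
    after the handshake completes, as RFC 8470 prescribes."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if is_early_data(environ) and is_replay_sensitive(environ):
            body = b"425 Too Early: resend after the TLS handshake completes\n"
            start_response("425 Too Early", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in origin application (assumption)."""
    body = f"ok {environ['REQUEST_METHOD']} {environ.get('PATH_INFO', '/')}\n".encode()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def make_environ(method="GET", path="/", query="", early=None):
    """Build a minimal WSGI environ for a forwarded request (constructed input)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query}
    if early is not None:
        environ["HTTP_EARLY_DATA"] = early          # WSGI form of the Early-Data header
    return environ


def invoke(app, environ):
    """Run a WSGI app once and return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    chunks = app(environ, start_response)
    return captured["status"], b"".join(chunks)


guarded = EarlyDataGuard(demo_app)

if __name__ == "__main__":
    for env in (make_environ("GET", "/"), make_environ("GET", "/", early="1"),
                make_environ("POST", "/api/v1/transfer", early="1"),
                make_environ("GET", "/search", query="q=x", early="1"),
                make_environ("GET", "/logout", early="1")):
        print(env["REQUEST_METHOD"], env["PATH_INFO"], invoke(guarded, env)[0])
```

Because the edge already filters non-idempotent methods, most of what an origin sees with Early-Data: 1 will be GET and HEAD; the path list is where the origin adds value, since only the application knows which GETs have side effects.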
Setting up TLS 1.3 for a new domain
Setting up TLS for a domain requires you to "secure" the domain by obtaining a certificate for it from a certification authority. To start this process through Fastly's web interface (instead of programmatically), follow these steps.
- Log in to the Fastly web interface and click the Secure link. The TLS domains page appears, displaying any domains for which you have TLS either enabled or for which TLS can be enabled. If you've not yet started setting up TLS on any of your domains, this page appears empty.
- Click the Secure another domain button.
- Decide what to do next:
- If you have your own TLS certificates and private keys, click the Use certificates you've provided link and then follow the instructions in the guide to uploading and deploying your own certificates instead of this one.
- If you want Fastly to procure and manage your TLS certificates and keys, continue with the remaining steps that follow.
- From the selection menu that appears, select Use certificates Fastly obtains for you. The Enter subscription details page appears.
- In the Domain field, enter one or more apex domains (e.g., example.com), subdomains (e.g., api.example.com), or a wildcard domain (e.g., *.example.com) and click the Add button. Domains you add appear in the Common name area of the page. If you only have one domain, the common name will be the same as the domain name. If you add more than one domain, they will appear in a menu. By default, the first domain you add will be selected for you. Select another domain from the Common name menu if that's not the one you want.
- From the Select a certification authority controls, choose one of the certification authorities to secure your certificate. Prices vary between certification authorities, sometimes significantly. Be sure to review the details about these differences on our pricing page.
- From the Enable on menu in the Select a TLS configuration area, select the TLS 1.3 configuration to apply. Your selection will specify both the IP addresses that the certificate will be deployed to and the associated TLS settings that will be applied to them.
- Select TLS v1.3+0RTT to apply the latest version of the protocol with 0-RTT.
- Select TLS v1.3 to apply the latest version of the protocol, but without 0-RTT.
- Click Submit. The Subscription details page appears displaying your domains along with detailed steps on how to verify you own them.
Applying TLS 1.3 to an existing domain
To migrate an existing domain to a new TLS 1.3 configuration, follow these steps:
- Log in to the Fastly web interface and click the Secure link. The TLS domains page appears, displaying any domains for which you have TLS either activated or for which TLS can be activated.
- Find the card for the appropriate domain.
- Click the View/Edit Activation button next to the appropriate certificate.
- From the list of configurations that appear, click Activate next to the TLS 1.3 configuration you want to apply. Your selection will specify both the IP addresses that the certificate will be deployed to and the associated TLS settings that will be applied to them.
- Activate TLS v1.3+0RTT to apply the latest version of the protocol with 0-RTT.
- Activate TLS v1.3 to apply the latest version of the protocol, but without 0-RTT.
- Click Done.
- Watch the TLS status area for the certificate. Once the configuration is selected, the status for the domain will change to Deploying. When the TLS status area changes back to Activated, the TLS configuration selected will have been applied to the domain.
- Click the See DNS details button to view information for your domain and use it to update your DNS records with your DNS provider.
- Confirm the new DNS records have propagated across the internet (this can take up to 48 hours) and that clients reach the domain through the new configuration, then delete the old TLS configuration by clicking the trash can icon.