Enabling TLS 1.3 through Fastly

      Last updated June 29, 2020

    This guide describes how to use Fastly TLS to enable TLS 1.3 for a domain using a TLS certificate you provide or one that Fastly provides and manages.

    About TLS 1.3

    To serve secure, encrypted traffic from Fastly using the Hypertext Transfer Protocol Secure (HTTPS) protocol, a website or application must provide a valid TLS certificate that is digitally signed by a trusted certification authority. Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are the protocols that allow clients to form secure communication connections between web browsers or applications and the servers they request information from.

    TLS 1.3, the newest version of the TLS protocol, was designed to improve the performance and security of traffic for HTTPS domains. Specifically, this version of the protocol was designed to help speed up encrypted connections to servers by eliminating an entire round trip from its connection establishment handshake. The Zero Round Trip Time (0-RTT) feature can reduce the latency of resumed connections by encrypting requests in the initial ClientHello, a step in the client handshake process that specifies the maximum protocol version the client wishes to support.

    In addition, TLS 1.3 allows only cipher suites that offer Perfect Forward Secrecy (PFS) for securing and encrypting traffic. TLS 1.3 also specifically prohibits TLS renegotiation, a process that allows changing the details of a TLS handshake after a connection has already been established with the server. Both restrictions make TLS 1.3 more secure than previous versions of the protocol.

    When to use the web interface and when to contact Support

    You can only enable TLS 1.3 via the web interface if you have purchased or are using:

    and your domains have not been configured on Dedicated IP addresses that Fastly maintains and manages for you.

    If you have purchased or are using:

    you must contact support@fastly.com and have them enable TLS 1.3 for you.

    Limitations and key behaviors

    Before enabling or requesting this functionality, keep the following in mind:

    Setting up TLS 1.3 for a new domain

    To set up TLS 1.3 for a new HTTPS domain that hasn't yet been added to the Fastly web interface, follow these steps.

    1. Log in to the Fastly web interface and click the Configure link.
    2. Click the HTTPS and network tab. The TLS domains page appears, displaying any domains for which you have TLS either enabled or for which TLS can be enabled. If you've not yet started setting up TLS on any of your domains, this page appears empty.
    3. Click the Secure another domain button. The Enter domain window appears.
    4. Decide what to do next:
      • If you have your own TLS certificates and private keys, click the I want to bring my own certificate and private key link and then follow the instructions in the guide to uploading and deploying your own certificates instead of this one.
      • If you want Fastly to procure and manage your TLS certificates and keys, continue with the remaining steps that follow.
    5. In the Domain name field, enter an apex domain (e.g., example.com), a subdomain (e.g., www.example.com or api.example.com), or a wildcard domain (e.g., *.example.com).
    6. From the Select a TLS configuration menu, select the TLS 1.3 configuration to apply. Your selection will specify both the IP addresses that the certificate will be deployed to and the associated TLS settings that will be applied to them.
      • Select TLS v1.3+0RTT to apply the latest version of the protocol with 0-RTT.
      • Select TLS v1.3 to apply the latest version of the protocol, but without 0-RTT.
    7. Click the Continue button. The TLS domains page appears with a series of cards displayed, each listing a single domain, including the domain you just added along with any other domains and their current TLS and certificate statuses.
    8. Review the DNS details information for your domain and use it to verify your domain ownership by following the steps detailed in our guide to serving HTTPS traffic using Fastly-managed certificates. Those instructions describe two different ways you can verify you control any domain you've added to the Fastly web interface. The instructions also describe each of the TLS statuses that will appear in the web interface as your domain goes through the verification process.
    9. Review the DNS details information for your domain and use it to update your DNS records with your DNS provider.

    Applying TLS 1.3 to an existing domain

    To override the default TLS configuration applied to an existing domain or to migrate an existing domain to a new TLS configuration, follow these steps.

    1. Log in to the Fastly web interface and click the Configure link.
    2. Click the HTTPS and network tab. The TLS domains page appears, displaying any domains for which you have TLS either enabled or for which TLS can be enabled.
    3. Find the card for the appropriate domain.
    4. Click the More details link on the card. The DNS details for that domain appear.
    5. Click the Add TLS configuration menu at the bottom of the DNS details area.
    6. From the options that appear, select the TLS 1.3 configuration to apply. Your selection will specify both the IP addresses that the certificate will be deployed to and the associated TLS settings that will be applied to them.
      • Select TLS v1.3+0RTT to apply the latest version of the protocol with 0-RTT.
      • Select TLS v1.3 to apply the latest version of the protocol, but without 0-RTT.
    7. Watch the TLS Status area of the domain's card. Once the configuration is selected, the status for the domain will change from Enabled to Enabled-Certificate issued deploying across Fastly's Global Network. After a few minutes, the status will then change back to Enabled. When the TLS Status field changes back to Enabled, the TLS configuration selected will have been applied to the domain.
    8. Review the DNS details information for your domain and use it to update your DNS records with your DNS provider.
    9. Confirm the new DNS records have propagated across the internet (this can take up to 48 hours), then delete the old TLS configuration by clicking the trash can icon.
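    To confirm that a domain really negotiates TLS 1.3 once either procedure above (new domain or migrated domain) has finished deploying, here is an added Python check; it is not part of Fastly's documentation or tooling, uses only the standard library, and the default hostname is a placeholder you replace with your own domain. It exercises a full TLS 1.3 handshake and certificate verification, but does not test 0-RTT early data.

```python
# Added example (not Fastly's code): confirm that a domain negotiates TLS 1.3
# after the TLS configuration has been applied. Standard library only.
import socket
import ssl


def tls13_only_context() -> ssl.SSLContext:
    """Client context that refuses to negotiate anything but TLS 1.3."""
    ctx = ssl.create_default_context()  # verifies the server certificate chain
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def describe_handshake(version, cipher_name):
    """Classify a negotiated (protocol version, cipher) pair; pure, testable offline."""
    if version != "TLSv1.3":
        return "downgraded: server negotiated " + str(version)
    # Every TLS 1.3 suite is AEAD with (EC)DHE key exchange, so it is forward secret.
    return "ok: TLS 1.3 with " + cipher_name


def check_tls13(host, port=443, timeout=5.0):
    """Open a TLS 1.3-only connection to host and report what was negotiated.

    Returns (ok, detail). A handshake failure usually means the domain is still
    on an older TLS configuration or the new one has not finished deploying.
    """
    ctx = tls13_only_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cipher_name, _proto, _bits = tls.cipher()
                detail = describe_handshake(tls.version(), cipher_name)
                return detail.startswith("ok"), detail
    except ssl.SSLError as exc:
        return False, "handshake failed (TLS 1.3 not offered?): " + str(exc)
    except OSError as exc:
        return False, "connection failed: " + str(exc)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"  # placeholder host
    ok, detail = check_tls13(target)
    print(("PASS " if ok else "FAIL ") + target + ": " + detail)
    sys.exit(0 if ok else 1)
```

    A failure while the domain's card still shows the deploying status is expected; re-run the check once the TLS Status returns to Enabled.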