Enabling TLS 1.3 through Fastly

IMPORTANT

TLS 1.3 is now the default TLS version. You only need to follow the instructions in this guide if you created your account on or before June 29, 2020.

This guide describes how to use Fastly TLS to enable TLS 1.3 for a domain using a TLS certificate you provide or one that Fastly provides and manages.

About TLS 1.3

To serve secure, encrypted traffic from Fastly using the Hypertext Transfer Protocol Secure (HTTPS) protocol, a website or application must provide a valid TLS certificate that is digitally signed by a trusted certification authority. Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are the protocols that allow clients to form secure communication connections between web browsers or applications and the servers they request information from.

TLS 1.3, the newest version of the TLS protocol, was designed to improve the performance and security of traffic for HTTPS domains. Specifically, this version of the protocol was designed to help speed up encrypted connections to servers by eliminating an entire round trip from its connection establishment handshake. The Zero Round Trip Time (0-RTT) feature can reduce the latency of resumed connections by encrypting requests in the initial ClientHello, a step in the client handshake process that specifies the maximum protocol version the client wishes to support.

In addition, TLS 1.3 allows only cipher suites that offer Perfect Forward Secrecy (PFS) for securing and encrypting traffic. TLS 1.3 also specifically prohibits TLS renegotiation, a process that allows changing the details of a TLS handshake after a connection has already been established with the server. Both restrictions make TLS 1.3 more secure than previous versions of the protocol.

When to use the web interface and when to contact Support

You can only enable TLS 1.3 via the web interface if you have purchased or are using:

and your domains have not been configured on Dedicated IP addresses that Fastly maintains and manages for you.

If you have purchased or are using Platform TLS or Dedicated IP addresses, or you have custom domain mapping in place, you must contact support and have them enable TLS 1.3 for you.

Limitations and key behaviors

Before enabling or requesting this functionality, keep the following in mind:

  • Negotiation of the TLS protocol will only happen if the requesting client also supports TLS 1.3. If a request comes from an older client, Fastly’s default behavior is to downgrade to TLS 1.2.
  • Fastly currently only supports 0-RTT between Fastly and requesting clients. We do not support 0-RTT between Fastly and your origin servers.
  • By default, Fastly only answers idempotent requests (GET and HEAD requests without query parameters) over 0-RTT. This helps protect customer applications from replay attacks.
  • Requests issued with 0-RTT will include an Early-Data:1 header per RFC 8470. This attribute can be queried and logged via VCL using req.http.early-data.

Setting up TLS 1.3 for a new domain

Setting up TLS for a domain requires you to secure the domain by registering it with a certification authority. To start this process through Fastly’s web interface (instead of programmatically) follow these steps.

  1. Log in to the Fastly web interface and click the Secure link. The Secure page appears displaying an overview of Fastly's security offerings.
  2. Click Manage certificates. If you've not yet started setting up TLS on any of your domains, this page appears empty.
  3. Click Secure another domain.

  4. Decide what to do next:

    • If you have your own TLS certificates and private keys, click Use certificates you've provided and then follow the instructions in the guide to uploading and deploying your own certificates instead of this one.
    • If you want Fastly to procure and manage your TLS certificates and keys, continue with the remaining steps that follow.
  5. From the selection menu that appears, select Use certificates Fastly obtains for you.

  6. In the Domain field, enter one or more apex domains (e.g., example.com), subdomains (e.g., www.example.com or api.example.com), or a wildcard domain (e.g., *.example.com) and click Add. Domains you add appear in the Common name area of the page.

    the Enter subscription details that appears by default when you attempt to secure multiple other domains

    If you only have one domain, the common name will be the same as the domain name. If you add more than one domain, they will appear in a menu. By default, the first domain you add will be selected for you. Select another domain from the Common name menu if that's not the one you want.

  7. From the Select a certification authority controls, choose one of the certification authorities to secure your certificate. Prices vary between certification authorities, sometimes significantly. Be sure to review the details about these differences on our pricing page.

  8. If you previously enabled TLS in your Fastly account, use the Select a TLS configuration menu to select a TLS 1.3 configuration to apply. Your selection will specify both the IP addresses that the certificate will be deployed to and the associated TLS settings that will be applied to them.

    • Select HTTP/3 & TLS v1.3 to apply the latest version of the protocol, but without 0-RTT.
    • Select HTTP/3 & TLS v1.3 + 0RTT to apply the latest version of the protocol with 0-RTT.

    However, if you are enabling TLS in your Fastly account for the first time on or after March 29, 2022, this menu will not appear. Your TLS configuration will use HTTP/3 & TLS v1.3 + 0RTT by default.

  9. Click Submit. The Subscription details page appears displaying your domains along with detailed steps on how to verify you own them.

  10. Click View details to view information for your domain and use it to update your DNS records with your DNS provider.

Applying TLS 1.3 to an existing domain

To migrate an existing domain to a new TLS 1.3 configuration, follow these steps:

  1. Log in to the Fastly web interface and click the Secure link. The Secure page appears displaying an overview of Fastly's security offerings.
  2. Click Manage certificates.
  3. Find the card for the appropriate domain.
  4. Click View/Edit Activation next to the appropriate certificate.
  5. From the list of configurations that appear, click Activate next to the TLS 1.3 configuration you want to apply. Your selection will specify both the IP addresses that the certificate will be deployed to and the associated TLS settings that will be applied to them.
    • Activate HTTP/3 & TLS v1.3 to apply the latest version of the protocol, but without 0-RTT
    • Activate HTTP/3 & TLS v1.3 + 0RTT to apply the latest version of the protocol with 0-RTT.
  6. Click Done.
  7. Watch the TLS status area for the certificate. Once the configuration is selected, the status for the domain will change to Deploying. When the TLS status area changes back to Activated, the TLS configuration selected will have been applied to the domain.
  8. Click View details to view information for your domain and use it to update your DNS records with your DNS provider.
  9. Confirm the new DNS records have propagated across the internet (this can take up to 48 hours), then delete the old TLS configuration by clicking the trash icon.
Was this guide helpful?

Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.