You are here

akamai tls 1.3

Submitted by Asif Nowaj, Last Modified on 2019-12-08

Get ready for akamai tls 1.3 support.

Akamai Announcement:

In January 2017 Akamai announced on akamai tls 1.3 that they have funded the OpenSSL Software Foundation to accelerate their plans to support TLS 1.3 in the OpenSSL cryptographic library. This code library is one of the leading libraries used by servers and clients (including Akamai’s networks) to secure SSL/TLS connections on the internet. TLS 1.3 is a significant overhaul of the protocol that secures HTTPS communications, aiming to improve performance (and end-user experience) and close architectural vulnerabilities in previous versions.

akamai tls 1.3
TLS 1.3 Beta

Later in 2017, a beta program for TLS 1.3 had been started for customers with custom certificates (those on the Secure CDN). If web property is secured by a custom certificate, TLS 1.3 needed to be enabled during the beta period. No additional beta paperwork or agreements are necessary to participate.

Controls are there in our Certificate Provisioning System (CPS) to configure the custom certificate for TLS 1.3 beta. Certificates will need to be configured with two specific settings. In the Certificate Provisioning System (CPS) interface in Akamai’s Luna portal, edit the certificate and perform both of these steps:

On the “View and Edit Deployment Settings” screen:

  • Select Enable all TLS versions
  • Select the ak-akamai-default-2017q3 cipher profile, or a newer one.

The new ak-akamai-default-2017q3 cipher profile is the same as the previous-default ak-akamai-default-2016q3 cipher profile, with the addition of TLS 1.3 ciphers. This new profile continues to support all previous TLS versions and can be used to support non-TLS 1.3 clients. See SSL/TLS Cipher Profiles for documentation on the currently available and recommended cipher profiles.

Once the TLS 1.3 beta is turned on network-wide by Akamai’s operations team, secure properties configured as described above will be enabled with TLS 1.3. This new TLS version is still working its way through the IETF standardization process, and as such different crypto libraries, web servers, and browsers have implemented different, non-interoperable draft versions. Akamai and OpenSSL have implemented Draft 21 of the TLS 1.3 specification. Once it is ratified as an RFC, final version will be released. Clients will need to have implemented the same version in order to connect with TLS 1.3. The IETF TLS Working Group maintains a list of TLS 1.3 clients and their implemented versions.

For certificates enabled in this beta, some standard Secure CDN features will be unavailable. If secure properties depend on these, those certificates should not be enabled for the beta:

Client certificates (mutual authentication) for clients connecting to the Akamai edge (client certificates for origin connections will continue to function)
The ability to select TLS 1.2 and 1.3, but deselect TLS 1.0 and 1.1 (necessary for PCI DSS 3.2 compliance), for a specific certificate TLS 1.3 enabled in conjunction with ciphers necessary to support Windows XP TLS interception devices (“middleboxes”) which have not been upgraded to recognize TLS 1.3 connections.

TLS 1.3 General Availability

After the TLS 1.3 specification is approved by the IETF, Akamai plans to make TLS 1.3 generally available (GA) for all web properties on the Akamai Secure CDN. TLS 1.3 will be available as a platform feature, for all customers and delivery products. At that time, you will be able to continue to select “Use Akamai Defaults” and select the “ak-akamai-default-2017q3” cipher profile. After GA, the Akamai default list of TLS protocol versions will include TLS 1.3.

Future functionality

TLS 1.3 will be enabled with the Akamai shared certificate in 2019. Investigation on support for additional TLS 1.3 features such as origin connections and 0-RTT early data are going on.

Important Timeline:
Available Oct 2017: controls in CPS to enable the TLS 1.3 beta.
Late 2017: TLS 1.3 draft-21 beta turned on network-wide.
April 2018: TLS 1.3 draft-23 beta turned on network-wide.
February 2019: TLS 1.3 (RFC 8446) version turned on network-wide.

Future: TLS 1.3 will be generally available (GA). All newly-configured certificates will have TLS 1.3 turned on by default. To enable TLS 1.3 for existing certificates, update the cipher profile to “ak-akamai-default-2017q3” or “ak-akamai-2018q3”.

Discussion or Comment

If you have anything in mind to share, please bring it in the discussion forum here.