TLS Configuration

WARNING: This information is part of a limited availability release. Portions of this API may be subject to changes and improvements over time. Fields marked deprecated may be removed in the future and their use is discouraged. For more information, see our product and feature lifecycle descriptions.

TLS Configurations are the representation of your access to a set of IP pools. Customers with access to multiple sets of IP pools are able to apply different configuration options to their TLS enabled domains.

You may also view your TLS configurations in the UI.

Notes and Limitations

  • IPv4 only and Dual-stack controls only work if IPv6 prefixes are present.
  • Cipher suites on TLS 1.3 are not configurable, by design.
  • Support for multiple accounts accessing BYOIP configuration:
    • Fastly has configured access to the new functionality for a primary customer account. If access is needed for other customer owned accounts, advise Fastly Support of the appropriate customerID and we will enable access to the API.
    • Once other customerIDs are added, IP configurations can be created in the BYOIP space by any of the customers in the set of customerIDs associated with the BYOIP address space or vipspace. When a customerID creates a configuration, they take ownership of the object and only that customerID can further edit the configuration.
  • Responses currently include an attribute titled ‘bulk’. This refers to our bulk TLS API and can be ignored for SPP purposes.

Advanced Configuration: Setting Default Certificates

IMPORTANT: Managing default certificates is an advanced option of the SPP product. Contact Fastly Support to have this option enabled.

Fastly serves a default certificate any time a TLS client does not provide Server Name Indication (SNI) information in the TLS handshake. Fastly also serves the default certificate any time SNI information is present, but no match is found for the domain provided in the TLS client hello extension information we receive.

Using self-managed certificates only, you can indicate a default ECDSA and RSA certificate. When no SNI match is found, Fastly will first check if the client supports ECDSA. If it does, we will send the fallback ECDSA certificate. If there is no SNI match and the client does not support ECDSA, we send the RSA fallback certificate.
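A practitioner's check for the fallback behaviour described above. This is an added example that uses only the Python standard library; it is not code from this page or from Fastly, and the host and domain values are placeholders. Omitting server_hostname sends no SNI extension, which should return the default certificate; pinning TLS 1.2 and offering only ECDHE-RSA suites forces the RSA fallback, because a TLS 1.2 cipher suite names the authentication algorithm. cert_covers decides whether the certificate actually names the domain, so you can tell a genuine match from a fallback.

```python
"""Probe which certificate an endpoint serves with and without SNI, and whether
an RSA fallback exists. Added example using only the standard library; it is
not Fastly's code. HOST and DOMAIN below are placeholders you replace."""
import socket
import ssl
from typing import Optional


def _label_match(pattern: str, name: str) -> bool:
    """RFC 6125-style dNSName match: exact, or a single '*.' left-most label."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        p_labels, n_labels = pattern.split("."), name.split(".")
        return len(p_labels) == len(n_labels) and p_labels[1:] == n_labels[1:]
    return False


def cert_covers(cert: dict, domain: str) -> bool:
    """True when a cert dict (the shape SSLSocket.getpeercert() returns) names
    `domain` in a dNSName SAN. The CN is ignored, as modern clients do."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_label_match(p, domain) for p in sans)


def fetch_cert(host: str, sni: Optional[str], rsa_only: bool = False,
               port: int = 443) -> dict:
    """Connect and return the leaf certificate the server presented.

    sni=None omits the server_name extension entirely, which is what triggers
    the default certificate. rsa_only=True pins TLS 1.2 and offers only
    ECDHE-RSA suites, so the server must answer with its RSA certificate (the
    RSA fallback when there is no SNI match). The chain is still verified
    against the system trust store; only the hostname check is disabled."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    if rsa_only:
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        ctx.set_ciphers("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384")
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()


def classify(cert: dict, domain: str) -> str:
    """Human-readable verdict for one probe result."""
    return ("matched %s" % domain) if cert_covers(cert, domain) else "default/fallback cert"


if __name__ == "__main__":
    HOST, DOMAIN = "203.0.113.10", "www.example.com"   # placeholders, not real targets
    for sni, rsa_only in ((DOMAIN, False), (None, False), (None, True)):
        cert = fetch_cert(HOST, sni, rsa_only)
        names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
        print("sni=%r rsa_only=%s -> %s %s" % (sni, rsa_only, classify(cert, DOMAIN), names))
```

Point it at the IP address assigned to the configuration rather than a hostname, so the no-SNI path is what you are actually exercising. If the default certificate's chain does not validate against the local trust store the handshake raises; for diagnosis you can set verify_mode to CERT_NONE, but then getpeercert() returns an empty dict unless you ask for binary_form=True and decode the DER yourself.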

Advanced Configuration: Specifying an IP Address To Be Assigned

IMPORTANT: Specifying an IP address to be assigned is an advanced option of the SPP product. Contact Fastly Support to have this option enabled.

This feature allows customers to specify the IP address to be assigned to a Fastly TLS configuration when being created.

When creating a new TLS configuration, customers can request assignment of a valid IPv4 address from their prefix ranges, a feature useful for existing address assignment plans. If present, IPv6 addresses will continue to be derived automatically.

The one new attribute listed below is the configurable DNS records relationship; all other listed attributes are already available in the SPP API product. When making POST requests, submit the DNS records relationship as an array containing exactly one IPv4 address. DNS records can also be retrieved for a TLS configuration with a GET request that includes DNS records; the response may then contain an array of more than one IPv4 address.

Advanced Configuration: Cipher Suites

IMPORTANT: Managing cipher suites is an advanced option of the SPP product. Contact Fastly Support to have this option enabled.

Fastly’s cipher suite support enables customers to identify the preferred set of encryption and key-exchange algorithms to be applied in a specific order on the Fastly servers, when a client makes a request for content. Fastly defines cipher suites for the TLS protocols outlined below.

Negotiation and Selection: Server Preference

Fastly's TLS terminator (and QUIC terminator) use what is described as "server preference" when selecting a cipher suite during connection setup: the client presents the ordered list of cipher suites it supports, and the server selects the first suite in its own ordered list that appears anywhere in the client's list. The one exception is ChaCha20-Poly1305; see the notes under Valid Cipher Suites, TLS-1.2 below.

Valid Cipher Suites, TLS-1.3

Any TLS configuration with TLS protocol 1.3 or 1.3+0RTT will come with the following cipher suites, in this exact order:

  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_GCM_SHA256

Notes:

  • The attribute is named tls_1_3_cipher_suite_profile and will not be configurable initially.
  • Cipher suites for TLS 1.3 or 1.3+0RTT are not editable as of October 2021 and any values received will be ignored.
  • Once the attribute becomes editable, the order in which the cipher suites are specified will matter and will indicate the server's preference (see Negotiation and Selection above; note that the ChaCha20-Poly1305 exception does not apply to TLS-1.3).
  • The cipher suites are known by their IANA standard names.
  • Future changes to the technically valid and Fastly-supported cipher suites are possible.
  • The same cipher suites are used today for QUIC termination.

Valid Cipher Suites, TLS-1.2 (and older)

Any TLS configuration that includes TLS 1.2 is eligible for the following cipher suites:

  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-CHACHA20-POLY1305
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-RSA-AES128-SHA
  • ECDHE-RSA-AES256-SHA
  • AES256-GCM-SHA384
  • AES128-GCM-SHA256
  • AES256-SHA256
  • AES128-SHA256
  • AES256-SHA
  • AES128-SHA

Any legacy TLS configuration (using a base protocol of 1.0) can also use the DES-CBC3-SHA cipher suite; it is not accepted when the lowest protocol is 1.2. 3DES is a 64-bit block cipher, so include it only for clients that cannot negotiate anything else, and place it last in the profile.

When no value is provided for tls_1_2_cipher_suite_profile, this value will default to one of two options, based on the given tls_protocols:

  • When the lowest TLS protocol is “1.0”, tls_1_2_cipher_suite_profile will consist of:
    • ECDHE-RSA-AES128-GCM-SHA256
    • ECDHE-RSA-AES256-GCM-SHA384
    • ECDHE-RSA-AES128-SHA256
    • ECDHE-RSA-AES256-SHA384
    • ECDHE-RSA-AES128-SHA
    • ECDHE-RSA-AES256-SHA
    • AES128-GCM-SHA256
    • AES128-SHA
    • AES256-SHA
  • When the lowest TLS protocol is “1.2”, tls_1_2_cipher_suite_profile will consist of:
    • ECDHE-RSA-AES128-GCM-SHA256
    • ECDHE-RSA-AES256-GCM-SHA384
    • ECDHE-RSA-CHACHA20-POLY1305

Notes:

  • The attribute is named tls_1_2_cipher_suite_profile.
  • Not only does this cover the cipher suites for TLS-1.2, but also TLS-1.0 and TLS-1.1. All are configured with this single attribute.
  • The order in which cipher suites are configured is important and indicates the server's preference.
  • Here is the exception to server preference: if ECDHE-RSA-CHACHA20-POLY1305 is included anywhere in the profile, the terminator's behavior changes. Any client that presents that suite as the first option in its own list is given it, regardless of where it sits in the server's profile. This lets clients without AES hardware acceleration, which typically lead with ChaCha20, get their preferred suite while AES-capable clients still follow the server's order.
  • The cipher suites are known by their OpenSSL names.
  • Future changes to the technically valid and Fastly-supported cipher suites are possible.
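The selection rules from Negotiation and Selection above, together with the ChaCha20-Poly1305 exception in these notes, modelled as small functions. This is an added example, not Fastly's terminator code; the client offers are constructed to show the two paths.

```python
"""Model of the cipher-suite negotiation this page describes: server preference,
plus the ECDHE-RSA-CHACHA20-POLY1305 exception for TLS 1.0-1.2. Added example,
not Fastly's terminator code; the client offers below are constructed."""
from typing import Optional, Sequence

CHACHA_TLS12 = "ECDHE-RSA-CHACHA20-POLY1305"

# Fixed, non-configurable TLS 1.3 profile from the page, in server-preference order.
TLS13_PROFILE = (
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
)

# Default tls_1_2_cipher_suite_profile when the lowest protocol is "1.2".
DEFAULT_TLS12_PROFILE = (
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    CHACHA_TLS12,
)


def server_preference(server_profile: Sequence[str],
                      client_offer: Sequence[str]) -> Optional[str]:
    """Plain server preference: the first suite in the server's ordered list
    that the client offers anywhere. None means no overlap (handshake fails)."""
    offered = set(client_offer)
    for suite in server_profile:
        if suite in offered:
            return suite
    return None


def select_tls12(server_profile: Sequence[str],
                 client_offer: Sequence[str]) -> Optional[str]:
    """TLS 1.0-1.2 selection. Exception: when the server profile contains
    ECDHE-RSA-CHACHA20-POLY1305 and the client lists it FIRST, it wins even if
    the server ranks it below the AES-GCM suites."""
    if client_offer and client_offer[0] == CHACHA_TLS12 and CHACHA_TLS12 in server_profile:
        return CHACHA_TLS12
    return server_preference(server_profile, client_offer)


def select_tls13(client_offer: Sequence[str]) -> Optional[str]:
    """TLS 1.3 selection: fixed profile, strict server preference, no exception."""
    return server_preference(TLS13_PROFILE, client_offer)


if __name__ == "__main__":
    # Constructed offers: a client without AES acceleration leads with ChaCha20,
    # a desktop client leads with AES-256-GCM.
    mobile = [CHACHA_TLS12, "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"]
    desktop = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256", CHACHA_TLS12]
    print(select_tls12(DEFAULT_TLS12_PROFILE, mobile))    # ECDHE-RSA-CHACHA20-POLY1305
    print(select_tls12(DEFAULT_TLS12_PROFILE, desktop))   # ECDHE-RSA-AES128-GCM-SHA256
    print(select_tls13(["TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_256_GCM_SHA384"]))  # TLS_AES_256_GCM_SHA384
```

Note the desktop case: the client ranks AES-256-GCM first, but the server's profile lists AES-128-GCM first, and server preference wins. Only a ChaCha20-first client overrides the server's order, and only when ChaCha20 is in the profile at all; removing it from the profile disables the exception entirely.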


Data model

http_protocols (array): HTTP protocols available on your configuration. At least one protocol is required: http/1.1 is always supported and must be in the array; http/2 and http/3 are optional.
name (string): A custom name for your TLS configuration. Optional; a value is assigned if none is provided.
tls_1_2_cipher_suite_profile (array): An ordered collection of OpenSSL-formatted cipher suite names used for the TLS-1.0, TLS-1.1 and TLS-1.2 protocol versions. Note: setting this field is an advanced feature that requires enablement by Fastly Support.
tls_protocols (array): TLS protocols available on your configuration. The supported combinations are ["1.0", "1.1", "1.2"], ["1.0", "1.1", "1.2", "1.3"], ["1.0", "1.1", "1.2", "1.3+0RTT"], ["1.2"], ["1.2", "1.3"] and ["1.2", "1.3+0RTT"].
vipspace (string): A Fastly-assigned name representing a set of network prefixes that are available for operations like acquiring TLS configurations. Required; must be customer_assigned_vipspace.

TLS configuration request object (create)

All of the attributes to create a TLS configuration.

http_protocols (array): HTTP protocols available on your configuration. At least one protocol is required: http/1.1 is always supported and must be in the array; http/2 and http/3 are optional.
name (string): A custom name for your TLS configuration. Optional; a value is assigned if none is provided.
relationships.default_certificate.id (string): Alphanumeric string identifying the default TLS certificate.
relationships.default_ecdsa_certificate.id (string): Alphanumeric string identifying the default ECDSA TLS certificate.
relationships.dns_records.id (string): The IPv4 address that will be used for your TLS configuration. Note: setting this field is an advanced feature that requires enablement by Fastly Support.
tls_1_2_cipher_suite_profile (array): An ordered collection of OpenSSL-formatted cipher suite names used for the TLS-1.0, TLS-1.1 and TLS-1.2 protocol versions. Note: setting this field is an advanced feature that requires enablement by Fastly Support.
tls_protocols (array): TLS protocols available on your configuration. The supported combinations are ["1.0", "1.1", "1.2"], ["1.0", "1.1", "1.2", "1.3"], ["1.0", "1.1", "1.2", "1.3+0RTT"], ["1.2"], ["1.2", "1.3"] and ["1.2", "1.3+0RTT"].
type (string): Resource type. Default: tls_configuration.
vipspace (string): A Fastly-assigned name representing a set of network prefixes that are available for operations like acquiring TLS configurations. Required; must be customer_assigned_vipspace.
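A helper that assembles a create body from these attributes and checks it against the constraints stated on this page before it is sent, including the default cipher profile the API applies when tls_1_2_cipher_suite_profile is omitted. This is an added example, not a Fastly SDK. The JSON:API envelope ({"data": {"type", "attributes", "relationships"}}) and the relationship resource types "dns_record" and "tls_certificate" are assumptions; the permitted protocol sets, cipher names and vipspace value are the ones listed on this page.

```python
"""Build and sanity-check a create request for this API before sending it.
Added example, not Fastly's SDK. Assumptions: the JSON:API envelope and the
relationship types "dns_record" / "tls_certificate". Allowed values come from
the page: protocol sets, cipher suite names, vipspace."""
import ipaddress
import json
from typing import List, Optional, Sequence

SUPPORTED_TLS_PROTOCOL_SETS = {
    ("1.0", "1.1", "1.2"), ("1.0", "1.1", "1.2", "1.3"), ("1.0", "1.1", "1.2", "1.3+0RTT"),
    ("1.2",), ("1.2", "1.3"), ("1.2", "1.3+0RTT"),
}
HTTP_PROTOCOLS = {"http/1.1", "http/2", "http/3"}
VALID_TLS12_SUITES = {
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA", "AES256-GCM-SHA384", "AES128-GCM-SHA256",
    "AES256-SHA256", "AES128-SHA256", "AES256-SHA", "AES128-SHA",
}
LEGACY_ONLY_SUITES = {"DES-CBC3-SHA"}          # accepted only when the base protocol is 1.0
DEFAULT_PROFILE_BASE_10 = [
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
    "AES128-GCM-SHA256", "AES128-SHA", "AES256-SHA",
]
DEFAULT_PROFILE_BASE_12 = [
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-CHACHA20-POLY1305",
]


def default_tls12_profile(tls_protocols: Sequence[str]) -> List[str]:
    """The profile the API applies when tls_1_2_cipher_suite_profile is omitted."""
    return list(DEFAULT_PROFILE_BASE_10 if "1.0" in tls_protocols else DEFAULT_PROFILE_BASE_12)


def build_create_request(name: str, tls_protocols: Sequence[str],
                         http_protocols: Sequence[str] = ("http/1.1", "http/2"),
                         cipher_profile: Optional[Sequence[str]] = None,
                         ipv4: Optional[str] = None,
                         default_cert_id: Optional[str] = None,
                         default_ecdsa_cert_id: Optional[str] = None) -> dict:
    """Assemble the POST body; advanced (Support-enabled) fields are emitted only when given."""
    attrs = {"name": name, "tls_protocols": list(tls_protocols),
             "http_protocols": list(http_protocols), "vipspace": "customer_assigned_vipspace"}
    if cipher_profile is not None:
        attrs["tls_1_2_cipher_suite_profile"] = list(cipher_profile)
    rels = {}
    if ipv4:                      # page: an array of exactly one IPv4 address on create
        rels["dns_records"] = {"data": [{"type": "dns_record", "id": ipv4}]}
    for key, cert_id in (("default_certificate", default_cert_id),
                         ("default_ecdsa_certificate", default_ecdsa_cert_id)):
        if cert_id:
            rels[key] = {"data": {"type": "tls_certificate", "id": cert_id}}
    data = {"type": "tls_configuration", "attributes": attrs}
    if rels:
        data["relationships"] = rels
    return {"data": data}


def validate_request(body: dict) -> List[str]:
    """Check a request body against the rules on this page; [] means nothing found."""
    data = body.get("data", {})
    attrs, rels = data.get("attributes", {}), data.get("relationships", {})
    problems: List[str] = []
    http = attrs.get("http_protocols", [])
    if "http/1.1" not in http:
        problems.append("http_protocols must include http/1.1")
    problems += ["unknown http protocol %r" % p for p in http if p not in HTTP_PROTOCOLS]
    tls = tuple(attrs.get("tls_protocols", []))
    if tls not in SUPPORTED_TLS_PROTOCOL_SETS:
        problems.append("tls_protocols %r is not a supported set" % (list(tls),))
    if attrs.get("vipspace") != "customer_assigned_vipspace":
        problems.append("vipspace must be customer_assigned_vipspace")
    profile = attrs.get("tls_1_2_cipher_suite_profile")
    if profile is not None:
        allowed = VALID_TLS12_SUITES | (LEGACY_ONLY_SUITES if "1.0" in tls else set())
        problems += ["cipher suite %r is not valid for tls_protocols %r" % (s, list(tls))
                     for s in profile if s not in allowed]
        if len(set(profile)) != len(profile):
            problems.append("tls_1_2_cipher_suite_profile contains duplicates")
    if "tls_1_3_cipher_suite_profile" in attrs:
        problems.append("tls_1_3_cipher_suite_profile is read-only; the API ignores it")
    dns = rels.get("dns_records", {}).get("data")
    if dns is not None:
        if len(dns) != 1:
            problems.append("dns_records must be an array of exactly one IPv4 address on create")
        for rec in dns:
            try:
                ipaddress.IPv4Address(rec.get("id"))
            except (ValueError, TypeError):
                problems.append("dns_records entry %r is not an IPv4 address" % (rec.get("id"),))
    return problems


if __name__ == "__main__":
    body = build_create_request("edge-ipv4-a", ("1.2", "1.3"),
                                cipher_profile=default_tls12_profile(("1.2", "1.3")),
                                ipv4="192.0.2.10")            # constructed values
    print(json.dumps(body, indent=2))
    print("problems:", validate_request(body))
```

Run validate_request before every POST /tls/configurations and PATCH; the API-side checks are the authority, but catching a 3DES suite on a 1.2-only configuration, a missing http/1.1, or a stray tls_1_3_cipher_suite_profile locally saves a round trip and a confusing error. Any validation failure the API reports that this helper did not catch is a rule worth adding here.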

TLS configuration response object

All of the attributes for retrieving a TLS configuration.

bulk (boolean): Signifies whether the configuration is used for Platform TLS or not. For this product the value is always assumed to be "false", signifying you have full access to the main set of APIs for custom TLS certificates and TLS subscriptions, as well as the TLS management UI. Read-only.
created_at (string): Date and time in ISO 8601 format. Read-only.
default (boolean): Signifies whether or not Fastly will use this configuration as a default when creating a new TLS activation. Read-only.
http_protocols (array): HTTP protocols available on your configuration. At least one protocol is required: http/1.1 is always supported and must be in the array; http/2 and http/3 are optional.
id (string): Alphanumeric string identifying a TLS configuration.
name (string): A custom name for your TLS configuration. Optional; a value is assigned if none is provided.
relationships.default_certificate.id (string): Alphanumeric string identifying the default TLS certificate.
relationships.default_ecdsa_certificate.id (string): Alphanumeric string identifying the default ECDSA TLS certificate.
relationships.dns_records.id (string): The IP address or hostname of the DNS record.
relationships.service.id (string): Alphanumeric string identifying the service.
tls_1_2_cipher_suite_profile (array): An ordered collection of OpenSSL-formatted cipher suite names used for the TLS-1.0, TLS-1.1 and TLS-1.2 protocol versions. Note: setting this field is an advanced feature that requires enablement by Fastly Support.
tls_1_3_cipher_suite_profile (array): An ordered collection of cipher suite names (IANA names, which OpenSSL also uses for TLS-1.3) used for TLS-1.3. If TLS-1.3 is selected, you get the default list. Read-only.
tls_protocols (array): TLS protocols available on your configuration. The supported combinations are ["1.0", "1.1", "1.2"], ["1.0", "1.1", "1.2", "1.3"], ["1.0", "1.1", "1.2", "1.3+0RTT"], ["1.2"], ["1.2", "1.3"] and ["1.2", "1.3+0RTT"].
type (string): Resource type. Default: tls_configuration.
updated_at (string): Date and time in ISO 8601 format. Read-only.
vipspace (string): A Fastly-assigned name representing a set of network prefixes that are available for operations like acquiring TLS configurations. Required; must be customer_assigned_vipspace.

TLS configuration request object (update)

All of the attributes to update a TLS configuration.

http_protocols (array): HTTP protocols available on your configuration. At least one protocol is required: http/1.1 is always supported and must be in the array; http/2 and http/3 are optional.
name (string): A custom name for your TLS configuration. Optional; a value is assigned if none is provided.
relationships.default_certificate.id (string): Alphanumeric string identifying the default TLS certificate.
relationships.default_ecdsa_certificate.id (string): Alphanumeric string identifying the default ECDSA TLS certificate.
tls_1_2_cipher_suite_profile (array): An ordered collection of OpenSSL-formatted cipher suite names used for the TLS-1.0, TLS-1.1 and TLS-1.2 protocol versions. Note: setting this field is an advanced feature that requires enablement by Fastly Support.
tls_protocols (array): TLS protocols available on your configuration. The supported combinations are ["1.0", "1.1", "1.2"], ["1.0", "1.1", "1.2", "1.3"], ["1.0", "1.1", "1.2", "1.3+0RTT"], ["1.2"], ["1.2", "1.3"] and ["1.2", "1.3+0RTT"].
type (string): Resource type. Default: tls_configuration.

Endpoints

List TLS configurations

GET /tls/configurations

Create a TLS configuration

POST /tls/configurations

Get a TLS configuration

GET /tls/configurations/tls_configuration_id

Delete a TLS configuration

DELETE /tls/configurations/tls_configuration_id

Update a TLS configuration

PATCH /tls/configurations/tls_configuration_id