To ensure secure communication and protect data in transit, all clients connecting to our APIs must meet the following Transport Layer Security (TLS) requirements:

✅ Minimum TLS Version

TLS 1.2 or higher is required
TLS 1.0 and 1.1 are not supported

❌ Deprecated Cipher Suites

Connections using the following will be rejected:

SSL/TLS protocols below TLS 1.2
Cipher suites using:
- RSA key exchange without PFS
- SHA-1 or MD5 hashes
- Block ciphers without AEAD (e.g., CBC without GCM)

🔑 Cipher Suite Requirements for Clients

Ensure your client libraries (e.g., OpenSSL, Java, curl) are up to date
Validate that your system negotiates TLS 1.2+ with modern cipher support according to Fastly’s TLS Guidelines
Avoid hardcoding legacy ciphers or TLS versions

The following ciphers are supported on TLS 1.2, the minimum standard version of TLS supported by Fastly.

RFC Cipher Name	`openssl` Cipher Name
`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`	`ECDHE-RSA-AES128-GCM-SHA256`
`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`	`ECDHE-ECDSA-AES128-GCM-SHA256`
`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`	`ECDHE-RSA-AES256-GCM-SHA384`
`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`	`ECDHE-ECDSA-AES256-GCM-SHA384`
`TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`	`ECDHE-RSA-CHACHA20-POLY1305`
`TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`	`ECDHE-ECDSA-CHACHA20-POLY1305`
`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`	`ECDHE-RSA-AES128-SHA256`
`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`	`ECDHE-ECDSA-AES128-SHA256`

For full compatibility details, refer to Fastly’s TLS configuration guide.