To ensure secure communication and protect data in transit, all clients connecting to our APIs must meet the following Transport Layer Security (TLS) requirements:
✅ Minimum TLS Version
- TLS 1.2 or higher is required
- TLS 1.0 and 1.1 are not supported
❌ Deprecated Cipher Suites
Connections using the following will be rejected:
- SSL/TLS protocols below TLS 1.2
- Cipher suites using:
- RSA key exchange without PFS
- SHA-1 or MD5 hashes
- Block ciphers without AEAD (e.g., CBC without GCM)
🔑 Cipher Suite Requirements for Clients
- Ensure your client libraries (e.g., OpenSSL, Java, curl) are up to date
- Validate that your system negotiates TLS 1.2+ with modern cipher support according to Fastly’s TLS Guidelines
- Avoid hardcoding legacy ciphers or TLS versions
The following ciphers are supported on TLS 1.2, the minimum standard version of TLS supported by Fastly.
| RFC Cipher Name | openssl Cipher Name |
|---|---|
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ECDHE-RSA-AES128-GCM-SHA256 |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ECDHE-ECDSA-AES128-GCM-SHA256 |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ECDHE-RSA-AES256-GCM-SHA384 |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ECDHE-ECDSA-AES256-GCM-SHA384 |
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | ECDHE-RSA-CHACHA20-POLY1305 |
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | ECDHE-ECDSA-CHACHA20-POLY1305 |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ECDHE-RSA-AES128-SHA256 |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ECDHE-ECDSA-AES128-SHA256 |
For full compatibility details, refer to Fastly’s TLS configuration guide.