
Azure Storage Initiates Global TLS 1.3 Support on Public HTTPS Endpoints


Azure Storage is in the process of globally enabling TLS 1.3 support on its public HTTPS endpoints, aligning with current security best practices. Azure Storage’s public HTTPS endpoints currently support TLS 1.0, 1.1 (which is scheduled for deprecation by November 2024), and TLS 1.2. This implementation is part of an ongoing effort to enhance security and performance.

TLS 1.3 offers significant improvements over its predecessors, emphasizing faster handshakes and a reduced set of more secure cipher suites, specifically TLS_AES_256_GCM_SHA384 and TLS_AES_128_GCM_SHA256. A key feature of TLS 1.3 is its focus on Perfect Forward Secrecy (PFS), achieved by eliminating key exchange algorithms that do not support PFS.

Clients using the latest available TLS version will automatically switch to TLS 1.3 when it becomes available. However, Azure Storage will continue to support TLS 1.2 alongside TLS 1.3, allowing users who need more time to upgrade the option to use TLS 1.2 by configuring their client settings.

There are known issues associated with the enablement of TLS 1.3, particularly affecting certain Java clients. These clients may experience high latencies, timeouts, and prolonged connection hang-ups due to bugs in the Java HTTP stack, identified as JDK-8293562 and JDK-8208526. These issues are most apparent in applications with high request concurrency. The bugs have been fixed in the following JDK versions: JDK 11 (> 11.0.17), JDK 17 (> 17.0.6), and JDK 21.

Clients potentially affected include those running on JDK versions other than those mentioned above, and client tools like WASB and Azure Storage SDK for Java < v12 running on a JDK version without the fix. ABFS and Azure Storage Java SDK > v12 are not impacted.

For mitigation, Azure Storage recommends two options:

  1. Upgrading the application to the latest supported JDK versions or the latest Azure Storage SDK for Java.
  2. As a short-term workaround, particularly for those unable to upgrade immediately, capping the client's maximum TLS version at TLS 1.2 can be effective. This can be achieved either by setting system properties when invoking the Java application or directly in the code.
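
Both forms of the TLS 1.2 workaround, as an added example that is not taken from Azure's documentation or SDK. It assumes JDK 11 or later and uses the standard JDK system property `jdk.tls.client.protocols`, which the article does not name; the class name `Tls12Cap` is hypothetical.

```java
import java.net.http.HttpClient;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

// Hypothetical class name; not part of any Azure SDK.
public class Tls12Cap {

    // Protocols a client-mode engine from the JVM default context will offer.
    static String[] defaultClientProtocols() throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(true);
        return engine.getEnabledProtocols();
    }

    // Per-client cap: only this HttpClient is limited to TLS 1.2.
    static HttpClient tls12OnlyClient() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters params = ctx.getDefaultSSLParameters();
        params.setProtocols(new String[] {"TLSv1.2"});
        return HttpClient.newBuilder().sslContext(ctx).sslParameters(params).build();
    }

    public static void main(String[] args) throws Exception {
        // Process-wide cap, equivalent to launching with
        //   java -Djdk.tls.client.protocols=TLSv1.2 -jar app.jar
        // It must be set before the first TLS class initializes, or it is ignored.
        System.setProperty("jdk.tls.client.protocols", "TLSv1.2");

        // Verify the cap took effect instead of assuming it did.
        String[] offered = defaultClientProtocols();
        System.out.println("Default client protocols: " + Arrays.toString(offered));
        if (Arrays.asList(offered).contains("TLSv1.3")) {
            throw new IllegalStateException("TLS 1.3 is still enabled; property was set too late");
        }

        HttpClient client = tls12OnlyClient();
        System.out.println("HttpClient protocols: "
                + Arrays.toString(client.sslParameters().getProtocols()));
    }
}
```

Because the cap is a short-term workaround, the check in `main` is worth keeping in a startup path so the setting is visible and can be removed once the JDK is upgraded.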
