I’m pleased to announce that our Load Balancers now fully support TLS 1.3. Newly created load balancers have actually supported TLS 1.3 for a while but we’ve now finished rolling out the update to all existing load balancers. It will automatically be used if your users’ browsers support it.
TLS 1.0 is 21 years old now and has some quite serious vulnerabilities, and TLS 1.1 isn’t faring much better, despite various mitigations and workarounds. All the major browsers deprecated both 1.0 and 1.1 earlier this year and will automatically use 1.2 or 1.3 when available. Almost all browsers in common use now support at least TLS 1.2.
And to help you tighten up security, we’ve added the ability to set the minimum accepted version of TLS, which essentially locks out anyone with an older browser. This may sound a bit extreme, but for some use cases it’s critical that a user cannot accidentally use weak encryption. The PCI-DSS requirements in particular have “strongly encouraged” a minimum of TLS 1.2 for a couple of years now (and explicitly forbid 1.0).
To set this option, our Load Balancer API now has an attribute named ssl_minimum_version which can be set to TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3. The attribute can be set using the CLI tool argument --ssl-min-ver, and support in our GUI will be available soon.
All existing load balancers continue to support TLS 1.0+ unless you explicitly change the minimum allowed version to something else. All new load balancers default to allowing only TLS 1.2 and above.
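Once you have changed the minimum version, it is worth confirming that the load balancer really refuses everything below it. The script below is an added example, not the provider's own tooling: it assumes the openssl command-line tool is installed, pins a handshake to each TLS version with openssl s_client, and compares what was negotiated against the ssl_minimum_version you configured (HOST, PORT and MINVER are supplied by the caller).

```shell
# Added example, not the provider's own tooling. Assumes the openssl CLI is
# installed; HOST, PORT and MINVER are supplied by the caller.
VERSIONS="TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3"
# Versions a load balancer should accept for a given ssl_minimum_version.
expected_accepted() {
  found=0; out=""
  for v in $VERSIONS; do
    [ "$v" = "$1" ] && found=1
    [ "$found" -eq 1 ] && out="$out $v"
  done
  printf '%s\n' "${out# }"
}
# openssl s_client flag that pins the handshake to one protocol version.
version_flag() {
  case "$1" in
    TLSv1.0) printf '%s\n' -tls1 ;;
    TLSv1.1) printf '%s\n' -tls1_1 ;;
    TLSv1.2) printf '%s\n' -tls1_2 ;;
    TLSv1.3) printf '%s\n' -tls1_3 ;;
    *) return 1 ;;
  esac
}
# Read s_client output on stdin and print the negotiated version, or "none".
# openssl reports TLS 1.0 as plain "TLSv1", so normalise that spelling.
negotiated_protocol() {
  proto=$(sed -n 's/^ *Protocol *: *\(TLSv[0-9.]*\).*/\1/p' | head -n 1)
  if [ "$proto" = "TLSv1" ]; then proto=TLSv1.0; fi
  printf '%s\n' "${proto:-none}"
}
# probe HOST PORT VERSION: succeeds only if a handshake completed at VERSION.
probe() {
  flag=$(version_flag "$3") || return 2
  got=$(openssl s_client -connect "$1:$2" -servername "$1" "$flag" \
        </dev/null 2>/dev/null | negotiated_protocol)
  [ "$got" = "$3" ]
}
# check_minimum HOST PORT MINVER: one line per version; non-zero exit if any
# version is accepted or refused contrary to MINVER.
check_minimum() {
  want=$(expected_accepted "$3"); rc=0
  for v in $VERSIONS; do
    if probe "$1" "$2" "$v"; then got=accepted; else got=refused; fi
    case " $want " in *" $v "*) exp=accepted ;; *) exp=refused ;; esac
    [ "$got" = "$exp" ] || rc=1
    printf '%-8s %-9s expected %s\n' "$v" "$got" "$exp"
  done
  return "$rc"
}
```

Run it as `check_minimum lb.example.com 443 TLSv1.2` after sourcing the file. Some openssl builds disable TLS 1.0 and 1.1 on the client side, so a "refused" result for those two versions may reflect your local openssl rather than the load balancer.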
And as always, we follow the Mozilla recommended TLS cipher configurations. When the minimum version is set to TLS 1.0, the “Old backward compatibility” ciphers are used. For TLS 1.2+ the “Intermediate compatibility” ciphers are used and for TLS 1.3 the “Modern compatibility” ciphers are used.