Policy docs are here - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html
I suspect we want to choose TLSv1.2_2021, but I don't know if there's a good way to evaluate whether we're cutting anyone off. Anything routed through Fastly should be pretty safe to switch to the newer policy I think.
Our Fastly configuration is currently "TLS v1.2 & TLS v1.3 + 0RTT" across all 4 domains here -- afaict, that's limiting to 1.2 and 1.3 (with optional early data support). [1]
Current setup:
TLSv1:
- static.crates.io
- cloudfront-static.crates.io
- static.staging.crates.io
- cloudfront-static.staging.crates.io
- staging.crates.io
- crates.io
- www.crates.io
- cratesio.com
- www.cratesio.com
- www.docs.rs
- www.docsrs.com
- docsrs.com
- arewewebyet.org
- package.metadata.docs.rs
- index.crates.io
- index.staging.crates.io
- cfp.rustconf.com
TLSv1.1_2016:
TLSv1.2_2021:
- prev.rust-lang.org
- forge.rust-lang.org
- ci-mirrors.rust-lang.org
- ci-caches.rust-lang.org
- ci-artifacts.rust-lang.org
- perf-data.rust-lang.org
- crates-io-index-temp.rust-lang.org
- static.docs.rs
Footnotes
[1] HTTP/3 is technically supported but seems to need a different domain (n.sni.global.fastly.net) which we don't CNAME to.
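
One way to evaluate who would be cut off, as an added example (not part of the original issue or the project's tooling): tally the `ssl-protocol` field of CloudFront standard logs per host before raising the minimum. It assumes standard logging is enabled on the distributions and that the stricter policy accepts only TLSv1.2 and TLSv1.3; cipher suites are not checked, and the sample log lines are constructed.

```python
from collections import Counter, defaultdict

# Assumption: after the change only these protocol versions are accepted.
ALLOWED = {"TLSv1.2", "TLSv1.3"}


def tally_tls(lines):
    """Count viewer TLS versions per host from CloudFront standard log lines."""
    fields, per_host = None, defaultdict(Counter)
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            # Header names are space-separated; data rows are tab-separated.
            fields = line.split(":", 1)[1].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, line.split("\t")))
        proto = row.get("ssl-protocol", "-")
        if proto == "-":  # plain HTTP request, no TLS handshake to evaluate
            continue
        per_host[row.get("x-host-header", "-")][proto] += 1
    return per_host


def cut_off_report(per_host):
    """Return {host: (requests_below_tls12, total_tls_requests)}."""
    return {
        host: (sum(n for p, n in counts.items() if p not in ALLOWED),
               sum(counts.values()))
        for host, counts in per_host.items()
    }


# Constructed sample with a reduced field set (real logs carry more columns).
SAMPLE = """#Version: 1.0
#Fields: date time c-ip x-host-header ssl-protocol ssl-cipher
2024-01-01\t00:00:01\t192.0.2.10\tstatic.crates.io\tTLSv1.3\tTLS_AES_128_GCM_SHA256
2024-01-01\t00:00:02\t192.0.2.11\tstatic.crates.io\tTLSv1.2\tECDHE-RSA-AES128-GCM-SHA256
2024-01-01\t00:00:03\t198.51.100.7\tstatic.crates.io\tTLSv1\tECDHE-RSA-AES128-SHA
2024-01-01\t00:00:04\t198.51.100.8\tindex.crates.io\tTLSv1.1\tECDHE-RSA-AES128-SHA
2024-01-01\t00:00:05\t192.0.2.12\tindex.crates.io\tTLSv1.3\tTLS_AES_128_GCM_SHA256
2024-01-01\t00:00:06\t192.0.2.13\tstatic.crates.io\t-\t-
""".splitlines()

if __name__ == "__main__":
    for host, (old, total) in sorted(cut_off_report(tally_tls(SAMPLE)).items()):
        print(f"{host}: {old}/{total} TLS requests below TLSv1.2")
```

Grouping the same tally by `cs(User-Agent)` instead of host shows which clients the old-protocol requests come from.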