Hello Thin Tran Van
Greetings!
Kindly review the information below, which will be helpful for you regarding the Azure Cosmos DB TLS 1.3 version.
We have received the following notification: "Effective March 31, 2025, support for TLS 1.3 will be enabled for Azure Cosmos DB." Could you provide a specific timeline for when Microsoft will complete the activation of TLS 1.3 support for services deployed in the Japan East region?
- TLS 1.3 support is already enabled in East Asia and West Central US and will be enabled in North Central US in the next week, to allow customers to test their changes. Please be informed that TLS version 1.3 is enabled for the regions below.
- I would like to inform you that I had an internal discussion with the team and learned that the Japan East region is not enabled at present, and the team is working on this rollout. I request that you set the TLS version to 1.2 for your Azure Cosmos DB.
- Clients that utilize the latest available TLS version automatically pick TLS 1.3 when it's available. Azure Cosmos DB continues to support TLS 1.2 in addition to TLS 1.3.
Kindly refer to the documents below for a better understanding:
https://learn.microsoft.com/en-us/azure/cosmos-db/self-serve-minimum-tls-enforcement
https://devblogs.microsoft.com/cosmosdb/tls-1-3-support-in-azure-cosmos-db/
Before Microsoft enables TLS 1.3 for Azure Cosmos DB, we would like to ensure that our application remains functional without any issues. Is there any way for us to test our application's compatibility with an Azure Cosmos DB instance that already has TLS 1.3 enabled before the official rollout?
- We recommend that you perform this in your test environment to ensure everything works correctly before updating the application. Note: Only the Java SDK using direct mode between versions 4.20 and 4.40, together with a JRE/JDK that does not have TLS 1.3 support (< 1.8u262), will cause the issue to occur. Note that both conditions are required for the issue to occur.
- Azure Cosmos DB will enable TLS 1.3 support on public endpoints across its platform globally to align with security best practices. This article provides extra guidance on how to prepare for the upcoming support of TLS 1.3 for Azure Cosmos DB.
- TLS 1.3 introduces substantial enhancements compared to its predecessors. TLS 1.3 improvements focus on both performance and security, featuring faster handshakes and a streamlined set of more secure cipher suites, namely TLS_AES_256_GCM_SHA384 and TLS_AES_128_GCM_SHA256. Notably, TLS 1.3 prioritizes Perfect Forward Secrecy (PFS) by eliminating key exchange algorithms that don't support it.
Kindly refer to the document below for a better understanding:
https://learn.microsoft.com/en-us/azure/cosmos-db/tls-support#known-issues-affect-and-mitigation
Since TLS version 1.3 is not yet enabled in the Japan East region, you cannot create the test environment there for testing purposes.
To check the impact after TLS version 1.3 is enabled, the only way is to create the environment in TLS 1.3-enabled regions, as shown below
I hope this has been helpful!
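A local pre-check for the two conditions named in the note above (Java SDK in direct mode between 4.20 and 4.40, and a JRE/JDK without TLS 1.3 support), given as an added example that is not part of the original answer or of Microsoft's documentation. The class name, the command-line arguments and the inclusive reading of the version range are assumptions.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.net.ssl.SSLContext;

// Added example: class name and command-line arguments are hypothetical.
public class CosmosTls13Precheck {

    // Condition 1: does this JRE/JDK lack TLS 1.3? Ask the runtime itself
    // rather than parsing the Java version string.
    static boolean runtimeSupportsTls13() throws NoSuchAlgorithmException {
        String[] protocols =
            SSLContext.getDefault().getSupportedSSLParameters().getProtocols();
        return Arrays.asList(protocols).contains("TLSv1.3");
    }

    // Condition 2: Java SDK version "between 4.20 and 4.40".
    // Assumption: the range is inclusive and compared on major.minor only.
    static boolean sdkInAffectedRange(String sdkVersion) {
        String[] parts = sdkVersion.trim().split("\\.");
        if (parts.length < 2) {
            throw new IllegalArgumentException("expected major.minor[.patch]: " + sdkVersion);
        }
        int major = Integer.parseInt(parts[0]);
        // Drop any suffix such as "-beta.1" that follows the minor number.
        int minor = Integer.parseInt(parts[1].replaceAll("[^0-9].*$", ""));
        return major == 4 && minor >= 20 && minor <= 40;
    }

    // The issue needs direct mode, an SDK in the range, and no TLS 1.3 in the JRE.
    static boolean affected(String sdkVersion, boolean directMode, boolean tls13) {
        return directMode && sdkInAffectedRange(sdkVersion) && !tls13;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java CosmosTls13Precheck <azure-cosmos version> <direct|gateway>");
            System.exit(2);
        }
        boolean direct = "direct".equalsIgnoreCase(args[1]);
        boolean tls13 = runtimeSupportsTls13();
        System.out.println("java.version          = " + System.getProperty("java.version"));
        System.out.println("JRE supports TLSv1.3  = " + tls13);
        System.out.println("SDK in 4.20-4.40      = " + sdkInAffectedRange(args[0]));
        System.out.println("direct mode           = " + direct);
        boolean hit = affected(args[0], direct, tls13);
        System.out.println(hit ? "RESULT: matches both conditions of the known issue"
                               : "RESULT: does not match the known-issue conditions");
        System.exit(hit ? 1 : 0);
    }
}
```

Run it with the same JRE/JDK the application uses in production, since the result depends on that runtime's supported protocol list. It does not replace the end-to-end test against an account in a TLS 1.3-enabled region.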