Anti-DDoS Pro and Anti-DDoS Premium support custom Transport Layer Security (TLS) policies, so you can choose the TLS protocol versions and cipher suites that each website accepts.

Prerequisites

  • A website is added to Anti-DDoS Pro or Anti-DDoS Premium and associated with an instance that uses the enhanced function plan. For more information, see Add a website.
  • The website supports the HTTPS protocol, and the required HTTPS certificate is uploaded. For more information, see Upload an SSL certificate.

Background information

If one of your services needs to comply with PCI DSS 3.2, you must disable TLS 1.0 for that service. However, the terminals of another service may support only TLS 1.0. To address this issue, you can customize TLS policies for different services.

Procedure

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select the region of your Anti-DDoS instance.
    • Mainland China: Anti-DDoS Pro
    • Outside Mainland China: Anti-DDoS Premium
  3. In the left-side navigation pane, choose Provisioning > Website Config.
  4. Find the domain name for which you want to configure a TLS policy and click TLS Security Settings in the Certificate Status column.
  5. In the TLS Security Settings dialog box, set TLS Versions and Cipher Suites, and click OK.
    • TLS Versions
      • TLS1.0 and later versions. This setting provides the best compatibility but a low security level. This is the default setting.
      • TLS1.1 and later versions. This setting provides good compatibility and a medium security level.
      • TLS1.2 and later versions. This setting provides good compatibility and a high security level.
    • Cipher Suites
      • Strong cipher suites. This setting provides a high security level but low compatibility.
        The following strong cipher suites are supported:
        • ECDHE-ECDSA-AES256-GCM-SHA384
        • ECDHE-RSA-AES256-GCM-SHA384
        • ECDHE-ECDSA-AES128-GCM-SHA256
        • ECDHE-RSA-AES128-GCM-SHA256
        • ECDHE-ECDSA-WITH-CHACHA20-POLY1305
        • ECDHE-RSA-WITH-CHACHA20-POLY1305
        • ECDHE-RSA-AES256-CBC-SHA
        • ECDHE-RSA-AES128-CBC-SHA
        • ECDHE-ECDSA-AES256-CBC-SHA
        • ECDHE-ECDSA-AES128-CBC-SHA
      • All cipher suites. This setting provides a low security level but high compatibility.
        The following weak cipher suites are supported:
        • RSA-AES256-CBC-SHA
        • RSA-AES128-CBC-SHA
        • ECDHE-RSA-3DES-EDE-CBC-SHA
        • RSA-3DES-EDE-CBC-SHA
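
To confirm that the TLS Versions setting chosen in step 5 is actually enforced, the following added example (not part of the original documentation and not Alibaba Cloud code) attempts one handshake per protocol version with Python's standard ssl module and compares the outcome with the configured minimum. The function names probe and violations, and the use of the page's version labels as arguments, are assumptions made for this example.

```python
import socket
import ssl
import sys

# Labels follow the page's "TLS Versions" options, oldest first.
VERSIONS = {
    "TLS1.0": ssl.TLSVersion.TLSv1,
    "TLS1.1": ssl.TLSVersion.TLSv1_1,
    "TLS1.2": ssl.TLSVersion.TLSv1_2,
}
ORDER = list(VERSIONS)

def probe(host, port=443, timeout=5.0):
    """One handshake per version: True=accepted, False=rejected, None=not testable."""
    results = {}
    for label, version in VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False       # protocol probe only: the certificate
        ctx.verify_mode = ssl.CERT_NONE  # is not evaluated here
        try:
            # Security level 0 lets a modern OpenSSL client offer TLS 1.0/1.1.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
            ctx.minimum_version = ctx.maximum_version = version
        except (ssl.SSLError, ValueError):
            results[label] = None        # local OpenSSL build lacks this version
            continue
        # DNS errors and timeouts propagate; only a failed handshake is a rejection.
        with socket.create_connection((host, port), timeout=timeout) as raw:
            try:
                with ctx.wrap_socket(raw, server_hostname=host):
                    results[label] = True
            except (ssl.SSLError, ConnectionError):
                results[label] = False
    return results

def violations(policy_min, results):
    """Compare probe results with a 'TLSx.y and later versions' setting."""
    floor = ORDER.index(policy_min)
    problems = []
    for i, label in enumerate(ORDER):
        accepted = results.get(label)
        if accepted is None:
            continue                     # untested version: no conclusion
        if i < floor and accepted:
            problems.append(f"{label} accepted but policy minimum is {policy_min}")
        elif i >= floor and not accepted:
            problems.append(f"{label} rejected but policy allows it")
    return problems

if __name__ == "__main__":  # usage: python tls_check.py <domain> <TLS1.0|TLS1.1|TLS1.2>
    print(violations(sys.argv[2], probe(sys.argv[1])) or "matches policy")
```

A None result means the local OpenSSL build could not offer that version, so run the check from a client that still supports TLS 1.0 and 1.1 when verifying a PCI DSS service.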