If a website that is added to Web Application Firewall (WAF) uses HTTPS, you can customize the TLS versions and cipher suites that WAF accepts for the domain name of the website. Restricting the policy to recent TLS versions and strong cipher suites hardens the website in scenarios where compliance with classified protection is required. Relaxing the policy keeps the website reachable in scenarios where clients that support only earlier TLS versions must still be able to connect.

Prerequisites

  • The website is added to WAF.
  • The website uses HTTPS to transmit data, and the required HTTPS certificate is uploaded.

Background information

After an HTTPS website is added to WAF, WAF applies a default TLS policy to the website to ensure secure communication. WAF terminates TLS on behalf of the website, so the policy governs the handshake between clients and WAF. If a client attempts a handshake with a TLS version or cipher suite that is outside the configured ranges, WAF blocks the request.

WAF allows you to customize the TLS cipher suites. This prevents access failures caused by a mismatch between the cipher suites that the website's clients support and the cipher suites in the default policy. You can modify the TLS versions and cipher suites for the website based on your business requirements.

Notice If your website uses HTTP to transmit data, you do not need to configure TLS settings.

Supported TLS settings

TLS versions supported by WAF (each option sets the lowest TLS version that WAF accepts):
  • TLS 1.0, 1.1, and 1.2
  • TLS 1.1 and 1.2
  • TLS 1.2
Note You can also select Enable support for TLS 1.3 together with any of these ranges. TLS 1.3 negotiates its own cipher suites, which do not appear in the list below.

Cipher suites supported by WAF:
  • Strong cipher suites:
    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • Weak cipher suites:
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    • TLS_RSA_WITH_AES_128_GCM_SHA256
    • TLS_RSA_WITH_AES_256_GCM_SHA384
    • TLS_RSA_WITH_AES_128_CBC_SHA256
    • TLS_RSA_WITH_AES_256_CBC_SHA256
    • TLS_RSA_WITH_AES_128_CBC_SHA
    • TLS_RSA_WITH_AES_256_CBC_SHA
    • SSL_RSA_WITH_3DES_EDE_CBC_SHA
Note The TLS_RSA_* suites in the weak group use static RSA key exchange, which provides no forward secrecy, and SSL_RSA_WITH_3DES_EDE_CBC_SHA uses 3DES, a 64-bit block cipher. Enable weak cipher suites only for clients that cannot negotiate a strong one.

Configure TLS settings

  1. Log on to the Web Application Firewall console.
  2. In the left-side navigation pane, choose Asset Center > Website Access.
  3. On the Website Access page, find the domain name for which you want to configure TLS settings and click Configure TLS in the Actions column.
    Note You can configure TLS settings only for the domain names that use HTTPS to transmit data. If a domain name uses HTTP or a domain name uses HTTPS but has no HTTPS certificate uploaded, the Configure TLS button does not appear.
  4. On the Configure TLS Security Policy page, configure the TLS versions and cipher suites. The parameters are described below.
    Domain Name: The domain name for which you want to configure TLS settings. This value is automatically filled in. You do not need to enter the domain name.
    TLS Versions: Select the lowest TLS version that WAF accepts for the website. Valid values:
    • Support TLS 1.0 and Later (High Compatibility and Low Security): WAF accepts TLS 1.0 and later for your website.
    • Support TLS 1.1 and Later (Moderate Compatibility and Moderate Security): WAF accepts TLS 1.1 and later for your website. Requests that use TLS 1.0 fail.
    • Support TLS 1.2 and Later (Moderate Compatibility and High Security): WAF accepts TLS 1.2 and later for your website. Requests that use TLS 1.0 or 1.1 fail.
    Enable support for TLS 1.3: Select this option to allow TLS 1.3 in addition to the versions selected above.
    Cipher Suites: Select the cipher suite template that you want to use. Valid values:
    • All Cipher Suites (High Compatibility and Low Security): All of the following cipher suites are accepted:
      • Strong cipher suites:
        • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
        • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
        • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
        • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
        • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
      • Weak cipher suites:
        • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
        • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
        • TLS_RSA_WITH_AES_128_GCM_SHA256
        • TLS_RSA_WITH_AES_256_GCM_SHA384
        • TLS_RSA_WITH_AES_128_CBC_SHA256
        • TLS_RSA_WITH_AES_256_CBC_SHA256
        • TLS_RSA_WITH_AES_128_CBC_SHA
        • TLS_RSA_WITH_AES_256_CBC_SHA
        • SSL_RSA_WITH_3DES_EDE_CBC_SHA
    • Select cipher suites based on the protocol version: Select individual cipher suites for each TLS version. Proceed with caution: a client that supports only cipher suites you deselect can no longer connect, and the change applies to every client of the domain name.
  5. Click Save.
    If a client attempts a handshake with a TLS version or cipher suite that is outside the ranges you selected, WAF blocks the request. After you save, verify from an external client that the versions and cipher suites you excluded are actually rejected before you rely on the policy.
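The check described above, as an added example that is not part of the original page or of WAF itself: a Python probe that opens one TLS handshake per protocol version and cipher suite against the WAF edge and reports every combination whose outcome disagrees with the policy you chose in the console. The host name www.example.com, port 443 and the policy in EXAMPLE_POLICY (Support TLS 1.2 and Later, TLS 1.3 enabled, strong cipher suites only, which corresponds to a per-version custom selection) are assumptions; the suite tables are the console's IANA names mapped to the OpenSSL names that Python's ssl module understands.

```python
"""Added example: verify a WAF TLS policy from outside by attempting every
version/cipher suite combination and comparing the result with the policy."""
import socket
import ssl
import sys

# "Strong" template suites: IANA name -> OpenSSL name used by set_ciphers().
STRONG_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": "ECDHE-ECDSA-AES128-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384": "ECDHE-ECDSA-AES256-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": "ECDHE-ECDSA-AES128-SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": "ECDHE-ECDSA-AES256-SHA",
}
# "Weak" template suites: static RSA key exchange (no forward secrecy) and 3DES.
WEAK_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "ECDHE-RSA-AES128-SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": "ECDHE-RSA-AES256-SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256": "AES128-GCM-SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384": "AES256-GCM-SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "AES128-SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256": "AES256-SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
}
ALL_SUITES = {**STRONG_SUITES, **WEAK_SUITES}
PRE13_VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2)
TLS13 = ssl.TLSVersion.TLSv1_3

# Assumed policy: "Support TLS 1.2 and Later", TLS 1.3 enabled, strong suites only.
EXAMPLE_POLICY = {"min_version": ssl.TLSVersion.TLSv1_2, "tls13": True,
                  "suites": set(STRONG_SUITES)}


def policy_allows(policy, version, suite):
    """Model of the rule on the page: a handshake is accepted only if its version
    is not below the floor and its suite is in the template. TLS 1.3 carries its
    own suites, so it depends only on the TLS 1.3 checkbox."""
    if version == TLS13:
        return policy["tls13"]
    return version >= policy["min_version"] and suite in policy["suites"]


def client_context(version, suite=None):
    """Client context that offers exactly one protocol version and, below TLS 1.3,
    exactly one cipher suite, so a successful handshake proves that the server
    accepts that precise combination."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probing the policy, not certificate trust
    ctx.minimum_version = version
    ctx.maximum_version = version
    if suite is not None:
        spec = ALL_SUITES[suite]
        try:
            ctx.set_ciphers(spec + ":@SECLEVEL=0")  # let legacy suites be offered
        except ssl.SSLError:
            ctx.set_ciphers(spec)  # OpenSSL builds without SECLEVEL syntax
    return ctx


def offered_suites(ctx):
    """Pre-TLS 1.3 suites that the context will place in its ClientHello."""
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


def probe(host, port, version, suite=None, timeout=5.0):
    """One handshake. Returns (True, negotiated), (False, error) or (None, reason)
    when the local OpenSSL cannot even offer the requested suite."""
    try:
        ctx = client_context(version, suite)
    except ssl.SSLError as exc:
        return None, f"local OpenSSL cannot offer {suite}: {exc}"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:  # SNI is still sent
                return True, f"{tls.version()} {tls.cipher()[0]}"
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


def audit(host, policy, port=443):
    """Try every version/suite pair and return those whose outcome disagrees with
    the policy: accepted but should be rejected, or rejected but should be accepted."""
    checks = [(v, s) for v in PRE13_VERSIONS for s in ALL_SUITES] + [(TLS13, None)]
    mismatches = []
    for version, suite in checks:
        ok, detail = probe(host, port, version, suite)
        if ok is None:
            continue  # cannot be tested from this client; not a WAF finding
        expected = policy_allows(policy, version, suite)
        if ok != expected:
            mismatches.append((version.name, suite, expected, detail))
    return mismatches


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"  # assumed host
    for name, suite, expected, detail in audit(target, EXAMPLE_POLICY):
        verdict = "REJECTED but policy allows" if expected else "ACCEPTED but policy forbids"
        print(f"{name:8} {suite or 'TLS 1.3 suites'}: {verdict} ({detail})")
```

Run it as `python3 tls_audit.py waf-fronted-host`; an empty report means the edge behaves exactly as the saved policy predicts. Certificate verification is disabled on purpose, because the question is what the edge negotiates, not whether its chain validates. A pair the probe skips with `None` only means the local OpenSSL build refuses to offer that legacy suite (typical for 3DES at default security levels), so test those from a client that can still speak them, or accept that no modern client will reach them either.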