If you add a website to Web Application Firewall (WAF) and the website uses HTTPS for transmission, you can customize the TLS version settings and cipher suites for the domain name of the website. This lets you tighten the TLS configuration of the website in scenarios that require compliance with classified protection, and keep the website compatible with clients that support only earlier TLS versions in scenarios that require it.

Prerequisites

  • WAF Business or a higher edition is activated.
  • The website uses HTTPS for transmission, and the required HTTPS certificate is uploaded.

Background information

You can specify the TLS versions and cipher suites for the domain names that are protected by WAF. If a request uses a TLS version or cipher suite that is not within the specified ranges, WAF blocks the request. This ensures the secure communication of your website.

If your website uses HTTP for transmission, you do not need to configure TLS settings.

Supported editions

The TLS version and cipher suite options that each WAF edition supports are as follows.

WAF edition: Pro
  • TLS version: Not supported
  • Cipher suite: Not supported

WAF edition: Business
  • TLS version: Supported
    Note Valid values:
      • Support TLS 1.0 and Later (High Compatibility and Low Security): This value includes TLS 1.0, 1.1, and 1.2.
      • Support TLS 1.1 and Later (Moderate Compatibility and Moderate Security): This value includes TLS 1.1 and 1.2.
      • Support TLS 1.2 and Later (Moderate Compatibility and High Security): This value includes only TLS 1.2.
  • Cipher suite: Supported
    Note You can select only All Cipher Suites (High Compatibility and Low Security) and Strong Cipher Suites (Low Compatibility and High Security). For more information about cipher suites, see Step 4 in Configure TLS settings.

WAF edition: Enterprise and Exclusive
  • TLS version: Supported
    Note Valid values:
      • Support TLS 1.0 and Later (High Compatibility and Low Security): This value includes TLS 1.0, 1.1, and 1.2.
      • Support TLS 1.1 and Later (Moderate Compatibility and Moderate Security): This value includes TLS 1.1 and 1.2.
      • Support TLS 1.2 and Later (Moderate Compatibility and High Security): This value includes only TLS 1.2.
    You can also select Enable support for TLS 1.3.
  • Cipher suite: Supported
    Note You can select All Cipher Suites (High Compatibility and Low Security), Strong Cipher Suites (Low Compatibility and High Security), and Select cipher suites based on the protocol version. Proceed with caution. For more information about cipher suites, see Step 4 in Configure TLS settings.

Configure TLS settings

  1. Log on to the Web Application Firewall console.
  2. In the left-side navigation pane, choose Asset Center > Website Access.
  3. On the Website Access page, find the domain name for which you want to configure TLS settings and click Configure TLS.
    Note You can configure TLS settings only for domain names that use HTTPS for transmission. If a domain name uses HTTP, or uses HTTPS but has no HTTPS certificate uploaded, the Configure TLS button does not appear.
  4. On the Configure TLS Security Policy page, customize the TLS version settings and cipher suites.
    Parameter: Description
    Domain Name: The domain name for which you want to configure TLS settings. This value is automatically filled. You do not need to enter the domain name.
    TLS Versions: Select the TLS version used by the website. Valid values:
    • Support TLS 1.0 and Later (High Compatibility and Low Security): WAF supports TLS 1.0 and later versions for your website.
    • Support TLS 1.1 and Later (Moderate Compatibility and Moderate Security): WAF supports TLS 1.1 and later versions for your website. If an access request of the website uses TLS 1.0, the request fails.
    • Support TLS 1.2 and Later (Moderate Compatibility and High Security): WAF supports TLS 1.2 and later versions for your website. If an access request of the website uses TLS 1.0 or 1.1, the request fails.
    You can also select Enable support for TLS 1.3.
    Cipher Suites: Select the cipher suite template that you want to use. Valid values:
    • All Cipher Suites (High Compatibility and Low Security): The following strong and weak cipher suites are included:
      • Strong cipher suites:
        • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
        • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
        • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
        • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
        • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
      • Weak cipher suites:
        • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
        • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
        • TLS_RSA_WITH_AES_128_GCM_SHA256
        • TLS_RSA_WITH_AES_256_GCM_SHA384
        • TLS_RSA_WITH_AES_128_CBC_SHA256
        • TLS_RSA_WITH_AES_256_CBC_SHA256
        • TLS_RSA_WITH_AES_128_CBC_SHA
        • TLS_RSA_WITH_AES_256_CBC_SHA
        • SSL_RSA_WITH_3DES_EDE_CBC_SHA
    • Strong Cipher Suites (Low Compatibility and High Security): The following strong cipher suites are included:
      • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
      • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
      • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
      • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
      • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
      • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    • Select cipher suites based on the protocol version. Proceed with caution.
  5. Click Save.
    If a request uses a TLS version or cipher suite that is not within the specified ranges, WAF blocks the request.
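
To confirm after saving that the domain name accepts exactly the TLS versions you selected, you can probe it one protocol version at a time. The following is an added example, not part of the WAF product or its documentation; the policy keys ("tls1.0+", "tls1.1+", "tls1.2+") and all function names are hypothetical labels for the three TLS Versions options described above.

```python
import socket
import ssl

# Versions admitted by each "TLS Versions" option, as listed on this page.
# The dictionary keys are hypothetical labels, not console or API values.
POLICIES = {
    "tls1.0+": {"TLSv1", "TLSv1_1", "TLSv1_2"},
    "tls1.1+": {"TLSv1_1", "TLSv1_2"},
    "tls1.2+": {"TLSv1_2"},
}
ALL_VERSIONS = ["TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]


def expected_versions(policy, tls13_enabled=False):
    """Versions the WAF should accept for the chosen console settings."""
    allowed = set(POLICIES[policy])
    if tls13_enabled:
        allowed.add("TLSv1_3")
    return allowed


def probe(host, version, port=443, timeout=5.0):
    """Return True if a handshake pinned to exactly one TLS version succeeds."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only the protocol version is under test, so certificate checks are off
    # and the local OpenSSL security level is lowered so that the client
    # itself does not refuse TLS 1.0/1.1.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    pinned = getattr(ssl.TLSVersion, version)
    ctx.minimum_version = pinned
    ctx.maximum_version = pinned
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except OSError:  # ssl.SSLError is a subclass; also covers network errors
        return False


def audit(host, policy, tls13_enabled=False, probe_fn=probe):
    """Return (version, expected, observed) for each mismatch with the policy."""
    allowed = expected_versions(policy, tls13_enabled)
    findings = []
    for version in ALL_VERSIONS:
        observed = probe_fn(host, version)
        if observed != (version in allowed):
            findings.append((version, version in allowed, observed))
    return findings
```

An empty list from audit() means the observed behaviour matches the selected option. A failed TLS 1.0 or 1.1 probe can also come from a local OpenSSL build that has those versions disabled, so confirm such results from a client known to support them.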