You can select a Transport Layer Security (TLS) security policy when you create an HTTPS listener for a Global Accelerator (GA) instance. By default, the system selects the tls_cipher_policy_1_0 security policy. If you require higher security, you can select a TLS security policy of a higher level.
TLS security policies
A TLS security policy contains the TLS protocol versions and cipher suites that are available for HTTPS. A later TLS version offers higher security but compromises compatibility with browsers that do not support it. The following table describes the TLS protocol versions and cipher suites that are supported by each TLS security policy.
Security policy | Supported TLS version | Supported cipher suite |
--- | --- | --- |
tls_cipher_policy_1_0 | TLS 1.0, TLS 1.1, and TLS 1.2 | ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, and DES-CBC3-SHA |
tls_cipher_policy_1_1 | TLS 1.1 and TLS 1.2 | ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, and DES-CBC3-SHA |
tls_cipher_policy_1_2 | TLS 1.2 | ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, and DES-CBC3-SHA |
tls_cipher_policy_1_2_strict | TLS 1.2 | ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA, and ECDHE-RSA-AES256-SHA |
tls_cipher_policy_1_2_strict_with_1_3 | TLS 1.2 and TLS 1.3 | ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_CCM_SHA256, TLS_AES_128_CCM_8_SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA, and ECDHE-ECDSA-AES256-SHA |
Cipher suites that are supported by TLS security policies
Cipher suite | tls_cipher_policy_1_0 | tls_cipher_policy_1_1 | tls_cipher_policy_1_2 | tls_cipher_policy_1_2_strict | tls_cipher_policy_1_2_strict_with_1_3 |
--- | --- | --- | --- | --- | --- |
Supported TLS versions | 1.0, 1.1, and 1.2 | 1.1 and 1.2 | 1.2 | 1.2 | 1.2 and 1.3 |
ECDHE-RSA-AES128-GCM-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔ |
ECDHE-RSA-AES256-GCM-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔ |
ECDHE-RSA-AES128-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔ |
ECDHE-RSA-AES256-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔ |
AES128-GCM-SHA256 | ✔ | ✔ | ✔ | - | - |
AES256-GCM-SHA384 | ✔ | ✔ | ✔ | - | - |
AES128-SHA256 | ✔ | ✔ | ✔ | - | - |
AES256-SHA256 | ✔ | ✔ | ✔ | - | - |
ECDHE-RSA-AES128-SHA | ✔ | ✔ | ✔ | ✔ | ✔ |
ECDHE-RSA-AES256-SHA | ✔ | ✔ | ✔ | ✔ | ✔ |
AES128-SHA | ✔ | ✔ | ✔ | - | - |
AES256-SHA | ✔ | ✔ | ✔ | - | - |
DES-CBC3-SHA | ✔ | ✔ | ✔ | - | - |
TLS_AES_128_GCM_SHA256 | - | - | - | - | ✔ |
TLS_AES_256_GCM_SHA384 | - | - | - | - | ✔ |
TLS_CHACHA20_POLY1305_SHA256 | - | - | - | - | ✔ |
TLS_AES_128_CCM_SHA256 | - | - | - | - | ✔ |
TLS_AES_128_CCM_8_SHA256 | - | - | - | - | ✔ |
ECDHE-ECDSA-AES128-GCM-SHA256 | - | - | - | - | ✔ |
ECDHE-ECDSA-AES256-GCM-SHA384 | - | - | - | - | ✔ |
ECDHE-ECDSA-AES128-SHA256 | - | - | - | - | ✔ |
ECDHE-ECDSA-AES256-SHA384 | - | - | - | - | ✔ |
ECDHE-ECDSA-AES128-SHA | - | - | - | - | ✔ |
ECDHE-ECDSA-AES256-SHA | - | - | - | - | ✔ |
The ✔ sign in the preceding table indicates that a cipher suite is supported, while the - sign indicates that a cipher suite is not supported.
Select a TLS security policy
By default, the system selects the tls_cipher_policy_1_0 security policy when you create or configure an HTTPS listener. You can change the TLS security policy in the advanced settings. For more information, see Add an HTTP or HTTPS listener.
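To confirm that a listener really behaves the way its configured policy promises, here is an added Python 3 probe (not part of Alibaba Cloud's documentation or tooling). It assumes a Python build linked against OpenSSL, and the hostname in the main block is a placeholder. Each handshake is pinned to a single TLS version; then only the static-RSA and 3DES suites that the two strict policies drop are offered, so a strict listener that still negotiates one of them is flagged.

```python
import socket
import ssl

# TLS versions each Global Accelerator policy accepts, taken from the table above.
POLICY_VERSIONS = {
    "tls_cipher_policy_1_0": {"TLSv1", "TLSv1.1", "TLSv1.2"},
    "tls_cipher_policy_1_1": {"TLSv1.1", "TLSv1.2"},
    "tls_cipher_policy_1_2": {"TLSv1.2"},
    "tls_cipher_policy_1_2_strict": {"TLSv1.2"},
    "tls_cipher_policy_1_2_strict_with_1_3": {"TLSv1.2", "TLSv1.3"},
}
VERSION_NAMES = {ssl.TLSVersion.TLSv1: "TLSv1", ssl.TLSVersion.TLSv1_1: "TLSv1.1",
                 ssl.TLSVersion.TLSv1_2: "TLSv1.2", ssl.TLSVersion.TLSv1_3: "TLSv1.3"}
# TLS 1.2 suites the non-strict policies accept but both *_strict policies drop
# (static-RSA key exchange, i.e. no forward secrecy, and 3DES), in OpenSSL cipher-string syntax.
NON_PFS_SUITES = ("AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
                  "AES128-SHA:AES256-SHA:DES-CBC3-SHA@SECLEVEL=0")

def probe(host, port, version, ciphers="DEFAULT@SECLEVEL=0", timeout=5.0):
    """Handshake pinned to exactly `version`, offering only `ciphers`; returns the
    negotiated suite name, or None if the listener refused or is unreachable."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = ctx.maximum_version = version
        ctx.check_hostname = False  # probing what is offered, not validating the chain
        ctx.verify_mode = ssl.CERT_NONE
        ctx.set_ciphers(ciphers)  # SECLEVEL=0 lets OpenSSL 3 still offer TLS 1.0/1.1 and 3DES
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError, ValueError):
        return None

def evaluate(policy, observed, non_pfs_suite):
    """Findings for a listener configured with `policy` that negotiated the `observed`
    versions and, when offered only NON_PFS_SUITES over TLS 1.2, `non_pfs_suite`."""
    expected = POLICY_VERSIONS[policy]
    findings = [f"accepts {v} although the policy should reject it" for v in sorted(observed - expected)]
    findings += [f"refuses {v} although the policy allows it" for v in sorted(expected - observed)]
    if non_pfs_suite and "strict" in policy:
        findings.append(f"negotiated non-forward-secret suite {non_pfs_suite} under a strict policy")
    return findings

def audit(host, port, policy):
    """Probe a live listener and return its deviations from `policy` (empty list = compliant)."""
    observed = {name for ver, name in VERSION_NAMES.items() if probe(host, port, ver)}
    return evaluate(policy, observed, probe(host, port, ssl.TLSVersion.TLSv1_2, NON_PFS_SUITES))

if __name__ == "__main__":  # the hostname below is a placeholder, not a real accelerator address
    print(audit("ga-listener.example.invalid", 443, "tls_cipher_policy_1_2_strict") or "compliant")
```

Run it from a host that can reach the accelerator address; an unreachable listener shows up as refusing every version the policy allows, so treat that result as a connectivity problem rather than a policy finding.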