When you create or configure an HTTPS listener for a guaranteed-performance server load balancer (SLB) instance, you can select from a variety of TLS security policies.
When you create or configure an HTTPS listener, you can modify the advanced settings
in the SSL Certificates step and select a TLS security policy. For more information, see Add an HTTPS listener.
A TLS security policy contains available TLS protocols and supported cipher suites.
TLS security policies
| Security policy | Feature | Supported TLS version | Supported cipher suite |
|---|---|---|---|
| tls_cipher_policy_1_0 | Provides optimal compatibility and basic security | TLSv1.0, TLSv1.1, and TLSv1.2 | ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, and DES-CBC3-SHA |
| tls_cipher_policy_1_1 | Provides high compatibility and standard security | TLSv1.1 and TLSv1.2 | ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, and DES-CBC3-SHA |
| tls_cipher_policy_1_2 | Provides high compatibility and advanced security | TLSv1.2 | ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256,AES256-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, and DES-CBC3-SHA |
| tls_cipher_policy_1_2_strict | Supports only perfect forward secrecy (PFS) cipher suites and provides premium security. | TLSv1.2 | ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES128-SHA, and ECDHE-RSA-AES256-SHA |
| tls_cipher_policy_1_2_strict_with_1_3
Note TLSv1.3 is supported in the following regions:
|
Supports only perfect forward secrecy (PFS) cipher suites and provides premium security. | TLSv1.2 and TLSv1.3 | TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_CCM_SHA256, TLS_AES_128_CCM_8_SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES128-SHA, and ECDHE-RSA-AES256-SHA |
Cipher suites supported by different TLS security policies
| Security policy | tls_cipher_policy_1_0 | tls_cipher_policy_1_1 | tls_cipher_policy_1_2 | tls_cipher_policy_1_2_strict | tls_cipher_policy_1_2_strict_with_1_3 | |
|---|---|---|---|---|---|---|
| TLS | - | 1.2/1.1/1.0 | 1.2/1.1 | 1.2 | 1.2 | 1.2 and 1.3 |
| CIPHER | ECDHE-RSA-AES128-GCM-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔ |
| ECDHE-RSA-AES256-GCM-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔ | |
| ECDHE-RSA-AES128-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔ | |
| ECDHE-RSA-AES256-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔ | |
| AES128-GCM-SHA256 | ✔ | ✔ | ✔ | - | - | |
| AES256-GCM-SHA384 | ✔ | ✔ | ✔ | - | - | |
| AES128-SHA256 | ✔ | ✔ | ✔ | - | - | |
| AES256-SHA256 | ✔ | ✔ | ✔ | - | - | |
| ECDHE-RSA-AES128-SHA | ✔ | ✔ | ✔ | ✔ | ✔ | |
| ECDHE-RSA-AES256-SHA | ✔ | ✔ | ✔ | ✔ | ✔ | |
| AES128-SHA | ✔ | ✔ | ✔ | - | - | |
| AES256-SHA | ✔ | ✔ | ✔ | - | - | |
| DES-CBC3-SHA | ✔ | ✔ | ✔ | - | - | |
| TLS_AES_128_GCM_SHA256 | - | - | - | - | ✔ | |
| TLS_AES_256_GCM_SHA384 | - | - | - | - | ✔ | |
| TLS_CHACHA20_POLY1305_SHA256 | - | - | - | - | ✔ | |
| TLS_AES_128_CCM_SHA256 | - | - | - | - | ✔ | |
| TLS_AES_128_CCM_8_SHA256 | - | - | - | - | ✔ | |
| ECDHE-ECDSA-AES128-GCM-SHA256 | - | - | - | - | ✔ | |
| ECDHE-ECDSA-AES256-GCM-SHA384 | - | - | - | - | ✔ | |
| ECDHE-ECDSA-AES128-SHA256 | - | - | - | - | ✔ | |
| ECDHE-ECDSA-AES256-SHA384 | - | - | - | - | ✔ | |
| ECDHE-ECDSA-AES128-SHA | - | - | - | - | ✔ | |
| ECDHE-ECDSA-AES256-SHA | - | - | - | - | ✔ | |