All Products
Search
Document Center

Server Load Balancer:TLS security policies

Last Updated:Jan 24, 2024

In most cases, websites or applications deployed on Alibaba Cloud use HTTPS to encrypt data transmission. Classic Load Balancer (CLB) provides some commonly used TLS security policies to enhance the security of services that use HTTPS. You can select TLS security policies to protect your services.

Limits

When you create or configure an HTTPS listener for a high-performance CLB instance, you can select a TLS security policy.

How to configure a TLS security policy

When you add or modify an HTTPS listener, you can click Modify on the right side of Advanced Settings in the Configure SSL Certificate step. Then, select a TLS security policy. For more information, see Add an HTTPS listener.

Supported TLS security policies

A TLS security policy consists of TLS versions and cipher suites. A later version supports higher protection but lower compatibility with browsers.

Security policy

Supported TLS version

Supported cipher suite

tls_cipher_policy_1_0

  • TLSv1.0

  • TLSv1.1

  • TLSv1.2

ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, and DES-CBC3-SHA

tls_cipher_policy_1_1

  • TLSv1.1

  • TLSv1.2

ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, and DES-CBC3-SHA

tls_cipher_policy_1_2

TLSv1.2

ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, and DES-CBC3-SHA

tls_cipher_policy_1_2_strict

TLSv1.2

ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA, and ECDHE-RSA-AES256-SHA

tls_cipher_policy_1_2_strict_with_1_3

  • TLSv1.2

  • TLSv1.3

TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_CCM_SHA256, TLS_AES_128_CCM_8_SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES128-SHA, and ECDHE-RSA-AES256-SHA

Differences between TLS security policies

In the following table, a check mark (✔) indicates that the cipher suite is supported by the TLS version. A hyphen (-) indicates that the cipher suite is not supported by the TLS version.

Security policy

tls_cipher_policy_1_0

tls_cipher_policy_1_1

tls_cipher_policy_1_2

tls_cipher_policy_1_2_strict

tls_cipher_policy_1_2_strict_with_1_3

TLS

v1.0

-

-

-

-

v1.1

-

-

-

v1.2

v1.3

-

-

-

-

CIPHER

ECDHE-RSA-AES128-GCM-SHA256

ECDHE-RSA-AES256-GCM-SHA384

ECDHE-RSA-AES128-SHA256

ECDHE-RSA-AES256-SHA384

AES128-GCM-SHA256

-

-

AES256-GCM-SHA384

-

-

AES128-SHA256

-

-

AES256-SHA256

-

-

ECDHE-RSA-AES128-SHA

ECDHE-RSA-AES256-SHA

AES128-SHA

-

-

AES256-SHA

-

-

DES-CBC3-SHA

-

-

TLS_AES_256_GCM_SHA384

-

-

-

-

TLS_CHACHA20_POLY1305_SHA256

-

-

-

-

TLS_AES_128_CCM_SHA256

-

-

-

-

TLS_AES_128_CCM_8_SHA256

-

-

-

-

ECDHE-ECDSA-AES128-GCM-SHA256

-

-

-

-

ECDHE-ECDSA-AES256-GCM-SHA384

-

-

-

-

ECDHE-ECDSA-AES128-SHA256

-

-

-

-

ECDHE-ECDSA-AES256-SHA384

-

-

-

-

ECDHE-ECDSA-AES128-SHA

-

-

-

-

ECDHE-ECDSA-AES256-SHA

-

-

-

-

FAQ

Does CLB support custom TLS security policies?

CLB does not support custom TLS security policies.

Application Load Balancer (ALB) and Network Load Balancer (NLB) support custom TLS security policies. If you want to use custom TLS security policies, we recommend that you use ALB or NLB.

References