All Products
Search
Document Center

Server Load Balancer:TLS security policies

Last Updated:May 11, 2026

When you configure an HTTPS listener for a CLB instance, the TLS security policy determines which TLS protocol versions and cipher suites are used for TLS negotiation with clients. CLB provides several predefined TLS security policies.

How it works

A TLS security policy for CLB defines the supported TLS protocol versions and cipher suites for TLS negotiation. During the TLS handshake, the client sends a list of its supported protocol versions and cipher suites in a Client Hello message. Based on the policy, CLB selects a mutually supported protocol version and cipher suite combination from the client's list and responds with a Server Hello message. This combination determines subsequent steps, such as key exchange and session key generation.

TLS security policies

Security compliance standards may require your CLB instance to use a specific TLS security policy. The following table describes the TLS protocol versions and cipher suites supported by each policy to help you select one that meets your requirements. CLB does not support custom TLS security policies. If you need this functionality, use Application Load Balancer (ALB) or Network Load Balancer (NLB).

For Internet-facing applications without special compatibility requirements, we recommend using the tls_cipher_policy_1_2 policy or a stricter one.

Policy details

Policy name

tls_cipher_policy_1_0

tls_cipher_policy_1_1

tls_cipher_policy_1_2

tls_cipher_policy_1_2_strict

tls_cipher_policy_1_2_strict_with_1_3

TLS protocol version

v1.0

Supported

Not supported

Not supported

Not supported

Not supported

v1.1

Supported

Supported

Not supported

Not supported

Not supported

v1.2

Supported

Supported

Supported

Supported

Supported

v1.3

Not supported

Not supported

Not supported

Not supported

Supported

Cipher suite

ECDHE-RSA-AES128-GCM-SHA256

Supported

Supported

Supported

Supported

Supported

ECDHE-RSA-AES256-GCM-SHA384

Supported

Supported

Supported

Supported

Supported

ECDHE-RSA-AES128-SHA256

Supported

Supported

Supported

Supported

Supported

ECDHE-RSA-AES256-SHA384

Supported

Supported

Supported

Supported

Supported

AES128-GCM-SHA256

Supported

Supported

Supported

Not supported

Not supported

AES256-GCM-SHA384

Supported

Supported

Supported

Not supported

Not supported

AES128-SHA256

Supported

Supported

Supported

Not supported

Not supported

AES256-SHA256

Supported

Supported

Supported

Not supported

Not supported

ECDHE-RSA-AES128-SHA

Supported

Supported

Supported

Supported

Supported

ECDHE-RSA-AES256-SHA

Supported

Supported

Supported

Supported

Supported

AES128-SHA

Supported

Supported

Supported

Not supported

Not supported

AES256-SHA

Supported

Supported

Supported

Not supported

Not supported

DES-CBC3-SHA

Supported

Supported

Supported

Not supported

Not supported

TLS_AES_128_GCM_SHA256

Not supported

Not supported

Not supported

Not supported

Supported

TLS_AES_256_GCM_SHA384

Not supported

Not supported

Not supported

Not supported

Supported

TLS_CHACHA20_POLY1305_SHA256

Not supported

Not supported

Not supported

Not supported

Supported

TLS_AES_128_CCM_SHA256

Not supported

Not supported

Not supported

Not supported

Supported

TLS_AES_128_CCM_8_SHA256

Not supported

Not supported

Not supported

Not supported

Supported

ECDHE-ECDSA-AES128-GCM-SHA256

Supported

Supported

Supported

Supported

Supported

ECDHE-ECDSA-AES256-GCM-SHA384

Supported

Supported

Supported

Supported

Supported

ECDHE-ECDSA-AES128-SHA256

Supported

Supported

Supported

Supported

Supported

ECDHE-ECDSA-AES256-SHA384

Supported

Supported

Supported

Supported

Supported

ECDHE-ECDSA-AES128-SHA

Supported

Supported

Supported

Supported

Supported

ECDHE-ECDSA-AES256-SHA

Supported

Supported

Supported

Supported

Supported

Configure a TLS security policy

Console

When adding an HTTPS listener, click Modify next to Advanced Settings on the Certificate Management Service tab. In the expanded section, select a TLS Security Policy.

To modify a TLS security policy, go to the Listener tab on the instance details page and click the name of the target HTTPS listener to open the Listener Details dialog box. In the SSL Certificate section, modify the TLS Security Policy.

API

When calling CreateLoadBalancerHTTPSListener to create an HTTPS listener or SetLoadBalancerHTTPSListenerAttribute to modify one, specify the TLS security policy in the TLSCipherPolicy parameter.

Billing

TLS security policies are free. However, using CLB instances incurs fees.

FAQ

Custom TLS security policies on CLB

No. CLB supports only predefined TLS security policies.

If you need a custom TLS security policy, for example, to meet specific security compliance requirements, use one of the following products:

Production environment

  • TLS protocol version: If your application has no special compatibility requirements, use TLS 1.2 and TLS 1.3 for optimal security.

  • Rollback: If an issue occurs after you adjust the TLS security policy, you can immediately roll back the change by modifying the listener configuration. Perform these changes during off-peak hours.

  • Key exchange algorithm: Unless your application has specific compatibility requirements, avoid the following RSA-based cipher suites in a production environment: AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, AES128-SHA, AES256-SHA, and DES-CBC3-SHA. Because they do not support Perfect Forward Secrecy (PFS), these suites are vulnerable to side-channel attacks. Prioritize cipher suites that use ECDHE or DHE for key exchange.

TLS cipher suite mapping

This table provides the mapping between the OpenSSL format, IANA standard format, and hexadecimal representation of TLS cipher suites.

Reference table

OpenSSL format

IANA standard format

Hexadecimal

ECDHE-ECDSA-AES128-GCM-SHA256

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

0xC02B

ECDHE-ECDSA-AES256-GCM-SHA384

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

0xC02C

ECDHE-ECDSA-AES128-SHA256

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

0xC023

ECDHE-ECDSA-AES256-SHA384

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

0xC024

ECDHE-RSA-AES128-GCM-SHA256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

0xC02F

ECDHE-RSA-AES256-GCM-SHA384

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

0xC030

ECDHE-RSA-AES128-SHA256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

0xC027

ECDHE-RSA-AES256-SHA384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

0xC028

AES128-GCM-SHA256

TLS_RSA_WITH_AES_128_GCM_SHA256

0x009C

AES256-GCM-SHA384

TLS_RSA_WITH_AES_256_GCM_SHA384

0x009D

AES128-SHA256

TLS_RSA_WITH_AES_128_CBC_SHA256

0x003C

AES256-SHA256

TLS_RSA_WITH_AES_256_CBC_SHA256

0x003D

ECDHE-ECDSA-AES128-SHA

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

0xC009

ECDHE-ECDSA-AES256-SHA

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

0xC00A

ECDHE-RSA-AES128-SHA

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

0xC013

ECDHE-RSA-AES256-SHA

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

0xC014

AES128-SHA

TLS_RSA_WITH_AES_128_CBC_SHA

0x002F

AES256-SHA

TLS_RSA_WITH_AES_256_CBC_SHA

0x0035

DES-CBC3-SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

0x000A

TLS_AES_256_GCM_SHA384

TLS_AES_256_GCM_SHA384

0x1302

TLS_CHACHA20_POLY1305_SHA256

TLS_CHACHA20_POLY1305_SHA256

0x1303

TLS_AES_128_CCM_SHA256

TLS_AES_128_CCM_SHA256

0x1304

TLS_AES_128_CCM_8_SHA256

TLS_AES_128_CCM_8_SHA256

0x1305