When you create or configure an HTTPS listener for a high-performance Classic Load Balancer (CLB) instance, you can select a Transport Layer Security (TLS) security policy.
Select a TLS security policy
When you create or configure an HTTPS listener, you can modify the advanced settings
on the SSL Certificates page and select a TLS security policy. For more information, see Add an HTTPS listener. 
TLS security policies
A TLS security policy contains TLS protocol versions and cipher suites that are available for HTTPS.
| TLS security policy | Feature | Supported TLS version | Supported cipher suite |
|---|---|---|---|
| tls_cipher_policy_1_0 | Provides optimal compatibility and basic security | TLS 1.0, TLS 1.1, and TLS 1.2 | ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, and DES-CBC3-SHA |
| tls_cipher_policy_1_1 | Provides high compatibility and standard security | TLS 1.1 and TLS 1.2 | ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, and DES-CBC3-SHA |
| tls_cipher_policy_1_2 | Provides high compatibility and advanced security | TLSv1.2 | ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256,AES256-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, and DES-CBC3-SHA |
| tls_cipher_policy_1_2_strict | Supports only perfect forward secrecy (PFS) cipher suites and provides premium security | TLSv1.2 | ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES128-SHA, and ECDHE-RSA-AES256-SHA |
| tls_cipher_policy_1_2_strict_with_1_3 | Supports only PFS cipher suites and provides premium security | TLS 1.2 and TLS 1.3 | TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_CCM_SHA256,
TLS_AES_128_CCM_8_SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384,
ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256,
ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA,
ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES128-SHA, and ECDHE-RSA-AES256-SHA
Note TLS 1.3 is supported in the following regions:
|
| hybrid_cipher_policy_1_0 | Provides high compatibility and premium security | Supports SM and international cipher suites | ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, DES-CBC3-SHA, and ECC-SM2-WITH-SM4-SM3 |
Cipher suites supported by TLS security policies
| TLS security policy | tls_cipher_policy_1_0 | tls_cipher_policy_1_1 | tls_cipher_policy_1_2 | tls_cipher_policy_1_2_strict | tls_cipher_policy_1_2_strict_with_1_3 | |
|---|---|---|---|---|---|---|
| TLS | 1.2, 1.1, and 1.0 | 1.1 and 1.2 | 1.2 | 1.2 | 1.2 and 1.3 | |
| CIPHER | ECDHE-RSA-AES128-GCM-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔ |
| ECDHE-RSA-AES256-GCM-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔ | |
| ECDHE-RSA-AES128-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔ | |
| ECDHE-RSA-AES256-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔ | |
| AES128-GCM-SHA256 | ✔ | ✔ | ✔ | - | - | |
| AES256-GCM-SHA384 | ✔ | ✔ | ✔ | - | - | |
| AES128-SHA256 | ✔ | ✔ | ✔ | - | - | |
| AES256-SHA256 | ✔ | ✔ | ✔ | - | - | |
| ECDHE-RSA-AES128-SHA | ✔ | ✔ | ✔ | ✔ | ✔ | |
| ECDHE-RSA-AES256-SHA | ✔ | ✔ | ✔ | ✔ | ✔ | |
| AES128-SHA | ✔ | ✔ | ✔ | - | - | |
| AES256-SHA | ✔ | ✔ | ✔ | - | - | |
| DES-CBC3-SHA | ✔ | ✔ | ✔ | - | - | |
| TLS_AES_128_GCM_SHA256 | - | - | - | - | ✔ | |
| TLS_AES_256_GCM_SHA384 | - | - | - | - | ✔ | |
| TLS_CHACHA20_POLY1305_SHA256 | - | - | - | - | ✔ | |
| TLS_AES_128_CCM_SHA256 | - | - | - | - | ✔ | |
| TLS_AES_128_CCM_8_SHA256 | - | - | - | - | ✔ | |
| ECDHE-ECDSA-AES128-GCM-SHA256 | - | - | - | - | ✔ | |
| ECDHE-ECDSA-AES256-GCM-SHA384 | - | - | - | - | ✔ | |
| ECDHE-ECDSA-AES128-SHA256 | - | - | - | - | ✔ | |
| ECDHE-ECDSA-AES256-SHA384 | - | - | - | - | ✔ | |
| ECDHE-ECDSA-AES128-SHA | - | - | - | - | ✔ | |
| ECDHE-ECDSA-AES256-SHA | - | - | - | - | ✔ | |
Note The ✔ sign in the preceding table indicates that a cipher suite is supported, while
the - sign indicates that a cipher suite is not supported.