When you configure an HTTPS listener for a CLB instance, the TLS security policy determines which TLS protocol versions and cipher suites are used for TLS negotiation with clients. CLB provides several predefined TLS security policies.
How it works
A TLS security policy for CLB defines the supported TLS protocol versions and cipher suites for TLS negotiation. During the TLS handshake, the client sends a list of its supported protocol versions and cipher suites in a Client Hello message. Based on the policy, CLB selects a mutually supported protocol version and cipher suite combination from the client's list and responds with a Server Hello message. This combination determines subsequent steps, such as key exchange and session key generation.
TLS security policies
Security compliance standards may require your CLB instance to use a specific TLS security policy. The following table describes the TLS protocol versions and cipher suites supported by each policy to help you select one that meets your requirements. CLB does not support custom TLS security policies. If you need this functionality, use Application Load Balancer (ALB) or Network Load Balancer (NLB).
For Internet-facing applications without special compatibility requirements, we recommend using the tls_cipher_policy_1_2 policy or a stricter one.
Configure a TLS security policy
Console
When adding an HTTPS listener, click Modify next to Advanced Settings on the Certificate Management Service tab. In the expanded section, select a TLS Security Policy.
To modify a TLS security policy, go to the Listener tab on the instance details page and click the name of the target HTTPS listener to open the Listener Details dialog box. In the SSL Certificate section, modify the TLS Security Policy.
API
When calling CreateLoadBalancerHTTPSListener to create an HTTPS listener or SetLoadBalancerHTTPSListenerAttribute to modify one, specify the TLS security policy in the TLSCipherPolicy parameter.
Billing
TLS security policies are free. However, using CLB instances incurs fees.
FAQ
Custom TLS security policies on CLB
No. CLB supports only predefined TLS security policies.
If you need a custom TLS security policy, for example, to meet specific security compliance requirements, use one of the following products:
-
ALB: You can configure custom TLS security policies for HTTPS listeners.
-
NLB: You can configure custom TLS security policies for TCP/SSL listeners.
Production environment
-
TLS protocol version: If your application has no special compatibility requirements, use TLS 1.2 and TLS 1.3 for optimal security.
-
Rollback: If an issue occurs after you adjust the TLS security policy, you can immediately roll back the change by modifying the listener configuration. Perform these changes during off-peak hours.
-
Key exchange algorithm: Unless your application has specific compatibility requirements, avoid the following RSA-based cipher suites in a production environment:
AES128-GCM-SHA256,AES256-GCM-SHA384,AES128-SHA256,AES256-SHA256,AES128-SHA,AES256-SHA, andDES-CBC3-SHA. Because they do not support Perfect Forward Secrecy (PFS), these suites are vulnerable to side-channel attacks. Prioritize cipher suites that use ECDHE or DHE for key exchange.
TLS cipher suite mapping
This table provides the mapping between the OpenSSL format, IANA standard format, and hexadecimal representation of TLS cipher suites.