When you add or configure an HTTPS listener for a guaranteed-performance Server Load Balancer (SLB) instance, you can select from a variety of TLS security policies and apply one according to your requirements.
You can select a TLS security policy when you set advanced configurations of SSL Certificates for an HTTPS listener. For more information, see Add an HTTPS listener.
A TLS security policy contains supported TLS protocol versions and cipher suites.
TLS security policy
| Security policy | Feature | Supported TLS version | Supported cipher suite |
|---|---|---|---|
| tls_cipher_policy_1_0 | Optimal compatibility and with basic security | TLSv1.0, TLSv1.1, and TLSv1.2 | ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, and DES-CBC3-SHA |
| tls_cipher_policy_1_1 | Compatible and with standard security | TLSv1.1 and TLSv1.2 | ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, and DES-CBC3-SHA |
| tls_cipher_policy_1_2 | Compatible and with advanced security | TLSv1.2 | ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, and DES-CBC3-SHA |
| tls_cipher_policy_1_2_strict | Supports only perfect forward secrecy (PFS) cipher suites and offers premium security. | TLSv1.2 | ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA, and ECDHE-RSA-AES256-SHA |
| tls_cipher_policy_1_2_strict_with_1_3
Note Currently, TLS1.3 is supported in the following regions:
|
Supports only perfect forward secrecy (PFS) cipher suites and offers premium security. | TLS1.2 and TLS1.3 | TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_CCM_SHA256, TLS_AES_128_CCM_8_SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES128-SHA, and ECDHE-RSA-AES256-SHA |
Algorithm support of different TLS security policies
| Security policy | tls_cipher_policy_1_0 | tls_cipher_policy_1_1 | tls_cipher_policy_1_2 | tls_cipher_policy_1_2_strict | tls_cipher_policy_1_2_strict_with_1_3 | |
|---|---|---|---|---|---|---|
| TLS | - | 1.2/1.1/1.0 | 1.2/1.1 | 1.2 | 1.2 | 1.2 and 1.3 |
| CIPHER | ECDHE-RSA-AES128-GCM-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔ |
| ECDHE-RSA-AES256-GCM-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔ | |
| ECDHE-RSA-AES128-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔ | |
| ECDHE-RSA-AES256-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔ | |
| AES128-GCM-SHA256 | ✔ | ✔ | ✔ | - | - | |
| AES256-GCM-SHA384 | ✔ | ✔ | ✔ | - | - | |
| AES128-SHA256 | ✔ | ✔ | ✔ | - | - | |
| AES256-SHA256 | ✔ | ✔ | ✔ | - | - | |
| ECDHE-RSA-AES128-SHA | ✔ | ✔ | ✔ | ✔ | ✔ | |
| ECDHE-RSA-AES256-SHA | ✔ | ✔ | ✔ | ✔ | ✔ | |
| AES128-SHA | ✔ | ✔ | ✔ | - | - | |
| AES256-SHA | ✔ | ✔ | ✔ | - | - | |
| DES-CBC3-SHA | ✔ | ✔ | ✔ | - | - | |
| TLS_AES_128_GCM_SHA256 | - | - | - | - | ✔ | |
| TLS_AES_256_GCM_SHA384 | - | - | - | - | ✔ | |
| TLS_CHACHA20_POLY1305_SHA256 | - | - | - | - | ✔ | |
| TLS_AES_128_CCM_SHA256 | - | - | - | - | ✔ | |
| TLS_AES_128_CCM_8_SHA256 | - | - | - | - | ✔ | |
| ECDHE-ECDSA-AES128-GCM-SHA256 | - | - | - | - | ✔ | |
| ECDHE-ECDSA-AES256-GCM-SHA384 | - | - | - | - | ✔ | |
| ECDHE-ECDSA-AES128-SHA256 | - | - | - | - | ✔ | |
| ECDHE-ECDSA-AES256-SHA384 | - | - | - | - | ✔ | |
| ECDHE-ECDSA-AES128-SHA | - | - | - | - | ✔ | |
| ECDHE-ECDSA-AES256-SHA | - | - | - | - | ✔ | |