When you create or configure an HTTPS listener for a high-performance Server Load Balancer (SLB) instance, you can select a Transport Layer Security (TLS) security policy.
Select a TLS security policy.
When you create or configure an HTTPS listener, you can modify the advanced settings
on the SSL Certificates page and select a TLS security policy. For more information, see Add an HTTPS listener. 
A TLS security policy contains available TLS versions and supported cipher suites.
TLS security policies
| Security policy | Feature | Supported TLS version | Supported cipher suite |
|---|---|---|---|
| tls_cipher_policy_1_0 | Provides optimal compatibility and basic security | TLSv1.0, TLSv1.1, and TLSv1.2 | ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, and DES-CBC3-SHA |
| tls_cipher_policy_1_1 | Provides high compatibility and standard security | TLSv1.1 and TLSv1.2 | ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, and DES-CBC3-SHA |
| tls_cipher_policy_1_2 | Provides high compatibility and advanced security | TLSv1.2 | ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256,AES256-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, and DES-CBC3-SHA |
| tls_cipher_policy_1_2_strict | Supports only perfect forward secrecy (PFS) cipher suites and provides premium security | TLSv1.2 | ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES128-SHA, and ECDHE-RSA-AES256-SHA |
| tls_cipher_policy_1_2_strict_with_1_3
Note TLSv1.3 is supported in the following regions:
|
Supports only PFS cipher suites and provides premium security | TLSv1.2 and TLSv1.3 | TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_CCM_SHA256, TLS_AES_128_CCM_8_SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES128-SHA, and ECDHE-RSA-AES256-SHA |
Cipher suites supported by TLS security policies
| TLS security policy | tls_cipher_policy_1_0 | tls_cipher_policy_1_1 | tls_cipher_policy_1_2 | tls_cipher_policy_1_2_strict | tls_cipher_policy_1_2_strict_with_1_3 | |
|---|---|---|---|---|---|---|
| TLS | - | Version 1.2, 1.1, and 1.0 | Version 1.1 and 1.2 | 1.2 | 1.2 | Version 1.2 and 1.3 |
| CIPHER | ECDHE-RSA-AES128-GCM-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔ |
| ECDHE-RSA-AES256-GCM-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔ | |
| ECDHE-RSA-AES128-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔ | |
| ECDHE-RSA-AES256-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔ | |
| AES128-GCM-SHA256 | ✔ | ✔ | ✔ | - | - | |
| AES256-GCM-SHA384 | ✔ | ✔ | ✔ | - | - | |
| AES128-SHA256 | ✔ | ✔ | ✔ | - | - | |
| AES256-SHA256 | ✔ | ✔ | ✔ | - | - | |
| ECDHE-RSA-AES128-SHA | ✔ | ✔ | ✔ | ✔ | ✔ | |
| ECDHE-RSA-AES256-SHA | ✔ | ✔ | ✔ | ✔ | ✔ | |
| AES128-SHA | ✔ | ✔ | ✔ | - | - | |
| AES256-SHA | ✔ | ✔ | ✔ | - | - | |
| DES-CBC3-SHA | ✔ | ✔ | ✔ | - | - | |
| TLS_AES_128_GCM_SHA256 | - | - | - | - | ✔ | |
| TLS_AES_256_GCM_SHA384 | - | - | - | - | ✔ | |
| TLS_CHACHA20_POLY1305_SHA256 | - | - | - | - | ✔ | |
| TLS_AES_128_CCM_SHA256 | - | - | - | - | ✔ | |
| TLS_AES_128_CCM_8_SHA256 | - | - | - | - | ✔ | |
| ECDHE-ECDSA-AES128-GCM-SHA256 | - | - | - | - | ✔ | |
| ECDHE-ECDSA-AES256-GCM-SHA384 | - | - | - | - | ✔ | |
| ECDHE-ECDSA-AES128-SHA256 | - | - | - | - | ✔ | |
| ECDHE-ECDSA-AES256-SHA384 | - | - | - | - | ✔ | |
| ECDHE-ECDSA-AES128-SHA | - | - | - | - | ✔ | |
| ECDHE-ECDSA-AES256-SHA | - | - | - | - | ✔ | |
Note The ✔ sign in the preceding table indicates that the cipher suite is supported, while
the - sign indicates that the cipher suite is not supported.