When you add or configure an HTTPS listener for a guaranteed-performance Server Load Balancer (SLB) instance, you can select from a variety of TLS security policies and apply one according to your requirements.
You can select the TLS security policy when you set advanced configurations of SSL Certificates for an HTTPS listener. For more information, see Add an HTTPS listener.
The TLS security policy contains supported TLS protocol versions and cipher suites.
TLS security policy
| Security policy | Features | Supported TLS versions | Supported cipher suites |
|---|---|---|---|
| tls_cipher_policy_1_0 | Optimal compatibility and with basic security | TLSv1.0、TLSv1.1和TLSv1.2 | ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, and DES-CBC3-SHA |
| tls_cipher_policy_1_1 | Compatible and with standard security | TLSv1.1 and TLSv1.2 | ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA and DES-CBC3-SHA. |
| tls_cipher_policy_1_2 | Compatible and with advanced security | TLSv1.2 | ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, and DES-CBC3-SHA |
| tls_cipher_policy_1_2_strict | Supports only perfect forward secrecy (PFS) cipher suites and offers premium security. | TLSv1.2 | ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA, and ECDHE-RSA-AES256-SHA |
| tls_cipher_policy_1_2_strict_with_1_3
Note Currently, only the UK (London) region supports TLS1.3.
|
Supports only perfect forward secrecy (PFS) cipher suites and offers premium security. | TLS1.2 and TLS1.3 | TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_CCM_SHA256, TLS_AES_128_CCM_8_SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES128-SHA, and ECDHE-RSA-AES256-SHA |
Algorithm support of different TLS security policies
| Security Policy | tls_cipher_policy_1_0 | tls_cipher_policy_1_1 | tls_cipher_policy_1_2 | tls_cipher_policy_1_2_strict | tls_cipher_policy_1_2_strict_with_1_3 | |
|---|---|---|---|---|---|---|
| TLS | 1.2/1.1/1.0 | 1.2/1.1 | 1.2 | 1.2 | 1.2 and 1.3 | |
| CIPHER | ECDHE-RSA-AES128-GCM-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔ |
| ECDHE-RSA-AES256-GCM-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔ | |
| ECDHE-RSA-AES128-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔ | |
| ECDHE-RSA-AES256-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔ | |
| AES128-GCM-SHA256 | ✔ | ✔ | ✔ | |||
| AES256-GCM-SHA384 | ✔ | ✔ | ✔ | |||
| AES128-SHA256 | ✔ | ✔ | ✔ | |||
| AES256-SHA256 | ✔ | ✔ | ✔ | |||
| ECDHE-RSA-AES128-SHA | ✔ | ✔ | ✔ | ✔ | ✔ | |
| ECDHE-RSA-AES256-SHA | ✔ | ✔ | ✔ | ✔ | ✔ | |
| AES128-SHA | ✔ | ✔ | ✔ | |||
| AES256-SHA | ✔ | ✔ | ✔ | |||
| DES-CBC3-SHA | ✔ | ✔ | ✔ | |||
| TLS_AES_128_GCM_SHA256 | ✔ | |||||
| TLS_AES_256_GCM_SHA384 | ✔ | |||||
| TLS_CHACHA20_POLY1305_SHA256 | ✔ | |||||
| TLS_AES_128_CCM_SHA256 | ✔ | |||||
| TLS_AES_128_CCM_8_SHA256 | ✔ | |||||
| ECDHE-ECDSA-AES128-GCM-SHA256 | ✔ | |||||
| ECDHE-ECDSA-AES256-GCM-SHA384 | ✔ | |||||
| ECDHE-ECDSA-AES128-SHA256 | ✔ | |||||
| ECDHE-ECDSA-AES256-SHA384 | ✔ | |||||
| ECDHE-ECDSA-AES128-SHA | ✔ | |||||
| ECDHE-ECDSA-AES256-SHA | ✔ | |||||