When you configure an HTTPS listener for a Classic Load Balancer (CLB) instance, the TLS security policy determines the TLS protocol versions and cipher suites that the instance supports during TLS negotiation with clients. CLB provides several predefined TLS security policies for you to choose from.
How it works
A TLS security policy is configured on the CLB instance. It defines the TLS protocol versions and cipher suites that the instance accepts during TLS negotiation. During the TLS handshake, the client sends the protocol versions and cipher suites it supports in the Client Hello message. The CLB instance selects, from that offer, a protocol version and cipher suite combination that the configured policy permits and responds with a Server Hello message. All subsequent steps, including key exchange and session key generation, use the selected combination. If the client offers no protocol version or no cipher suite that the policy permits, the handshake fails and the client cannot connect, so check client compatibility before you switch to a stricter policy.
TLS security policies
Various information security standards may require a specific TLS security policy for your CLB instance. The table below lists the TLS protocol versions and cipher suites supported by each predefined policy. Configure the policy as needed. CLB does not support custom TLS security policies. If you need custom policies, use Application Load Balancer (ALB) or Network Load Balancer (NLB).
For Internet-facing applications without special compatibility requirements, use tls_cipher_policy_1_2 or a stricter policy. Note that tls_cipher_policy_1_2 still permits the static RSA key exchange suites (AES128-SHA, AES256-GCM-SHA384, and so on), which provide no forward secrecy, and the 64-bit block cipher suite DES-CBC3-SHA; the two strict policies restrict the instance to ECDHE suites, and tls_cipher_policy_1_2_strict_with_1_3 is the only predefined policy that enables TLS 1.3.
Policy details
Policy name | tls_cipher_policy_1_0 | tls_cipher_policy_1_1 | tls_cipher_policy_1_2 | tls_cipher_policy_1_2_strict | tls_cipher_policy_1_2_strict_with_1_3 |
--- | --- | --- | --- | --- | --- |
TLS protocol versions | | | | | |
TLS 1.0 | Supported | Not supported | Not supported | Not supported | Not supported |
TLS 1.1 | Supported | Supported | Not supported | Not supported | Not supported |
TLS 1.2 | Supported | Supported | Supported | Supported | Supported |
TLS 1.3 | Not supported | Not supported | Not supported | Not supported | Supported |
Cipher suites | | | | | |
ECDHE-RSA-AES128-GCM-SHA256 | Supported | Supported | Supported | Supported | Supported |
ECDHE-RSA-AES256-GCM-SHA384 | Supported | Supported | Supported | Supported | Supported |
ECDHE-RSA-AES128-SHA256 | Supported | Supported | Supported | Supported | Supported |
ECDHE-RSA-AES256-SHA384 | Supported | Supported | Supported | Supported | Supported |
AES128-GCM-SHA256 | Supported | Supported | Supported | Not supported | Not supported |
AES256-GCM-SHA384 | Supported | Supported | Supported | Not supported | Not supported |
AES128-SHA256 | Supported | Supported | Supported | Not supported | Not supported |
AES256-SHA256 | Supported | Supported | Supported | Not supported | Not supported |
ECDHE-RSA-AES128-SHA | Supported | Supported | Supported | Supported | Supported |
ECDHE-RSA-AES256-SHA | Supported | Supported | Supported | Supported | Supported |
AES128-SHA | Supported | Supported | Supported | Not supported | Not supported |
AES256-SHA | Supported | Supported | Supported | Not supported | Not supported |
DES-CBC3-SHA | Supported | Supported | Supported | Not supported | Not supported |
TLS_AES_256_GCM_SHA384 | Not supported | Not supported | Not supported | Not supported | Supported |
TLS_CHACHA20_POLY1305_SHA256 | Not supported | Not supported | Not supported | Not supported | Supported |
TLS_AES_128_CCM_SHA256 | Not supported | Not supported | Not supported | Not supported | Supported |
TLS_AES_128_CCM_8_SHA256 | Not supported | Not supported | Not supported | Not supported | Supported |
ECDHE-ECDSA-AES128-GCM-SHA256 | Not supported | Not supported | Not supported | Not supported | Supported |
ECDHE-ECDSA-AES256-GCM-SHA384 | Not supported | Not supported | Not supported | Not supported | Supported |
ECDHE-ECDSA-AES128-SHA256 | Not supported | Not supported | Not supported | Not supported | Supported |
ECDHE-ECDSA-AES256-SHA384 | Not supported | Not supported | Not supported | Not supported | Supported |
ECDHE-ECDSA-AES128-SHA | Not supported | Not supported | Not supported | Not supported | Supported |
ECDHE-ECDSA-AES256-SHA | Not supported | Not supported | Not supported | Not supported | Supported |
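The following script is an added example (not CLB code) that models the negotiation described under "How it works" against the predefined policies in the table above, so you can predict whether a given client profile will still connect before changing a listener's policy. The policy contents are transcribed from the table; the selection rule (highest mutually supported version, then the first policy suite the client offers, in table order) is an assumption about the instance's server-side preference, and the certificate key type (RSA versus ECDSA) is not modelled. The client profiles are constructed. The `probe_listener` function is a live check against a real listener and needs network access.

```python
"""Model CLB TLS policy negotiation and check client compatibility (added example)."""
import socket
import ssl

VERSION_ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Pre-TLS 1.3 suites in the order the page's policy table lists them (assumed preference).
PRE13_TABLE_ORDER = [
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
    "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256", "AES256-SHA256",
    "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
    "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA",
]
TLS13_SUITES = ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
                "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256"]
ECDHE_ECDSA = ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
               "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384",
               "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES256-SHA"]
STRICT = [c for c in PRE13_TABLE_ORDER if c.startswith("ECDHE-")]  # strict policies drop RSA-kx and 3DES

POLICIES = {  # policy name -> (supported versions, supported suites)
    "tls_cipher_policy_1_0": (["TLSv1.0", "TLSv1.1", "TLSv1.2"], PRE13_TABLE_ORDER),
    "tls_cipher_policy_1_1": (["TLSv1.1", "TLSv1.2"], PRE13_TABLE_ORDER),
    "tls_cipher_policy_1_2": (["TLSv1.2"], PRE13_TABLE_ORDER),
    "tls_cipher_policy_1_2_strict": (["TLSv1.2"], STRICT),
    "tls_cipher_policy_1_2_strict_with_1_3": (["TLSv1.2", "TLSv1.3"], TLS13_SUITES + STRICT + ECDHE_ECDSA),
}


def negotiate(policy, client_versions, client_ciphers):
    """Return the (version, cipher) the listener would pick, or None if the handshake fails."""
    versions, ciphers = POLICIES[policy]
    common = [v for v in VERSION_ORDER if v in versions and v in client_versions]
    if not common:
        return None
    version = common[-1]  # highest mutually supported version wins
    # TLS 1.3 has its own suite namespace (TLS_* names); pre-1.3 suites are unusable there.
    usable = [c for c in ciphers if c.startswith("TLS_") == (version == "TLSv1.3")]
    offered = set(client_ciphers)
    for c in usable:  # assumed server preference: first policy suite the client also offers
        if c in offered:
            return version, c
    return None


def compatibility_report(client_versions, client_ciphers):
    """Outcome of one client profile against every predefined policy."""
    return {p: negotiate(p, client_versions, client_ciphers) for p in POLICIES}


def probe_listener(host, port, version, ciphers="DEFAULT"):
    """Live check: pin one protocol version and report what the listener negotiated, or None.
    OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; pass
    ciphers="DEFAULT:@SECLEVEL=0" to probe those versions."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we are testing the policy, not the certificate chain
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # lower the floor before pinning
    ctx.maximum_version = version
    ctx.minimum_version = version
    ctx.set_ciphers(ciphers)
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    # Constructed profiles: an old client and a modern browser-like client.
    profiles = {
        "legacy": (["TLSv1.0"], ["AES128-SHA", "DES-CBC3-SHA"]),
        "modern": (["TLSv1.2", "TLSv1.3"],
                   ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256"]),
    }
    for name, (vs, cs) in profiles.items():
        for policy, outcome in compatibility_report(vs, cs).items():
            print(f"{name:7} {policy:38} {outcome or 'handshake fails'}")
```

Run the report for the oldest client you must keep serving; any policy that yields "handshake fails" for it is one you cannot switch to without breaking that client. After changing the listener, confirm the live behaviour with `probe_listener(host, 443, ssl.TLSVersion.TLSv1_1)` and so on for each version: a correctly applied tls_cipher_policy_1_2 or stricter policy returns None for TLS 1.0 and TLS 1.1. One point to verify against the live listener rather than this model: the table as printed does not list TLS_AES_128_GCM_SHA256, the TLS 1.3 suite that RFC 8446 makes mandatory to implement, so a client offering only that TLS 1.3 suite is reported here as falling back to TLS 1.2 or failing.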
Configure a TLS security policy for a listener
Console
When you add an HTTPS listener, on the SSL Certificate tab, click Advanced Settings, then click Edit. In the expanded section, select a TLS Security Policy.
To modify the TLS security policy of an existing listener: On the instance details page, go to the Listener tab. Click the name of the target HTTPS listener to open the Listener Details dialog box. In the SSL Certificate section, change the TLS Security Policy. The new policy applies to new TLS handshakes on that listener.
Billing
TLS security policies are free of charge. You are charged for purchasing and using CLB instances.
FAQ
Does CLB support custom TLS security policies?
No. CLB supports only predefined TLS security policies.
If you need custom TLS security policies, for example to meet specific security compliance requirements, use Application Load Balancer (ALB) or Network Load Balancer (NLB) instead.
Apply in production
TLS protocol version: If your application does not have special compatibility requirements, allow only TLS 1.2 and TLS 1.3. Among the predefined policies, tls_cipher_policy_1_2_strict_with_1_3 is the only one that enables TLS 1.3; tls_cipher_policy_1_2 and tls_cipher_policy_1_2_strict allow TLS 1.2 only.
Rollback: If an issue occurs after you change the TLS security policy, for example clients that can no longer complete the handshake, immediately roll back by switching the listener back to the previous policy in the listener configuration. Perform these changes during off-peak hours.
TLS cipher suite name mapping table
The table below maps each cipher suite between OpenSSL format, IANA standard format, and hexadecimal notation.
Mapping table details
OpenSSL format | IANA standard format | Hexadecimal |
--- | --- | --- |
ECDHE-ECDSA-AES128-GCM-SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | 0xC02B |
ECDHE-ECDSA-AES256-GCM-SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | 0xC02C |
ECDHE-ECDSA-AES128-SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | 0xC023 |
ECDHE-ECDSA-AES256-SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | 0xC024 |
ECDHE-RSA-AES128-GCM-SHA256 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 0xC02F |
ECDHE-RSA-AES256-GCM-SHA384 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 0xC030 |
ECDHE-RSA-AES128-SHA256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | 0xC027 |
ECDHE-RSA-AES256-SHA384 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | 0xC028 |
AES128-GCM-SHA256 | TLS_RSA_WITH_AES_128_GCM_SHA256 | 0x009C |
AES256-GCM-SHA384 | TLS_RSA_WITH_AES_256_GCM_SHA384 | 0x009D |
AES128-SHA256 | TLS_RSA_WITH_AES_128_CBC_SHA256 | 0x003C |
AES256-SHA256 | TLS_RSA_WITH_AES_256_CBC_SHA256 | 0x003D |
ECDHE-ECDSA-AES128-SHA | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | 0xC009 |
ECDHE-ECDSA-AES256-SHA | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | 0xC00A |
ECDHE-RSA-AES128-SHA | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | 0xC013 |
ECDHE-RSA-AES256-SHA | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | 0xC014 |
AES128-SHA | TLS_RSA_WITH_AES_128_CBC_SHA | 0x002F |
AES256-SHA | TLS_RSA_WITH_AES_256_CBC_SHA | 0x0035 |
DES-CBC3-SHA | TLS_RSA_WITH_3DES_EDE_CBC_SHA | 0x000A |
TLS_AES_256_GCM_SHA384 | TLS_AES_256_GCM_SHA384 | 0x1302 |
TLS_CHACHA20_POLY1305_SHA256 | TLS_CHACHA20_POLY1305_SHA256 | 0x1303 |
TLS_AES_128_CCM_SHA256 | TLS_AES_128_CCM_SHA256 | 0x1304 |
TLS_AES_128_CCM_8_SHA256 | TLS_AES_128_CCM_8_SHA256 | 0x1305 |
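The mapping table is most useful when reading a packet capture of a failed handshake: the Client Hello carries cipher suites as the two-byte identifiers in the Hexadecimal column, not as names. The following decoder is an added example (not CLB code) that extracts the offered protocol versions and cipher suites from a Client Hello record and labels the suites with the IANA names from the table above. The record it decodes is constructed in the script by `build_client_hello`, not taken from a real capture.

```python
"""Decode the versions and cipher suites a client offers in its Client Hello (added example)."""
import struct

# Cipher suite identifiers and IANA names, transcribed from the mapping table on this page.
IANA_BY_ID = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC023: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", 0xC024: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", 0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256", 0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256", 0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", 0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", 0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x1302: "TLS_AES_256_GCM_SHA384", 0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0x1304: "TLS_AES_128_CCM_SHA256", 0x1305: "TLS_AES_128_CCM_8_SHA256",
}
VERSION_NAMES = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
SUPPORTED_VERSIONS_EXT = 0x002B  # RFC 8446 supported_versions extension type


def parse_client_hello(record):
    """Return {"versions": [...], "suites": [(id, iana_name), ...]} from one TLS record
    that carries a ClientHello handshake message. Raises ValueError on malformed input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    legacy_version = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    pos += 32  # client random
    sid_len = hello[pos]; pos += 1 + sid_len  # legacy session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    suites = []
    for i in range(0, cs_len, 2):
        cid = struct.unpack("!H", hello[pos + i:pos + i + 2])[0]
        suites.append((cid, IANA_BY_ID.get(cid, "unknown")))
    pos += cs_len
    comp_len = hello[pos]; pos += 1 + comp_len  # compression methods
    # Up to TLS 1.2 the offer is the legacy_version field; a TLS 1.3 client keeps that
    # field at 0x0303 and lists every version it accepts in supported_versions instead.
    versions = [VERSION_NAMES.get(legacy_version, hex(legacy_version))]
    if pos + 2 <= len(hello):
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            data = hello[pos:pos + elen]; pos += elen
            if etype == SUPPORTED_VERSIONS_EXT:
                count = data[0] // 2
                versions = [VERSION_NAMES.get(v, hex(v))
                            for v in struct.unpack("!%dH" % count, data[1:1 + data[0]])]
    return {"versions": versions, "suites": suites}


def build_client_hello(versions, suite_ids):
    """Construct a minimal ClientHello record; used here only to produce sample input."""
    ext_body = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(ext_body)) + ext_body
    hello = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"  # legacy_version, random, empty session id
             + struct.pack("!H", 2 * len(suite_ids)) + b"".join(struct.pack("!H", s) for s in suite_ids)
             + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)  # null compression, extensions
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    sample = build_client_hello([0x0304, 0x0303], [0x1302, 0x1301, 0xC02F, 0xC013, 0x000A])
    info = parse_client_hello(sample)
    print("offered versions:", ", ".join(info["versions"]))
    for cid, name in info["suites"]:
        print(f"  0x{cid:04X}  {name}")
```

Compare the decoded list with the policy table: if none of the client's pre-1.3 suites is in the policy's Supported column (for example a client that offers only 0x002F and 0x000A against a strict policy), the handshake failure is explained by the policy, not by the certificate. Note that 0x1301 (TLS_AES_128_GCM_SHA256) is decoded as "unknown" only because the page's mapping table does not list it; it is the TLS 1.3 suite RFC 8446 makes mandatory to implement, so check its actual acceptance against the listener rather than the table.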