Modify the TLS security policy for your website
Anti-DDoS Proxy supports custom TLS security policies. You can specify the TLS protocol versions and cipher suites for websites protected by Anti-DDoS Proxy to meet your business requirements. After you modify the TLS security policy for a website, the Anti-DDoS Proxy instance uses the configured TLS protocol versions, cipher suites, and Guomi-related settings to process requests for the domain. The instance drops requests that do not meet the requirements. This topic describes how to customize a TLS security policy.
Supported TLS protocol versions
Anti-DDoS Proxy supports both international standard HTTPS certificates and Guomi HTTPS certificates. Anti-DDoS Proxy supports only international standard HTTPS certificates.
The following table describes the default and configurable TLS versions after you upload an HTTPS certificate.
Type | Default TLS versions | Configurable TLS versions |
International standard HTTPS certificate | Anti-DDoS Proxy: Supports TLS 1.0, TLS 1.1, and TLS 1.2 by default. Anti-DDoS Proxy: Supports TLS 1.1 and TLS 1.2 by default. | You can modify the TLS protocol versions and cipher suites. The supported protocol versions are:
Note To use TLS 1.3, you must separately turn on the Enable TLS 1.3 Support switch. For example, if you have an Anti-DDoS Proxy instance and your business must comply with PCI DSS 3.2, you can disable TLS 1.0 by setting TLS Versions for SSL Certificate to TLS 1.1 and later. This setting provides good compatibility and medium security. in the TLS security policy. If another service requires client endpoints to support TLS 1.3, you can turn on the Enable TLS 1.3 Support switch. |
Guomi HTTPS certificate | Supports NTLS 1.1 by default. | You cannot modify the TLS protocol version or cipher suite. |
Prerequisites
You must add a website configuration and set its Protocol Type to include HTTPS. For more information, see Add a Website Configuration.
Modify the TLS security policy
Log on to the Website Config page in the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance.
Anti-DDoS Proxy (Chinese Mainland): Choose the Chinese Mainland region.
Anti-DDoS Proxy (Outside Chinese Mainland): Choose the Outside Chinese Mainland region.
On the Website Config page, find the target domain name and click Edit in the Actions column.
On the Modify Website Configurations tab, modify the TLS Security Settings for the international standard HTTPS certificate.
Parameter
Description
TLS Versions for SSL Certificate
Select the TLS protocol versions supported by the international standard HTTPS certificate. The following options are available:
TLS 1.0 and later. This setting provides the best compatibility but low security.: Supports TLS 1.0, TLS 1.1, and TLS 1.2.
TLS 1.1 and later. This setting provides good compatibility and medium security.: Supports TLS 1.1 and TLS 1.2.
TLS 1.2 and later. This setting provides good compatibility and high security level.: Supports TLS 1.2.
NoteYou can also enable TLS 1.3 support and select the corresponding TLS 1.3 suites from the Custom Cipher Suite options.
Cipher Suites for SSL Certificate
Select the cipher suites for the international standard HTTPS certificate.
NoteYou can hover over the
icon next to an option to view the included cipher suites.Click Next and follow the on-screen instructions to complete the update.
FAQ
Does Anti-DDoS Proxy validate the HTTPS certificate status of backend servers?
No, it does not.
Anti-DDoS Proxy instances do not validate the validity of HTTPS certificates on backend servers (such as ALB, WAF, or origin ECS instances). This includes checks for expiration, domain name matching, or issuer trustworthiness. The mechanism works as follows:
Frontend SSL/TLS Termination: When a client establishes an HTTPS connection with the Anti-DDoS Proxy instance, the instance completes the SSL/TLS handshake and decrypts the traffic at the frontend.
Backend Forwarding (Plaintext or Re-encryption): The decrypted traffic is forwarded to the backend server via HTTP, or re-encrypted via HTTPS depending on your configuration.
Certificate Independence: Since TLS termination occurs at the Anti-DDoS Proxy layer, the security of the backend link does not depend on the certificate status of the backend server. Therefore, even if the backend server’s certificate is expired, self-signed, or invalid, the HTTPS communication between the client and the Anti-DDoS Proxy instance will establish normally as long as the frontend certificate on the Anti-DDoS Proxy instance is valid. Business access remains unaffected.
NoteAlthough Anti-DDoS Proxy does not validate backend certificates, we recommend using valid and trusted certificates on backend servers to ensure end-to-end security, especially when HTTPS origin fetching is enabled between the protection instance and the backend.
What should I do if an SSL security scanner reports a 3DES-related vulnerability?
If an SSL security scanner reports a 3DES-related vulnerability (e.g., detecting
DES-CBC3-SHA), it indicates that your current cipher suite configuration includes this weak algorithm.DES-CBC3-SHAis based on the 3DES algorithm, which has been deemed insecure by the industry and is vulnerable to attacks such as Sweet32.Solutions:
Switch to Preset Cipher Suites (Recommended)
In the Anti-DDoS Proxy console, switch the HTTPS certificate cipher suite configuration to "Strong Cipher Suites" or "Enhanced Cipher Suites." These preset configurations excludeDES-CBC3-SHAand can quickly resolve the vulnerability.Customize Cipher Suites
If you need to retain specific ciphers, select "Custom Cipher Suites" and manually uncheckDES-CBC3-SHAfrom the list. Ensure that the remaining suites use modern secure algorithms (such as AES-GCM or CHACHA20).
If the vulnerability persists after configuration changes, troubleshoot the following:
Verify Configuration Application: Log in to the Anti-DDoS Proxy console and confirm that the cipher suite configuration currently applied to the instance has been updated to the target settings.
Clear Scanner Cache: Some scanning tools cache historical results. Clear the cache and re-run the scan.
Rule Out False Positives: Ensure that the scan target is the Anti-DDoS Proxy IP address (not the backend origin server directly) and check if the scanning tool has any logical false positives.