Anti-DDoS Pro and Anti-DDoS Premium let you control which Transport Layer Security (TLS) protocol versions and cipher suites are accepted for each protected website. Traffic that does not match the configured policy is dropped.
Supported TLS protocol versions
The supported certificate types and configurable TLS versions depend on your instance region.
| Region | Supported certificate types |
|---|---|
| Chinese mainland | International standard HTTPS, Guomi HTTPS |
| Outside the Chinese mainland | International standard HTTPS only |
The following table shows the default and configurable TLS versions for each certificate type.
| Certificate type | Default TLS versions | Configurable TLS versions |
|---|---|---|
| International standard HTTPS (Chinese mainland) | TLS 1.0, TLS 1.1, TLS 1.2 | TLS 1.0 and later, TLS 1.1 and later, or TLS 1.2 and later |
| International standard HTTPS (outside the Chinese mainland) | TLS 1.1, TLS 1.2 | TLS 1.0 and later, TLS 1.1 and later, or TLS 1.2 and later |
| Guomi HTTPS | NTLS (National Transport Layer Security) 1.1 | Not configurable |
Note: TLS 1.3 is not included in the TLS version dropdown. To enable TLS 1.3, turn on the Enable TLS 1.3 Support switch separately, then select TLS 1.3 cipher suites under Custom Cipher Suite.
Prerequisites
Before you begin, ensure that you have:
A website configuration with Protocol Type set to include HTTPS. For more information, see Add one or more websites.
Modify the TLS security policy
The following steps apply to websites that use an international standard HTTPS certificate. TLS protocol versions and cipher suites cannot be modified for Guomi HTTPS certificates.
Log on to the Website Config page in the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance.
Anti-DDoS Proxy (Chinese Mainland): Choose Chinese Mainland.
Anti-DDoS Proxy (Outside Chinese Mainland): Choose Outside Chinese Mainland.
Find the target domain name and click Edit in the Actions column.
On the Modify Website Configurations tab, configure the TLS Security Settings for the international standard HTTPS certificate.
TLS versions for SSL certificate: Select the minimum TLS protocol version to accept. Clients using an older version are dropped. For most use cases, select TLS 1.2 and later to balance security and compatibility. If your website must comply with Payment Card Industry Data Security Standard (PCI DSS) 3.2, select TLS 1.1 and later or TLS 1.2 and later to disable TLS 1.0.
| Option | Supported versions | Security level |
|---|---|---|
| TLS 1.0 and later | TLS 1.0, TLS 1.1, TLS 1.2 | Low |
| TLS 1.1 and later | TLS 1.1, TLS 1.2 | Medium |
| TLS 1.2 and later | TLS 1.2 | High |
Cipher suites for SSL certificate: Select the cipher suites to support. Hover over the icon next to any option to view the full list of suites it includes.
| Option | Cipher suites | Availability |
|---|---|---|
| All cipher suites (Default): low security, high compatibility | ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, DES-CBC3-SHA | All TLS version settings |
| Enhanced cipher suites: very high security, very low compatibility | ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384 | Available only when TLS versions for SSL certificate is set to TLS 1.2 and later |
| Strong cipher suites: high security, low compatibility | ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA | Available only when TLS versions for SSL certificate is set to TLS 1.2 and later |
| Custom cipher suite | Select one or more cipher suites from all available suites. If TLS 1.3 is enabled, also select from: TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256, TLS_AES_128_CCM_8_SHA256, TLS_AES_128_CCM_SHA256 | All TLS version settings |
Click Next and follow the on-screen instructions to complete the modification.
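To confirm the new minimum version from the client side after the change takes effect, the following added example (not part of the original documentation) pins a handshake to each protocol version and compares the outcome with the option selected in the console. The host name is a placeholder, `probe` and `audit` are names chosen here, and TLS 1.3 is not probed because the console controls it with a separate switch.

```python
import socket
import ssl
import warnings

# Console options from the page, mapped to the versions each one should accept.
POLICY = {
    "TLS 1.0 and later": {"TLSv1", "TLSv1_1", "TLSv1_2"},
    "TLS 1.1 and later": {"TLSv1_1", "TLSv1_2"},
    "TLS 1.2 and later": {"TLSv1_2"},
}
PROBED = ("TLSv1", "TLSv1_1", "TLSv1_2")


def probe(host, version, port=443, timeout=5.0):
    """Return True if host completes a handshake pinned to exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # only the protocol version is under test,
    ctx.verify_mode = ssl.CERT_NONE     # so certificate validation is skipped
    # Lower the local OpenSSL security level; otherwise many builds refuse
    # TLS 1.0/1.1 on the client side and the probe reports a false "rejected".
    ctx.set_ciphers("ALL:@SECLEVEL=0")
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion[version]
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def audit(option, observed):
    """Compare observed {version: accepted} results with the selected option."""
    expected = POLICY[option]
    findings = []
    for version in PROBED:
        accepted = observed[version]
        if accepted and version not in expected:
            findings.append(f"{version} accepted but should be dropped")
        elif not accepted and version in expected:
            findings.append(f"{version} rejected but should be accepted")
    return findings


if __name__ == "__main__":
    host = "www.example.com"  # placeholder: replace with a domain you protect
    observed = {v: probe(host, v) for v in PROBED}
    print(observed, audit("TLS 1.2 and later", observed) or "matches policy")
```

A local OpenSSL build compiled without TLS 1.0/1.1 support still reports those versions as rejected, so run the check from a client that can negotiate them.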