Modify certificates and TLS security policies of Anti-DDoS Proxy instances - Anti-DDoS

By default, an Anti-DDoS Proxy instance returns the built-in SSL certificate to a client. If your service requires higher security, you can upload a custom SSL certificate and modify the Transport Layer Security (TLS) security policy for the instance. This topic describes how to upload a custom SSL certificate and modify the TLS security policy for an Anti-DDoS Proxy instance.

Usage notes

You can modify the SSL certificate and the TLS security policy of only an Anti-DDoS Proxy instance that uses an IPv4 address.
- SSL certificate: You can change the SSL certificate only to a certificate that uses internationally accepted algorithms.
- TLS security policy: You can select the cipher suites that are pre-defined in Anti-DDoS Proxy. You can also configure custom cipher suites. However, only Anti-DDoS Proxy instances that use the Enhanced function plan support custom cipher suites.

The following table describes the TLS versions that are supported by different types of Anti-DDoS Proxy instances.

TLS version	Anti-DDoS Proxy (Chinese Mainland)		Anti-DDoS Proxy (Outside Chinese Mainland)
TLS version	Standard function plan	Enhanced function plan	Standard function plan	Enhanced function plan
Default TLS versions	TLS 1.0 and later	TLS 1.0 and later	TLS 1.1 and later	TLS 1.1 and later
Other supported TLS versions	TLS 1.2 and later	TLS 1.1 and later TLS 1.2 and later TLS 1.3	TLS 1.0 and later TLS 1.2 and later	TLS 1.0 and later TLS 1.2 and later TLS 1.3

Prerequisites

A website service is added to Anti-DDoS Proxy. For more information, see Add websites.

Procedure

Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance.
- Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Proxy (Chinese Mainland) instance, select Chinese Mainland.
- Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Proxy (Outside Chinese Mainland) instance, select Outside Chinese Mainland.
In the left-side navigation pane, choose Provisioning > Website Config.
In the upper-right corner of the page, click Default SSL/TLS Settings for Anti-DDoS. In the Default SSL/TLS Settings for Anti-DDoS panel, find the IP address of the Anti-DDoS instance that you want to manage and click Modify in the Actions column. In the Modify panel, modify the SSL certificate and TLS security policy of the instance.
- SSL Certificate
  - Upload: If you select this option, you need to configure the Certificate Name parameter and copy and paste the content from the certificate file and the private key file to the Certificate File and Private Key fields.
    Note
    If the certificate file is in the PEM, CER, or CRT format, you can use a text editor to open the certificate file and copy the file content. If the certificate file is in other formats, such as PFX and P7B, you must convert the file into the PEM format and then use a text editor to open the file and copy the file content. For more information about how to convert the format of a certificate file, see Convert the format of a certificate or How do I convert an HTTPS certificate to the PEM format?
    If the certificate file includes multiple certificates, such as a certificate chain, you must concatenate the content of these certificates and copy and paste the concatenated content to the Certificate File field.
  - Select Existing Certificate: If you have uploaded a certificate to Certificate Management Service, you can select this option and directly select a certificate from the SSL Certificate drop-down list. This option is recommended. For more information about how to upload a certificate, see Upload an SSL certificate.
- TLS Security Settings
  Important
  You can modify the TLS security policy only after you upload an SSL certificate. We recommend that you use the same TLS security policy as the domain name. For more information about how to configure the TLS security policy for a domain name, see Configure a custom TLS security policy.
  - TLS Version: You can select a TLS version based on your business requirements.
  - Cipher Suites:
    - All cipher suites. This setting provides low security but high compatibility. (default)
      This option includes the following cipher suites:
      ECDHE-ECDSA-AES128-GCM-SHA256
      ECDHE-ECDSA-AES256-GCM-SHA384
      ECDHE-ECDSA-AES128-SHA256
      ECDHE-ECDSA-AES256-SHA384
      ECDHE-RSA-AES128-GCM-SHA256
      ECDHE-RSA-AES256-GCM-SHA384
      ECDHE-RSA-AES128-SHA256
      ECDHE-RSA-AES256-SHA384
      AES128-GCM-SHA256
      AES256-GCM-SHA384
      AES128-SHA256
      AES256-SHA256
      ECDHE-ECDSA-AES128-SHA
      ECDHE-ECDSA-AES256-SHA
      ECDHE-RSA-AES128-SHA
      ECDHE-RSA-AES256-SHA
      AES128-SHA
      AES256-SHA
      DES-CBC3-SHA
    - Enhanced cipher suites. This setting provides a very high security level but a very low compatibility.
      This option includes the following cipher suites:
      ECDHE-ECDSA-AES256-GCM-SHA384
      ECDHE-ECDSA-AES128-SHA256
      ECDHE-RSA-AES128-GCM-SHA256
      ECDHE-RSA-AES256-GCM-SHA384
    - Strong cipher suites. This setting provides a high security level but a low compatibility.
      This option includes the following cipher suites:
      ECDHE-ECDSA-AES128-GCM-SHA256
      ECDHE-ECDSA-AES256-GCM-SHA384
      ECDHE-ECDSA-AES128-SHA256
      ECDHE-ECDSA-AES256-SHA384
      ECDHE-RSA-AES128-GCM-SHA256
      ECDHE-RSA-AES256-GCM-SHA384
      ECDHE-RSA-AES128-SHA256
      ECDHE-RSA-AES256-SHA384
      ECDHE-ECDSA-AES128-SHA
      ECDHE-ECDSA-AES256-SHA
    - Custom Cipher Suite
      If you select this option, you must select one or more cipher suites from all cipher suites.
      Note
      Only Anti-DDoS Proxy instances that use the Enhanced function plan support Custom Cipher Suite.
After the modification is complete, Custom Certificate is displayed in the Certificate Configuration Status column. You can click Reset to restore the certificate and TLS security policy to the default settings.