Hypertext Transfer Protocol Secure (HTTPS) is a secure version of HTTP that uses the SSL/TLS protocol to encrypt transmitted data. An HTTPS cipher suite is a group of encryption algorithms and protocols used to establish a secure connection between a client, such as a browser, and a server. Cloud-native API Gateway lets you select a specific cipher suite to meet your security, compatibility, performance, and compliance requirements when using a gateway.
Overview
An HTTPS cipher suite consists of the following components:
A key exchange algorithm that is used to securely exchange keys for encrypted communications. Common key exchange algorithms include Rivest-Shamir-Adleman (RSA), Diffie-Hellman (DH), and Elliptic curve Diffie-Hellman (ECDH).
A Message Authentication Code (MAC) algorithm that is used to ensure data integrity and authentication. Common MAC algorithms include HMAC-SHA256 and HMAC-SHA384.
A symmetric encryption algorithm that is used to encrypt data itself. Common symmetric encryption algorithms include Advanced Encryption Standard (AES) and ChaCha20.
Limits
The version of your Cloud-native API Gateway instance must be 2.0.0 or later.
Supported suites
The following table lists the cipher suites supported by Cloud-native API Gateway and the corresponding TLS versions:
| Suite name | Supported TLS versions |
| --- | --- |
| ECDHE-ECDSA-AES128-SHA | TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3 |
| ECDHE-ECDSA-AES256-SHA | TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3 |
| ECDHE-RSA-AES128-SHA | TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3 |
| ECDHE-RSA-AES256-SHA | TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3 |
| AES128-SHA | TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3 |
| AES256-SHA | TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3 |
| ECDHE-ECDSA-AES128-GCM-SHA256 | TLS 1.2 and TLS 1.3 |
| ECDHE-ECDSA-CHACHA20-POLY1305 | TLS 1.2 and TLS 1.3 |
| ECDHE-RSA-AES128-GCM-SHA256 | TLS 1.2 and TLS 1.3 |
| ECDHE-RSA-CHACHA20-POLY1305 | TLS 1.2 and TLS 1.3 |
| AES128-GCM-SHA256 | TLS 1.2 and TLS 1.3 |
| ECDHE-ECDSA-AES256-GCM-SHA384 | TLS 1.2 and TLS 1.3 |
| ECDHE-RSA-AES256-GCM-SHA384 | TLS 1.2 and TLS 1.3 |
| AES256-GCM-SHA384 | TLS 1.2 and TLS 1.3 |
Procedure
Log on to the API Gateway console.
In the left-side navigation pane, click Domain Name. In the top navigation bar, select a region.
To add a domain name, click Add Domain Name. To edit an existing domain name, click Edit in the Actions column of the domain name.
Add a domain name
On the Add Domain Name page, select HTTPS from the drop-down list.
Click Advanced Settings. For Cipher Suite, select Custom. From the list of available algorithms, select the required algorithms, and then click Create.
Edit a domain name
On the Edit Domain Name page, select HTTPS from the Protocol drop-down list.
Click Advanced Options. Set Cipher Suite to Custom. Select the required algorithms from the list and click OK.
Verify the result
Set the cipher suite for an HTTPS domain name. For example, set the suite to ECDHE-ECDSA-AES128-GCM-SHA256.
Send an access request that uses the specified cipher suite, ECDHE-ECDSA-AES128-GCM-SHA256.
A request that uses the specified suite ECDHE-ECDSA-AES128-GCM-SHA256 returns a successful response, and both parties negotiate to use the ECDHE-ECDSA-AES128-GCM-SHA256 cipher suite.
A request that uses a suite that is not selected for the domain name, such as ECDHE-ECDSA-AES256-GCM-SHA256, is rejected and fails.
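One way to script the check described in this section, as an added example that is not code from the Cloud-native API Gateway product or its documentation: a Python client pinned to TLS 1.2 that offers exactly one suite from the table, reports what the gateway negotiated, and treats a rejected handshake as the failing case. GATEWAY_HOST is a placeholder for your own HTTPS domain name.

```python
import socket
import ssl

GATEWAY_HOST = "gateway.example.com"  # placeholder: substitute the HTTPS domain name you configured

def client_context(suite: str) -> ssl.SSLContext:
    """Client context pinned to TLS 1.2 that offers only `suite`."""
    # set_ciphers() rejects an unknown or misspelled suite name with ssl.SSLError
    # before any packet is sent, so typos are caught locally.
    ctx = ssl.create_default_context()  # keeps certificate verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(suite)
    return ctx

def suite_is_known(suite: str) -> bool:
    """True if the local OpenSSL accepts `suite` as a usable cipher string."""
    try:
        client_context(suite)
        return True
    except ssl.SSLError:
        return False

def offered_suites(suite: str) -> list:
    """TLS 1.2 suite names the pinned client puts in its ClientHello."""
    # OpenSSL also lists its TLS 1.3 suites, but never offers them at TLS 1.2.
    return [c["name"] for c in client_context(suite).get_ciphers()
            if c["protocol"] != "TLSv1.3"]

def negotiate(host: str, suite: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake with `host` offering only `suite` and report the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with client_context(suite).wrap_socket(raw, server_hostname=host) as tls:
                name, version, _bits = tls.cipher()
                return {"ok": True, "negotiated": name, "version": version}
    except ssl.SSLError as exc:  # e.g. handshake alert when the domain does not allow the suite
        return {"ok": False, "error": exc.reason or str(exc)}
    except OSError as exc:  # DNS, connect or timeout errors
        return {"ok": False, "error": str(exc)}

def verdict(result: dict, expected: str) -> str:
    """Pass/fail wording matching the verification step above."""
    if result["ok"] and result["negotiated"] == expected:
        return f"PASS: negotiated {expected} over {result['version']}"
    if result["ok"]:
        return f"FAIL: negotiated {result['negotiated']} instead of {expected}"
    return f"FAIL: request rejected ({result['error']})"

if __name__ == "__main__":
    for suite in ("ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384"):
        print(f"{suite}: {verdict(negotiate(GATEWAY_HOST, suite), suite)}")
```

Against a domain name configured with ECDHE-ECDSA-AES128-GCM-SHA256, the first suite should report PASS and the second should be rejected.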