HTTPS security policies
An HTTPS security policy defines the HTTP protocol version, TLS versions, and cipher suites that API Gateway enforces during the TLS handshake with clients.
Configure an HTTPS security policy for an API group
To configure an HTTPS security policy for an API group, you must first bind an independent domain name and a Secure Sockets Layer (SSL) certificate to the group. Available policies vary by region. To check which policies are supported in your region, open the API Gateway console and go to the Group Details page of the API group.
Supported HTTPS security policies
Each policy name encodes two dimensions: the HTTP protocol version (HTTPS1_1 = HTTP/1.1, HTTPS2 = HTTP/2) and the minimum TLS version the policy accepts (for example, TLS1_2 = minimum TLS 1.2). Use the following table to compare policies before reviewing the detailed cipher suite lists.
|
Policy |
HTTP version |
Accepted TLS versions |
Use when |
|
|
HTTP/1.1 |
TLS 1.0, 1.1, 1.2 |
Maximum client compatibility; legacy clients that cannot upgrade TLS |
|
|
HTTP/2 |
TLS 1.0, 1.1, 1.2 |
HTTP/2 multiplexing with broad client compatibility |
|
|
HTTP/2 |
TLS 1.2 only |
Stricter security; clients must support TLS 1.2 |
|
|
HTTP/2 |
TLS 1.2, TLS 1.3 |
Modern security with TLS 1.3 support; clients must support at least TLS 1.2 |
HTTPS1_1_TLS1_0
HTTP/1.1 protocol.
-
Supported Transport Layer Security (TLS) protocol versions: TLS 1.0, TLS 1.1, and TLS 1.2.
NoteClients that support TLS 1.0, 1.1, or 1.2 can call APIs in the group. Choose this policy only when you must support legacy clients that cannot be upgraded to TLS 1.2.
Supported cipher suite: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!RC4:!EXPORT:!DES:!3DES:!MD5:!DSS:!PKS;
HTTPS2_TLS1_0
-
HTTP/2 protocol.
NoteHTTP/2 converts all header keys to lowercase.
-
Supported TLS protocol versions: TLS 1.0, TLS 1.1, and TLS 1.2.
NoteClients that support TLS 1.0, 1.1, or 1.2 can call APIs in the group. Use this policy when you want HTTP/2 performance without restricting clients to a minimum TLS version.
Supported cipher suite: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!RC4:!EXPORT:!DES:!3DES:!MD5:!DSS:!PKS;
HTTPS2_TLS1_2
-
HTTP/2 protocol.
NoteHTTP/2 converts all header keys to lowercase.
-
Supported TLS protocol version: TLS 1.2.
NoteClients must support TLS 1.2 to call APIs in the group.
Supported cipher suite: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE:!3DES;
HTTPS2_TLS1_3
-
HTTP/2 protocol.
NoteHTTP/2 converts all header keys to lowercase.
-
Supported TLS protocol versions: TLS 1.2 and TLS 1.3.
NoteClients must support at least TLS 1.2 to call APIs in the group. TLS 1.3 clients are also accepted.
Supported cipher suite: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE;