HTTPS security policies

Updated at:
Copy as MD

An HTTPS security policy defines the HTTP protocol version, TLS versions, and cipher suites that API Gateway enforces during the TLS handshake with clients.

Configure an HTTPS security policy for an API group

To configure an HTTPS security policy for an API group, you must first bind an independent domain name and a Secure Sockets Layer (SSL) certificate to the group. Available policies vary by region. To check which policies are supported in your region, open the API Gateway console and go to the Group Details page of the API group.

Supported HTTPS security policies

Each policy name encodes two dimensions: the HTTP protocol version (HTTPS1_1 = HTTP/1.1, HTTPS2 = HTTP/2) and the minimum TLS version the policy accepts (for example, TLS1_2 = minimum TLS 1.2). Use the following table to compare policies before reviewing the detailed cipher suite lists.

Policy

HTTP version

Accepted TLS versions

Use when

HTTPS1_1_TLS1_0

HTTP/1.1

TLS 1.0, 1.1, 1.2

Maximum client compatibility; legacy clients that cannot upgrade TLS

HTTPS2_TLS1_0

HTTP/2

TLS 1.0, 1.1, 1.2

HTTP/2 multiplexing with broad client compatibility

HTTPS2_TLS1_2

HTTP/2

TLS 1.2 only

Stricter security; clients must support TLS 1.2

HTTPS2_TLS1_3

HTTP/2

TLS 1.2, TLS 1.3

Modern security with TLS 1.3 support; clients must support at least TLS 1.2

HTTPS1_1_TLS1_0

  • HTTP/1.1 protocol.

  • Supported Transport Layer Security (TLS) protocol versions: TLS 1.0, TLS 1.1, and TLS 1.2.

    Note

    Clients that support TLS 1.0, 1.1, or 1.2 can call APIs in the group. Choose this policy only when you must support legacy clients that cannot be upgraded to TLS 1.2.

  • Supported cipher suite: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!RC4:!EXPORT:!DES:!3DES:!MD5:!DSS:!PKS;

HTTPS2_TLS1_0

  • HTTP/2 protocol.

    Note

    HTTP/2 converts all header keys to lowercase.

  • Supported TLS protocol versions: TLS 1.0, TLS 1.1, and TLS 1.2.

    Note

    Clients that support TLS 1.0, 1.1, or 1.2 can call APIs in the group. Use this policy when you want HTTP/2 performance without restricting clients to a minimum TLS version.

  • Supported cipher suite: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!RC4:!EXPORT:!DES:!3DES:!MD5:!DSS:!PKS;

HTTPS2_TLS1_2

  • HTTP/2 protocol.

    Note

    HTTP/2 converts all header keys to lowercase.

  • Supported TLS protocol version: TLS 1.2.

    Note

    Clients must support TLS 1.2 to call APIs in the group.

  • Supported cipher suite: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE:!3DES;

HTTPS2_TLS1_3

  • HTTP/2 protocol.

    Note

    HTTP/2 converts all header keys to lowercase.

  • Supported TLS protocol versions: TLS 1.2 and TLS 1.3.

    Note

    Clients must support at least TLS 1.2 to call APIs in the group. TLS 1.3 clients are also accepted.

  • Supported cipher suite: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE;