Default TLS encryption algorithms

Updated at:
Copy as MD

Alibaba Cloud CDN enables the following TLS cipher suites by default for connections between clients and CDN edge nodes.

These cipher suites apply to client-to-edge connections. They control how browsers and other HTTP clients negotiate encryption with CDN edge nodes.

Supported cipher suites

TLS 1.3 and TLS 1.2 use separate cipher suite namespaces and cannot be mixed. TLS 1.3 suites follow the TLS_* naming format; TLS 1.2 and earlier suites use the ALGORITHM-ALGORITHM-... hyphenated format.

TLS 1.3 suites

Cipher suite
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256

TLS 1.2 and earlier suites

Cipher suite
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-CCM8
ECDHE-ECDSA-AES128-CCM
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-CCM8
ECDHE-ECDSA-AES256-CCM
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-ARIA256-GCM-SHA384
ECDHE-ARIA256-GCM-SHA384
ECDHE-ECDSA-ARIA128-GCM-SHA256
ECDHE-ARIA128-GCM-SHA256
ECDHE-ECDSA-CAMELLIA256-SHA384
ECDHE-RSA-CAMELLIA256-SHA384
ECDHE-ECDSA-CAMELLIA128-SHA256
ECDHE-RSA-CAMELLIA128-SHA256
ECDH-RSA-AES256-GCM-SHA384
ECDH-ECDSA-AES256-GCM-SHA384
RSA-PSK-AES256-GCM-SHA384
DHE-PSK-AES256-GCM-SHA384
RSA-PSK-CHACHA20-POLY1305
DHE-PSK-CHACHA20-POLY1305
ECDHE-PSK-CHACHA20-POLY1305
DHE-PSK-AES256-CCM8
DHE-PSK-AES256-CCM
RSA-PSK-ARIA256-GCM-SHA384
DHE-PSK-ARIA256-GCM-SHA384
AES256-GCM-SHA384
AES256-CCM8
AES256-CCM
ARIA256-GCM-SHA384
PSK-AES256-GCM-SHA384
PSK-CHACHA20-POLY1305
PSK-AES256-CCM8
PSK-AES256-CCM
PSK-ARIA256-GCM-SHA384
ECDH-RSA-AES128-GCM-SHA256
ECDH-ECDSA-AES128-GCM-SHA256
RSA-PSK-AES128-GCM-SHA256
DHE-PSK-AES128-GCM-SHA256
DHE-PSK-AES128-CCM8
DHE-PSK-AES128-CCM
RSA-PSK-ARIA128-GCM-SHA256
DHE-PSK-ARIA128-GCM-SHA256
AES128-GCM-SHA256
AES128-CCM8
AES128-CCM
ARIA128-GCM-SHA256
PSK-AES128-GCM-SHA256
PSK-AES128-CCM8
PSK-AES128-CCM
PSK-ARIA128-GCM-SHA256
ECDH-RSA-AES256-SHA384
ECDH-ECDSA-AES256-SHA384
AES256-SHA256
CAMELLIA256-SHA256
ECDH-RSA-AES128-SHA256
ECDH-ECDSA-AES128-SHA256
AES128-SHA256
CAMELLIA128-SHA256
ECDHE-PSK-AES256-CBC-SHA384
ECDHE-PSK-AES256-CBC-SHA
SRP-DSS-AES-256-CBC-SHA
SRP-RSA-AES-256-CBC-SHA
SRP-AES-256-CBC-SHA
ECDH-RSA-AES256-SHA
ECDH-ECDSA-AES256-SHA
RSA-PSK-AES256-CBC-SHA384
DHE-PSK-AES256-CBC-SHA384
RSA-PSK-AES256-CBC-SHA
DHE-PSK-AES256-CBC-SHA
ECDHE-PSK-CAMELLIA256-SHA384
RSA-PSK-CAMELLIA256-SHA384
DHE-PSK-CAMELLIA256-SHA384
AES256-SHA
CAMELLIA256-SHA
PSK-AES256-CBC-SHA384
PSK-AES256-CBC-SHA
PSK-CAMELLIA256-SHA384
ECDHE-PSK-AES128-CBC-SHA256
ECDHE-PSK-AES128-CBC-SHA
SRP-DSS-AES-128-CBC-SHA
SRP-RSA-AES-128-CBC-SHA
SRP-AES-128-CBC-SHA
ECDH-RSA-AES128-SHA
ECDH-ECDSA-AES128-SHA
RSA-PSK-AES128-CBC-SHA256
DHE-PSK-AES128-CBC-SHA256
RSA-PSK-AES128-CBC-SHA
DHE-PSK-AES128-CBC-SHA
ECDHE-PSK-CAMELLIA128-SHA256
RSA-PSK-CAMELLIA128-SHA256
DHE-PSK-CAMELLIA128-SHA256
AES128-SHA
SEED-SHA
CAMELLIA128-SHA
IDEA-CBC-SHA
PSK-AES128-CBC-SHA256
PSK-AES128-CBC-SHA
PSK-CAMELLIA128-SHA256

Customize cipher suites

The TLS Cipher Suite parameter controls which cipher suites are active for your domain.

  • All Cipher Suite Groups or Enhanced Cipher Suite: cipher suites are fixed and cannot be modified.

  • Custom Cipher Suite: select specific cipher suites based on your business requirements.

To configure special encryption algorithms, submit a ticket.