Anti-DDoS Pro and Anti-DDoS Premium allow you to configure a custom Transport Layer Security (TLS) policy. After you add your website to Anti-DDoS Pro or Anti-DDoS Premium, you can select TLS protocol versions and cipher suites and configure SM settings for your website based on your business requirements. This topic describes how to configure a custom TLS security policy.

Background information

Anti-DDoS Pro supports both certificates that use internationally accepted algorithms and SM certificates. Anti-DDoS Premium supports only certificates that use internationally accepted algorithms. The TLS protocol versions that a certificate supports after you upload it for a website protected by Anti-DDoS Pro or Anti-DDoS Premium depend on the instance type and the certificate type. The following list describes the details:
  • Anti-DDoS Pro: By default, certificates that use internationally accepted algorithms support TLS 1.0, TLS 1.1, and TLS 1.2, and SM certificates support National Transport Layer Security (NTLS) 1.1.
  • Anti-DDoS Premium: By default, certificates that use internationally accepted algorithms support TLS 1.1 and TLS 1.2.
If the preceding configurations cannot meet your business requirements, you can select different TLS protocol versions and cipher suites. The following table describes the TLS protocol versions and cipher suites that you can select for the certificates supported by Anti-DDoS Pro and Anti-DDoS Premium.
Instance type: Anti-DDoS Pro
  Standard function plan:
  • Certificates that use internationally accepted algorithms:
    • If you select TLS 1.0 and later versions (TLS 1.0, TLS 1.1, and TLS 1.2), you can select only all cipher suites.
    • If you select TLS 1.2 and later versions, you can select all cipher suites or enhanced cipher suites.
    Note
    • For more information about the cipher suites, see Procedure.
    • If you want to use TLS 1.3 and custom cipher suites, upgrade your instance to the Enhanced function plan. For more information, see Upgrade an instance.
  • SM certificates: You can specify whether to enable SM certificate-based verification and whether to allow requests only from SM certificate-based clients. You cannot change the TLS protocol versions and cipher suites.
  Enhanced function plan:
  • Certificates that use internationally accepted algorithms:
    • If you select TLS 1.0 and later versions (TLS 1.0, TLS 1.1, and TLS 1.2), you can select all cipher suites or custom cipher suites.
    • If you select TLS 1.1 and later versions (TLS 1.1 and TLS 1.2), you can select all cipher suites or custom cipher suites.
    • If you select TLS 1.2 and later versions, you can select all cipher suites, enhanced cipher suites, strong cipher suites, or custom cipher suites.
    Note If you want to use TLS 1.3, you must select Enable TLS 1.3. For more information, see Procedure.
  • SM certificates: You can specify whether to enable SM certificate-based verification and whether to allow requests only from SM certificate-based clients. You cannot change the TLS protocol versions and cipher suites.
Instance type: Anti-DDoS Premium
  Standard function plan: You cannot configure custom TLS security policies. If the default configurations cannot meet your business requirements and you want to configure custom TLS security policies, upgrade your instance to the Enhanced function plan. For more information, see Upgrade an instance.
  Enhanced function plan:
  • Certificates that use internationally accepted algorithms:
    • If you select TLS 1.0 and later versions (TLS 1.0, TLS 1.1, and TLS 1.2), you can select all cipher suites or custom cipher suites.
    • If you select TLS 1.1 and later versions (TLS 1.1 and TLS 1.2), you can select all cipher suites or custom cipher suites.
    • If you select TLS 1.2 and later versions, you can select all cipher suites, enhanced cipher suites, strong cipher suites, or custom cipher suites.
    Note If you want to use TLS 1.3, you must select Enable TLS 1.3. For more information, see Procedure.

You can configure different custom TLS security policies for different services. For example, suppose that you have purchased an Anti-DDoS Pro instance of the Enhanced function plan and want to disable TLS 1.0 for one of your services because that service must comply with Payment Card Industry Data Security Standard (PCI DSS) 3.2. In this case, you can set the TLS Versions parameter to TLS 1.1 and later versions, which provides good compatibility and a medium security level. If the clients that access another of your services use TLS 1.3, you can select Enable TLS 1.3 for that service.

Prerequisites

You can configure a custom TLS security policy only when the following conditions are met:
  • A website is added to Anti-DDoS Pro or Anti-DDoS Premium, and HTTPS is selected for Protocol. For more information, see Add a website.
  • An SSL certificate is uploaded for the website based on your business requirements. For more information, see Upload an SSL certificate.

Procedure

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select the region where your instance resides.
    • Mainland China: If you select this region, the Anti-DDoS Pro console appears.
    • Outside Mainland China: If you select this region, the Anti-DDoS Premium console appears.
    You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.
  3. In the left-side navigation pane, choose Provisioning > Website Config.
  4. If you use an Anti-DDoS Pro instance, perform the following steps to configure a TLS security policy:
    1. Find the domain name for which you want to configure a custom TLS security policy and click TLS Security Settings in the Certificate Status column.
    2. In the TLS Security Settings dialog box, configure the parameters.
      Parameter: TLS Versions
      Description: Select the TLS versions for your SSL certificate that uses internationally accepted algorithms.
      • Valid values in the Standard function plan:
        • TLS 1.0 and later versions: TLS 1.0, TLS 1.1, and TLS 1.2 are supported. This setting provides the best compatibility but a low security level. This is the default value.
        • TLS 1.2 and later versions: TLS 1.2 is supported. This setting provides good compatibility and a high security level.
      • Valid values in the Enhanced function plan:
        • TLS 1.0 and later versions: TLS 1.0, TLS 1.1, and TLS 1.2 are supported. This setting provides the best compatibility but a low security level. This is the default value.
        • TLS 1.1 and later versions: TLS 1.1 and TLS 1.2 are supported. This setting provides good compatibility and a medium security level.
        • TLS 1.2 and later versions: TLS 1.2 is supported. This setting provides good compatibility and a high security level.

        You can select Enable TLS 1.3 based on your business requirements.

      Parameter: Cipher Suites
      Description: Select the cipher suites supported by your SSL certificate that uses internationally accepted algorithms. To view more information about the cipher suites that are supported by the Enhanced function plan or the Standard function plan, go to the Anti-DDoS Pro console. The following options are available for both the Enhanced function plan and the Standard function plan:
      Note To view the cipher suites that are included in an option, move your pointer over the question mark icon of the option.
      • All cipher suites: This setting provides a low security level but high compatibility. This is the default value.
        This option includes the following cipher suites:
        • ECDHE-ECDSA-AES128-GCM-SHA256
        • ECDHE-ECDSA-AES256-GCM-SHA384
        • ECDHE-ECDSA-AES128-SHA256
        • ECDHE-ECDSA-AES256-SHA384
        • ECDHE-RSA-AES128-GCM-SHA256
        • ECDHE-RSA-AES256-GCM-SHA384
        • ECDHE-RSA-AES128-SHA256
        • ECDHE-RSA-AES256-SHA384
        • AES128-GCM-SHA256
        • AES256-GCM-SHA384
        • AES128-SHA256
        • AES256-SHA256
        • ECDHE-ECDSA-AES128-SHA
        • ECDHE-ECDSA-AES256-SHA
        • ECDHE-RSA-AES128-SHA
        • ECDHE-RSA-AES256-SHA
        • AES128-SHA
        • AES256-SHA
        • DES-CBC3-SHA
      • Enhanced cipher suites: This setting provides a very high security level but very low compatibility.
        This option includes the following cipher suites:
        • ECDHE-ECDSA-AES256-GCM-SHA384
        • ECDHE-ECDSA-AES128-SHA256
        • ECDHE-RSA-AES128-GCM-SHA256
        • ECDHE-RSA-AES256-GCM-SHA384
      • Strong cipher suites: This setting provides a high security level but low compatibility.
        This option includes the following cipher suites:
        • ECDHE-ECDSA-AES128-GCM-SHA256
        • ECDHE-ECDSA-AES256-GCM-SHA384
        • ECDHE-ECDSA-AES128-SHA256
        • ECDHE-ECDSA-AES256-SHA384
        • ECDHE-RSA-AES128-GCM-SHA256
        • ECDHE-RSA-AES256-GCM-SHA384
        • ECDHE-RSA-AES128-SHA256
        • ECDHE-RSA-AES256-SHA384
        • ECDHE-ECDSA-AES128-SHA
        • ECDHE-ECDSA-AES256-SHA
      • Selecting Your Cipher Suites: If you select this option, you must select one or more cipher suites from all cipher suites.
      Parameter: Enable SM Certificate-based Verification
      Description: Specify whether Anti-DDoS Pro can process requests from clients that use SM certificates. If you turn on the switch, Anti-DDoS Pro can process requests from 360 Secure Browser and the Haitai browser that use SM certificates. By default, the switch is turned off for an SM certificate that you upload.
      • If you turn on Enable SM Certificate-based Verification, Anti-DDoS Pro can process requests from clients that use SM certificates.
      • If you turn off Enable SM Certificate-based Verification, Anti-DDoS Pro cannot process requests from clients that use SM certificates.
      Note
      • Before you can turn on Allow Access Only from SM Certificate-based Clients, you must turn on Enable SM Certificate-based Verification.
      • Before you can turn off Enable SM Certificate-based Verification, you must turn off Allow Access Only from SM Certificate-based Clients.
      Parameter: Allow Access Only from SM Certificate-based Clients
      Description: Specify whether Anti-DDoS Pro processes only requests from clients that use SM certificates. By default, the switch is turned off for an SM certificate that you upload.
      • If you turn on Allow Access Only from SM Certificate-based Clients, Anti-DDoS Pro processes only requests from clients that use SM certificates.
      • If you turn off Allow Access Only from SM Certificate-based Clients, Anti-DDoS Pro processes requests from clients that use either type of certificate: SM certificates or certificates that use internationally accepted algorithms.
      Note
      • Before you can turn on Allow Access Only from SM Certificate-based Clients, you must turn on Enable SM Certificate-based Verification.
      • Before you can turn off Enable SM Certificate-based Verification, you must turn off Allow Access Only from SM Certificate-based Clients.
      Parameter: SM Cipher Suites for HTTPS Support
      Description: After you upload an SM certificate, the following cipher suites are automatically enabled. You cannot select cipher suites for the SM certificate.
      • ECC-SM2-SM4-CBC-SM3
      • ECC-SM2-SM4-GCM-SM3
      • ECDHE-SM2-SM4-CBC-SM3
      • ECDHE-SM2-SM4-GCM-SM3
    3. Click OK.
  5. If you use an Anti-DDoS Premium instance, perform the following steps to configure a TLS security policy:
    Note You can configure a custom TLS security policy only for Anti-DDoS Premium instances of the Enhanced function plan.
    1. Find the domain name for which you want to configure a custom TLS security policy and click TLS Security Settings in the Certificate Status column.
    2. In the TLS Security Settings dialog box, configure the parameters.
      Parameter: TLS Versions
      Description: Select the TLS versions for your SSL certificate that uses internationally accepted algorithms. Valid values:
      • TLS 1.0 and later versions: TLS 1.0, TLS 1.1, and TLS 1.2 are supported. This setting provides the best compatibility but a low security level. This is the default value.
      • TLS 1.1 and later versions: TLS 1.1 and TLS 1.2 are supported. This setting provides good compatibility and a medium security level.
      • TLS 1.2 and later versions: TLS 1.2 is supported. This setting provides good compatibility and a high security level.

      You can select Enable TLS 1.3 based on your business requirements.

      Parameter: Cipher Suites
      Description: Select the cipher suites supported by your SSL certificate that uses internationally accepted algorithms. Valid values:
      Note To view the cipher suites that are included in an option, move your pointer over the question mark icon of the option.
      • All cipher suites: This setting provides a low security level but high compatibility. This is the default value.
        This option includes the following cipher suites:
        • ECDHE-ECDSA-AES128-GCM-SHA256
        • ECDHE-ECDSA-AES256-GCM-SHA384
        • ECDHE-ECDSA-AES128-SHA256
        • ECDHE-ECDSA-AES256-SHA384
        • ECDHE-RSA-AES128-GCM-SHA256
        • ECDHE-RSA-AES256-GCM-SHA384
        • ECDHE-RSA-AES128-SHA256
        • ECDHE-RSA-AES256-SHA384
        • AES128-GCM-SHA256
        • AES256-GCM-SHA384
        • AES128-SHA256
        • AES256-SHA256
        • ECDHE-ECDSA-AES128-SHA
        • ECDHE-ECDSA-AES256-SHA
        • ECDHE-RSA-AES128-SHA
        • ECDHE-RSA-AES256-SHA
        • AES128-SHA
        • AES256-SHA
        • DES-CBC3-SHA
      • Strong cipher suites: This setting provides a high security level but low compatibility. This option is available only when TLS Versions is set to TLS 1.2 and later versions.
        This option includes the following cipher suites:
        • ECDHE-ECDSA-AES128-GCM-SHA256
        • ECDHE-ECDSA-AES256-GCM-SHA384
        • ECDHE-ECDSA-AES128-SHA256
        • ECDHE-ECDSA-AES256-SHA384
        • ECDHE-RSA-AES128-GCM-SHA256
        • ECDHE-RSA-AES256-GCM-SHA384
        • ECDHE-RSA-AES128-SHA256
        • ECDHE-RSA-AES256-SHA384
        • ECDHE-ECDSA-AES128-SHA
        • ECDHE-ECDSA-AES256-SHA
      • Selecting Your Cipher Suites: If you select this option, you must select one or more cipher suites from all cipher suites.
    3. Click OK.

Result

After you configure a custom TLS security policy for your website, Anti-DDoS Pro or Anti-DDoS Premium forwards requests that are destined for your website based on the TLS security policy. If a client uses a TLS protocol version or cipher suite that is not specified in the TLS policy, the requests that are sent from the client are discarded.
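As an added example, not Anti-DDoS Pro's own code, the following Python script models the policy choices in the plan table and the discard behaviour described above: make_policy checks a plan, TLS version and cipher suite option against the table, and negotiate works out which version and suite a client offer would end up with, or None when the request would be discarded. The suite lists are the ones shown for each option in Procedure; the plan labels, the function names and the negotiation rule (highest common version, then the edge's suite order) are assumptions.

```python
# Added example, not Anti-DDoS Pro's own code: an offline model of the TLS
# security policy options on this page. The cipher suite lists are the ones
# the console shows for each option; the negotiation rule (highest common
# version, then the edge's suite order) is an assumption about the edge.
ENHANCED = [
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
]
STRONG = [
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES256-SHA",
]
# "All cipher suites": the eight ECDHE SHA-2 suites above, then the
# static-RSA, CBC/SHA-1 and 3DES suites that only legacy clients still need.
ALL = STRONG[:8] + [
    "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256", "AES256-SHA256",
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES256-SHA",
    "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
    "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA",
]
SUITES = {"all": ALL, "enhanced": ENHANCED, "strong": STRONG}
VERSIONS = ["TLS1.0", "TLS1.1", "TLS1.2"]  # Enable TLS 1.3 is a separate switch

def make_policy(plan, min_version, cipher_option, custom=()):
    """Check a choice against the plan table on this page and return the policy."""
    if plan == "standard" and cipher_option in ("strong", "custom"):
        raise ValueError(f"{cipher_option} suites need the Enhanced function plan")
    if plan == "standard" and min_version == "TLS1.1":
        raise ValueError("TLS 1.1 and later is an Enhanced function plan option")
    if cipher_option in ("enhanced", "strong") and min_version != "TLS1.2":
        raise ValueError(f"{cipher_option} suites require TLS 1.2 and later")
    suites = list(custom) if cipher_option == "custom" else SUITES[cipher_option]
    if not suites or not set(suites) <= set(ALL):
        raise ValueError("custom suites must be picked from 'All cipher suites'")
    return {"versions": VERSIONS[VERSIONS.index(min_version):], "suites": suites}

def negotiate(policy, client_versions, client_suites):
    """Return (version, suite) the edge would accept, or None if the request is
    discarded because the client offers no version or suite in the policy."""
    common = [v for v in reversed(VERSIONS)
              if v in policy["versions"] and v in client_versions]
    for suite in policy["suites"]:  # edge preference order, first match wins
        if common and suite in client_suites:
            return common[0], suite
    return None
```

With the PCI DSS policy from the example above (Enhanced plan, TLS 1.1 and later, all cipher suites), a client that offers only TLS 1.0 is discarded, while a TLS 1.2 client that offers only DES-CBC3-SHA is still accepted; switching to strong cipher suites is what shuts that 3DES path.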