Anti-DDoS Pro and Anti-DDoS Premium allow you to customize Transport Layer Security (TLS) policies. After you add your website to Anti-DDoS Pro or Anti-DDoS Premium, you can select TLS protocol versions and cipher suites for the website based on your business requirements. This topic describes how to customize a TLS policy.

Prerequisites

  • A website is added to an Anti-DDoS Pro or Anti-DDoS Premium instance that uses the Enhanced function plan. For more information, see Add a website.

    You can customize a TLS policy only in an Anti-DDoS Pro or Anti-DDoS Premium instance that uses the Enhanced function plan. If your instance uses the Standard function plan, you must upgrade the function plan to Enhanced before you can customize a TLS policy. For more information about how to upgrade an Anti-DDoS Pro or Anti-DDoS Premium instance, see Upgrade the specifications of an Anti-DDoS Pro or Anti-DDoS Premium instance.

  • Your website supports HTTPS, and the required SSL certificate is uploaded. For more information, see Upload an HTTPS certificate.

Background information

Anti-DDoS Pro and Anti-DDoS Premium support TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3. By default, websites that are added to an Anti-DDoS Pro instance support TLS 1.0, TLS 1.1, and TLS 1.2, and websites that are added to an Anti-DDoS Premium instance support TLS 1.1 and TLS 1.2. If the default settings do not meet your business requirements, you can customize a TLS policy.

If one of your services must comply with PCI DSS 3.2, you must disable TLS 1.0 for that service. If the terminals that access your other services support only TLS 1.0, you can customize a separate TLS policy for each service.

Procedure

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select the region where your instance resides.
    • Mainland China: If you select this region, the Anti-DDoS Pro console appears.
    • Outside Mainland China: If you select this region, the Anti-DDoS Premium console appears.
    You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.
  3. In the left-side navigation pane, choose Provisioning > Website Config.
  4. Find the domain name that you want to configure and click TLS Security Settings in the Certificate Status column.
    Notice: You can customize a TLS policy only if the following conditions are met:
      • The domain name of your website is added to an Anti-DDoS Pro or Anti-DDoS Premium instance that uses the Enhanced function plan.
      • Your website supports HTTPS.
      • The Certificate Status is Normal.
  5. In the TLS Security Settings dialog box, configure TLS Versions and Cipher Suites.
    TLS Versions: Select the TLS protocol versions that are supported by HTTPS. Valid values:
    • "TLS 1.0 and later versions. This setting provides the best compatibility but a low security level.": TLS 1.0, TLS 1.1, and TLS 1.2 are supported. This is the default value.
    • "TLS1.1 and later versions. This setting provides a good compatibility and a medium security level.": TLS 1.1 and TLS 1.2 are supported.
    • "TLS1.2 and later versions. This setting provides a good compatibility and a high security level.": TLS 1.2 is supported.

    You can also select Enable TLS 1.3 based on your business requirements.

    Cipher Suites: Select the cipher suites that are supported by HTTPS. The following options are available:
    Note: To view the cipher suites contained in an option, move your pointer over the question mark icon of the option.
    • "All cipher suites. This setting provides a low security level but a high compatibility.": This is the default value.
      This option includes the following cipher suites:
      • ECDHE-ECDSA-AES128-GCM-SHA256
      • ECDHE-ECDSA-AES256-GCM-SHA384
      • ECDHE-ECDSA-AES128-SHA256
      • ECDHE-ECDSA-AES256-SHA384
      • ECDHE-RSA-AES128-GCM-SHA256
      • ECDHE-RSA-AES256-GCM-SHA384
      • ECDHE-RSA-AES128-SHA256
      • ECDHE-RSA-AES256-SHA384
      • AES128-GCM-SHA256
      • AES256-GCM-SHA384
      • AES128-SHA256
      • AES256-SHA256
      • ECDHE-ECDSA-AES128-SHA
      • ECDHE-ECDSA-AES256-SHA
      • ECDHE-RSA-AES128-SHA
      • ECDHE-RSA-AES256-SHA
      • AES128-SHA
      • AES256-SHA
      • DES-CBC3-SHA
    • "Strong cipher suites. This setting provides a high security level but a low compatibility.": This option is available only when TLS Versions is set to "TLS1.2 and later versions. This setting provides a good compatibility and a high security level."
      This option includes the following cipher suites:
      • ECDHE-ECDSA-AES128-GCM-SHA256
      • ECDHE-ECDSA-AES256-GCM-SHA384
      • ECDHE-ECDSA-AES128-SHA256
      • ECDHE-ECDSA-AES256-SHA384
      • ECDHE-RSA-AES128-GCM-SHA256
      • ECDHE-RSA-AES256-GCM-SHA384
      • ECDHE-RSA-AES128-SHA256
      • ECDHE-RSA-AES256-SHA384
      • ECDHE-ECDSA-AES128-SHA
      • ECDHE-ECDSA-AES256-SHA
    • Selecting Your Cipher Suites: If you select this option, you must select one or more cipher suites from all cipher suites.
  6. Click OK.

Result

After you customize the TLS policy for your website, Anti-DDoS Pro or Anti-DDoS Premium forwards access requests that are destined for your website based on the TLS policy. If a client uses a TLS protocol version that is not specified in the TLS policy, the access requests that are sent from the client are discarded.
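
To help choose among the cipher suite options in step 5, the following Python sketch compares the two predefined lists and proposes a custom selection. It is an added example, not part of the product documentation: the suite names are copied from this page, while the classification rules and the function names (classify, audit, aead_pfs_subset) are assumptions of the example.

```python
# Added example. Suite names are copied from the option lists on this page;
# the classification rules and function names are this example's own.
ALL_SUITES = """
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384
AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256
ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA
AES128-SHA AES256-SHA DES-CBC3-SHA
""".split()
STRONG_SUITES = """
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA
""".split()

def classify(name):
    """Derive key exchange, certificate type, mode and hash from an OpenSSL-style name."""
    parts = name.split("-")
    if parts[0] == "ECDHE":
        kx, auth, rest = "ECDHE", parts[1], parts[2:]
    else:  # no key-exchange prefix: static RSA key exchange, no forward secrecy
        kx, auth, rest = "RSA", "RSA", parts
    if "GCM" in rest:
        mode = "GCM"
    elif rest[:2] == ["DES", "CBC3"]:
        mode = "3DES-CBC"
    else:  # AES suites without GCM in the name use CBC
        mode = "CBC"
    return {"name": name, "kx": kx, "auth": auth, "mode": mode, "hash": rest[-1]}

def audit(suites):
    """Group suites by the weaknesses a reviewer would look for first."""
    info = [classify(s) for s in suites]
    return {
        "no_forward_secrecy": [i["name"] for i in info if i["kx"] != "ECDHE"],
        "triple_des": [i["name"] for i in info if i["mode"] == "3DES-CBC"],
        "cbc_sha1": [i["name"] for i in info if i["mode"] == "CBC" and i["hash"] == "SHA"],
    }

def aead_pfs_subset(suites, cert_type):
    """Candidate custom selection: ECDHE + GCM suites usable with the given certificate type."""
    picked = [classify(s) for s in suites]
    return [c["name"] for c in picked
            if c["kx"] == "ECDHE" and c["mode"] == "GCM" and c["auth"] == cert_type]

if __name__ == "__main__":
    print("Removed by Strong:", [s for s in ALL_SUITES if s not in STRONG_SUITES])
    print("Still CBC+SHA1 in Strong:", audit(STRONG_SUITES)["cbc_sha1"])
    print("Custom selection (RSA cert):", aead_pfs_subset(ALL_SUITES, "RSA"))
```

A selection limited to the ECDHE GCM suites excludes clients that cannot negotiate them, so compare it against the terminals that access the service before you click OK.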