Anti-DDoS Pro and Anti-DDoS Premium allow you to customize a Transport Layer Security (TLS) policy. You can set the TLS protocol versions and cipher suites for websites that are protected by Anti-DDoS Pro or Anti-DDoS Premium. After you modify the TLS security policy for a website, the Anti-DDoS Pro or Anti-DDoS Premium instance processes request traffic to the website's domain name based on the configured TLS protocol version, cipher suites, and National Transport Layer Security (NTLS) settings. Requests that do not meet the requirements are dropped. This topic describes how to customize a TLS security policy.
Supported TLS protocol versions
Anti-DDoS Pro and Anti-DDoS Premium (the Chinese mainland) support both international standard HTTPS certificates and NTLS-based HTTPS certificates. Anti-DDoS Pro and Anti-DDoS Premium (outside the Chinese mainland) support only international standard HTTPS certificates.
The following table describes the default TLS versions and the configurable TLS protocol versions after you upload an HTTPS certificate.
Certificate type | Default TLS versions | Configurable TLS protocol versions
--- | --- | ---
International standard HTTPS certificate | Anti-DDoS Pro and Anti-DDoS Premium (the Chinese mainland): TLS 1.0, TLS 1.1, and TLS 1.2 are supported by default. Anti-DDoS Pro and Anti-DDoS Premium (outside the Chinese mainland): TLS 1.1 and TLS 1.2 are supported by default. | You can modify the TLS protocol versions and the corresponding cipher suites. The supported options are listed under TLS Versions for SSL Certificate below.
Guomi (NTLS-based) HTTPS certificate | NTLS 1.1 is supported by default. | You cannot modify the TLS protocol versions or cipher suites.

Note: To use TLS 1.3, you must turn on the Enable TLS 1.3 Support switch. For example, assume that you have an Anti-DDoS Pro or Anti-DDoS Premium instance in the Chinese mainland. If your business must comply with the Payment Card Industry Data Security Standard (PCI DSS) 3.2, you may want to disable the TLS 1.0 protocol. To do this, set TLS Versions for SSL Certificate to TLS 1.1 and later, which provides good compatibility and medium security (the default TLS 1.0 and later setting provides the best compatibility but low security). If another business has clients that require TLS 1.3, turn on the Enable TLS 1.3 Support switch.
Prerequisites
You have added a website configuration and set its Protocol Type to include HTTPS. For more information, see Add one or more websites.
Modify the TLS security policy for an international standard HTTPS certificate
Log on to the Website Config page in the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance.
Anti-DDoS Proxy (Chinese Mainland): Choose the Chinese Mainland region.
Anti-DDoS Proxy (Outside Chinese Mainland): Choose the Outside Chinese Mainland region.
On the Website Config page, find the target domain name and click Edit in the Actions column.
On the Modify Website Configurations tab, modify the TLS Security Settings for the international standard HTTPS certificate.
Configuration item | Description
--- | ---
TLS Versions for SSL Certificate | Select the TLS protocol versions supported by the international standard HTTPS certificate. Options: TLS 1.0 and later (best compatibility, low security): supports TLS 1.0, TLS 1.1, and TLS 1.2. TLS 1.1 and later (good compatibility, medium security): supports TLS 1.1 and TLS 1.2. TLS 1.2 and later (good compatibility, high security): supports TLS 1.2. Note: As needed, you can also enable TLS 1.3 support and select the corresponding TLS 1.3 suites in the custom cipher suite settings.
Cipher Suites for SSL Certificate | Select the cipher suites supported by the international standard HTTPS certificate. Note: You can move the pointer over the icon next to a cipher suite option to view the cipher suites included in that option.

Click Next and follow the on-screen instructions to complete the modification.
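After the policy is saved, the change can be confirmed from outside by attempting one handshake per protocol version against the protected domain and comparing what is accepted with what the chosen console option should allow. The script below is an added example written for this page, not code from Alibaba Cloud or the Anti-DDoS product; it uses only the Python standard library, the host name `protected.example.com` is a placeholder, and the mapping from each console option to a minimum version follows the table above (TLS 1.3 is counted as accepted only when the Enable TLS 1.3 Support switch is on).

```python
"""Added example: probe which TLS protocol versions a protected domain accepts
and compare the result with the TLS policy selected in the console.

The host name used in __main__ is a placeholder, not from the original page.
"""
import socket
import ssl
import sys

# Each console option mapped to the lowest protocol version it still accepts.
POLICY_MIN_VERSION = {
    "TLS 1.0 and later": ssl.TLSVersion.TLSv1,
    "TLS 1.1 and later": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2 and later": ssl.TLSVersion.TLSv1_2,
}
PROBED_VERSIONS = (
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
)


def expected_versions(policy, tls13_enabled):
    """Versions the instance should accept for a console option, plus TLS 1.3
    when the Enable TLS 1.3 Support switch is on (the option never implies it)."""
    minimum = POLICY_MIN_VERSION[policy]
    accepted = {v for v in PROBED_VERSIONS
                if minimum <= v < ssl.TLSVersion.TLSv1_3}
    if tls13_enabled:
        accepted.add(ssl.TLSVersion.TLSv1_3)
    return accepted


def handshake_with(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to exactly `version`; True if it completes."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # probing version support, not trust
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level.
            # Lower it for this probe only, so any refusal comes from the server.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        return False


def probe(host, port=443):
    """Return {version: accepted?} for every version in PROBED_VERSIONS."""
    return {v: handshake_with(host, port, v) for v in PROBED_VERSIONS}


def policy_gaps(observed, policy, tls13_enabled):
    """Compare a probe result with the configured policy.

    Returns (too_permissive, missing): versions the endpoint accepted although
    the policy should reject them, and versions it should accept but refused.
    """
    expected = expected_versions(policy, tls13_enabled)
    accepted = {v for v, ok in observed.items() if ok}
    return accepted - expected, expected - accepted


if __name__ == "__main__":
    # Placeholder host; pass the protected domain name as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "protected.example.com"
    result = probe(target)
    for v in PROBED_VERSIONS:
        print(f"{v.name:8s} {'accepted' if result[v] else 'refused'}")
    weak, missing = policy_gaps(result, "TLS 1.2 and later", tls13_enabled=True)
    print("unexpectedly accepted:", sorted(x.name for x in weak))
    print("unexpectedly refused: ", sorted(x.name for x in missing))
```

Run it once before and once after changing TLS Versions for SSL Certificate: for a policy of TLS 1.1 and later, the TLS 1.0 probe should move from accepted to refused while TLS 1.1 and TLS 1.2 stay accepted. Certificate verification is switched off on purpose, because the question here is which protocol versions the instance negotiates, not whether the certificate chain validates; keep verification on in any client that carries real traffic.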