Anti-DDoS Pro and Anti-DDoS Premium allow you to configure a custom Transport Layer Security (TLS) policy. After you add your website to Anti-DDoS Pro or Anti-DDoS Premium, you can select TLS protocol versions and cipher suites and configure SM settings for your website based on your business requirements. This topic describes how to configure a custom TLS security policy.
Background information
- Anti-DDoS Pro: By default, certificates that use internationally accepted algorithms support TLS 1.0, TLS 1.1, and TLS 1.2, and SM certificates support National Transport Layer Security (NTLS) 1.1.
- Anti-DDoS Premium: By default, certificates that use internationally accepted algorithms support TLS 1.1 and TLS 1.2.
Supported TLS protocol versions
If the default configurations cannot meet your business requirements, you can select different TLS protocol versions and cipher suites. The following table describes the TLS protocol versions that you can select for the certificates supported by Anti-DDoS Pro and Anti-DDoS Premium. For more information about the cipher suites that correspond to different TLS protocol versions, see Procedure.
Anti-DDoS Pro
Function plan | Certificate that uses internationally accepted algorithms | SM certificate
---|---|---
Standard function plan | Note: If you want to use TLS 1.3 or custom cipher suites, upgrade your instance to the Enhanced function plan. For more information, see Upgrade an instance. | You cannot change the TLS protocol versions and cipher suites.
Enhanced function plan | Note: If you want to use TLS 1.3, you must select Enable TLS 1.3. For more information, see Procedure. |
Anti-DDoS Premium
Function plan | Certificate that uses internationally accepted algorithms
---|---
Standard function plan | You cannot configure custom TLS security policies. You must upgrade your instance to the Enhanced function plan before you can configure custom TLS security policies. For more information, see Upgrade an instance.
Enhanced function plan | Note: If you want to use TLS 1.3, you must select Enable TLS 1.3. For more information, see Procedure.
Scenarios
For example, you have purchased an Anti-DDoS Pro instance of the Enhanced function plan, and one of your services must comply with Payment Card Industry Data Security Standard (PCI DSS) 3.2, which requires that TLS 1.0 be disabled. In this case, set the TLS Versions parameter to TLS 1.1 and later versions. This setting provides good compatibility and a medium security level. Keep in mind that TLS 1.1 has itself been deprecated (RFC 8996), so if all clients of the service support TLS 1.2, a higher minimum version is the safer choice. If the clients of another service already use TLS 1.3, select Enable TLS 1.3 for that service.
Prerequisites
- A website is added to Anti-DDoS Pro or Anti-DDoS Premium, and HTTPS is selected for Protocol. For more information, see Add a website.
- An SSL certificate is uploaded for the website based on your business requirements. For more information, see Upload an SSL certificate.
Procedure
Result
After you configure a custom TLS security policy for your website, Anti-DDoS Pro or Anti-DDoS Premium applies that policy when it terminates TLS for requests that are destined for your website and forwards only the requests that pass. If a client offers only TLS protocol versions or cipher suites that the policy does not allow, the TLS handshake fails and the requests from that client are discarded instead of being forwarded to your origin.
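The behaviour described above is easy to verify from the outside: pin a client to one protocol version at a time and see whether the handshake completes. The following script is an added verification example, not code from Anti-DDoS Pro or Anti-DDoS Premium. It uses only the Python standard library; the host name, the policy strings other than "TLS 1.1 and later versions", and the function names are assumptions made for illustration. The probe is deliberately written so that it reports what the server accepts rather than what the local OpenSSL build allows by default.

```python
"""Probe which TLS versions an HTTPS endpoint accepts and compare the result
with the custom TLS policy configured for the website.

Added example; not part of Anti-DDoS Pro or Anti-DDoS Premium. The host name
and the policy option strings below are assumptions for illustration.
"""
import socket
import ssl
import sys

# The page names the option "TLS 1.1 and later versions"; the other two
# strings are assumed to follow the same pattern (assumption).
_FLOOR = {
    "TLS 1.0 and later versions": ssl.TLSVersion.TLSv1,
    "TLS 1.1 and later versions": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2 and later versions": ssl.TLSVersion.TLSv1_2,
}
_NAMES = {
    ssl.TLSVersion.TLSv1: "TLSv1.0",
    ssl.TLSVersion.TLSv1_1: "TLSv1.1",
    ssl.TLSVersion.TLSv1_2: "TLSv1.2",
    ssl.TLSVersion.TLSv1_3: "TLSv1.3",
}


def policy_versions(tls_versions, enable_tls13):
    """Set of protocol versions the configured policy should accept.

    TLS 1.3 is only offered when Enable TLS 1.3 is selected, so it is
    controlled separately from the minimum-version floor."""
    floor = _FLOOR[tls_versions]
    allowed = {name for ver, name in _NAMES.items()
               if floor <= ver <= ssl.TLSVersion.TLSv1_2}
    if enable_tls13:
        allowed.add("TLSv1.3")
    return allowed


def probe_version(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to exactly `version`.

    Returns True if the server completes it, False if the server rejects
    it, and None if this client cannot speak that version at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # we are testing version policy, not the cert
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            # Modern OpenSSL refuses TLS 1.0/1.1 at its default security
            # level; lower it so the verdict reflects the server, not us.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True     # min == max, so the negotiated version is `version`
    except ssl.SSLError:
        return False            # alert or aborted handshake: policy rejected it


def evaluate(observed, expected):
    """Compare probe results with the policy and return a list of findings."""
    findings = []
    for name, accepted in sorted(observed.items()):
        if accepted is None:
            findings.append(f"{name}: could not be probed from this client")
        elif accepted and name not in expected:
            findings.append(f"{name}: accepted but not in policy")
        elif accepted is False and name in expected:
            findings.append(f"{name}: in policy but handshake rejected")
    return findings


def audit(host, port, tls_versions, enable_tls13):
    """Probe every version and report deviations from the configured policy."""
    expected = policy_versions(tls_versions, enable_tls13)
    observed = {name: probe_version(host, port, ver) for ver, name in _NAMES.items()}
    return observed, evaluate(observed, expected)


if __name__ == "__main__":
    # Usage: python tls_policy_check.py <host> [port]; host is an assumption.
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    results, problems = audit(target, target_port,
                              "TLS 1.1 and later versions", enable_tls13=True)
    for version_name, verdict in sorted(results.items()):
        print(f"{version_name}: {verdict}")
    print("policy matches" if not problems else "\n".join(problems))
```

Run it against the website's domain once the policy is saved; an accepted TLS 1.0 handshake after you selected TLS 1.1 and later versions, or a rejected TLS 1.3 handshake after you selected Enable TLS 1.3, means the policy has not taken effect or the DNS record still points at the origin rather than the instance. A None verdict means the local OpenSSL cannot speak that version, so that row says nothing about the server.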