Anti-DDoS Pro and Anti-DDoS Premium allow you to configure a custom Transport Layer Security (TLS) policy. After you add your website to Anti-DDoS Pro or Anti-DDoS Premium, you can select TLS protocol versions and cipher suites and configure SM settings for your website based on your business requirements. This topic describes how to configure a custom TLS security policy.

Background information

Anti-DDoS Pro supports both certificates that use internationally accepted algorithms and SM certificates. Anti-DDoS Premium supports only certificates that use internationally accepted algorithms. When you upload a certificate for a website that is protected by Anti-DDoS Pro or Anti-DDoS Premium, the TLS protocol versions that the certificate supports by default depend on the certificate type and the service. The following list describes the details:
  • Anti-DDoS Pro: By default, certificates that use internationally accepted algorithms support TLS 1.0, TLS 1.1, and TLS 1.2, and SM certificates support National Transport Layer Security (NTLS) 1.1.
  • Anti-DDoS Premium: By default, certificates that use internationally accepted algorithms support TLS 1.1 and TLS 1.2.

Supported TLS protocol versions

If the default configurations cannot meet your business requirements, you can select different TLS protocol versions and cipher suites. The following table describes the TLS protocol versions that you can select for the certificates supported by Anti-DDoS Pro and Anti-DDoS Premium. For more information about the cipher suites that correspond to different TLS protocol versions, see Procedure.

Anti-DDoS Pro

Function plan: Standard function plan
  Certificate that uses internationally accepted algorithms:
  • Supports TLS 1.0 and later versions, including TLS 1.0, TLS 1.1, and TLS 1.2
  • Supports TLS 1.2 and later versions, including TLS 1.2
  Note If you want to use TLS 1.3 or custom cipher suites, upgrade your instance to the Enhanced function plan. For more information, see Upgrade an instance.
  SM certificate: You cannot change the TLS protocol versions and cipher suites.

Function plan: Enhanced function plan
  Certificate that uses internationally accepted algorithms:
  • Supports TLS 1.0 and later versions, including TLS 1.0, TLS 1.1, and TLS 1.2
  • Supports TLS 1.1 and later versions, including TLS 1.1 and TLS 1.2
  • Supports TLS 1.2 and later versions, including TLS 1.2
  Note If you want to use TLS 1.3, you must select Enable TLS 1.3. For more information, see Procedure.

Anti-DDoS Premium

Function plan: Standard function plan
  Certificate that uses internationally accepted algorithms: You cannot configure custom TLS security policies. You must upgrade your instance to the Enhanced function plan before you can configure custom TLS security policies. For more information, see Upgrade an instance.

Function plan: Enhanced function plan
  Certificate that uses internationally accepted algorithms:
  • Supports TLS 1.0 and later versions, including TLS 1.0, TLS 1.1, and TLS 1.2
  • Supports TLS 1.1 and later versions, including TLS 1.1 and TLS 1.2
  • Supports TLS 1.2 and later versions, including TLS 1.2
  Note If you want to use TLS 1.3, you must select Enable TLS 1.3. For more information, see Procedure.

Scenarios

For example, assume that you have purchased an Anti-DDoS Pro instance of the Enhanced function plan and you want to disable TLS 1.0 for one of your services because the service must comply with Payment Card Industry Data Security Standard (PCI DSS) 3.2. In this case, you can change the value of the TLS Versions parameter to TLS 1.1 and later versions. This setting provides good compatibility and a medium security level. If the devices that access another of your services use TLS 1.3, you can select Enable TLS 1.3 for that service.

Prerequisites

  • A website is added to Anti-DDoS Pro or Anti-DDoS Premium, and HTTPS is selected for Protocol. For more information, see Add a website.
  • An SSL certificate is uploaded for the website based on your business requirements. For more information, see Upload an SSL certificate.

Procedure

  1. Log on to the Anti-DDoS Pro console.
  2. In the top navigation bar, select the region where your instance resides.
    • Anti-DDoS Pro: If your instance is an Anti-DDoS Pro instance, select Chinese Mainland.
    • Anti-DDoS Premium: If your instance is an Anti-DDoS Premium instance, select Outside Chinese Mainland.
    You can switch the region to configure and manage Anti-DDoS Pro or Anti-DDoS Premium instances. Make sure that you select the required region when you use Anti-DDoS Pro or Anti-DDoS Premium.
  3. In the left-side navigation pane, choose Provisioning > Website Config.
  4. If you use an Anti-DDoS Pro instance, perform the following steps to configure a TLS security policy:
    1. Find the domain name that you want to configure and click TLS Security Settings in the Certificate Status column.
    2. In the TLS Security Settings dialog box, configure the parameters and click OK.
      Parameter: TLS Versions
      Description: Select the TLS versions for your SSL certificate that uses internationally accepted algorithms.
      • Valid values in the Standard function plan:
        • TLS 1.0 and later versions (best compatibility, low security level): TLS 1.0, TLS 1.1, and TLS 1.2 are supported. This is the default value.
        • TLS 1.2 and later versions (good compatibility, high security level): TLS 1.2 is supported.
      • Valid values in the Enhanced function plan:
        • TLS 1.0 and later versions (best compatibility, low security level): TLS 1.0, TLS 1.1, and TLS 1.2 are supported. This is the default value.
        • TLS 1.1 and later versions (good compatibility, medium security level): TLS 1.1 and TLS 1.2 are supported.
        • TLS 1.2 and later versions (good compatibility, high security level): TLS 1.2 is supported.

        You can select Enable TLS 1.3 based on your business requirements.

      Parameter: Cipher Suites
      Description: Select the cipher suites supported by your SSL certificate that uses internationally accepted algorithms. To view more information about the cipher suites that are supported by the Enhanced function plan or the Standard function plan, go to the Anti-DDoS Pro or Anti-DDoS Premium console. The following options are available for both the Enhanced function plan and the Standard function plan:
      Note To view the cipher suites that are included in an option, move your pointer over the question mark icon of the option.
      • All cipher suites (low security level, high compatibility). This is the default value.
        This option includes the following cipher suites:
        • ECDHE-ECDSA-AES128-GCM-SHA256
        • ECDHE-ECDSA-AES256-GCM-SHA384
        • ECDHE-ECDSA-AES128-SHA256
        • ECDHE-ECDSA-AES256-SHA384
        • ECDHE-RSA-AES128-GCM-SHA256
        • ECDHE-RSA-AES256-GCM-SHA384
        • ECDHE-RSA-AES128-SHA256
        • ECDHE-RSA-AES256-SHA384
        • AES128-GCM-SHA256
        • AES256-GCM-SHA384
        • AES128-SHA256
        • AES256-SHA256
        • ECDHE-ECDSA-AES128-SHA
        • ECDHE-ECDSA-AES256-SHA
        • ECDHE-RSA-AES128-SHA
        • ECDHE-RSA-AES256-SHA
        • AES128-SHA
        • AES256-SHA
        • DES-CBC3-SHA
      • Enhanced cipher suites (very high security level, very low compatibility).
        This option includes the following cipher suites:
        • ECDHE-ECDSA-AES256-GCM-SHA384
        • ECDHE-ECDSA-AES128-SHA256
        • ECDHE-RSA-AES128-GCM-SHA256
        • ECDHE-RSA-AES256-GCM-SHA384
      • Strong cipher suites (high security level, low compatibility).
        This option includes the following cipher suites:
        • ECDHE-ECDSA-AES128-GCM-SHA256
        • ECDHE-ECDSA-AES256-GCM-SHA384
        • ECDHE-ECDSA-AES128-SHA256
        • ECDHE-ECDSA-AES256-SHA384
        • ECDHE-RSA-AES128-GCM-SHA256
        • ECDHE-RSA-AES256-GCM-SHA384
        • ECDHE-RSA-AES128-SHA256
        • ECDHE-RSA-AES256-SHA384
        • ECDHE-ECDSA-AES128-SHA
        • ECDHE-ECDSA-AES256-SHA
      • Selecting Your Cipher Suites

        If you select this option, you must select one or more cipher suites from all cipher suites.

      Parameter: Enable SM Certificate-based Verification
      Description: Specify whether Anti-DDoS Pro can process requests from clients that use SM certificates. You can configure this parameter only after you upload an SM certificate. By default, the switch is turned off for the SM certificate that you upload.
      • If you turn on Enable SM Certificate-based Verification, Anti-DDoS Pro can process requests from clients that use SM certificates, such as 360 Secure Browser and the Haitai browser.
      • If you turn off Enable SM Certificate-based Verification, Anti-DDoS Pro cannot process requests from clients that use SM certificates.
      Before you can turn off Enable SM Certificate-based Verification, you must turn off Allow Access Only from SM Certificate-based Clients.
      Parameter: Allow Access Only from SM Certificate-based Clients
      Description: Specify whether Anti-DDoS Pro processes only requests from clients that use SM certificates. By default, the switch is turned off for an SM certificate that you upload.
      • If you turn on Allow Access Only from SM Certificate-based Clients, Anti-DDoS Pro processes only requests from clients that use SM certificates.
      • If you turn off Allow Access Only from SM Certificate-based Clients, Anti-DDoS Pro processes requests from clients that use either type of certificate: SM certificates and certificates that use internationally accepted algorithms.
      Before you can turn on Allow Access Only from SM Certificate-based Clients, you must turn on Enable SM Certificate-based Verification.

      Parameter: SM Cipher Suites for HTTPS Support
      Description: After you upload an SM certificate, the following cipher suites are automatically enabled. You cannot select cipher suites for the SM certificate.
      • ECC-SM2-SM4-CBC-SM3
      • ECC-SM2-SM4-GCM-SM3
      • ECDHE-SM2-SM4-CBC-SM3
      • ECDHE-SM2-SM4-GCM-SM3
  5. If you use an Anti-DDoS Premium instance, perform the following steps to configure a TLS security policy:
    Note You can configure a custom TLS security policy only for Anti-DDoS Premium instances of the Enhanced function plan.
    1. Find the domain name that you want to configure and click TLS Security Settings in the Certificate Status column.
    2. In the TLS Security Settings dialog box, configure the parameters and click OK.
      Parameter: TLS Versions
      Description: Select the TLS versions for your SSL certificate that uses internationally accepted algorithms. Valid values:
      • TLS 1.0 and later versions (best compatibility, low security level): TLS 1.0, TLS 1.1, and TLS 1.2 are supported. This is the default value.
      • TLS 1.1 and later versions (good compatibility, medium security level): TLS 1.1 and TLS 1.2 are supported.
      • TLS 1.2 and later versions (good compatibility, high security level): TLS 1.2 is supported.

      You can select Enable TLS 1.3 based on your business requirements.

      Parameter: Cipher Suites
      Description: Select the cipher suites supported by your SSL certificate that uses internationally accepted algorithms. Valid values:
      Note To view the cipher suites that are included in an option, move your pointer over the question mark icon of the option.
      • All cipher suites (low security level, high compatibility). This is the default value.
        This option includes the following cipher suites:
        • ECDHE-ECDSA-AES128-GCM-SHA256
        • ECDHE-ECDSA-AES256-GCM-SHA384
        • ECDHE-ECDSA-AES128-SHA256
        • ECDHE-ECDSA-AES256-SHA384
        • ECDHE-RSA-AES128-GCM-SHA256
        • ECDHE-RSA-AES256-GCM-SHA384
        • ECDHE-RSA-AES128-SHA256
        • ECDHE-RSA-AES256-SHA384
        • AES128-GCM-SHA256
        • AES256-GCM-SHA384
        • AES128-SHA256
        • AES256-SHA256
        • ECDHE-ECDSA-AES128-SHA
        • ECDHE-ECDSA-AES256-SHA
        • ECDHE-RSA-AES128-SHA
        • ECDHE-RSA-AES256-SHA
        • AES128-SHA
        • AES256-SHA
        • DES-CBC3-SHA
      • Strong cipher suites (high security level, low compatibility). This option is available only when TLS Versions is set to TLS 1.2 and later versions (good compatibility, high security level).
        This option includes the following cipher suites:
        • ECDHE-ECDSA-AES128-GCM-SHA256
        • ECDHE-ECDSA-AES256-GCM-SHA384
        • ECDHE-ECDSA-AES128-SHA256
        • ECDHE-ECDSA-AES256-SHA384
        • ECDHE-RSA-AES128-GCM-SHA256
        • ECDHE-RSA-AES256-GCM-SHA384
        • ECDHE-RSA-AES128-SHA256
        • ECDHE-RSA-AES256-SHA384
        • ECDHE-ECDSA-AES128-SHA
        • ECDHE-ECDSA-AES256-SHA
      • Selecting Your Cipher Suites

        If you select this option, you must select one or more cipher suites from all cipher suites.

Result

After you configure a custom TLS security policy for your website, Anti-DDoS Pro or Anti-DDoS Premium forwards requests that are destined for your website based on the TLS security policy. If a client uses a TLS protocol version or cipher suite that is not specified in the TLS policy, the requests that are sent from the client are discarded.
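As an added example that is not part of this documentation, the following Python models the TLS Versions and Cipher Suites options from the procedure together with the accept-or-discard rule stated above, so that a policy (for instance the PCI DSS scenario) can be reasoned about before it is applied; the probe() helper then checks a live domain with Python's standard ssl module. The host name passed to probe() is a placeholder, and the treatment of TLS 1.3 handshakes is an assumption because the page lists no TLS 1.3 cipher suites.

```python
"""Added example, not Alibaba Cloud's code: a model of the TLS Security Settings
options on this page that decides, as the Result section states, whether a
client handshake is forwarded or discarded, plus a live probe helper."""
import socket
import ssl

VERSIONS = ["TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3"]  # ascending order
# Each TLS Versions option is a floor: that version and every later one.
TLS_FLOOR = {"TLS 1.0 and later versions": "TLS 1.0",
             "TLS 1.1 and later versions": "TLS 1.1",
             "TLS 1.2 and later versions": "TLS 1.2"}
# Cipher suite groups exactly as listed in the dialog box.
STRONG = ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
          "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384",
          "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
          "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
          "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES256-SHA"]
ENHANCED = ["ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-SHA256",
            "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"]
ALL = STRONG + ["AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256",
                "AES256-SHA256", "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
                "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"]
CIPHERS = {"All cipher suites": ALL, "Enhanced cipher suites": ENHANCED,
           "Strong cipher suites": STRONG}

def accepts(tls_option, cipher_option, enable_tls13, client_version, client_cipher):
    """True if the request is forwarded, False if it is discarded."""
    if client_version == "TLS 1.3":
        # Assumption: the page lists no TLS 1.3 suites, so any TLS 1.3
        # handshake is modelled as accepted once Enable TLS 1.3 is selected.
        return enable_tls13
    if VERSIONS.index(client_version) < VERSIONS.index(TLS_FLOOR[tls_option]):
        return False
    return client_cipher in CIPHERS[cipher_option]

def premium_combination_valid(tls_option, cipher_option):
    """Anti-DDoS Premium offers Strong cipher suites only with TLS 1.2 and later."""
    return cipher_option != "Strong cipher suites" or tls_option == "TLS 1.2 and later versions"

def probe(host, version=ssl.TLSVersion.TLSv1_2, port=443):
    """Handshake with a live endpoint pinned to one protocol version; None if refused."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None
```

Calling probe("www.example.com", ssl.TLSVersion.TLSv1) after setting TLS 1.1 and later versions should return None, while the TLS 1.2 probe returns the negotiated version and suite.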