Alibaba Cloud Dynamic Route for CDN (DCDN) supports Transport Layer Security (TLS) version control. You can enable TLS versions for your domain names based on your business requirements. Earlier TLS versions are compatible with older browsers but provide relatively low security. The latest TLS versions provide enhanced security but may not be compatible with older browsers. This topic describes the concepts, usage scenarios, and configuration method of TLS version control.

TLS versions

TLS is designed to ensure the security and integrity of data transmitted between two applications. A typical use case of TLS is HTTPS. HTTPS, also known as HTTP over TLS, is a secure version of HTTP. In HTTPS, TLS runs below the application layer (HTTP) and above the transport layer (TCP), and provides data encryption and decryption services.

| Version | Description | Supported mainstream browsers |
| --- | --- | --- |
| TLSv1.0 | TLS 1.0 was defined in RFC 2246 in 1999 as an update to SSL 3.0. TLS 1.0 is vulnerable to various attacks, such as BEAST and POODLE attacks. TLS 1.0 is no longer recommended for network protection because of its weak encryption. TLS 1.0 is not compliant with Payment Card Industry Data Security Standard (PCI DSS). | Internet Explorer 6 and later; Google Chrome 1 and later; Firefox 2 and later |
| TLSv1.1 | TLS 1.1 was defined in RFC 4346 in 2006 as an update to TLS 1.0. TLS 1.1 fixed some vulnerabilities in TLS 1.0. | Internet Explorer 11 and later; Google Chrome 22 and later; Firefox 24 and later; Safari 7 and later |
| TLSv1.2 | TLS 1.2 was defined in RFC 5246 in 2008 and is a widely used TLS version. | Internet Explorer 11 and later; Google Chrome 30 and later; Firefox 27 and later; Safari 7 and later |
| TLSv1.3 | TLS 1.3 was defined in RFC 8446 in 2018 as the latest TLS version. TLS 1.3 supports the zero round trip time resumption (0-RTT) mode, which allows you to establish faster connections. To enhance security, TLS 1.3 supports only key exchange algorithms that provide perfect forward secrecy. | Google Chrome 70 and later; Firefox 63 and later |

Procedure

Before you begin, make sure that an SSL certificate is configured for the domain name. For more information, see Configure an SSL certificate.

Note: By default, TLS 1.0, TLS 1.1, and TLS 1.2 are enabled.

  1. Log on to the DCDN console.
  2. In the left-side navigation pane, click Domain Names.
  3. On the Domain Names page, find the domain name that you want to manage, and click Configure in the Actions column.
  4. In the left-side navigation pane on the details page of the specified domain name, click HTTPS Settings.
  5. In the TLS Version Control section, enable or disable specific TLS versions based on your business requirements.

Recommended versions

| Scenario | Recommended version |
| --- | --- |
| Compatibility with browsers of earlier versions is required and security is not a priority | TLS 1.0, TLS 1.1, and TLS 1.2 |
| Security is a priority and incompatibility with some browsers is acceptable | TLS 1.2 |
| Early adopters | TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3 |
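
After you change the TLS Version Control settings, you can confirm from a client which versions the domain actually accepts and compare them with what you intended to enable. The following Python sketch is an added example, not part of the DCDN documentation or tooling; the function names and the sample results are constructed for illustration, and the host you pass to `probe` is your own accelerated domain.

```python
import socket
import ssl

VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def context_for(name):
    """Build a client context that offers exactly one TLS version."""
    ctx = ssl.create_default_context()
    if name in ("TLSv1.0", "TLSv1.1"):
        # Many OpenSSL builds will not offer TLS 1.0/1.1 at the default
        # security level. Lower it for this probe only, never for real traffic.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    ctx.minimum_version = VERSIONS[name]
    ctx.maximum_version = VERSIONS[name]
    return ctx

def probe(host, name, port=443, timeout=5.0):
    """Return True if the server negotiates the given TLS version."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context_for(name).wrap_socket(raw, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        # The version was negotiated; the certificate is a separate problem.
        return True
    except (ssl.SSLError, ConnectionResetError):
        # Handshake alert or reset: the version is not accepted.
        return False

def audit(observed, intended):
    """Compare probe results with the versions enabled in the console."""
    accepted = {v for v, ok in observed.items() if ok}
    return {
        "unexpectedly_accepted": sorted(accepted - set(intended)),
        "unexpectedly_refused": sorted(set(intended) - accepted),
    }

if __name__ == "__main__":
    # Constructed results matching the default settings (TLS 1.0-1.2 enabled).
    # For a live check: observed = {v: probe("<your domain>", v) for v in VERSIONS}
    observed = {"TLSv1.0": True, "TLSv1.1": True, "TLSv1.2": True, "TLSv1.3": False}
    print(audit(observed, {"TLSv1.2", "TLSv1.3"}))
```

A result of `False` for TLS 1.0 or TLS 1.1 can also mean that the local OpenSSL build cannot offer that version at all, so run the check from a client that still supports the versions you are testing.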