
Edge Security Acceleration: TLS cipher suites and versions

Last Updated: Aug 26, 2025

When a client sends an HTTPS request to an Edge Security Acceleration (ESA) edge node, the node responds and starts the Transport Layer Security (TLS) handshake. The client and the node negotiate a compatible cipher suite and protocol version to ensure secure bidirectional data transmission. You can adjust the TLS cipher suite and protocol version as needed.

TLS versions

TLS and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide secure communication over a computer network. The protocol encrypts data exchanged between endpoints to ensure the reliability and confidentiality of the communication.

TLS protocol versions include 1.0, 1.1, 1.2, and 1.3. TLS 1.3 offers the highest security and performance.

TLS cipher suite groups

A TLS cipher suite is a combination of encryption algorithms used in the TLS protocol. It consists of three parts: authentication, encryption, and a message authentication code. During a TLS handshake, the client and server agree on a compatible cipher suite. This ensures that data transmitted between the client and server is securely encrypted using the selected suite. Different cipher suites offer different levels of security.

A TLS cipher suite group is a combination of cipher suites.

How to select a TLS cipher suite group and TLS version

| Scenario | Cipher suite group | Supported TLS versions | Features |
|---|---|---|---|
| For most websites or applications that require high compatibility and can have relaxed security requirements. | All Cipher Suites (Default) | TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3 (optional) | Supports the largest number of cipher suites and protocols. It offers excellent compatibility with older browsers and various client devices. However, some of the included cipher suites are less secure. |
| For websites or applications that require high security. | Strong Cipher Suite | TLS 1.2 and TLS 1.3 | All supported cipher suites and protocols are secure. This option improves your website's security but offers less compatibility than the All Cipher Suites (Default) option. |
| To specify a custom cipher suite. | Custom Cipher Suite | TLS 1.2 and TLS 1.3 | Lets you select custom encryption algorithms. Security and compatibility vary based on the algorithms you select. |

For more information about the algorithms supported by different cipher suite groups, see Algorithms supported by cipher suite groups.

Configure TLS cipher suites and versions

  1. In the ESA console, click Websites. In the Website column, click the target site.

  2. In the navigation pane on the left, choose SSL/TLS > Edge Certificates.

  3. In the TLS Cipher Suite and Version area, click Configure. Select a cipher suite group and TLS versions as needed.

    Note
    • The Enhanced Cipher Suite and Custom Cipher Suite options support only TLS 1.2 and TLS 1.3. These protocols are selected by default and cannot be changed.

    • The TLS versions that you enable must be consecutive. If there is a gap in the enabled versions, only the highest consecutive block of versions will be active.

      • For example, if you enable TLS 1.0, TLS 1.1, and TLS 1.3 but disable TLS 1.2, only TLS 1.3 is active.

      • For example, if you enable TLS 1.0, TLS 1.2, and TLS 1.3 but disable TLS 1.1, only TLS 1.2 and TLS 1.3 are active.

  4. Click OK.
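The consecutive-version rule from the note in step 3 can be checked before you click OK. The following is an added example, not ESA code: it models the rule as stated on this page, and the names `effective_versions`, `review_selection`, and `LEGACY` are assumptions made for illustration.

```python
# Added example: models the "highest consecutive block" rule from the note
# in step 3. This is not ESA code; all names here are hypothetical.
TLS_ORDER = ["TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3"]
LEGACY = {"TLS 1.0", "TLS 1.1"}  # versions only the default group offers


def effective_versions(enabled):
    """Return the highest consecutive block of enabled versions, oldest first."""
    unknown = set(enabled) - set(TLS_ORDER)
    if unknown:
        raise ValueError(f"unknown TLS version(s): {sorted(unknown)}")
    active = []
    # Walk from the newest version down and stop at the first gap.
    for version in reversed(TLS_ORDER):
        if version in enabled:
            active.append(version)
        elif active:
            break
    return active[::-1]


def review_selection(enabled):
    """Compare what was ticked with what the rule leaves active."""
    active = effective_versions(enabled)
    return {
        "active": active,
        # Ticked, but silently inactive because of a gap above them.
        "dropped": [v for v in TLS_ORDER if v in enabled and v not in active],
        # Still negotiable by clients, worth a second look on sensitive sites.
        "legacy_active": [v for v in active if v in LEGACY],
    }


if __name__ == "__main__":
    # Constructed selections, including the two examples from the note.
    for selection in (
        {"TLS 1.0", "TLS 1.1", "TLS 1.3"},
        {"TLS 1.0", "TLS 1.2", "TLS 1.3"},
        set(TLS_ORDER),
    ):
        print(sorted(selection), "->", review_selection(selection))
```

A non-empty `dropped` list means the selection contains a gap and some ticked versions will not be served; a non-empty `legacy_active` list means TLS 1.0 or TLS 1.1 is still negotiable.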