You can select a Transport Layer Security (TLS) security policy when you create an HTTPS listener for a Global Accelerator (GA) instance. By default, the system selects the tls_cipher_policy_1_0 security policy. If you require higher security, you can select a TLS security policy of a higher level.

TLS security policies

A TLS security policy contains TLS protocol versions and cipher suites that are available for HTTPS. A later TLS version offers higher security but comprises compatibility with browsers. The following table describes the TLS protocol versions and cipher suites that are supported by each TLS security policy.
Security policy Supported TLS version Supported cipher suite
tls_cipher_policy_1_0 TLS 1.0, TLS 1.1, and TLS 1.2
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA384
  • AES128-GCM-SHA256
  • AES256-GCM-SHA384
  • AES128-SHA256
  • AES256-SHA256
  • ECDHE-RSA-AES128-SHA
  • ECDHE-RSA-AES256-SHA
  • AES128-SHA
  • AES256-SHA
  • DES-CBC3-SHA
tls_cipher_policy_1_1 TLS 1.1 and TLS 1.2
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA384
  • AES128-GCM-SHA256
  • AES256-GCM-SHA384
  • AES128-SHA256
  • AES256-SHA256
  • ECDHE-RSA-AES128-SHA
  • ECDHE-RSA-AES256-SHA
  • AES128-SHA
  • AES256-SHA
  • DES-CBC3-SHA
tls_cipher_policy_1_2 TLSv1.2
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA384
  • AES128-GCM-SHA256
  • AES256-GCM-SHA384
  • AES128-SHA256
  • AES256-SHA256
  • ECDHE-RSA-AES128-SHA
  • ECDHE-RSA-AES256-SHA
  • AES128-SHA
  • AES256-SHA
  • DES-CBC3-SHA
tls_cipher_policy_1_2_strict TLSv1.2
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-RSA-AES128-SHA
  • ECDHE-RSA-AES256-SHA
tls_cipher_policy_1_2_strict_with_1_3 TLS 1.2 and TLS 1.3
  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_CCM_SHA256
  • TLS_AES_128_CCM_8_SHA256
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-ECDSA-AES256-SHA
  • ECDHE-RSA-AES128-SHA
  • ECDHE-RSA-AES256-SHA

Cipher suites that are supported by TLS security policies

Security policy tls_cipher_policy_1_0 tls_cipher_policy_1_1 tls_cipher_policy_1_2 tls_cipher_policy_1_2_strict tls_cipher_policy_1_2_strict_with_1_3
TLS 1.0, 1.1, and 1.2 1.1 and 1.2 1.2 1.2 1.2 and 1.3
CIPHER ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
AES128-GCM-SHA256 - -
AES256-GCM-SHA384 - -
AES128-SHA256 - -
AES256-SHA256 - -
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
AES128-SHA - -
AES256-SHA - -
DES-CBC3-SHA - -
TLS_AES_128_GCM_SHA256 - - - -
TLS_AES_256_GCM_SHA384 - - - -
TLS_CHACHA20_POLY1305_SHA256 - - - -
TLS_AES_128_CCM_SHA256 - - - -
TLS_AES_128_CCM_8_SHA256 - - - -
ECDHE-ECDSA-AES128-GCM-SHA256 - - - -
ECDHE-ECDSA-AES256-GCM-SHA384 - - - -
ECDHE-ECDSA-AES128-SHA256 - - - -
ECDHE-ECDSA-AES256-SHA384 - - - -
ECDHE-ECDSA-AES128-SHA - - - -
ECDHE-ECDSA-AES256-SHA - - - -
Note The √ sign in the preceding table indicates that a cipher suite is supported, while the - sign indicates that a cipher suite is not supported.

Select a TLS security policy

By default, the system selects the tls_cipher_policy_1_0 security policy when you create or configure an HTTPS listener. You can change the TLS security policy in the advanced settings. For more information, see Create an HTTP or HTTPS listener. Select a TLS security policy