This topic describes how to configure a custom TLS security policy for Application Load Balancer (ALB). In most cases, websites or applications deployed on Alibaba Cloud use HTTPS to encrypt data transmission. ALB provides some commonly used TLS security policies to enhance the security of services that use HTTPS. ALB also allows you to configure custom TLS security policies. For example, you can specify the TLS versions that you want to use, or disable certain TLS cipher suites.
System TLS security policies
System TLS security policies
A TLS security policy consists of TLS versions and cipher suites. A later version supports higher protection but lower compatibility with browsers.
Security policy | Supported TLS version | Supported cipher suite |
tls_cipher_policy_1_0 |
|
|
tls_cipher_policy_1_1 |
|
|
tls_cipher_policy_1_2 | TLSv1.2 |
|
tls_cipher_policy_1_2_strict | TLSv1.2 |
|
tls_cipher_policy_1_2_strict_with_1_3 |
|
|
Differences between system TLS security policies
In the following table, a check mark (✔) indicates that the cipher suite is supported by the TLS version. A hyphen (-) indicates that the cipher suite is not supported by the TLS version.
Security policy | tls_cipher_policy_1_0 | tls_cipher_policy_1_1 | tls_cipher_policy_1_2 | tls_cipher_policy_1_2_strict | tls_cipher_policy_1_2_strict_with_1_3 | |
TLS | v1.0 | ✔ | - | - | - | - |
v1.1 | ✔ | ✔ | - | - | - | |
v1.2 | ✔ | ✔ | ✔ | ✔ | ✔ | |
v1.3 | - | - | - | - | ✔ | |
CIPHER | ECDHE-ECDSA-AES128-GCM-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔ |
ECDHE-ECDSA-AES256-GCM-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔ | |
ECDHE-ECDSA-AES128-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔ | |
ECDHE-ECDSA-AES256-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔ | |
ECDHE-RSA-AES128-GCM-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔ | |
ECDHE-RSA-AES256-GCM-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔ | |
ECDHE-RSA-AES128-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔ | |
ECDHE-RSA-AES256-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔ | |
AES128-GCM-SHA256 | ✔ | ✔ | ✔ | - | - | |
AES256-GCM-SHA384 | ✔ | ✔ | ✔ | - | - | |
AES128-SHA256 | ✔ | ✔ | ✔ | - | - | |
AES256-SHA256 | ✔ | ✔ | ✔ | - | - | |
ECDHE-ECDSA-AES128-SHA | ✔ | ✔ | ✔ | ✔ | ✔ | |
ECDHE-ECDSA-AES256-SHA | ✔ | ✔ | ✔ | ✔ | ✔ | |
ECDHE-RSA-AES128-SHA | ✔ | ✔ | ✔ | ✔ | ✔ | |
ECDHE-RSA-AES256-SHA | ✔ | ✔ | ✔ | ✔ | ✔ | |
AES128-SHA | ✔ | ✔ | ✔ | - | - | |
AES256-SHA | ✔ | ✔ | ✔ | - | - | |
DES-CBC3-SHA | ✔ | ✔ | ✔ | - | - | |
TLS_AES_128_GCM_SHA256 | - | - | - | - | ✔ | |
TLS_AES_256_GCM_SHA384 | - | - | - | - | ✔ | |
TLS_CHACHA20_POLY1305_SHA256 | - | - | - | - | ✔ | |
TLS_AES_128_CCM_SHA256 | - | - | - | - | ✔ | |
TLS_AES_128_CCM_8_SHA256 | - | - | - | - | ✔ | |
Custom TLS security policies
Applicable scenarios
ALB provides some commonly used TLS security policies to enhance the security of services. ALB also allows you to configure custom TLS security policies. For example, you can specify the TLS versions that you want to use, or disable certain TLS cipher suites.
Limitations
Basic ALB instances do not support custom TLS security policies.
For standard and WAF-enabled ALB instances, only HTTPS listeners support TLS security policies.
Procedure
To create a custom TLS security policy, perform the following steps:
Log on to the ALB console.
In the left-side navigation pane, choose .
On the TLS Security Policies page, click Create Custom Policy on the Custom Policy tab.
In the Create TLS Security Policy dialog box, set the parameters. The following table describes only the parameters that are relevant to this topic. You can set the other parameters based on your business requirements, or use the default values. After you set the preceding parameters, click Create.
Parameter
Description
Name
Enter a name for the TLS security policy.
Minimal Version
Select the versions of the TLS security policy that you want to create.
TLS 1.0 or later
TLS 1.1 or later
TLS 1.2 or later
Enable TLS 1.3
Select whether to enable TLS 1.3.
ImportantTo enable TLS 1.3, you must select a cipher suite that is supported by TLS 1.3. If you do not select the supported cipher suite, the system may fail to create the connection.
Cipher Suite
Select cipher suites that are supported by the specified TLS version.
After you create the custom TLS security policy, you must create an HTTPS listener and an SSL certificate. For more information, see Add an HTTPS listener.
References
For more information about how to configure an HTTPS listener for ALB, see Add an HTTPS listener.
For more information about how to use custom TLS security policies to enhance security, see Use custom TLS security policies to improve website security.
For more information about how to configure HTTPS for different scenarios, see Configure end-to-end HTTPS encryption for data transfers, Configure an ALB instance to serve multiple domain names over HTTPS, Configure mutual authentication on an HTTPS listener, and Redirect HTTP requests to an HTTPS listener.