Server Load Balancer: TLS security policies

Last Updated: Oct 17, 2025

When you configure an HTTPS listener for Classic Load Balancer (CLB), the TLS security policy determines the TLS versions and cipher suites that are supported during TLS negotiation between the CLB instance and clients. CLB provides preset TLS security policies for you to choose from.

How it works

A TLS security policy is configured on a CLB instance to define the supported TLS versions and cipher suites for TLS negotiation. During a TLS handshake, a client sends a list of supported protocol versions and cipher suites in a ClientHello message. The CLB instance selects a supported combination of a protocol version and a cipher suite from the list based on the policy and sends a ServerHello message in response. Subsequent steps, such as key exchange and session key generation, are performed based on the selected combination.

TLS security policies

Different information security standards may have specific requirements for the TLS security policies of CLB. The following table describes the TLS versions and cipher suites that are supported by each policy. You can select a policy based on your requirements. CLB does not support custom TLS security policies. If you require custom policies, you can use Application Load Balancer (ALB) or Network Load Balancer (NLB).

For applications that are exposed to the internet and have no special compatibility requirements, use the tls_cipher_policy_1_2 policy or a later version.

Policy details

| Policy Name | | tls_cipher_policy_1_0 | tls_cipher_policy_1_1 | tls_cipher_policy_1_2 | tls_cipher_policy_1_2_strict | tls_cipher_policy_1_2_strict_with_1_3 |
|---|---|---|---|---|---|---|
| TLS version | v1.0 | Supported | Not supported | Not supported | Not supported | Not supported |
| | v1.1 | Supported | Supported | Not supported | Not supported | Not supported |
| | v1.2 | Supported | Supported | Supported | Supported | Supported |
| | v1.3 | Not supported | Not supported | Not supported | Not supported | Supported |
| Cipher suite | ECDHE-RSA-AES128-GCM-SHA256 | Supported | Supported | Supported | Supported | Supported |
| | ECDHE-RSA-AES256-GCM-SHA384 | Supported | Supported | Supported | Supported | Supported |
| | ECDHE-RSA-AES128-SHA256 | Supported | Supported | Supported | Supported | Supported |
| | ECDHE-RSA-AES256-SHA384 | Supported | Supported | Supported | Supported | Supported |
| | AES128-GCM-SHA256 | Supported | Supported | Supported | Not supported | Not supported |
| | AES256-GCM-SHA384 | Supported | Supported | Supported | Not supported | Not supported |
| | AES128-SHA256 | Supported | Supported | Supported | Not supported | Not supported |
| | AES256-SHA256 | Supported | Supported | Supported | Not supported | Not supported |
| | ECDHE-RSA-AES128-SHA | Supported | Supported | Supported | Supported | Supported |
| | ECDHE-RSA-AES256-SHA | Supported | Supported | Supported | Supported | Supported |
| | AES128-SHA | Supported | Supported | Supported | Not supported | Not supported |
| | AES256-SHA | Supported | Supported | Supported | Not supported | Not supported |
| | DES-CBC3-SHA | Supported | Supported | Supported | Not supported | Not supported |
| | TLS_AES_256_GCM_SHA384 | Not supported | Not supported | Not supported | Not supported | Supported |
| | TLS_CHACHA20_POLY1305_SHA256 | Not supported | Not supported | Not supported | Not supported | Supported |
| | TLS_AES_128_CCM_SHA256 | Not supported | Not supported | Not supported | Not supported | Supported |
| | TLS_AES_128_CCM_8_SHA256 | Not supported | Not supported | Not supported | Not supported | Supported |
| | ECDHE-ECDSA-AES128-GCM-SHA256 | Not supported | Not supported | Not supported | Not supported | Supported |
| | ECDHE-ECDSA-AES256-GCM-SHA384 | Not supported | Not supported | Not supported | Not supported | Supported |
| | ECDHE-ECDSA-AES128-SHA256 | Not supported | Not supported | Not supported | Not supported | Supported |
| | ECDHE-ECDSA-AES256-SHA384 | Not supported | Not supported | Not supported | Not supported | Supported |
| | ECDHE-ECDSA-AES128-SHA | Not supported | Not supported | Not supported | Not supported | Supported |
| | ECDHE-ECDSA-AES256-SHA | Not supported | Not supported | Not supported | Not supported | Supported |
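
The following Python sketch is an added example, not part of the original documentation or of any Alibaba Cloud tooling. It encodes the policy table above and reports which clients in an inventory would fail the handshake described under "How it works" if a listener were moved to a given policy. Assumptions: the client profiles are constructed sample data, `negotiate` and `broken_by` are hypothetical helper names, the model takes the highest shared TLS version without retrying at a lower one, and it relies on the TLS rule (not stated on this page) that GCM and SHA256/SHA384 suites are negotiable only in TLS 1.2.

```python
# Policy contents transcribed from the table on this page.
ECDHE_RSA = {"ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
             "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
             "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA"}
ECDHE_ECDSA = {s.replace("-RSA-", "-ECDSA-") for s in ECDHE_RSA}
STATIC_RSA = {"AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256",
              "AES256-SHA256", "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"}
TLS13 = {"TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
         "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256"}
POLICIES = {  # policy name -> (TLS versions, cipher suites)
    "tls_cipher_policy_1_0": ({"1.0", "1.1", "1.2"}, ECDHE_RSA | STATIC_RSA),
    "tls_cipher_policy_1_1": ({"1.1", "1.2"}, ECDHE_RSA | STATIC_RSA),
    "tls_cipher_policy_1_2": ({"1.2"}, ECDHE_RSA | STATIC_RSA),
    "tls_cipher_policy_1_2_strict": ({"1.2"}, ECDHE_RSA),
    "tls_cipher_policy_1_2_strict_with_1_3":
        ({"1.2", "1.3"}, ECDHE_RSA | ECDHE_ECDSA | TLS13),
}
ORDER = ["1.0", "1.1", "1.2", "1.3"]

def suite_versions(suite):
    """TLS versions in which a suite can be negotiated (TLS rule, see lead-in)."""
    if suite.startswith("TLS_"):        # TLS 1.3 suite naming
        return {"1.3"}
    if suite.endswith("-SHA"):          # CBC suites with a SHA-1 MAC
        return {"1.0", "1.1", "1.2"}
    return {"1.2"}                      # GCM / SHA256 / SHA384 suites

def negotiate(policy, client_versions, client_suites):
    """Return (version, shared suites) at the highest shared version, or None.
    Conservative: no retry at a lower version if no suite is shared."""
    versions, suites = POLICIES[policy]
    shared = [v for v in ORDER if v in versions and v in client_versions]
    if not shared:
        return None
    top = shared[-1]
    common = sorted(s for s in suites & set(client_suites)
                    if top in suite_versions(s))
    return (top, common) if common else None

def broken_by(policy, clients):
    """Names of clients that could not complete a handshake under `policy`."""
    return sorted(name for name, (vers, suites) in clients.items()
                  if negotiate(policy, vers, suites) is None)

# Constructed sample inventory: name -> (offered versions, offered suites).
CLIENTS = {
    "client-tls10-only": ({"1.0"}, {"AES128-SHA", "DES-CBC3-SHA"}),
    "client-tls12-static-rsa": ({"1.1", "1.2"}, {"AES128-GCM-SHA256", "AES256-SHA"}),
    "client-modern": ({"1.2", "1.3"},
                      {"TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256"}),
}
```

Running `broken_by` for the target policy against an inventory built from real client data gives the list of clients to upgrade or notify before the change window.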

Configure a TLS security policy for a listener

Console

When you add an HTTPS listener, on the SSL Certificate tab, click Edit next to Advanced Configuration, and then select a TLS Security Policy.

To modify a TLS security policy, on the Listeners tab of the instance details page, click the name of the target HTTPS listener to open the Listener Details dialog box. In the SSL Certificate section, modify the TLS Security Policy.

API

When you call the CreateLoadBalancerHTTPSListener operation to create an HTTPS listener or the SetLoadBalancerHTTPSListenerAttribute operation to modify the configuration of an HTTPS listener, set the TLSCipherPolicy parameter to the desired TLS security policy.

Billing

TLS security policies are free of charge. Purchasing and using CLB instances incurs fees.

FAQ

Does CLB support custom TLS security policies?

No, it does not. CLB supports only preset TLS security policies.

If you require custom TLS security policies, you can use one of the following products:

Going live

  • TLS version: If your application has no special compatibility requirements, use TLS 1.2 and TLS 1.3 to ensure security.

  • Change and rollback: If an exception occurs after you change the TLS security policy, immediately roll back the change by modifying the listener configuration. Perform changes during off-peak hours.