When you configure an HTTPS listener for a Classic Load Balancer (CLB) instance, the TLS security policy determines the TLS protocol versions and cipher suites used for TLS negotiation between the CLB instance and clients. CLB offers a selection of predefined TLS security policies.
How it works
A TLS security policy on a CLB instance specifies the TLS protocol versions and cipher suites that the HTTPS listener accepts during TLS negotiation. During the TLS handshake, the client lists the protocol versions and cipher suites it supports in a Client Hello message. The CLB instance selects a protocol version and cipher suite that are permitted by the policy and also present in the client's list, and returns its choice in a Server Hello message; if the two sets do not overlap, the handshake fails and no connection is established. The selected combination determines the subsequent steps, such as the key exchange algorithm and how the session keys are generated.
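The selection step above, modelled as an added example (this is not CLB code, and the policy contents below are constructed, not the literal suite lists of tls_cipher_policy_1_2 or any other named CLB policy). It assumes server-side preference, that is, the policy's suite order wins over the client's, which is how load balancers generally behave but which this page does not state; it also enforces that TLS 1.3 suites and legacy suites are not interchangeable across versions.

```python
"""Model of the negotiation step: the policy, not the client, decides.

Added example, not CLB code. A policy is an ordered list of protocol
versions plus an ordered list of cipher suites; the server walks the
mutually supported versions from highest to lowest and, for each, takes the
first suite in its own preference order that the client also offered.
Server-side preference is an assumption of this model.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TLS 1.3 defines its own suites; they cannot be negotiated for TLS 1.2 and
# below, and legacy suites cannot be negotiated for TLS 1.3.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}
VERSION_RANK = {"TLSv1.0": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


@dataclass
class Policy:
    versions: List[str]
    suites: List[str]       # server preference order, most preferred first


@dataclass
class ClientHello:
    versions: List[str]
    suites: List[str]       # client preference order; the server ignores it


def negotiate(policy: Policy, hello: ClientHello) -> Optional[Tuple[str, str]]:
    """Return the (version, suite) pair the Server Hello would carry, or None
    when no combination satisfies both the policy and the client (in real TLS
    the server then sends a handshake_failure alert)."""
    common = [v for v in policy.versions if v in hello.versions]
    for version in sorted(common, key=VERSION_RANK.__getitem__, reverse=True):
        want_tls13 = version == "TLSv1.3"
        for suite in policy.suites:                       # server preference wins
            if (suite in TLS13_SUITES) == want_tls13 and suite in hello.suites:
                return version, suite
    return None


# Constructed policies and clients for illustration only.
STRICT = Policy(
    versions=["TLSv1.2", "TLSv1.3"],
    suites=["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
            "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"],
)
COMPAT = Policy(
    versions=["TLSv1.0", "TLSv1.1", "TLSv1.2"],
    suites=["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "DES-CBC3-SHA"],
)
MODERN_CLIENT = ClientHello(
    versions=["TLSv1.2", "TLSv1.3"],
    suites=["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
            "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"],
)
LEGACY_CLIENT = ClientHello(            # TLS 1.0 only, static RSA key exchange only
    versions=["TLSv1.0"],
    suites=["AES128-SHA", "DES-CBC3-SHA"],
)

if __name__ == "__main__":
    for pname, policy in (("STRICT", STRICT), ("COMPAT", COMPAT)):
        for cname, hello in (("modern", MODERN_CLIENT), ("legacy", LEGACY_CLIENT)):
            print(f"{pname} policy, {cname} client -> {negotiate(policy, hello)}")
```

Two things to notice when running it: the modern client lists the 128-bit TLS 1.3 suite first, but STRICT returns the 256-bit one because the policy's order is what counts; and the legacy client, which only speaks TLS 1.0 with static RSA suites, gets no connection at all from STRICT. That is exactly the compatibility break to test for before tightening a production listener.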
TLS security policy
To comply with certain information security standards, you may need to apply a specific TLS security policy to CLB. This table lists the TLS protocol versions and cipher suites for each policy to help you select one based on your requirements. CLB does not support custom TLS security policies. For custom policies, use Application Load Balancer (ALB) or Network Load Balancer (NLB).
For Internet-facing applications without special compatibility requirements, we recommend using tls_cipher_policy_1_2 or a stricter policy.
Configure a TLS security policy
Console
When you add an HTTPS listener, on the SSL Certificate tab, click Modify next to Advanced Settings. In the expanded section, select a TLS security policy.
To modify a TLS security policy, go to the Listener tab on the instance details page. Click the name of the target HTTPS listener to open the Listener Details dialog box. In the SSL Certificate section, modify the TLS security policy.
API
To create or modify an HTTPS listener via the API, call the CreateLoadBalancerHTTPSListener or SetLoadBalancerHTTPSListenerAttribute operation and specify the TLS security policy in the TLSCipherPolicy parameter.
Billing
TLS security policies are free of charge. You will incur fees for purchasing and using CLB instances.
FAQ
Does CLB support custom TLS security policies?
No. Currently, CLB only supports predefined TLS security policies.
If you need custom TLS security policies, consider using the following products:
- ALB: Supports custom TLS security policies for HTTPS listeners.
- NLB: Supports custom TLS security policies for TCP/SSL listeners.
Production environment
- TLS protocol version: If your application has no special compatibility requirements, allow only TLS 1.2 and TLS 1.3. TLS 1.0 and TLS 1.1 are deprecated and should be disabled.
- Rollback: Change the TLS security policy during off-peak hours. If an issue occurs after the change, for example clients that can no longer complete the handshake, immediately roll back by restoring the previous policy in the listener configuration.
- Key exchange algorithm: If your application has no special compatibility requirements, avoid the following cipher suites, which use static RSA key exchange: AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, AES128-SHA, AES256-SHA, and DES-CBC3-SHA. They do not provide perfect forward secrecy (PFS): anyone who records the traffic and later obtains the server's RSA private key can decrypt it. RSA key transport has also been the repeated target of padding-oracle and other side-channel attacks, and DES-CBC3-SHA additionally relies on 3DES, a 64-bit block cipher that is itself deprecated. Prefer cipher suites that use ECDHE or DHE key exchange.
TLS cipher suite mappings
This table maps the OpenSSL format, IANA standard format, and hexadecimal value for each cipher suite.
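The check a practitioner would run over a policy's suite list before applying it, serving both the key exchange guidance above and the OpenSSL/IANA/hexadecimal mapping this section introduces. This is an added example, not CLB code and not the page's own table: code points and key-exchange classification are read from whatever OpenSSL library Python's ssl module is linked against, while a small static table (values from the IANA TLS Cipher Suite registry) supplies the IANA names and acts as a fallback for suites the local library was built without. The sample policy is constructed for illustration.

```python
"""Audit a policy's cipher suites for forward secrecy and map each
OpenSSL-style name to its IANA name and two-byte code point.

Added example, not CLB code. Code points and key-exchange information come
from the local OpenSSL through ssl.SSLContext.set_ciphers/get_ciphers; the
static table below (IANA registry values) provides IANA names and a fallback.
"""
import ssl
from typing import Dict, List, Tuple

# OpenSSL name -> (IANA name, code point). TLS 1.3 suites use their IANA
# names in OpenSSL as well.
STATIC_MAP: Dict[str, Tuple[str, int]] = {
    "AES128-GCM-SHA256": ("TLS_RSA_WITH_AES_128_GCM_SHA256", 0x009C),
    "AES256-GCM-SHA384": ("TLS_RSA_WITH_AES_256_GCM_SHA384", 0x009D),
    "AES128-SHA256": ("TLS_RSA_WITH_AES_128_CBC_SHA256", 0x003C),
    "AES256-SHA256": ("TLS_RSA_WITH_AES_256_CBC_SHA256", 0x003D),
    "AES128-SHA": ("TLS_RSA_WITH_AES_128_CBC_SHA", 0x002F),
    "AES256-SHA": ("TLS_RSA_WITH_AES_256_CBC_SHA", 0x0035),
    "DES-CBC3-SHA": ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x000A),
    "ECDHE-RSA-AES128-GCM-SHA256": ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0xC02F),
    "ECDHE-RSA-AES256-GCM-SHA384": ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 0xC030),
    "ECDHE-ECDSA-AES128-GCM-SHA256": ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 0xC02B),
    "ECDHE-ECDSA-AES256-GCM-SHA384": ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 0xC02C),
    "TLS_AES_128_GCM_SHA256": ("TLS_AES_128_GCM_SHA256", 0x1301),
    "TLS_AES_256_GCM_SHA384": ("TLS_AES_256_GCM_SHA384", 0x1302),
    "TLS_CHACHA20_POLY1305_SHA256": ("TLS_CHACHA20_POLY1305_SHA256", 0x1303),
}

FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def has_forward_secrecy(name: str) -> bool:
    """Ephemeral (EC)DHE key exchange gives forward secrecy, and every TLS 1.3
    suite uses it. An OpenSSL name with no ECDHE/DHE component denotes static
    RSA key transport, where a later leak of the RSA key decrypts old traffic."""
    return name.startswith("TLS_") or name.startswith(FS_PREFIXES)


def local_openssl_suites() -> Dict[str, dict]:
    """Every suite the local OpenSSL can negotiate, keyed by OpenSSL name.
    'ALL:COMPLEMENTOFALL' widens the list beyond Python's default cipher
    string; an empty dict means the fallback table will be used throughout."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("ALL:COMPLEMENTOFALL")
    except ssl.SSLError:
        return {}
    return {c["name"]: c for c in ctx.get_ciphers()}


def audit_policy(suites: List[str]) -> List[dict]:
    """One row per suite: IANA name, code point, key exchange, PFS verdict."""
    known = local_openssl_suites()
    rows = []
    for name in suites:
        iana, code = STATIC_MAP.get(name, (None, None))
        entry = known.get(name)
        if entry is not None:
            code = entry["id"] & 0xFFFF   # OpenSSL prefixes the code point with 0x0300
        rows.append({
            "name": name,
            "iana": iana,
            "code": code,
            "kea": entry.get("kea") if entry else None,   # e.g. 'kx-rsa', 'kx-ecdhe'
            "forward_secrecy": has_forward_secrecy(name),
            "source": "openssl" if entry else ("table" if code is not None else "unknown"),
        })
    return rows


def non_pfs_suites(suites: List[str]) -> List[str]:
    """Names of the suites to drop from a policy when PFS is required."""
    return [r["name"] for r in audit_policy(suites) if not r["forward_secrecy"]]


# Constructed sample: the static-RSA suites named on this page plus PFS suites.
SAMPLE_POLICY = [
    "TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256", "AES256-SHA256",
    "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA",
]

if __name__ == "__main__":
    for row in audit_policy(SAMPLE_POLICY):
        code = f"0x{row['code']:04X}" if row["code"] is not None else "?"
        flag = "PFS" if row["forward_secrecy"] else "NO PFS"
        print(f"{code}  {row['name']:32} {row['iana'] or '?':44} {flag}  ({row['source']})")
```

Paste the OpenSSL names of the policy you intend to apply into SAMPLE_POLICY: every row flagged NO PFS is one of the static RSA key exchange suites the production guidance above tells you to avoid, and the code point column is what you will see in a packet capture of the Server Hello when confirming the change from the client side.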