TLS security policies - Server Load Balancer - Alibaba Cloud Documentation Center

You can select a TLS security policy when you create a listener that uses SSL over TCP. Listeners that use SSL over TCP support custom and default TLS security policies.

Default TLS security policies

A TLS security policy contains TLS protocol versions and cipher suites that are available for SSL over TCP. A later TLS version offers higher security but compromises compatibility with browsers.


Security policy management	Supported TLS version	Supported cipher suite
tls_cipher_policy_1_0	TLS 1.0, TLS 1.1, and TLS 1.2	The cipher suite that you select must be supported by one of the TLS versions that you use. For example, if you use TLS 1.3, you must select the cipher suites that are supported by TLS 1.3. TLS 1.0 and TLS 1.1 support the following cipher suites: ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA AES128-SHA AES256-SHA DES-CBC3-SHA TLS 1.2 supports the following cipher suites: ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA AES128-SHA AES256-SHA DES-CBC3-SHA ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 TLS 1.3 supports the following cipher suites: TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_8_SHA256
tls_cipher_policy_1_1	TLS 1.1 and TLS 1.2
tls_cipher_policy_1_2	TLSv1.2
tls_cipher_policy_1_2_strict	TLSv1.2
tls_cipher_policy_1_2_strict_with_1_3	TLS 1.2 and TLS 1.3

Custom policies

To create a custom TLS security policy, perform the following steps:

Log on to the NLB console.
In the left-side navigation pane, click Network Load Balancer (NLB) > TLS Security Policies.
On the TLS Security Policies page, click Create Custom Policy on the Custom Policy tab.

In the Create TLS Security Policy dialog box, set the following parameters and click Create.


Parameter	Description
Name	Enter a name for the TLS security policy.
Minimal Version	Select the version of the TLS security policy that you want to create. TLS 1.0 or later TLS 1.1 or later TLS 1.2 or later
Enable TLS 1.3	Select whether to enable TLS 1.3. Important To enable TLS 1.3, you must select a cipher suite that is supported by TLS 1.3. If you do not select the supported cipher suite, the system may fail to create the connection.
Cipher Suite	Select a cipher suite that is supported by the specified TLS version. For more information about cipher suites that are supported by each TLS version, see Default TLS security policies.

Cipher suites supported by different TLS security policies

In the following table, a check mark (✓) indicates that the cipher suite is supported and a hyphen (-) indicates that the cipher suite is not supported.


Security policy		tls_cipher_policy_1_0	tls_cipher_policy_1_1	tls_cipher_policy_1_2	tls_cipher_policy_1_2_strict	tls_cipher_policy_1_2_strict_with_1_3
TLS	-	1.0, 1.1, and 1.2	1.1 and 1.2	1.2	1.2	1.2 and 1.3
CIPHER	ECDHE-RSA-AES128-GCM-SHA256	✓	✓	✓	✓	✓
	ECDHE-RSA-AES256-GCM-SHA384	✓	✓	✓	✓	✓
	ECDHE-RSA-AES128-SHA256	✓	✓	✓	✓	✓
	ECDHE-RSA-AES256-SHA384	✓	✓	✓	✓	✓
	AES128-GCM-SHA256	✓	✓	✓	-	-
	AES256-GCM-SHA384	✓	✓	✓	-	-
	AES128-SHA256	✓	✓	✓	-	-
	AES256-SHA256	✓	✓	✓	-	-
	ECDHE-RSA-AES128-SHA	✓	✓	✓	✓	✓
	ECDHE-RSA-AES256-SHA	✓	✓	✓	✓	✓
	AES128-SHA	✓	✓	✓	-	-
	AES256-SHA	✓	✓	✓	-	-
	DES-CBC3-SHA	✓	✓	✓	-	-
	TLS_AES_128_GCM_SHA256	-	-	-	-	✓
	TLS_AES_256_GCM_SHA384	-	-	-	-	✓
	TLS_CHACHA20_POLY1305_SHA256	-	-	-	-	✓
	TLS_AES_128_CCM_SHA256	-	-	-	-	✓
	TLS_AES_128_CCM_8_SHA256	-	-	-	-	✓
	ECDHE-ECDSA-AES128-GCM-SHA256	-	-	-	-	✓
	ECDHE-ECDSA-AES256-GCM-SHA384	-	-	-	-	✓
	ECDHE-ECDSA-AES128-SHA256	-	-	-	-	✓
	ECDHE-ECDSA-AES256-SHA384	-	-	-	-	✓
	ECDHE-ECDSA-AES128-SHA	-	-	-	-	✓
	ECDHE-ECDSA-AES256-SHA	-	-	-	-	✓