
Certificate Management Service:How do I configure the supported TLS versions for my certificate?

Last Updated:Feb 12, 2025

Supported TLS versions are TLS 1.1, TLS 1.2, and TLS 1.3. TLS 1.0 is forbidden. A later version of TLS provides stronger protection for HTTPS communication than an earlier version. You can configure the supported TLS versions for the certificate that you install on your web server or Alibaba Cloud service based on your business requirements.

Certificate installed on an Alibaba Cloud service

If your certificate is installed on the following Alibaba Cloud services, follow the instructions provided on the following tabs to configure supported TLS versions. Each tab provides only a brief overview of the procedure. For more detailed instructions, refer to the references that are provided.

Anti-DDoS Proxy

Procedure

  1. Log on to the Anti-DDoS Proxy console.

  2. In the top navigation bar, select the region of your instance.

    • Anti-DDoS Proxy (Chinese Mainland): Choose the Chinese Mainland region.

    • Anti-DDoS Proxy (Outside Chinese Mainland): Choose the Outside Chinese Mainland region.

  3. In the left-side navigation pane, choose Provisioning > Website Config.

  4. Find the domain name that you want to manage and click TLS Security Settings in the Certificate Status column.

  5. In the TLS Security Settings dialog box, configure the parameters such as TLS Versions for SSL Certificate and click OK. For more information about the other parameters, see Configure a custom TLS security policy.

    The TLS versions that are supported for SSL certificates that use internationally accepted algorithms depend on the region:

    Anti-DDoS Proxy (Chinese Mainland)

    • Valid values in the Standard function plan:

      • TLS 1.0 and later. This setting provides the best compatibility but low security: TLS 1.0, TLS 1.1, and TLS 1.2 are supported. This is the default value.

      • TLS 1.2 and later. This setting provides good compatibility and a high security level: only TLS 1.2 is supported.

    • Valid values in the Enhanced function plan:

      • TLS 1.0 and later. This setting provides the best compatibility but low security: TLS 1.0, TLS 1.1, and TLS 1.2 are supported. This is the default value.

      • TLS 1.1 and later. This setting provides good compatibility and medium security: TLS 1.1 and TLS 1.2 are supported.

      • TLS 1.2 and later. This setting provides good compatibility and a high security level: only TLS 1.2 is supported.

      You can select Enable TLS 1.3 Support based on your business requirements.

    Anti-DDoS Proxy (Outside Chinese Mainland)

    • TLS 1.0 and later. This setting provides the best compatibility but low security: TLS 1.0, TLS 1.1, and TLS 1.2 are supported. This is the default value.

    • TLS 1.1 and later. This setting provides good compatibility and medium security: TLS 1.1 and TLS 1.2 are supported.

    • TLS 1.2 and later. This setting provides good compatibility and a high security level: only TLS 1.2 is supported.

    You can select Enable TLS 1.3 Support based on your business requirements.

For more information, see Configure a custom TLS security policy.  

WAF

Procedure

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, click Website Configuration.

  3. On the CNAME Record tab, click Default SSL/TLS Settings above the domain name list.


  4. In the CNAME Record dialog box, configure the following parameters and click OK.

    HTTPS Upload Type

    Specify the method used to upload the SSL certificate. For more information, see the HTTPS Upload Type parameter in this topic.

    TLS Version

    Specify the TLS protocol versions that are supported for HTTPS communication. Valid values:

    • TLS 1.0 and Later (Best Compatibility and Low Security) (default)

    • TLS 1.1 and Later (High Compatibility and High Security)

    • TLS 1.2 and Later (High Compatibility and Best Security)

    If you want to enable TLS 1.3, select Support TLS 1.3.

    HTTPS Cipher Suite

    Specify the cipher suites that are supported for HTTPS communication. Valid values:

    • All Cipher Suites (High Compatibility and Low Security) (default)

    • Custom Cipher Suite (Select It Based on Protocol Version. Proceed with Caution.)

      For more information about custom cipher suites, see View supported cipher suites.

For more information, see Add a domain name to WAF.

SLB

Procedure

When you create or configure an HTTPS listener for a high-performance Classic Load Balancer (CLB) instance, you can select a TLS security policy. To select a TLS security policy, go to the Configure SSL Certificate step and click Modify on the right side of Advanced Settings. The following example describes how to configure the supported TLS versions for a CLB instance.

Note

The Server Load Balancer (SLB) family includes the following load balancing services: Application Load Balancer (ALB), Network Load Balancer (NLB), and CLB. You can choose a service based on your business requirements.

  1. Log on to the CLB console.

  2. In the top navigation bar, select the region in which the CLB instance is deployed.

  3. On the Instances page, find the CLB instance that you want to manage.

    • Click Configure Listener in the Actions column.

    • Click the ID of the CLB instance that you want to manage. On the Listener tab of the instance details page, click Add Listener.

  4. In the Protocol & Listener step, set the Select Listener Protocol parameter to HTTPS. Click Next. For more information about the other parameters, see Add an HTTPS listener.

  5. In the Certificate Management Service step, select an uploaded server certificate or click Create Server Certificate to upload a server certificate. You can also purchase a certificate. For more information, see Create a certificate.

  6. Click Modify next to Advanced Settings and configure the TLS Security Policy parameter.

    Note
    • TLS security policies are supported only by high-performance CLB instances.

    • A TLS security policy contains TLS protocol versions and cipher suites that are available for HTTPS. For more information, see TLS security policies.

  7. After you configure the parameters in the other steps, click Submit. For more information, see Add an HTTPS listener for a CLB instance.

For more information, see Add an HTTPS listener.

CDN

Procedure

Before you perform the following operations, make sure that an SSL certificate is configured. For more information, see Configure an SSL certificate.

Note

By default, TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3 are enabled.

  1. Log on to the Alibaba Cloud CDN console.

  2. In the left-side navigation pane, click Domain Names.

  3. On the Domain Names page, find the domain name that you want to manage and click Manage in the Actions column.

  4. In the left-side navigation tree of the domain name, click HTTPS.

  5. In the Configure TLS Cipher Suite and Version section, configure the cipher suites and versions based on your business requirements.

    Figure: TLS version control

    The following cipher suites are supported. You can select cipher suites based on your business requirements:

    • All Cipher Suite Groups (Default): This cipher suite group provides low security and high compatibility. For more information about the supported encryption algorithms, see Default TLS encryption algorithms.

    • Enhanced Cipher Suite: This cipher suite group provides high security and low compatibility. The following encryption algorithms are supported:

      • TLS_AES_256_GCM_SHA384

      • TLS_AES_128_GCM_SHA256

      • TLS_CHACHA20_POLY1305_SHA256

      • ECDHE-ECDSA-CHACHA20-POLY1305

      • ECDHE-RSA-CHACHA20-POLY1305

      • ECDHE-ECDSA-AES128-GCM-SHA256

      • ECDHE-RSA-AES128-GCM-SHA256

      • ECDHE-ECDSA-AES128-CCM8

      • ECDHE-ECDSA-AES128-CCM

      • ECDHE-ECDSA-AES256-GCM-SHA384

      • ECDHE-RSA-AES256-GCM-SHA384

      • ECDHE-ECDSA-AES256-CCM8

      • ECDHE-ECDSA-AES256-CCM

      • ECDHE-ECDSA-ARIA256-GCM-SHA384

      • ECDHE-ARIA256-GCM-SHA384

      • ECDHE-ECDSA-ARIA128-GCM-SHA256

      • ECDHE-ARIA128-GCM-SHA256

    • Custom Cipher Suite: You can select cipher suites based on your business requirements.

    For more information about TLS versions, see Background information.

For more information, see Configure TLS versions and cipher suites.

DCDN

Procedure

Before you perform the following operations, make sure that an SSL certificate is configured. For more information, see Configure an SSL certificate.

Note

By default, TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3 are enabled.

  1. Log on to the DCDN console.

  2. In the left-side navigation pane, click Domain Names.

  3. On the Domain Names page, find the domain name that you want to manage and click Configure.

  4. In the left-side navigation tree of the domain name, click HTTPS Settings.

  5. In the Configure TLS Cipher Suite and Version section, configure the cipher suites and versions based on your business requirements.

    Figure: TLS version control

    The following cipher suites are supported. Select a cipher suite based on your business requirements:

    • All Cipher Suite Groups (Default): This cipher suite group provides low security and high compatibility. For more information about the supported encryption algorithms, see Default TLS encryption algorithms.

    • Enhanced Cipher Suite: This cipher suite group provides high security and low compatibility. The following encryption algorithms are supported:

      • TLS_AES_256_GCM_SHA384

      • TLS_AES_128_GCM_SHA256

      • TLS_CHACHA20_POLY1305_SHA256

      • ECDHE-ECDSA-CHACHA20-POLY1305

      • ECDHE-RSA-CHACHA20-POLY1305

      • ECDHE-ECDSA-AES128-GCM-SHA256

      • ECDHE-RSA-AES128-GCM-SHA256

      • ECDHE-ECDSA-AES128-CCM8

      • ECDHE-ECDSA-AES128-CCM

      • ECDHE-ECDSA-AES256-GCM-SHA384

      • ECDHE-RSA-AES256-GCM-SHA384

      • ECDHE-ECDSA-AES256-CCM8

      • ECDHE-ECDSA-AES256-CCM

      • ECDHE-ECDSA-ARIA256-GCM-SHA384

      • ECDHE-ARIA256-GCM-SHA384

      • ECDHE-ECDSA-ARIA128-GCM-SHA256

      • ECDHE-ARIA128-GCM-SHA256

    • Custom Cipher Suite: You can select cipher suites based on your business requirements.

For more information, see Configure TLS versions and cipher suites.

Note

If you have questions when you configure the supported TLS versions for your certificate, contact your account manager for the Alibaba Cloud service.

Certificate installed on a web server

Modify the ssl_protocols parameter in the certificate configuration file of the web server based on your business requirements. For example, if your environment supports only TLS 1.1 and TLS 1.2, you can set the ssl_protocols parameter to TLSv1.1 TLSv1.2. If you also want your environment to support TLS 1.3, you can set ssl_protocols to TLSv1.1 TLSv1.2 TLSv1.3.

The following example describes how to modify the supported TLS versions of a certificate installed on an NGINX server.

Step 1: Open the configuration file of NGINX

You can run the following command to open the configuration file of NGINX. In most cases, the configuration file is /etc/nginx/nginx.conf or a .conf file in the /etc/nginx/conf.d/ directory.

sudo nano /etc/nginx/nginx.conf

If you have a separate configuration file for NGINX, run the following command to open the configuration file:

sudo nano /etc/nginx/sites-available/default

Step 2: Modify the settings in the server block

Find the HTTPS-related server block and add or modify the ssl_protocols parameter to specify the TLS versions that you want your certificate to support. In the following code, TLS 1.2 and TLS 1.3 are specified. Before you perform this step, make sure that your client supports the TLS versions that you want to specify. Otherwise, connection failures may occur.

   server {
       listen 443 ssl;
       server_name yourdomain.com;

       # The paths to the certificate and private key files.
       ssl_certificate /path/to/your_certificate.crt;
       ssl_certificate_key /path/to/your_private.key;

       # Specify the TLS versions that you want the certificate to support.
       ssl_protocols TLSv1.2 TLSv1.3;

       # Optional. Specify a cipher suite that provides higher security.
       ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
       
       location / {
           root /var/www/html;
           index index.html index.htm;
       }
   }

Step 3: Check the configurations and restart the NGINX service

After you save the changes, run one of the following commands to reload or restart NGINX. NGINX validates the configuration while loading it and reports an error if the configuration is invalid:

sudo systemctl reload nginx

or

sudo service nginx restart

After NGINX reloads successfully, the server supports only the TLS versions that you specified.

Step 4: Verify whether the configurations take effect

  1. Run the following command to view the TLS configurations of your server:

     # Replace "your_ip" with your IP address. 
     sudo openssl s_client -connect your_ip:443
  2. Check the negotiated TLS version and the certificate information in the output to verify whether the TLS configurations take effect. If the negotiated version is one of the versions that you specified, the configurations are in effect.

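A single openssl s_client run only shows the version that the client happened to negotiate. The following script, an added example that is not part of this topic, forces one TLS version per connection and compares every result with the ssl_protocols policy of the server block above (TLSv1.2 TLSv1.3). The TLS_PROBE_HOST and TLS_PROBE_PORT variables and the function names are assumptions of this example.

```shell
# Added example, not from the Alibaba Cloud page: probe one TLS version at a
# time with openssl s_client and compare each result with the ssl_protocols
# value you configured. Needs the openssl CLI (1.1.1 or later for -tls1_3).

# Read openssl s_client output on stdin and print the cipher from its
# "New, <ver>, Cipher is <name>" line: a failed handshake prints "(NONE)",
# and no output at all means the TCP connection itself failed.
negotiated_cipher() {
    sed -n 's/^New, .*, Cipher is //p' | head -n 1
}

# Succeeds when VERSION (nginx spelling, e.g. TLSv1.2) is listed in POLICY.
version_allowed() {
    for v in $1; do [ "$v" = "$2" ] && return 0; done
    return 1
}

# Probes HOST:PORT with one s_client version flag and prints "accepted <cipher>"
# or "refused". Because a single version is forced, an accepted handshake
# means that exact version is enabled on the server.
probe_version() {
    cipher=$(openssl s_client -connect "$1:$2" -servername "$1" "$3" \
             </dev/null 2>/dev/null | negotiated_cipher)
    case "$cipher" in
        ""|"(NONE)") echo refused ;;
        *) echo "accepted $cipher" ;;
    esac
}

# Probes every version, prints one line per version and returns 1 if any
# result deviates from POLICY (for example TLS 1.0 still being accepted).
check_policy() {
    host=$1; port=$2; policy=$3; rc=0
    for pair in tls1:TLSv1 tls1_1:TLSv1.1 tls1_2:TLSv1.2 tls1_3:TLSv1.3; do
        version=${pair#*:}
        if version_allowed "$policy" "$version"; then want=accepted; else want=refused; fi
        got=$(probe_version "$host" "$port" "-${pair%%:*}")
        case "$got" in "$want"*) status=ok ;; *) status=MISMATCH; rc=1 ;; esac
        printf '%-8s expected %-8s got %-32s %s\n' "$version" "$want" "$got" "$status"
    done
    return $rc
}

# Usage: TLS_PROBE_HOST=yourdomain.com sh tls_check.sh  (policy matches the
# ssl_protocols line of the server block above)
if [ -n "${TLS_PROBE_HOST:-}" ]; then
    check_policy "$TLS_PROBE_HOST" "${TLS_PROBE_PORT:-443}" "TLSv1.2 TLSv1.3"
fi
```

On OpenSSL 3 clients, the default security level refuses TLS 1.0 and TLS 1.1 on the client side, so a "refused" result for those two versions only confirms the server policy when the probe runs from an OpenSSL 1.1.1 client.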

Note

New security standards may emerge over time and old standards may no longer be recommended for use. Therefore, regular reviews and updates of encryption standards are essential to maintain the security of websites.