Web Application Firewall (WAF) lets you enforce a minimum Transport Layer Security (TLS) version and restrict the cipher suites accepted for HTTPS domains added in CNAME record mode. Requests that fall outside the configured policy are blocked at the WAF layer before they reach your origin server.
Configure custom TLS settings when you need to:
Disable weak cipher suites to reduce the attack surface
Ensure only forward-secret cipher suites are accepted
Prerequisites
Before you begin, ensure that you have:
A domain added to WAF in CNAME record mode. For more information, see Add a domain name.
An HTTPS-enabled domain with a valid certificate uploaded. For more information, see Upload an HTTPS certificate.
Configure TLS settings
Log on to the WAF console. In the top navigation bar, select the resource group and the region where your WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose Asset Center > Website Access.
On the Domain Names tab, find the target domain and click Configure TLS in the Actions column.
Important: Configure TLS appears in the Actions column only if the domain's access mode is CNAME Record and an SSL certificate is uploaded (Update Certificate is shown in the Origin Server column). TLS settings cannot be configured for domains that do not use HTTPS.

On the Configure TLS Security Policy page, set the TLS version and cipher suite, then click Save.
Parameters
Domain Name
The domain name for which you want to configure TLS settings. This value is automatically filled. You do not need to enter the domain name.
TLS versions
Choose the minimum TLS version based on your compatibility and security requirements. Stricter versions improve security but may block older clients.
| Option | Minimum TLS version | Effect on older connections |
|---|---|---|
| Support TLS 1.0 and Later (High Compatibility and Low Security) | TLS 1.0 | All TLS connections accepted |
| Support TLS 1.1 and Later (Moderate Compatibility and Moderate Security) | TLS 1.1 | TLS 1.0 connections are blocked |
| Support TLS 1.2 and Later (Moderate Compatibility and High Security) | TLS 1.2 | TLS 1.0 and TLS 1.1 connections are blocked |
You can also enable Support TLS 1.3 alongside any of the options above to add TLS 1.3 support.
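After saving, confirm that the WAF actually enforces the selected minimum version. The following probe is an added example and not part of the WAF documentation or product; it pins a client handshake to one protocol version at a time and compares the result with what the chosen console option should allow (the host name and the `probe_fn` injection hook are assumptions for illustration).

```python
import socket
import ssl
import sys

# Console options from the page mapped to the client-side protocol pins used to probe them.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}
ORDER = ["TLS 1.0", "TLS 1.1", "TLS 1.2"]


def expected_outcomes(minimum, tls13_enabled):
    """Versions the WAF should accept under a policy: 'minimum' is the selected
    'Support TLS 1.x and Later' option; TLS 1.3 is the separate toggle."""
    floor = ORDER.index(minimum)
    accepted = {v: ORDER.index(v) >= floor for v in ORDER}
    accepted["TLS 1.3"] = tls13_enabled
    return accepted


def probe(host, version, port=443, timeout=5.0):
    """Handshake pinned to exactly one protocol version; True if the server completes it."""
    try:
        ctx = ssl.create_default_context()
        ctx.minimum_version = VERSIONS[version]
        ctx.maximum_version = VERSIONS[version]
        if VERSIONS[version] < ssl.TLSVersion.TLSv1_2:
            # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level; relax
            # it on the probing client only so the rejection observed is the WAF's.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, ValueError):
        return False  # handshake rejected (or version unsupported by the local OpenSSL)


def verify_policy(host, minimum, tls13_enabled, probe_fn=probe):
    """Return {version: (expected, observed)} for every version whose result
    does not match the configured policy; an empty dict means the policy holds."""
    expected = expected_outcomes(minimum, tls13_enabled)
    observed = {v: probe_fn(host, v) for v in expected}
    return {v: (expected[v], observed[v]) for v in expected if expected[v] != observed[v]}


if __name__ == "__main__":
    # usage: python check_tls_policy.py <domain> "TLS 1.2" yes   (third arg: TLS 1.3 enabled?)
    host, minimum, tls13 = sys.argv[1], sys.argv[2], sys.argv[3].lower() == "yes"
    mismatches = verify_policy(host, minimum, tls13)
    print("policy enforced" if not mismatches else f"mismatches: {mismatches}")
```

A reported mismatch on TLS 1.0 or 1.1 may also mean the local OpenSSL build no longer supports those versions at all, so confirm such results with a second client before treating them as a WAF misconfiguration.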