When you add an HTTPS service to Web Application Firewall (WAF) in CNAME record mode, you can specify the cipher suites that WAF supports, based on the cipher suites that the origin server supports. WAF then listens only for traffic from clients that use the specified cipher suites. This topic describes the cipher suites that WAF supports.

Scenarios

If you add a domain name to WAF in CNAME record mode, you can specify cipher suites in the Change Forwarding Rule step of the Add Domain Name wizard. The following figure shows an example. After you specify the cipher suites, WAF listens only for requests from clients that use the specified cipher suites. For more information, see Configuration wizard description.

Figure: Configure Listener

Specify cipher suites

In CNAME record mode, you can configure Cipher Suite so that WAF listens only for requests from clients that use one or more of the following cipher suites:
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA384
  • AES128-GCM-SHA256
  • AES256-GCM-SHA384
  • AES128-SHA256
  • AES256-SHA256
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-ECDSA-AES256-SHA
  • ECDHE-RSA-AES128-SHA
  • ECDHE-RSA-AES256-SHA
  • AES128-SHA
  • AES256-SHA
  • DES-CBC3-SHA
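
The following added example (not Alibaba Cloud code) parses the suite names in the preceding list and, given the cipher suites that an origin server supports, returns the ones to specify in WAF, strongest tier first. The tier names, the preference order, and the sample origin list are assumptions made for this example.

```python
# Added example, not Alibaba Cloud code. Suite names are the 19 listed above.
WAF_SUITES = """
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384
AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256
ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA
AES128-SHA AES256-SHA DES-CBC3-SHA
""".split()

# Preference order used by this example (an assumption, not a WAF setting).
TIERS = ("ecdhe-aead", "ecdhe-cbc", "static-rsa", "3des")

def classify(name):
    """Parse an OpenSSL-style TLS 1.2 suite name into its properties."""
    parts = name.split("-")
    ecdhe = parts[0] == "ECDHE"
    # Names with no key-exchange prefix use static RSA key exchange and auth.
    auth = parts[1] if ecdhe else "RSA"
    body = parts[2:] if ecdhe else parts
    if "CBC3" in body:
        tier = "3des"            # 64-bit block cipher
    elif ecdhe and "GCM" in body:
        tier = "ecdhe-aead"      # forward secrecy and AEAD
    elif ecdhe:
        tier = "ecdhe-cbc"       # forward secrecy, CBC with HMAC
    else:
        tier = "static-rsa"      # no forward secrecy
    return {"name": name, "auth": auth, "forward_secrecy": ecdhe,
            "aead": "GCM" in body, "sha1_mac": body[-1] == "SHA", "tier": tier}

def plan(origin_suites, allowed_tiers=TIERS):
    """Pick WAF-selectable suites the origin also supports, best tier first."""
    origin = set(origin_suites)
    common = [classify(s) for s in WAF_SUITES if s in origin]
    chosen = sorted((c for c in common if c["tier"] in allowed_tiers),
                    key=lambda c: TIERS.index(c["tier"]))
    return {"select": [c["name"] for c in chosen],
            "not_selectable": sorted(origin - set(WAF_SUITES))}

if __name__ == "__main__":
    # Constructed origin cipher list, for illustration only.
    origin = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-SHA",
              "AES128-SHA", "DES-CBC3-SHA", "ECDHE-RSA-CHACHA20-POLY1305"]
    print(plan(origin, allowed_tiers=("ecdhe-aead", "ecdhe-cbc")))
```

Suites reported under `not_selectable` are supported by the origin but are not in the list above, so they cannot be chosen in the Cipher Suite setting.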