性能保障型负载均衡实例在创建和配置HTTPS监听时,支持选择TLS安全策略。

选择TLS安全策略

您可以在添加或者配置HTTPS监听时,修改SSL证书高级配置,选择TLS安全策略,具体操作,请参见添加HTTPS监听配置监听

TLS安全策略

TLS安全策略包含HTTPS可选的TLS协议版本和配套的加密算法套件。

安全策略 特点 支持TLS版本 支持加密算法套件
tls_cipher_policy_1_0 兼容性最好,安全性较低 TLSv1.0、TLSv1.1和TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256、ECDHE-ECDSA-AES256-GCM-SHA384、ECDHE-ECDSA-AES128-SHA256、ECDHE-ECDSA-AES256-SHA384、ECDHE-RSA-AES128-GCM-SHA256、ECDHE-RSA-AES256-GCM-SHA384、ECDHE-RSA-AES128-SHA256、ECDHE-RSA-AES256-SHA384、AES128-GCM-SHA256、AES256-GCM-SHA384、AES128-SHA256、AES256-SHA256、ECDHE-ECDSA-AES128-SHA、ECDHE-ECDSA-AES256-SHA、ECDHE-RSA-AES128-SHA、ECDHE-RSA-AES256-SHA、AES128-SHA、AES256-SHA、DES-CBC3-SHA
tls_cipher_policy_1_1 兼容性较好,安全性较好 TLSv1.1和TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256、ECDHE-ECDSA-AES256-GCM-SHA384、ECDHE-ECDSA-AES128-SHA256、ECDHE-ECDSA-AES256-SHA384、ECDHE-RSA-AES128-GCM-SHA256、ECDHE-RSA-AES256-GCM-SHA384、ECDHE-RSA-AES128-SHA256、ECDHE-RSA-AES256-SHA384、AES128-GCM-SHA256、AES256-GCM-SHA384、AES128-SHA256、AES256-SHA256、ECDHE-ECDSA-AES128-SHA、ECDHE-ECDSA-AES256-SHA、ECDHE-RSA-AES128-SHA、ECDHE-RSA-AES256-SHA、AES128-SHA、AES256-SHA、DES-CBC3-SHA
tls_cipher_policy_1_2 兼容性较好,安全性很高 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256、ECDHE-ECDSA-AES256-GCM-SHA384、ECDHE-ECDSA-AES128-SHA256、ECDHE-ECDSA-AES256-SHA384、ECDHE-RSA-AES128-GCM-SHA256、ECDHE-RSA-AES256-GCM-SHA384、ECDHE-RSA-AES128-SHA256、ECDHE-RSA-AES256-SHA384、AES128-GCM-SHA256、AES256-GCM-SHA384、AES128-SHA256,AES256-SHA256、ECDHE-ECDSA-AES128-SHA、ECDHE-ECDSA-AES256-SHA、ECDHE-RSA-AES128-SHA、ECDHE-RSA-AES256-SHA、AES128-SHA、AES256-SHA、DES-CBC3-SHA
tls_cipher_policy_1_2_strict 仅支持前向安全的加密套件,安全性极高 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256、ECDHE-ECDSA-AES256-GCM-SHA384、ECDHE-ECDSA-AES128-SHA256、ECDHE-ECDSA-AES256-SHA384、ECDHE-RSA-AES128-GCM-SHA256、ECDHE-RSA-AES256-GCM-SHA384、ECDHE-RSA-AES128-SHA256、ECDHE-RSA-AES256-SHA384、ECDHE-ECDSA-AES128-SHA、ECDHE-ECDSA-AES256-SHA、ECDHE-RSA-AES128-SHA、ECDHE-RSA-AES256-SHA
tls_cipher_policy_1_2_strict_with_1_3 仅支持前向安全的加密套件,安全性极高 TLSv1.2及TLSv1.3 TLS_AES_128_GCM_SHA256、TLS_AES_256_GCM_SHA384、TLS_CHACHA20_POLY1305_SHA256、TLS_AES_128_CCM_SHA256、TLS_AES_128_CCM_8_SHA256、ECDHE-ECDSA-AES128-GCM-SHA256、ECDHE-ECDSA-AES256-GCM-SHA384、ECDHE-ECDSA-AES128-SHA256、ECDHE-ECDSA-AES256-SHA384、ECDHE-RSA-AES128-GCM-SHA256、ECDHE-RSA-AES256-GCM-SHA384、ECDHE-RSA-AES128-SHA256、ECDHE-RSA-AES256-SHA384、ECDHE-ECDSA-AES128-SHA、ECDHE-ECDSA-AES256-SHA、ECDHE-RSA-AES128-SHA、ECDHE-RSA-AES256-SHA
说明 目前支持TLS1.3的地域如下:
  • 英国(伦敦)
  • 华北1(青岛)
  • 华北5(呼和浩特)
  • 西南1(成都)
  • 新加坡
  • 日本(东京)
  • 印度(孟买)
  • 澳大利亚(悉尼)
  • 马来西亚(吉隆坡)
  • 美国(硅谷)
  • 美国(弗吉利亚)
  • 德国(法兰克福)
  • 阿联酋(迪拜)
hybrid_cipher_policy_1_0 兼容性好,安全性极高 支持国密和国际相关加密套件 ECDHE-ECDSA-AES128-GCM-SHA256、ECDHE-ECDSA-AES256-GCM-SHA384、ECDHE-ECDSA-AES128-SHA256、ECDHE-ECDSA-AES256-SHA384、ECDHE-RSA-AES128-GCM-SHA256、ECDHE-RSA-AES256-GCM-SHA384、ECDHE-RSA-AES128-SHA256、ECDHE-RSA-AES256-SHA384、AES128-GCM-SHA256、AES256-GCM-SHA384、AES128-SHA256、AES256-SHA256、ECDHE-ECDSA-AES128-SHA、ECDHE-ECDSA-AES256-SHA、ECDHE-RSA-AES128-SHA、ECDHE-RSA-AES256-SHA、AES128-SHA、AES256-SHA、DES-CBC3-SHA、ECC-SM2-WITH-SM4-SM3

TLS安全策略支持的加密算法套件

安全策略 tls_cipher_policy_1_0 tls_cipher_policy_1_1 tls_cipher_policy_1_2 tls_cipher_policy_1_2_strict tls_cipher_policy_1_2_strict_with_1_3
TLS 1.2、1.1及1.0 1.1及1.2 1.2 1.2 1.2及1.3
CIPHER ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
AES128-GCM-SHA256 - -
AES256-GCM-SHA384 - -
AES128-SHA256 - -
AES256-SHA256 - -
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
AES128-SHA - -
AES256-SHA - -
DES-CBC3-SHA - -
TLS_AES_128_GCM_SHA256 - - - -
TLS_AES_256_GCM_SHA384 - - - -
TLS_CHACHA20_POLY1305_SHA256 - - - -
TLS_AES_128_CCM_SHA256 - - - -
TLS_AES_128_CCM_8_SHA256 - - - -
ECDHE-ECDSA-AES128-GCM-SHA256 - - - -
ECDHE-ECDSA-AES256-GCM-SHA384 - - - -
ECDHE-ECDSA-AES128-SHA256 - - - -
ECDHE-ECDSA-AES256-SHA384 - - - -
ECDHE-ECDSA-AES128-SHA - - - -
ECDHE-ECDSA-AES256-SHA - - - -
说明 上表中的✔表示支持,-表示不支持。