Updated on 2025-10-17 GMT+08:00

TLS Versions and Cipher Suites

You can configure TLS versions and cipher suites as required.

Background

Transport Layer Security (TLS) is a protocol that protects the security and integrity of data in Internet communication. Its most typical application is HTTPS. TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3 are available. A later version is more secure, but is less compatible with earlier browser versions.

A cipher suite is a combination of cryptographic algorithms that the server and client use for a TLS or SSL connection. In a TLS handshake, the client sends the server its list of supported cipher suites. The server then picks one that both sides support.

Table 1 TLS versions supported by mainstream browsers

| TLS Version | Mainstream Browser |
|---|---|
| TLS 1.0 | Chrome 1, Firefox 2+ |
| TLS 1.1 | Chrome 22+, Firefox 24+, Safari 7+ |
| TLS 1.2 | Chrome 30+, Firefox 27+, Safari 7+ |
| TLS 1.3 | Chrome 70+, Firefox 63+, Safari 14+ |

Constraints

  • Before configuring the TLS versions, configure an international HTTPS certificate first. For details, see Configuring an HTTPS Certificate.
  • If the domain name is bound to a certificate that uses a Chinese cryptographic algorithm, TLS versions cannot be configured.
  • If you change the certificate type from International to Chinese (SM2), TLS version settings will become invalid.
  • If you set two certificates for a domain name, TLS version settings take effect only for the international certificate.
  • You can enable a single version or consecutive versions. For example, you cannot enable TLS 1.0 and TLS 1.2 but disable TLS 1.1.
  • You need to enable at least one version.
  • By default, TLS 1.1, TLS 1.2, and TLS 1.3 are enabled.
  • TLS versions cannot be configured for domain names with special configurations.

Procedure

  1. Log in to the CDN console.
  2. In the navigation pane, choose Domains.
  3. In the domain list, click the target domain name or click Configure in the Operation column.
  4. Click the HTTPS Settings tab.
  5. In the TLS Versions and Cipher Suites area, click Edit.
    Figure 1 Configuring the TLS versions
    Table 2 Parameter description

    Parameter | Description

    Versions
      • Options are TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3.
      • Enable only a single version or consecutive versions. For example, you cannot enable TLS 1.0 and TLS 1.2 but disable TLS 1.1.
      • Enable at least one version.
      • By default, TLS 1.1, TLS 1.2, and TLS 1.3 are enabled.

    Cipher Suite Type
      CDN supports cipher suites of multiple strengths and custom cipher suites. For details about the supported cipher suites, see Table 3.
      • Strong: poor browser compatibility but high security.
      • Moderate: moderate browser compatibility and security.
      • Default: strong browser compatibility but low security.
      • Custom: Customize cipher suites to meet your needs.

      NOTE:
      CDN matches the enabled TLS versions against the cipher suite type to determine the supported cipher suites. Therefore, when you select only TLS 1.0 or TLS 1.1, you cannot select the Strong cipher suite type.

      Example: If you select TLS 1.3 for Versions and Default for Cipher Suite Type, CDN supports these cipher suites: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, DHE-RSA-CHACHA20-POLY1305, and ECDHE-RSA-CHACHA20-POLY1305.

    Custom Cipher Suites
      Select the cipher suites you need.

    Table 3 Cipher suites supported by CDN

    | OpenSSL Encryption Suite | Strong | Moderate | Default | Custom |
    |---|---|---|---|---|
    | ECDHE-ECDSA-AES128-GCM-SHA256 | Supported | Supported | Supported | Supported |
    | ECDHE-ECDSA-AES256-GCM-SHA384 | Supported | Supported | Supported | Supported |
    | ECDHE-RSA-AES128-GCM-SHA256 | Supported | Supported | Supported | Supported |
    | ECDHE-RSA-AES256-GCM-SHA384 | Supported | Supported | Supported | Supported |
    | DHE-RSA-AES128-GCM-SHA256 | Supported | Supported | Supported | Supported |
    | DHE-RSA-AES256-GCM-SHA384 | Supported | Supported | Supported | Supported |
    | ECDHE-ECDSA-AES128-SHA256 | - | Supported | Supported | Supported |
    | ECDHE-ECDSA-AES256-SHA384 | - | Supported | Supported | Supported |
    | ECDHE-RSA-AES128-SHA | - | - | Supported | Supported |
    | ECDHE-RSA-AES128-SHA256 | - | Supported | Supported | Supported |
    | ECDHE-RSA-AES256-SHA | - | Supported | Supported | Supported |
    | ECDHE-RSA-AES256-SHA384 | - | Supported | Supported | Supported |
    | DHE-RSA-AES128-SHA | - | Supported | Supported | Supported |
    | DHE-RSA-AES128-SHA256 | - | Supported | Supported | Supported |
    | DHE-RSA-AES256-SHA | - | Supported | Supported | Supported |
    | DHE-RSA-AES256-SHA256 | - | Supported | Supported | Supported |
    | AES128-GCM-SHA256 | - | - | Supported | Supported |
    | AES256-GCM-SHA384 | - | - | Supported | Supported |
    | AES128-SHA256 | - | - | Supported | Supported |
    | AES256-SHA256 | - | - | Supported | Supported |
    | ECDHE-ECDSA-CHACHA20-POLY1305 | Supported | Supported | Supported | Supported |
    | ECDHE-RSA-CHACHA20-POLY1305 | Supported | Supported | Supported | Supported |
    | DHE-RSA-CHACHA20-POLY1305 | Supported | Supported | Supported | Supported |
    | ECDHE-ECDSA-AES128-SHA | - | - | - | Supported |
    | ECDHE-ECDSA-AES256-SHA | - | - | - | Supported |
    | AES128-SHA | - | - | - | Supported |
    | AES256-SHA | - | - | - | Supported |
    | DES-CBC3-SHA | - | - | - | Supported |
    | RC4-SHA | - | - | - | Supported |

  6. Select TLS versions and cipher suites and click OK.

Relationship Between TLS Versions and Cipher Suites

Table 4 Relationship between TLS versions and cipher suites

| OpenSSL Encryption Suite | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 |
|---|---|---|---|---|
| ECDHE-ECDSA-AES128-GCM-SHA256 | Supported | Supported | - | - |
| ECDHE-ECDSA-AES256-GCM-SHA384 | Supported | Supported | - | - |
| ECDHE-RSA-AES128-GCM-SHA256 | Supported | Supported | - | - |
| ECDHE-RSA-AES256-GCM-SHA384 | Supported | Supported | - | - |
| DHE-RSA-AES128-GCM-SHA256 | - | Supported | - | - |
| DHE-RSA-AES256-GCM-SHA384 | - | Supported | - | - |
| ECDHE-ECDSA-AES128-SHA256 | - | Supported | - | - |
| ECDHE-ECDSA-AES256-SHA384 | - | Supported | - | - |
| ECDHE-RSA-AES128-SHA | - | Supported | Supported | Supported |
| ECDHE-RSA-AES128-SHA256 | - | Supported | - | - |
| ECDHE-RSA-AES256-SHA | - | Supported | Supported | Supported |
| ECDHE-RSA-AES256-SHA384 | - | Supported | - | - |
| DHE-RSA-AES128-SHA | - | Supported | Supported | Supported |
| DHE-RSA-AES128-SHA256 | - | Supported | - | - |
| DHE-RSA-AES256-SHA | - | Supported | Supported | Supported |
| DHE-RSA-AES256-SHA256 | - | Supported | - | - |
| AES128-GCM-SHA256 | - | Supported | - | - |
| AES256-GCM-SHA384 | - | Supported | - | - |
| AES128-SHA256 | - | Supported | - | - |
| AES256-SHA256 | - | Supported | - | - |
| ECDHE-ECDSA-CHACHA20-POLY1305 | - | Supported | - | - |
| ECDHE-RSA-CHACHA20-POLY1305 | Supported | Supported | - | - |
| DHE-RSA-CHACHA20-POLY1305 | Supported | Supported | - | - |
| ECDHE-ECDSA-AES128-SHA | - | Supported | - | - |
| ECDHE-ECDSA-AES256-SHA | - | Supported | Supported | Supported |
| AES128-SHA | - | Supported | Supported | Supported |
| AES256-SHA | - | Supported | Supported | Supported |
| DES-CBC3-SHA | - | Supported | Supported | Supported |
| RC4-SHA | - | - | Supported | Supported |
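
The matching rule from the NOTE under Table 2, worked through with the data in Tables 3 and 4, as an added example (not Huawei Cloud code and not a CDN API). The function names and the nested-tier encoding are assumptions of this sketch; it reproduces the TLS 1.3 plus Default example and shows why Strong has no usable suite when only TLS 1.0 or TLS 1.1 is enabled.

```python
# Added example: data transcribed from Table 3 (suite type) and Table 4 (versions).
ORDER = ["1.0", "1.1", "1.2", "1.3"]
# Assumption (holds for Table 3): each suite type includes the stricter types' suites.
TIERS = ["Strong", "Moderate", "Default", "Custom"]
# (strictest type listing the suites, TLS versions supporting them, suite names)
ROWS = [
    ("Strong", "1.3 1.2", "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 "
        "ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 "
        "ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-CHACHA20-POLY1305"),
    ("Strong", "1.2", "DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 "
        "ECDHE-ECDSA-CHACHA20-POLY1305"),
    ("Moderate", "1.2", "ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 "
        "ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 "
        "DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256"),
    ("Moderate", "1.2 1.1 1.0", "ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA"),
    ("Default", "1.2", "AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256"),
    ("Default", "1.2 1.1 1.0", "ECDHE-RSA-AES128-SHA"),
    ("Custom", "1.2", "ECDHE-ECDSA-AES128-SHA"),
    ("Custom", "1.2 1.1 1.0", "ECDHE-ECDSA-AES256-SHA AES128-SHA AES256-SHA DES-CBC3-SHA"),
    ("Custom", "1.1 1.0", "RC4-SHA"),
]

def check_versions(versions):
    """Enforce the Constraints section: at least one version, no gaps."""
    idx = sorted(ORDER.index(v) for v in set(versions))
    if not idx:
        raise ValueError("enable at least one TLS version")
    if idx[-1] - idx[0] != len(idx) - 1:
        raise ValueError("enabled TLS versions must be consecutive")

def effective_suites(versions, suite_type, custom=None):
    """Suites left after matching the suite type against the enabled versions."""
    check_versions(versions)
    limit = TIERS.index(suite_type)
    out = []
    for tier, vers, names in ROWS:
        if TIERS.index(tier) <= limit and set(vers.split()) & set(versions):
            out += [n for n in names.split() if custom is None or n in custom]
    return sorted(out)

if __name__ == "__main__":
    print(effective_suites(["1.3"], "Default"))         # the NOTE's example
    print(effective_suites(["1.0", "1.1"], "Strong"))   # empty: why Strong is refused
    print(effective_suites(["1.1", "1.2", "1.3"], "Custom", {"RC4-SHA", "DES-CBC3-SHA"}))
```

With the default versions (TLS 1.1 to TLS 1.3), a Custom selection that includes RC4-SHA or DES-CBC3-SHA leaves both negotiable according to Table 4, so review custom lists against that table before saving.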