TLS Security Policy
Scenarios
When you add HTTPS listeners, you can select appropriate security policies to improve security. A security policy is a combination of TLS protocols of different versions and supported cipher suites.
Adding a Security Policy
- Log in to the management console.
- In the upper left corner of the page, click and select the desired region and project.
- Hover on
in the upper left corner to display Service List and choose Network > Elastic Load Balance. - Locate the load balancer and click its name.
- Under Listeners, click Add Listener.
- In the Add Listener dialog box, set Frontend Protocol to HTTPS.
- Expand Advanced Settings and select a security policy.
Table 1 shows the default security policies.
Table 1 Default security policies Security Policy
Description
TLS Versions
Cipher Suites
TLS-1-0
TLS 1.0, TLS 1.1, and TLS 1.2 and supported cipher suites (high compatibility and moderate security)
TLS 1.2
TLS 1.1
TLS 1.0
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-GCM-SHA256
- AES128-GCM-SHA256
- AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-RSA-AES128-SHA256
- AES128-SHA256
- AES256-SHA256
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA384
- ECDHE-ECDSA-AES128-SHA
- ECDHE-RSA-AES128-SHA
- ECDHE-RSA-AES256-SHA
- ECDHE-ECDSA-AES256-SHA
- AES128-SHA
- AES256-SHA
TLS-1-1
TLS 1.1 and TLS 1.2 and supported cipher suites (moderate compatibility and moderate security)
TLS 1.2
TLS 1.1
TLS-1-2
TLS 1.2 and supported cipher suites (moderate compatibility and high security)
TLS 1.2
TLS-1-2-Strict
Strict TLS 1.2 and supported cipher suites (low compatibility and ultra-high security)
TLS 1.2
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-GCM-SHA256
- AES128-GCM-SHA256
- AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-RSA-AES128-SHA256
- AES128-SHA256
- AES256-SHA256
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA384
TLS-1-0-WITH-1-3
TLS 1.0 and later, and supported cipher suites (ultra-high compatibility and low security)
TLS 1.3
TLS 1.2
TLS 1.1
TLS 1.0
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-GCM-SHA256
- AES128-GCM-SHA256
- AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-RSA-AES128-SHA256
- AES128-SHA256
- AES256-SHA256
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA384
- ECDHE-ECDSA-AES128-SHA
- ECDHE-RSA-AES128-SHA
- ECDHE-RSA-AES256-SHA
- ECDHE-ECDSA-AES256-SHA
- AES128-SHA
- AES256-SHA
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_AES_128_CCM_SHA256
- TLS_AES_128_CCM_8_SHA256
TLS-1-2-FS-WITH-1-3
TLS 1.2 and later, and supported forward secrecy cipher suites (high compatibility and ultra-high security)
TLS 1.3
TLS 1.2
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-RSA-AES128-SHA256
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA384
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_AES_128_CCM_SHA256
- TLS_AES_128_CCM_8_SHA256
hybrid-policy-1-0
TLS 1.1 and TLS 1.2 and supported cipher suites (moderate compatibility and moderate security)
TLS 1.2
TLS 1.1
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-GCM-SHA256
- AES128-GCM-SHA256
- AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-RSA-AES128-SHA256
- AES128-SHA256
- AES256-SHA256
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA384
- ECDHE-ECDSA-AES128-SHA
- ECDHE-RSA-AES128-SHA
- ECDHE-RSA-AES256-SHA
- ECDHE-ECDSA-AES256-SHA
- AES128-SHA
- AES256-SHA
- ECC-SM4-SM3
- ECDHE-SM4-SM3
- This table lists the cipher suites supported by ELB. Generally, clients also support multiple cipher suites. In actual use, the cipher suites supported by ELB and clients are used, and the cipher suites supported by ELB take precedence.
- Click OK.
Differences Between Security Policies
Security Policy |
TLS-1-0 |
TLS-1-1 |
TLS-1-2 |
TLS-1-2-Strict |
|---|---|---|---|---|
TLS versions |
||||
TLS 1.3 |
- |
- |
- |
- |
TLS 1.2 |
√ |
√ |
√ |
√ |
TLS 1.1 |
√ |
√ |
- |
- |
TLS 1.0 |
√ |
- |
- |
- |
Cipher suites |
||||
EDHE-RSA-AES128-GCM-SHA256 |
√ |
√ |
√ |
√ |
ECDHE-RSA-AES256-GCM-SHA384 |
√ |
√ |
√ |
√ |
ECDHE-RSA-AES128-SHA256 |
√ |
√ |
√ |
√ |
ECDHE-RSA-AES256-SHA384 |
√ |
√ |
√ |
√ |
AES128-GCM-SHA256 |
√ |
√ |
√ |
√ |
AES256-GCM-SHA384 |
√ |
√ |
√ |
√ |
AES128-SHA256 |
√ |
√ |
√ |
√ |
AES256-SHA256 |
√ |
√ |
√ |
√ |
ECDHE-RSA-AES128-SHA |
√ |
√ |
√ |
- |
ECDHE-RSA-AES256-SHA |
√ |
√ |
√ |
- |
AES128-SHA |
√ |
√ |
√ |
- |
AES256-SHA |
√ |
√ |
√ |
- |
ECDHE-ECDSA-AES128-GCM-SHA256 |
√ |
√ |
√ |
√ |
ECDHE-ECDSA-AES128-SHA256 |
√ |
√ |
√ |
√ |
ECDHE-ECDSA-AES128-SHA |
√ |
√ |
√ |
- |
ECDHE-ECDSA-AES256-GCM-SHA384 |
√ |
√ |
√ |
√ |
ECDHE-ECDSA-AES256-SHA384 |
√ |
√ |
√ |
√ |
ECDHE-ECDSA-AES256-SHA |
√ |
√ |
√ |
- |
Changing a Security Policy
When you change a security policy, ensure that the security group containing backend servers allows traffic from 100.125.0.0/16 to backend servers and allows ICMP packets for UDP health checks. Otherwise, backend servers will be considered unhealthy, and routing will be affected.
- Log in to the management console.
- In the upper left corner of the page, click and select the desired region and project.
- Hover on in the upper left corner to display Service List and choose Network > Elastic Load Balance.
- Locate the load balancer and click its name.
- Click Listeners, locate the listener, and click its name.
- On the Summary tab page, click Edit on the top right.
- In the Modify Listener dialog box, expand Advanced Settings and change the security policy.
- Click OK.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
