Updated on 2024-09-20 GMT+08:00

TLS Security Policy

HTTPS encryption is commonly used for applications that require secure transmission of data, such as banks and finance. ELB allows you to use common TLS security policies to secure data transmission.

When you add HTTPS listeners, you can select the default security policies or create a custom policy to improve security.

A security policy is a combination of TLS protocols of different versions and supported cipher suites.

Default Security Policy

A later TLS version ensures higher HTTPS communication security, but is less compatible with some browsers.

You can use later TLS versions for applications that require enhanced security, and earlier TLS versions for applications that need wider compatibility.

Table 1 Default security policies

Security Policy

TLS Versions

Cipher Suites

TLS-1-0

TLS 1.2

TLS 1.1

TLS 1.0

  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • AES128-GCM-SHA256
  • AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256
  • AES128-SHA256
  • AES256-SHA256
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-RSA-AES128-SHA
  • ECDHE-RSA-AES256-SHA
  • ECDHE-ECDSA-AES256-SHA
  • AES128-SHA
  • AES256-SHA

TLS-1-1

TLS 1.2

TLS 1.1

TLS-1-2

TLS 1.2

tls-1-0-inherit

TLS 1.2

TLS 1.1

TLS 1.0

  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • AES128-GCM-SHA256
  • AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256
  • AES128-SHA256
  • AES256-SHA256
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-RSA-AES128-SHA
  • DHE-RSA-AES128-SHA
  • ECDHE-RSA-AES256-SHA
  • ECDHE-ECDSA-AES256-SHA
  • AES128-SHA
  • AES256-SHA
  • DHE-DSS-AES128-SHA
  • CAMELLIA128-SHA
  • EDH-RSA-DES-CBC3-SHA
  • DES-CBC3-SHA
  • ECDHE-RSA-RC4-SHA
  • RC4-SHA
  • DHE-RSA-AES256-SHA
  • DHE-DSS-AES256-SHA
  • DHE-RSA-CAMELLIA256-SHA

TLS-1-2-Strict

TLS 1.2

  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • AES128-GCM-SHA256
  • AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256
  • AES128-SHA256
  • AES256-SHA256
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA384

TLS-1-0-WITH-1-3

TLS 1.3

TLS 1.2

TLS 1.1

TLS 1.0

  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • AES128-GCM-SHA256
  • AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256
  • AES128-SHA256
  • AES256-SHA256
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-RSA-AES128-SHA
  • ECDHE-RSA-AES256-SHA
  • ECDHE-ECDSA-AES256-SHA
  • AES128-SHA
  • AES256-SHA
  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_CCM_SHA256
  • TLS_AES_128_CCM_8_SHA256

TLS-1-2-FS-WITH-1-3

TLS 1.3

TLS 1.2

  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA384
  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_CCM_SHA256
  • TLS_AES_128_CCM_8_SHA256

TLS-1-2-FS

TLS 1.2

  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA384

hybrid-policy-1-0

TLS 1.2

TLS 1.1

  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • AES128-GCM-SHA256
  • AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256
  • AES128-SHA256
  • AES256-SHA256
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-RSA-AES128-SHA
  • ECDHE-RSA-AES256-SHA
  • ECDHE-ECDSA-AES256-SHA
  • AES128-SHA
  • AES256-SHA
  • ECC-SM4-SM3
  • ECDHE-SM4-SM3

tls-1-2-strict-no-cbc

TLS 1.2

  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256

The above table lists the cipher suites supported by ELB. Generally, clients also support multiple cipher suites. In actual use, the cipher suites supported by ELB and clients are used, and the cipher suites supported by ELB take precedence.

Differences Among Default Security Policies

√ indicates the metric is supported, and x indicates the metric is not supported.

Table 2 Differences among default security policies

Security Policy

tls-1-0

tls-1-1

tls-1-2

tls-1-0-inherit

tls-1-2-strict

tls-1-0-with-1-3

tls-1-2-fs-with-1-3

tls-1-2-fs

hybrid-policy-1-0

tls-1-2-strict-no-cbc

TLS version

Protocol-TLS 1.3

×

×

×

×

×

×

×

Protocol-TLS 1.2

Protocol-TLS 1.1

×

×

×

×

×

Protocol-TLS 1.0

×

×

×

×

×

×

×

Cipher suite

ECDHE-RSA-AES128-GCM-SHA256

×

×

×

×

×

ECDHE-RSA-AES256-GCM-SHA384

ECDHE-RSA-AES128-SHA256

×

ECDHE-RSA-AES256-SHA384

×

AES128-GCM-SHA256

×

×

×

AES256-GCM-SHA384

×

×

×

AES128-SHA256

×

×

×

AES256-SHA256

×

×

×

ECDHE-RSA-AES128-SHA

×

×

×

×

ECDHE-RSA-AES256-SHA

×

×

×

×

AES128-SHA

×

×

×

×

AES256-SHA

×

×

×

×

ECDHE-ECDSA-AES128-GCM-SHA256

ECDHE-ECDSA-AES128-SHA256

×

ECDHE-ECDSA-AES128-SHA

×

×

×

×

ECDHE-ECDSA-AES256-GCM-SHA384

ECDHE-ECDSA-AES256-SHA384

×

ECDHE-ECDSA-AES256-SHA

×

×

×

×

ECDHE-RSA-AES128-GCM-SHA256

×

×

×

×

×

TLS_AES_256_GCM_SHA384

×

×

×

×

×

×

×

TLS_CHACHA20_POLY1305_SHA256

×

×

×

×

×

×

×

TLS_AES_128_GCM_SHA256

×

×

×

×

×

×

×

TLS_AES_128_CCM_8_SHA256

×

×

×

×

×

×

×

TLS_AES_128_CCM_SHA256

×

×

×

×

×

×

×

DHE-RSA-AES128-SHA

×

×

×

×

×

×

×

×

×

DHE-DSS-AES128-SHA

×

×

×

×

×

×

×

×

×

CAMELLIA128-SHA

×

×

×

×

×

×

×

×

×

EDH-RSA-DES-CBC3-SHA

×

×

×

×

×

×

×

×

×

DES-CBC3-SHA

×

×

×

×

×

×

×

×

×

ECDHE-RSA-RC4-SHA

×

×

×

×

×

×

×

×

×

RC4-SHA

×

×

×

×

×

×

×

×

×

DHE-RSA-AES256-SHA

×

×

×

×

×

×

×

×

×

DHE-DSS-AES256-SHA

×

×

×

×

×

×

×

×

×

DHE-RSA-CAMELLIA256-SHA

×

×

×

×

×

×

×

×

×

ECC-SM4-SM3

×

×

×

×

×

×

×

×

×

ECDHE-SM4-SM3

×

×

×

×

×

×

×

×

×

Table 3 Security policies and compatible browsers and clients

Security Policy

tls-1-0

tls-1-1

tls-1-2

tls-1-0-inherit

tls-1-2-strict

tls-1-0-with-1-3

tls-1-2-fs-with-1-3

tls-1-2-fs

hybrid-policy-1-0

tls-1-2-strict-no-cbc

Android 8.0

Android 9.0

Chrome 70 / Win 10

Chrome 80 / Win 10

Firefox 62 / Win 7

Firefox 73 / Win 10

IE 8 / XP

×

×

×

×

×

IE 8-10 / Win 7

×

×

×

×

×

IE 11 / Win 7

IE 11 / Win 10

Edge 15 / Win 10

Edge 16 / Win 10

Edge 18 / Win 10

Java 8u161

Java 11.0.3

Java 12.0.1

OpenSSL 1.0.2s

OpenSSL 1.1.0k

OpenSSL 1.1.1c

Safari 10 / iOS 10

Safari 10 / OS X 10.12

Safari 12.1.1 / iOS 12.3.1

Creating a Custom Security Policy

ELB allows you to use common TLS security policies to secure data transmission. If you need to use a certain TLS version and disable some cipher suites, you can create a custom security policy and add it to an HTTPS listener to improve service security.

  1. Go to the load balancer list page.
  2. In the navigation pane on the left, choose TLS Security Policies.
  3. On the displayed page, click Create Custom Security Policy in the upper right corner.
  4. Configure the parameters based on Table 4.
    Table 4 Custom security policy parameters

    Parameter

    Description

    Name

    Specifies the name of the custom security policy.

    TLS Version

    Specifies the TLS version supported by the custom security policy.

    You can select multiple versions:

    • TLS 1.0
    • TLS 1.1
    • TLS 1.2
    • TLS 1.3

    Cipher Suite

    Specifies the cipher suites that match the selected TLS versions.

    Description

    Provides supplementary information about the custom security policy.

  5. Click OK.

Managing a Custom Security Policy

After a custom security policy is created, you can modify or delete it.

You can modify the name, TLS version, cipher suite, and description of a custom security policy as required.

  1. Go to the load balancer list page.
  2. In the navigation pane on the left, choose TLS Security Policies.
  3. On the TLS Security Policies page, click Custom Security Policies, locate the custom security policy, and click Modify in the Operation column.
  4. In displayed dialog box, modify the custom security policy as described in Table 4.
  5. Click OK.

You can delete a custom security policy as you need.

If a custom security policy is used by a listener, it cannot be deleted. Disassociate the security policy from the listener first.

  1. Go to the load balancer list page.
  2. In the navigation pane on the left, choose TLS Security Policies.
  3. On the TLS Security Policies page, click Custom Security Policies, locate the custom security policy, and click Delete in the Operation column.
  4. In the displayed dialog box, click OK.

Selecting a Security Policy for an HTTPS Listener

  1. Go to the load balancer list page.
  2. On the displayed page, locate the load balancer and click its name.
  3. Under Listeners, click Add Listener.
  4. On the Add Listener page, set Frontend Protocol to HTTPS.
  5. Expand Advanced Settings and select a security policy.

    You can select a default security policy or a custom security policy.

    If there is no custom security policy, you can create one by referring to Creating a Custom Security Policy.

  6. Confirm the configurations and go to the next step.

Changing a Security Policy for an HTTPS Listener

  1. Go to the load balancer list page.
  2. On the displayed page, locate the load balancer and click its name.
  3. Click Listeners, locate the listener, and click its name.
  4. On the Summary tab, click Edit on the top right.
  5. In the Edit dialog box, expand Advanced Settings and change the security policy.
  6. Click OK.