TLS Security Policy
HTTPS encryption is commonly used for applications that require secure transmission of data, such as banks and finance. ELB allows you to use common TLS security policies to secure data transmission.
When you add HTTPS listeners, you can select the default security policies or create a custom policy to improve security.
A security policy is a combination of TLS protocols of different versions and supported cipher suites.
Default Security Policy
A later TLS version ensures higher HTTPS communication security, but is less compatible with some browsers.
You can use later TLS versions for applications that require enhanced security, and earlier TLS versions for applications that need wider compatibility.
|
Security Policy |
TLS Versions |
Cipher Suites |
|---|---|---|
|
TLS-1-0 |
TLS 1.2 TLS 1.1 TLS 1.0 |
|
|
TLS-1-1 |
TLS 1.2 TLS 1.1 |
|
|
TLS-1-2 |
TLS 1.2 |
|
|
tls-1-0-inherit |
TLS 1.2 TLS 1.1 TLS 1.0 |
|
|
TLS-1-2-Strict |
TLS 1.2 |
|
|
TLS-1-0-WITH-1-3 |
TLS 1.3 TLS 1.2 TLS 1.1 TLS 1.0 |
|
|
TLS-1-2-FS-WITH-1-3 |
TLS 1.3 TLS 1.2 |
|
|
TLS-1-2-FS |
TLS 1.2 |
|
|
hybrid-policy-1-0 |
TLS 1.2 TLS 1.1 |
|
|
tls-1-2-strict-no-cbc |
TLS 1.2 |
|
The above table lists the cipher suites supported by ELB. Generally, clients also support multiple cipher suites. In actual use, the cipher suites supported by ELB and clients are used, and the cipher suites supported by ELB take precedence.
Differences Among Default Security Policies
√ indicates the metric is supported, and x indicates the metric is not supported.
|
Security Policy |
tls-1-0 |
tls-1-1 |
tls-1-2 |
tls-1-0-inherit |
tls-1-2-strict |
tls-1-0-with-1-3 |
tls-1-2-fs-with-1-3 |
tls-1-2-fs |
hybrid-policy-1-0 |
tls-1-2-strict-no-cbc |
|---|---|---|---|---|---|---|---|---|---|---|
|
TLS version |
||||||||||
|
Protocol-TLS 1.3 |
× |
× |
× |
× |
× |
√ |
√ |
√ |
× |
× |
|
Protocol-TLS 1.2 |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
|
Protocol-TLS 1.1 |
√ |
√ |
× |
√ |
× |
√ |
× |
× |
√ |
× |
|
Protocol-TLS 1.0 |
√ |
× |
× |
√ |
× |
√ |
× |
× |
× |
× |
|
Cipher suite |
||||||||||
|
ECDHE-RSA-AES128-GCM-SHA256 |
√ |
√ |
√ |
× |
√ |
× |
× |
× |
× |
√ |
|
ECDHE-RSA-AES256-GCM-SHA384 |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
|
ECDHE-RSA-AES128-SHA256 |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
× |
|
ECDHE-RSA-AES256-SHA384 |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
× |
|
AES128-GCM-SHA256 |
√ |
√ |
√ |
√ |
√ |
√ |
× |
× |
√ |
× |
|
AES256-GCM-SHA384 |
√ |
√ |
√ |
√ |
√ |
√ |
× |
× |
√ |
× |
|
AES128-SHA256 |
√ |
√ |
√ |
√ |
√ |
√ |
× |
× |
√ |
× |
|
AES256-SHA256 |
√ |
√ |
√ |
√ |
√ |
√ |
× |
× |
√ |
× |
|
ECDHE-RSA-AES128-SHA |
√ |
√ |
√ |
√ |
× |
√ |
× |
× |
√ |
× |
|
ECDHE-RSA-AES256-SHA |
√ |
√ |
√ |
√ |
× |
√ |
× |
× |
√ |
× |
|
AES128-SHA |
√ |
√ |
√ |
√ |
× |
√ |
× |
× |
√ |
× |
|
AES256-SHA |
√ |
√ |
√ |
√ |
× |
√ |
× |
× |
√ |
× |
|
ECDHE-ECDSA-AES128-GCM-SHA256 |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
|
ECDHE-ECDSA-AES128-SHA256 |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
× |
|
ECDHE-ECDSA-AES128-SHA |
√ |
√ |
√ |
√ |
× |
√ |
× |
× |
√ |
× |
|
ECDHE-ECDSA-AES256-GCM-SHA384 |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
|
ECDHE-ECDSA-AES256-SHA384 |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
× |
|
ECDHE-ECDSA-AES256-SHA |
√ |
√ |
√ |
√ |
× |
√ |
× |
× |
√ |
× |
|
ECDHE-RSA-AES128-GCM-SHA256 |
× |
× |
× |
√ |
× |
√ |
√ |
√ |
√ |
× |
|
TLS_AES_256_GCM_SHA384 |
× |
× |
× |
× |
× |
√ |
√ |
√ |
× |
× |
|
TLS_CHACHA20_POLY1305_SHA256 |
× |
× |
× |
× |
× |
√ |
√ |
√ |
× |
× |
|
TLS_AES_128_GCM_SHA256 |
× |
× |
× |
× |
× |
√ |
√ |
√ |
× |
× |
|
TLS_AES_128_CCM_8_SHA256 |
× |
× |
× |
× |
× |
√ |
√ |
√ |
× |
× |
|
TLS_AES_128_CCM_SHA256 |
× |
× |
× |
× |
× |
√ |
√ |
√ |
× |
× |
|
DHE-RSA-AES128-SHA |
× |
× |
× |
√ |
× |
× |
× |
× |
× |
× |
|
DHE-DSS-AES128-SHA |
× |
× |
× |
√ |
× |
× |
× |
× |
× |
× |
|
CAMELLIA128-SHA |
× |
× |
× |
√ |
× |
× |
× |
× |
× |
× |
|
EDH-RSA-DES-CBC3-SHA |
× |
× |
× |
√ |
× |
× |
× |
× |
× |
× |
|
DES-CBC3-SHA |
× |
× |
× |
√ |
× |
× |
× |
× |
× |
× |
|
ECDHE-RSA-RC4-SHA |
× |
× |
× |
√ |
× |
× |
× |
× |
× |
× |
|
RC4-SHA |
× |
× |
× |
√ |
× |
× |
× |
× |
× |
× |
|
DHE-RSA-AES256-SHA |
× |
× |
× |
√ |
× |
× |
× |
× |
× |
× |
|
DHE-DSS-AES256-SHA |
× |
× |
× |
√ |
× |
× |
× |
× |
× |
× |
|
DHE-RSA-CAMELLIA256-SHA |
× |
× |
× |
√ |
× |
× |
× |
× |
× |
× |
|
ECC-SM4-SM3 |
× |
× |
× |
× |
× |
× |
× |
× |
√ |
× |
|
ECDHE-SM4-SM3 |
× |
× |
× |
× |
× |
× |
× |
× |
√ |
× |
|
Security Policy |
tls-1-0 |
tls-1-1 |
tls-1-2 |
tls-1-0-inherit |
tls-1-2-strict |
tls-1-0-with-1-3 |
tls-1-2-fs-with-1-3 |
tls-1-2-fs |
hybrid-policy-1-0 |
tls-1-2-strict-no-cbc |
|---|---|---|---|---|---|---|---|---|---|---|
|
Android 8.0 |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
|
Android 9.0 |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
|
Chrome 70 / Win 10 |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
|
Chrome 80 / Win 10 |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
|
Firefox 62 / Win 7 |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
|
Firefox 73 / Win 10 |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
|
IE 8 / XP |
√ |
√ |
√ |
√ |
× |
√ |
× |
× |
× |
× |
|
IE 8-10 / Win 7 |
√ |
√ |
√ |
√ |
× |
√ |
× |
× |
× |
× |
|
IE 11 / Win 7 |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
|
IE 11 / Win 10 |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
|
Edge 15 / Win 10 |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
|
Edge 16 / Win 10 |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
|
Edge 18 / Win 10 |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
|
Java 8u161 |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
|
Java 11.0.3 |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
|
Java 12.0.1 |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
|
OpenSSL 1.0.2s |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
|
OpenSSL 1.1.0k |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
|
OpenSSL 1.1.1c |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
|
Safari 10 / iOS 10 |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
|
Safari 10 / OS X 10.12 |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
|
Safari 12.1.1 / iOS 12.3.1 |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
√ |
Creating a Custom Security Policy
ELB allows you to use common TLS security policies to secure data transmission. If you need to use a certain TLS version and disable some cipher suites, you can create a custom security policy and add it to an HTTPS listener to improve service security.
- Go to the load balancer list page.
- In the navigation pane on the left, choose TLS Security Policies.
- On the displayed page, click Create Custom Security Policy in the upper right corner.
- Configure the parameters based on Table 4.
Table 4 Custom security policy parameters Parameter
Description
Name
Specifies the name of the custom security policy.
TLS Version
Specifies the TLS version supported by the custom security policy.
You can select multiple versions:
- TLS 1.0
- TLS 1.1
- TLS 1.2
- TLS 1.3
Cipher Suite
Specifies the cipher suites that match the selected TLS versions.
Description
Provides supplementary information about the custom security policy.
- Click OK.
Managing a Custom Security Policy
After a custom security policy is created, you can modify or delete it.
You can modify the name, TLS version, cipher suite, and description of a custom security policy as required.
- Go to the load balancer list page.
- In the navigation pane on the left, choose TLS Security Policies.
- On the TLS Security Policies page, click Custom Security Policies, locate the custom security policy, and click Modify in the Operation column.
- In displayed dialog box, modify the custom security policy as described in Table 4.
- Click OK.
You can delete a custom security policy as you need.
If a custom security policy is used by a listener, it cannot be deleted. Disassociate the security policy from the listener first.
- Go to the load balancer list page.
- In the navigation pane on the left, choose TLS Security Policies.
- On the TLS Security Policies page, click Custom Security Policies, locate the custom security policy, and click Delete in the Operation column.
- In the displayed dialog box, click OK.
Selecting a Security Policy for an HTTPS Listener
- Go to the load balancer list page.
- On the displayed page, locate the load balancer and click its name.
- Under Listeners, click Add Listener.
- On the Add Listener page, set Frontend Protocol to HTTPS.
- Expand Advanced Settings and select a security policy.
You can select a default security policy or a custom security policy.
If there is no custom security policy, you can create one by referring to Creating a Custom Security Policy.
- Confirm the configurations and go to the next step.
Changing a Security Policy for an HTTPS Listener
- Go to the load balancer list page.
- On the displayed page, locate the load balancer and click its name.
- Click Listeners, locate the listener, and click its name.
- On the Summary tab, click Edit on the top right.
- In the Edit dialog box, expand Advanced Settings and change the security policy.
- Click OK.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
