Server Load Balancer: TLS security policies

Last Updated: Jan 14, 2026

When you configure an HTTPS listener for a Classic Load Balancer (CLB) instance, the TLS security policy for the listener determines the TLS protocol versions and cipher suites used to negotiate a secure connection between the instance and its clients. CLB provides a set of predefined TLS security policies.

How it works

A TLS security policy on a CLB instance defines the supported TLS protocol versions and cipher suites for TLS negotiation. During the TLS handshake, the client sends a list of supported protocol versions and cipher suites in the Client Hello message. Based on the configured policy, the CLB instance selects a mutually supported protocol version and cipher suite combination from the client's list and responds with a Server Hello message. The selected combination determines subsequent steps, such as key exchange and session key generation.

TLS security policies

Various information security standards may require specific TLS security policies for your CLB instance. The following table describes the TLS protocol versions and cipher suites supported by each policy. CLB does not support custom TLS security policies. If you require custom policies, use Application Load Balancer (ALB) or Network Load Balancer (NLB).

For Internet-facing applications without special compatibility requirements, we recommend that you use tls_cipher_policy_1_2 or a stricter policy.

Policy details

TLS protocol versions

| Policy name | tls_cipher_policy_1_0 | tls_cipher_policy_1_1 | tls_cipher_policy_1_2 | tls_cipher_policy_1_2_strict | tls_cipher_policy_1_2_strict_with_1_3 |
| --- | --- | --- | --- | --- | --- |
| v1.0 | Supported | Not supported | Not supported | Not supported | Not supported |
| v1.1 | Supported | Supported | Not supported | Not supported | Not supported |
| v1.2 | Supported | Supported | Supported | Supported | Supported |
| v1.3 | Not supported | Not supported | Not supported | Not supported | Supported |

Cipher suites

| Policy name | tls_cipher_policy_1_0 | tls_cipher_policy_1_1 | tls_cipher_policy_1_2 | tls_cipher_policy_1_2_strict | tls_cipher_policy_1_2_strict_with_1_3 |
| --- | --- | --- | --- | --- | --- |
| ECDHE-RSA-AES128-GCM-SHA256 | Supported | Supported | Supported | Supported | Supported |
| ECDHE-RSA-AES256-GCM-SHA384 | Supported | Supported | Supported | Supported | Supported |
| ECDHE-RSA-AES128-SHA256 | Supported | Supported | Supported | Supported | Supported |
| ECDHE-RSA-AES256-SHA384 | Supported | Supported | Supported | Supported | Supported |
| AES128-GCM-SHA256 | Supported | Supported | Supported | Not supported | Not supported |
| AES256-GCM-SHA384 | Supported | Supported | Supported | Not supported | Not supported |
| AES128-SHA256 | Supported | Supported | Supported | Not supported | Not supported |
| AES256-SHA256 | Supported | Supported | Supported | Not supported | Not supported |
| ECDHE-RSA-AES128-SHA | Supported | Supported | Supported | Supported | Supported |
| ECDHE-RSA-AES256-SHA | Supported | Supported | Supported | Supported | Supported |
| AES128-SHA | Supported | Supported | Supported | Not supported | Not supported |
| AES256-SHA | Supported | Supported | Supported | Not supported | Not supported |
| DES-CBC3-SHA | Supported | Supported | Supported | Not supported | Not supported |
| TLS_AES_256_GCM_SHA384 | Not supported | Not supported | Not supported | Not supported | Supported |
| TLS_CHACHA20_POLY1305_SHA256 | Not supported | Not supported | Not supported | Not supported | Supported |
| TLS_AES_128_CCM_SHA256 | Not supported | Not supported | Not supported | Not supported | Supported |
| TLS_AES_128_CCM_8_SHA256 | Not supported | Not supported | Not supported | Not supported | Supported |
| ECDHE-ECDSA-AES128-GCM-SHA256 | Not supported | Not supported | Not supported | Not supported | Supported |
| ECDHE-ECDSA-AES256-GCM-SHA384 | Not supported | Not supported | Not supported | Not supported | Supported |
| ECDHE-ECDSA-AES128-SHA256 | Not supported | Not supported | Not supported | Not supported | Supported |
| ECDHE-ECDSA-AES256-SHA384 | Not supported | Not supported | Not supported | Not supported | Supported |
| ECDHE-ECDSA-AES128-SHA | Not supported | Not supported | Not supported | Not supported | Supported |
| ECDHE-ECDSA-AES256-SHA | Not supported | Not supported | Not supported | Not supported | Supported |

Configure a TLS security policy for a listener

Console

When you add an HTTPS listener, on the Certificate Management Service step, click Modify next to Advanced Settings. In the expanded section, select a TLS Security Policy.

To modify a TLS security policy: On the instance details page, go to the Listener tab. Click the name of the target HTTPS listener to open the Listener Details dialog box. In the SSL Certificate section, click Manage Certificates to change the TLS Security Policy.

API

When you call the CreateLoadBalancerHTTPSListener operation to create an HTTPS listener or the SetLoadBalancerHTTPSListenerAttribute operation to modify an HTTPS listener, specify the TLS security policy in the TLSCipherPolicy parameter.

Billing

TLS security policies are free of charge. You are charged for purchasing and using CLB instances.

FAQ

How can I define a custom TLS security policy for a CLB instance?

You cannot define custom TLS security policies for a CLB instance. CLB only supports a set of predefined policies.

If you need to configure a custom TLS policy, for example, to meet specific security compliance requirements, use one of the following services instead:

Apply in production

  • TLS protocol version: If your application does not have special compatibility requirements, use TLS 1.2 and TLS 1.3 to ensure security.

  • Rollback: If an issue occurs after you change the TLS security policy, you can immediately roll back the change by modifying the listener configuration. Perform these changes during off-peak hours.
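
The negotiation described under "How it works", applied to the policy table as a compatibility check to run before tightening a listener's policy, in support of the "Apply in production" guidance. This is an added example, not Alibaba Cloud code: the client profiles are constructed, and the model is simplified in that it ignores the certificate type (ECDSA suites need an ECDSA certificate) and the order in which CLB prefers suites.

```python
# Added example: policy data transcribed from the table on this page.
ECDHE_RSA = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
             "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
             "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA"]
RSA_KX = ["AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256",
          "AES256-SHA256", "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"]
TLS13 = ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
         "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256"]
ECDHE_ECDSA = [s.replace("-RSA-", "-ECDSA-") for s in ECDHE_RSA]

POLICIES = {  # policy name -> (protocol versions, cipher suites)
    "tls_cipher_policy_1_0": ({"1.0", "1.1", "1.2"}, ECDHE_RSA + RSA_KX),
    "tls_cipher_policy_1_1": ({"1.1", "1.2"}, ECDHE_RSA + RSA_KX),
    "tls_cipher_policy_1_2": ({"1.2"}, ECDHE_RSA + RSA_KX),
    "tls_cipher_policy_1_2_strict": ({"1.2"}, ECDHE_RSA),
    "tls_cipher_policy_1_2_strict_with_1_3":
        ({"1.2", "1.3"}, ECDHE_RSA + TLS13 + ECDHE_ECDSA),
}

def usable_versions(suite):
    """Protocol versions in which a suite can be negotiated at all."""
    if suite.startswith("TLS_"):      # TLS 1.3 suites
        return {"1.3"}
    if suite.endswith("-SHA"):        # CBC suites with HMAC-SHA1
        return {"1.0", "1.1", "1.2"}
    return {"1.2"}                    # GCM and SHA-256/384 suites need TLS 1.2

def handshake_outcomes(policy, client_versions, client_suites):
    """All (version, suite) pairs the listener and the client could agree on."""
    versions, suites = POLICIES[policy]
    return [(v, s) for v in sorted(versions & set(client_versions), reverse=True)
            for s in client_suites
            if s in suites and v in usable_versions(s)]

# Constructed client profiles (hypothetical, not real fingerprints).
CLIENTS = {
    "legacy-tls10-client": (["1.0"], ["AES128-SHA", "DES-CBC3-SHA"]),
    "rsa-kx-appliance": (["1.2"], ["AES256-GCM-SHA384", "AES128-SHA"]),
    "modern-browser": (["1.2", "1.3"], ["TLS_AES_256_GCM_SHA384",
                                        "ECDHE-RSA-AES128-GCM-SHA256"]),
}

def broken_clients(policy, clients=CLIENTS):
    """Names of clients whose handshake would fail under the policy."""
    return [name for name, (vers, suites) in clients.items()
            if not handshake_outcomes(policy, vers, suites)]

if __name__ == "__main__":
    for policy in POLICIES:
        print(policy, "->", broken_clients(policy) or "all clients connect")
```

Replace the constructed profiles with the versions and suites your real clients offer to see which of them a stricter policy would cut off before you change the listener.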