In most cases, websites or applications deployed on Alibaba Cloud use HTTPS to encrypt data transmission. Classic Load Balancer (CLB) provides some commonly used TLS security policies to enhance the security of services that use HTTPS. You can select TLS security policies to protect your services.
Limits
When you create or configure an HTTPS listener for a high-performance CLB instance, you can select a TLS security policy.
How to configure a TLS security policy
When you add or modify an HTTPS listener, you can click Modify on the right side of Advanced Settings in the Configure SSL Certificate step. Then, select a TLS security policy. For more information, see Add an HTTPS listener.
Supported TLS security policies
A TLS security policy consists of TLS versions and cipher suites. A later version supports higher protection but lower compatibility with browsers.
Security policy | Supported TLS version | Supported cipher suite |
tls_cipher_policy_1_0 |
| ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, and DES-CBC3-SHA |
tls_cipher_policy_1_1 |
| ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, and DES-CBC3-SHA |
tls_cipher_policy_1_2 | TLSv1.2 | ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, and DES-CBC3-SHA |
tls_cipher_policy_1_2_strict | TLSv1.2 | ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA, and ECDHE-RSA-AES256-SHA |
tls_cipher_policy_1_2_strict_with_1_3 |
| TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_CCM_SHA256, TLS_AES_128_CCM_8_SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES128-SHA, and ECDHE-RSA-AES256-SHA |
Differences between TLS security policies
In the following table, a check mark (✔) indicates that the cipher suite is supported by the TLS version. A hyphen (-) indicates that the cipher suite is not supported by the TLS version.
Security policy | tls_cipher_policy_1_0 | tls_cipher_policy_1_1 | tls_cipher_policy_1_2 | tls_cipher_policy_1_2_strict | tls_cipher_policy_1_2_strict_with_1_3 | |
TLS | v1.0 | ✔ | - | - | - | - |
v1.1 | ✔ | ✔ | - | - | - | |
v1.2 | ✔ | ✔ | ✔ | ✔ | ✔ | |
v1.3 | - | - | - | - | ✔ | |
CIPHER | ECDHE-RSA-AES128-GCM-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔ |
ECDHE-RSA-AES256-GCM-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔ | |
ECDHE-RSA-AES128-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔ | |
ECDHE-RSA-AES256-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔ | |
AES128-GCM-SHA256 | ✔ | ✔ | ✔ | - | - | |
AES256-GCM-SHA384 | ✔ | ✔ | ✔ | - | - | |
AES128-SHA256 | ✔ | ✔ | ✔ | - | - | |
AES256-SHA256 | ✔ | ✔ | ✔ | - | - | |
ECDHE-RSA-AES128-SHA | ✔ | ✔ | ✔ | ✔ | ✔ | |
ECDHE-RSA-AES256-SHA | ✔ | ✔ | ✔ | ✔ | ✔ | |
AES128-SHA | ✔ | ✔ | ✔ | - | - | |
AES256-SHA | ✔ | ✔ | ✔ | - | - | |
DES-CBC3-SHA | ✔ | ✔ | ✔ | - | - | |
TLS_AES_256_GCM_SHA384 | - | - | - | - | ✔ | |
TLS_CHACHA20_POLY1305_SHA256 | - | - | - | - | ✔ | |
TLS_AES_128_CCM_SHA256 | - | - | - | - | ✔ | |
TLS_AES_128_CCM_8_SHA256 | - | - | - | - | ✔ | |
ECDHE-ECDSA-AES128-GCM-SHA256 | - | - | - | - | ✔ | |
ECDHE-ECDSA-AES256-GCM-SHA384 | - | - | - | - | ✔ | |
ECDHE-ECDSA-AES128-SHA256 | - | - | - | - | ✔ | |
ECDHE-ECDSA-AES256-SHA384 | - | - | - | - | ✔ | |
ECDHE-ECDSA-AES128-SHA | - | - | - | - | ✔ | |
ECDHE-ECDSA-AES256-SHA | - | - | - | - | ✔ | |
FAQ
Does CLB support custom TLS security policies?
CLB does not support custom TLS security policies.
Application Load Balancer (ALB) and Network Load Balancer (NLB) support custom TLS security policies. If you want to use custom TLS security policies, we recommend that you use ALB or NLB.
For more information about the features and functions of ALB, NLB, and CLB, see What is SLB?
If you want to use Layer 7 listeners, we recommend that you use ALB. For more information, see TLS security policies, Use custom TLS security policies to improve website security, and What is ALB?
If you want to use Layer 4 listeners, we recommend that you use NLB. For more information, see TLS security policies and What is NLB?
References
For more information about how to configure HTTPS listeners, see Add an HTTPS listener and FAQ about Layer 7 listeners that use HTTPS or HTTP.
For more information about how to configure HTTPS for different scenarios, see Configure one-way authentication for HTTPS requests, Configure mutual authentication on an HTTPS listener, Redirect requests from HTTP to HTTPS, and Configure a CLB instance to serve multiple domain names over HTTPS.