Anti-DDoS Proxy allows you to configure a custom Transport Layer Security (TLS) policy. After you add your website to Anti-DDoS Proxy, you can select TLS protocol versions and cipher suites and configure SM settings for your website based on your business requirements. This topic describes how to configure a custom TLS security policy.
Default TLS protocol versions
Anti-DDoS Proxy (Chinese Mainland) supports both certificates that use internationally accepted algorithms and SM certificates. Anti-DDoS Proxy (Outside Chinese Mainland) supports only certificates that use internationally accepted algorithms. The TLS protocol versions that a protected website supports by default depend on the type of certificate that you upload for it:
Anti-DDoS Proxy (Chinese Mainland): By default, certificates that use internationally accepted algorithms support TLS 1.0, TLS 1.1, and TLS 1.2, and SM certificates support National Transport Layer Security (NTLS) 1.1.
Anti-DDoS Proxy (Outside Chinese Mainland): By default, certificates that use internationally accepted algorithms support TLS 1.1 and TLS 1.2.
Supported TLS protocol versions
If the default configurations cannot meet your business requirements, you can select different TLS protocol versions and cipher suites. The following table describes the TLS protocol versions that you can select for the certificates supported by Anti-DDoS Proxy. For more information about the cipher suites that correspond to different TLS protocol versions, see Procedure.
Anti-DDoS Proxy (Chinese Mainland)
Function plan | Certificate that uses internationally accepted algorithms | SM certificate |
Standard function plan | TLS 1.0, TLS 1.1, and TLS 1.2. You can select only TLS 1.0 and later or TLS 1.2 and later. Note: If you want to use TLS 1.3 or custom cipher suites, upgrade your instance to the Enhanced function plan. For more information, see Upgrade an instance. | NTLS 1.1. You cannot change the TLS protocol versions and cipher suites. |
Enhanced function plan | TLS 1.0, TLS 1.1, and TLS 1.2, with TLS 1.3 as an option. You can select TLS 1.0 and later, TLS 1.1 and later, or TLS 1.2 and later, and you can select custom cipher suites. Note: If you want to use TLS 1.3, you must select Enable TLS 1.3 Support. For more information, see Procedure. | NTLS 1.1. The cipher suites for the SM certificate are fixed. For more information, see Procedure. |
Anti-DDoS Proxy (Outside Chinese Mainland)
Function plan | Certificate that uses internationally accepted algorithms |
Standard function plan | You cannot configure custom TLS security policies. You must upgrade your instance to the Enhanced function plan before you can configure custom TLS security policies. For more information, see Upgrade an instance. |
Enhanced function plan | TLS 1.0, TLS 1.1, and TLS 1.2, with TLS 1.3 as an option. You can select TLS 1.0 and later, TLS 1.1 and later, or TLS 1.2 and later, and you can select custom cipher suites. Note: If you want to use TLS 1.3, you must select Enable TLS 1.3 Support. For more information, see Procedure. |
Scenarios
For example, you have purchased an Anti-DDoS Proxy (Chinese Mainland) instance of the Enhanced function plan and want to disable TLS 1.0 for one of your services because the service must comply with Payment Card Industry Data Security Standard (PCI DSS) 3.2. In this case, you can set the TLS Versions for SSL Certificate parameter to TLS 1.1 and later, which provides good compatibility and medium security. Keep in mind that TLS 1.1 is deprecated as well (RFC 8996 deprecates both TLS 1.0 and TLS 1.1), so select TLS 1.2 and later unless you must support clients that cannot negotiate TLS 1.2. If the clients that access another of your services support TLS 1.3, you can select Enable TLS 1.3 Support for that service.
Prerequisites
A website is added to Anti-DDoS Proxy, and HTTPS is selected for Protocol Type. For more information, see Add one or more websites.
An SSL certificate is uploaded for the website based on your business requirements. For more information, see Upload an HTTPS certificate.
Procedure
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance.
Anti-DDoS Proxy (Chinese Mainland): If your instance is an Anti-DDoS Proxy (Chinese Mainland) instance, select Chinese Mainland.
Anti-DDoS Proxy (Outside Chinese Mainland): If your instance is an Anti-DDoS Proxy (Outside Chinese Mainland), select Outside Chinese Mainland.
In the left-side navigation pane, choose
If you use an Anti-DDoS Proxy (Chinese Mainland) instance, perform the following steps to configure a TLS security policy:
Find the domain name that you want to configure and click TLS Security Settings in the Certificate Status column.
In the TLS Security Settings dialog box, configure the parameters and click OK.
Parameter
Description
TLS Versions for SSL Certificate
Select the TLS versions for your SSL certificate that uses internationally accepted algorithms. Valid values:
Valid values in the Standard function plan:
TLS 1.0 and later. This setting provides the best compatibility but low security: TLS 1.0, TLS 1.1, and TLS 1.2 are supported. This is the default value.
TLS 1.2 and later. This setting provides good compatibility and high security: only TLS 1.2 is supported.
Valid values in the Enhanced function plan:
TLS 1.0 and later. This setting provides the best compatibility but low security: TLS 1.0, TLS 1.1, and TLS 1.2 are supported. This is the default value.
TLS 1.1 and later. This setting provides good compatibility and medium security: TLS 1.1 and TLS 1.2 are supported.
TLS 1.2 and later. This setting provides good compatibility and high security: only TLS 1.2 is supported.
You can select Enable TLS 1.3 Support based on your business requirements.
Cipher Suites for SSL Certificate
Select the cipher suites supported by your SSL certificate that uses internationally accepted algorithms. The available options depend on whether your instance uses the Enhanced function plan or the Standard function plan, and they are listed in the TLS Security Settings dialog box in the Anti-DDoS Proxy console.
Note: To view the cipher suites that are included in an option, move your pointer over the icon of the option.
Enable SM Certificate-based Verification
You can configure this parameter only after you upload an SM certificate. By default, the switch is turned off for the SM certificate that you upload.
Specify whether Anti-DDoS Proxy (Chinese Mainland) processes requests from clients that use SM certificates, such as 360 Secure Browser and the Haitai browser.
If you turn on Enable SM Certificate-based Verification, Anti-DDoS Proxy (Chinese Mainland) can process requests from clients that use SM certificates.
If you turn off Enable SM Certificate-based Verification, Anti-DDoS Proxy (Chinese Mainland) cannot process requests from clients that use SM certificates.
Before you can turn off Enable SM Certificate-based Verification, you must turn off Allow Access Only from SM Certificate-based Clients.
Allow Access Only from SM Certificate-based Clients
Specify whether Anti-DDoS Proxy (Chinese Mainland) processes only requests from clients that use SM certificates. By default, the switch is turned off for an SM certificate that you upload.
If you turn on Allow Access Only from SM Certificate-based Clients, Anti-DDoS Proxy (Chinese Mainland) processes only requests from clients that use SM certificates.
If you turn off Allow Access Only from SM Certificate-based Clients, Anti-DDoS Proxy (Chinese Mainland) processes requests from clients that use either type of certificate: SM certificates or certificates that use internationally accepted algorithms.
Before you can turn on Allow Access Only from SM Certificate-based Clients, you must turn on Enable SM Certificate-based Verification.
SM Cipher Suites for HTTPS Support
After you upload an SM certificate, the following cipher suites are automatically enabled. You cannot select cipher suites for the SM certificate.
ECC-SM2-SM4-CBC-SM3
ECC-SM2-SM4-GCM-SM3
ECDHE-SM2-SM4-CBC-SM3
ECDHE-SM2-SM4-GCM-SM3
If you use an Anti-DDoS Proxy (Outside Chinese Mainland) instance, perform the following steps to configure a TLS security policy:
Note: You can configure a custom TLS security policy only for Anti-DDoS Proxy (Outside Chinese Mainland) instances of the Enhanced function plan.
Find the domain name that you want to configure and click TLS Security Settings in the Certificate Status column.
In the TLS Security Settings dialog box, configure the parameters and click OK.
Parameter
Description
TLS Versions for SSL Certificate
Select the TLS versions for your SSL certificate that uses internationally accepted algorithms. Valid values:
TLS 1.0 and later. This setting provides the best compatibility but low security: TLS 1.0, TLS 1.1, and TLS 1.2 are supported. This is the default value.
TLS 1.1 and later. This setting provides good compatibility and medium security: TLS 1.1 and TLS 1.2 are supported.
TLS 1.2 and later. This setting provides good compatibility and high security: only TLS 1.2 is supported.
You can select Enable TLS 1.3 Support based on your business requirements.
Cipher Suites for SSL Certificate
Select the cipher suites supported by your SSL certificate that uses internationally accepted algorithms. The available options are listed in the TLS Security Settings dialog box.
Note: To view the cipher suites that are included in an option, move your pointer over the icon of the option.
Result
After you configure a custom TLS security policy for your website, Anti-DDoS Proxy negotiates TLS with clients based on that policy. If a client offers only TLS protocol versions or cipher suites that are not specified in the policy, the TLS handshake fails and the requests from that client are not forwarded to your origin server.
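Once the policy is saved, verify it from the outside rather than trusting the dialog box. The following script is an added example, not part of the Anti-DDoS Proxy documentation or product. It probes each protocol version against the protected domain with Python's standard ssl module (the hostname and port are arguments you supply), then maps the observed results back to the TLS Versions for SSL Certificate value and the Enable TLS 1.3 Support state described in the Procedure, and lists any version that RFC 8996 deprecates but that is still accepted. Certificate validation is deliberately disabled because the probe checks version negotiation only, not trust.

```python
"""Probe which TLS protocol versions a protected domain accepts and map the
result back to the TLS Versions for SSL Certificate setting.

Added example; not part of the Anti-DDoS Proxy documentation or product.
Usage: python tls_policy_check.py www.example.com [port]
"""
import socket
import ssl
import sys

# Ordered lowest to highest: the console option is "<lowest version> and later".
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_version(host, version, port=443, timeout=5.0):
    """Attempt a handshake pinned to exactly one protocol version.

    Returns (accepted, negotiated_version_or_None, cipher_or_error_text).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We test version negotiation, not trust, so skip certificate validation.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level;
            # lower it so the probe reflects the server's policy, not ours.
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError, ValueError) as exc:
        # A failed handshake is the "request not forwarded" case from Result.
        return False, None, str(exc)


def infer_policy(results):
    """Translate per-version handshake results into the console setting.

    results maps "TLS 1.0".."TLS 1.3" to True (accepted) or False (refused).
    Returns None if nothing was accepted; otherwise a dict with the inferred
    TLS Versions for SSL Certificate value (None if no option matches), the
    Enable TLS 1.3 Support state, deprecated versions still enabled, and
    whether the accepted pre-1.3 versions form the contiguous range that an
    "X and later" option produces.
    """
    legacy_order = ["TLS 1.0", "TLS 1.1", "TLS 1.2"]
    accepted = [v for v in legacy_order if results.get(v)]
    tls13 = bool(results.get("TLS 1.3"))
    if not accepted and not tls13:
        return None
    if accepted:
        lowest = accepted[0]
        # "X and later" enables every version from X up to TLS 1.2; a hole
        # (1.0 on, 1.1 off, 1.2 on) matches no console option.
        expected = legacy_order[legacy_order.index(lowest):]
        policy = f"{lowest} and later"
        contiguous = accepted == expected
    else:
        policy = None  # TLS 1.3 alone is not a combination the console offers
        contiguous = False
    return {
        "policy": policy,
        "tls13": tls13,
        # RFC 8996 deprecates TLS 1.0 and TLS 1.1.
        "deprecated_enabled": [v for v in ("TLS 1.0", "TLS 1.1") if results.get(v)],
        "contiguous": contiguous,
    }


def main(argv):
    if len(argv) < 2:
        print(__doc__)
        return 2
    host = argv[1]
    port = int(argv[2]) if len(argv) > 2 else 443
    results = {}
    for name, ver in VERSIONS.items():
        ok, negotiated, detail = probe_version(host, ver, port)
        results[name] = ok
        print(f"{name}: {'accepted' if ok else 'refused'} ({negotiated or detail})")
    print(infer_policy(results))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python tls_policy_check.py www.example.com` after each policy change and compare the printed policy with what you selected. The same per-version check can be done by hand with `openssl s_client -tls1_1 -connect www.example.com:443` and the other `-tls1*` flags, but infer_policy also flags a non-contiguous version set, which no console option produces and therefore suggests the domain is not actually being served through the instance (for example, the DNS record still points at the origin server). If your local OpenSSL build has TLS 1.0 or TLS 1.1 compiled out, those probes show as refused regardless of the server; confirm them from a client that still has those versions.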