All Products
Search
Document Center

Server Load Balancer:TLS security policies

Last Updated:Jan 24, 2024

This topic describes how to configure a custom TLS security policy for Application Load Balancer (ALB). In most cases, websites or applications deployed on Alibaba Cloud use HTTPS to encrypt data transmission. ALB provides some commonly used TLS security policies to enhance the security of services that use HTTPS. ALB also allows you to configure custom TLS security policies. For example, you can specify the TLS versions that you want to use, or disable certain TLS cipher suites.

System TLS security policies

System TLS security policies

A TLS security policy consists of TLS versions and cipher suites. A later version supports higher protection but lower compatibility with browsers.

Security policy

Supported TLS version

Supported cipher suite

tls_cipher_policy_1_0

  • TLSv1.0

  • TLSv1.1

  • TLSv1.2

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-RSA-AES256-SHA384

  • AES128-GCM-SHA256

  • AES256-GCM-SHA384

  • AES128-SHA256

  • AES256-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-SHA

  • AES256-SHA

  • DES-CBC3-SHA

tls_cipher_policy_1_1

  • TLSv1.1

  • TLSv1.2

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-RSA-AES256-SHA384

  • AES128-GCM-SHA256

  • AES256-GCM-SHA384

  • AES128-SHA256

  • AES256-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-SHA

  • AES256-SHA

  • DES-CBC3-SHA

tls_cipher_policy_1_2

TLSv1.2

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-RSA-AES256-SHA384

  • AES128-GCM-SHA256

  • AES256-GCM-SHA384

  • AES128-SHA256

  • AES256-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-SHA

  • AES256-SHA

  • DES-CBC3-SHA

tls_cipher_policy_1_2_strict

TLSv1.2

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-RSA-AES256-SHA

tls_cipher_policy_1_2_strict_with_1_3

  • TLSv1.2

  • TLSv1.3

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • TLS_AES_128_CCM_SHA256

  • TLS_AES_128_CCM_8_SHA256

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-RSA-AES256-SHA

Differences between system TLS security policies

In the following table, a check mark (✔) indicates that the cipher suite is supported by the TLS version. A hyphen (-) indicates that the cipher suite is not supported by the TLS version.

Security policy

tls_cipher_policy_1_0

tls_cipher_policy_1_1

tls_cipher_policy_1_2

tls_cipher_policy_1_2_strict

tls_cipher_policy_1_2_strict_with_1_3

TLS

v1.0

-

-

-

-

v1.1

-

-

-

v1.2

v1.3

-

-

-

-

CIPHER

ECDHE-ECDSA-AES128-GCM-SHA256

ECDHE-ECDSA-AES256-GCM-SHA384

ECDHE-ECDSA-AES128-SHA256

ECDHE-ECDSA-AES256-SHA384

ECDHE-RSA-AES128-GCM-SHA256

ECDHE-RSA-AES256-GCM-SHA384

ECDHE-RSA-AES128-SHA256

ECDHE-RSA-AES256-SHA384

AES128-GCM-SHA256

-

-

AES256-GCM-SHA384

-

-

AES128-SHA256

-

-

AES256-SHA256

-

-

ECDHE-ECDSA-AES128-SHA

ECDHE-ECDSA-AES256-SHA

ECDHE-RSA-AES128-SHA

ECDHE-RSA-AES256-SHA

AES128-SHA

-

-

AES256-SHA

-

-

DES-CBC3-SHA

-

-

TLS_AES_128_GCM_SHA256

-

-

-

-

TLS_AES_256_GCM_SHA384

-

-

-

-

TLS_CHACHA20_POLY1305_SHA256

-

-

-

-

TLS_AES_128_CCM_SHA256

-

-

-

-

TLS_AES_128_CCM_8_SHA256

-

-

-

-

Custom TLS security policies

Applicable scenarios

ALB provides some commonly used TLS security policies to enhance the security of services. ALB also allows you to configure custom TLS security policies. For example, you can specify the TLS versions that you want to use, or disable certain TLS cipher suites.

Procedure

To create a custom TLS security policy, perform the following steps:

  1. Log on to the ALB console.

  2. In the left-side navigation pane, choose ALB > TLS Security Policies.

  3. On the TLS Security Policies page, click Create Custom Policy on the Custom Policy tab.

  4. In the Create TLS Security Policy dialog box, set the parameters. The following table describes only the parameters that are relevant to this topic. You can set the other parameters based on your business requirements, or use the default values. After you set the preceding parameters, click Create.

    Parameter

    Description

    Name

    Enter a name for the TLS security policy.

    Minimal Version

    Select the versions of the TLS security policy that you want to create.

    • TLS 1.0 or later

    • TLS 1.1 or later

    • TLS 1.2 or later

    Enable TLS 1.3

    Select whether to enable TLS 1.3.

    Important

    To enable TLS 1.3, you must select a cipher suite that is supported by TLS 1.3. If you do not select the supported cipher suite, the system may fail to create the connection.

    Cipher Suite

    Select cipher suites that are supported by the specified TLS version.

  5. After you create the custom TLS security policy, you must create an HTTPS listener and an SSL certificate. For more information, see Add an HTTPS listener.

References