為Global Acceleration執行個體配置HTTPS監聽時,支援選擇TLS安全性原則。系統預設選擇tls_cipher_policy_1_0安全性原則,若您有更高的安全要求,可以根據需要選擇更高等級的TLS安全性原則。
TLS安全性原則
TLS安全性原則包含HTTPS可選的TLS協議版本和配套的密碼編譯演算法套件。TLS協議版本越高,HTTPS通訊的安全性越高,但是相較於低版本TLS協議,高版本TLS協議對瀏覽器的相容性較差。TLS安全性原則對應的TLS協議版本和配套的密碼編譯演算法套件如下:
安全性原則 | 支援TLS版本 | 支援密碼編譯演算法套件 |
tls_cipher_policy_1_0 | TLSv1.0、TLSv1.1和TLSv1.2 |
|
tls_cipher_policy_1_1 | TLSv1.1和TLSv1.2 |
|
tls_cipher_policy_1_2 | TLSv1.2 |
|
tls_cipher_policy_1_2_strict | TLSv1.2 |
|
tls_cipher_policy_1_2_strict_with_1_3 | TLSv1.2及TLSv1.3 |
|
TLS安全性原則支援的密碼編譯演算法套件
安全性原則 | tls_cipher_policy_1_0 | tls_cipher_policy_1_1 | tls_cipher_policy_1_2 | tls_cipher_policy_1_2_strict | tls_cipher_policy_1_2_strict_with_1_3 | |
TLS | 1.2、1.1及1.0 | 1.1及1.2 | 1.2 | 1.2 | 1.2及1.3 | |
CIPHER | ECDHE-RSA-AES128-GCM-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔ |
ECDHE-RSA-AES256-GCM-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔ | |
ECDHE-RSA-AES128-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔ | |
ECDHE-RSA-AES256-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔ | |
AES128-GCM-SHA256 | ✔ | ✔ | ✔ | - | - | |
AES256-GCM-SHA384 | ✔ | ✔ | ✔ | - | - | |
AES128-SHA256 | ✔ | ✔ | ✔ | - | - | |
AES256-SHA256 | ✔ | ✔ | ✔ | - | - | |
ECDHE-RSA-AES128-SHA | ✔ | ✔ | ✔ | ✔ | ✔ | |
ECDHE-RSA-AES256-SHA | ✔ | ✔ | ✔ | ✔ | ✔ | |
AES128-SHA | ✔ | ✔ | ✔ | - | - | |
AES256-SHA | ✔ | ✔ | ✔ | - | - | |
DES-CBC3-SHA | ✔ | ✔ | ✔ | - | - | |
TLS_AES_128_GCM_SHA256 | - | - | - | - | ✔ | |
TLS_AES_256_GCM_SHA384 | - | - | - | - | ✔ | |
TLS_CHACHA20_POLY1305_SHA256 | - | - | - | - | ✔ | |
TLS_AES_128_CCM_SHA256 | - | - | - | - | ✔ | |
TLS_AES_128_CCM_8_SHA256 | - | - | - | - | ✔ | |
ECDHE-ECDSA-AES128-GCM-SHA256 | - | - | - | - | ✔ | |
ECDHE-ECDSA-AES256-GCM-SHA384 | - | - | - | - | ✔ | |
ECDHE-ECDSA-AES128-SHA256 | - | - | - | - | ✔ | |
ECDHE-ECDSA-AES256-SHA384 | - | - | - | - | ✔ | |
ECDHE-ECDSA-AES128-SHA | - | - | - | - | ✔ | |
ECDHE-ECDSA-AES256-SHA | - | - | - | - | ✔ |
上表中的✔表示支援,-表示不支援。
選擇TLS安全性原則
在您添加或者配置HTTPS監聽時,系統預設選擇tls_cipher_policy_1_0安全性原則。您可以通過修改進階配置選擇TLS安全性原則。具體操作,請參見添加HTTP或HTTPS協議監聽。