TLS Security Policy
When a deployed service is exposed to internet users, HTTPS is normally used to protect data in transit. For HTTPS, the security policy function lets you configure the minimum TLS protocol version and the cipher suites that a listener accepts. When you create and configure an HTTPS listener, you can bind a security policy to it to meet the security requirements of your business.
Predefined Policy
Predefined policies cannot be edited or deleted. The minimum TLS version and the cipher suites supported by each predefined policy are shown in the following table.
Policy Name | Minimum TLS Protocol Version | Supported Cipher Suites |
---|---|---|
Native Policy | TLSv1 | OpenSSL cipher string: ALL:!NULL:!aNULL:!DSS:!RC4:!RC2:!EXP:!LOW |
TLS minimum version 1.2, high security | TLSv1.2 | ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-SHA, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-CHACHA20-POLY1305 |
TLS minimum version 1.1, high security | TLSv1.1 | ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-SHA, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-CHACHA20-POLY1305 |
TLS minimum version 1.0, high security | TLSv1 | ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-SHA, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-CHACHA20-POLY1305 |
TLS minimum version 1.2, medium security | TLSv1.2 | AES128-CCM, AES128-CCM8, AES128-GCM-SHA256, AES128-SHA256, AES256-CCM, AES256-CCM8, AES256-GCM-SHA384, AES256-SHA256, ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-SHA, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-CHACHA20-POLY1305 |
TLS minimum version 1.1, medium security | TLSv1.1 | AES128-CCM, AES128-CCM8, AES128-GCM-SHA256, AES128-SHA256, AES256-CCM, AES256-CCM8, AES256-GCM-SHA384, AES256-SHA256, ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-SHA, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-CHACHA20-POLY1305 |
TLS minimum version 1.0, medium security | TLSv1 | AES128-CCM, AES128-CCM8, AES128-GCM-SHA256, AES128-SHA256, AES256-CCM, AES256-CCM8, AES256-GCM-SHA384, AES256-SHA256, ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-SHA, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-CHACHA20-POLY1305 |
Only TLS version change, minimum version 1.2 (security-tls12o) | TLSv1.2 | Same as Native Policy |
Only TLS version change, minimum version 1.1 (security-tls11o) | TLSv1.1 | Same as Native Policy |
The six version-specific predefined policies differ only in the cipher suites shown in the following table (✔ means the suite is enabled). The high-security policies exclude the suites that use static RSA key exchange, listed at the bottom of the table.
Cipher Suite | Minimum TLS version 1.2, high security | Minimum TLS version 1.1, high security | Minimum TLS version 1.0, high security | Minimum TLS version 1.2, medium security | Minimum TLS version 1.1, medium security | Minimum TLS version 1.0, medium security |
---|---|---|---|---|---|---|
ECDHE-ECDSA-AES128-CCM | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
ECDHE-ECDSA-AES128-CCM8 | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
ECDHE-ECDSA-AES128-GCM-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
ECDHE-ECDSA-AES128-SHA | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
ECDHE-ECDSA-AES128-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
ECDHE-ECDSA-AES256-CCM | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
ECDHE-ECDSA-AES256-CCM8 | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
ECDHE-ECDSA-AES256-GCM-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
ECDHE-ECDSA-AES256-SHA | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
ECDHE-ECDSA-AES256-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
ECDHE-ECDSA-CHACHA20-POLY1305 | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
ECDHE-RSA-AES128-GCM-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
ECDHE-RSA-AES128-SHA | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
ECDHE-RSA-AES128-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
ECDHE-RSA-AES256-GCM-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
ECDHE-RSA-AES256-SHA | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
ECDHE-RSA-AES256-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
ECDHE-RSA-CHACHA20-POLY1305 | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
AES128-CCM | | | | ✔ | ✔ | ✔ |
AES128-CCM8 | | | | ✔ | ✔ | ✔ |
AES128-GCM-SHA256 | | | | ✔ | ✔ | ✔ |
AES128-SHA256 | | | | ✔ | ✔ | ✔ |
AES256-CCM | | | | ✔ | ✔ | ✔ |
AES256-CCM8 | | | | ✔ | ✔ | ✔ |
AES256-GCM-SHA384 | | | | ✔ | ✔ | ✔ |
AES256-SHA256 | | | | ✔ | ✔ | ✔ |
Explanation:
- The highest TLS version supported is TLSv1.3. When TLSv1.3 is negotiated, the cipher suite is taken from the following default TLSv1.3 suites rather than from the policy's suite list:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- In addition to the six predefined policies in the comparison table above, there are two more whose cipher suites are the same as those of the Native Policy:
- security-tls12o: only the TLS version changes, minimum version 1.2
- security-tls11o: only the TLS version changes, minimum version 1.1
- The cipher suites enabled by the high-security predefined policies in the ALB environment are equivalent to the OpenSSL cipher string
ALL:!NULL:!aNULL:!DSS:!RC4:!RC2:!EXP:!LOW:!SSLv3:!CAMELLIA:!ARIA:!3DES:!DH:!DHE:!RSA
- The cipher suites enabled by the medium-security predefined policies in the ALB environment are equivalent to the OpenSSL cipher string
ALL:!NULL:!aNULL:!DSS:!RC4:!RC2:!EXP:!LOW:!SSLv3:!CAMELLIA:!ARIA:!3DES:!DH:!DHE
- The only difference between the two strings is !RSA: the medium-security policies additionally allow the suites that use static RSA key exchange (the AES128-* and AES256-* entries without an ECDHE prefix). Those suites provide no forward secrecy, so a leaked server private key would expose recorded sessions; prefer a high-security policy unless a legacy client requires them.
- TLS 1.0 and TLS 1.1 are deprecated (RFC 8996). Choose a policy with minimum version TLSv1.2 unless you must support clients that cannot negotiate it.
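The cipher strings above are standard OpenSSL syntax, so you can check what they select and confirm that a bound policy behaves as intended without relying on the console. The following is an added example written for this page, not ALB's own code. It builds a local server context from each policy string to expand it, shows that the high and medium policies differ only in static-RSA key-exchange suites and that the TLSv1.3 suites are unaffected, and includes a probe that handshakes with a deployed listener at exactly one TLS version. The exact suite list depends on the local OpenSSL build (it may include PSK suites the ALB build does not), and the probe's host and port are whatever you deploy; nothing is hard-coded to ALB.

```python
import socket
import ssl

# Added example, not ALB's own code. These are the OpenSSL cipher strings the
# page gives for the native, medium-security and high-security policies; the
# medium and high strings are built by appending to the native one.
NATIVE = "ALL:!NULL:!aNULL:!DSS:!RC4:!RC2:!EXP:!LOW"
MEDIUM = NATIVE + ":!SSLv3:!CAMELLIA:!ARIA:!3DES:!DH:!DHE"
HIGH = MEDIUM + ":!RSA"

HAS_TLS13 = ssl.HAS_TLSv1_3


def policy_context(cipher_string, minimum=ssl.TLSVersion.TLSv1_2):
    """Server context equivalent to one policy row: a minimum TLS version
    plus an OpenSSL cipher string. set_ciphers() raises ssl.SSLError if the
    string selects nothing, which catches a typo before a listener is bound."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = minimum
    ctx.set_ciphers(cipher_string)
    return ctx


def expand(cipher_string):
    """Names of the TLS 1.2-and-below suites the string selects on the local
    OpenSSL build. The ALB build may differ in minor ways (for example PSK
    suites), so treat this as a check of the rule, not of the exact ALB list."""
    return [c["name"] for c in policy_context(cipher_string).get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def tls13_suites(cipher_string):
    """TLS 1.3 suites stay enabled whatever the cipher string says, which is
    why the page lists them separately from the policy's suites."""
    return [c["name"] for c in policy_context(cipher_string).get_ciphers()
            if c["protocol"] == "TLSv1.3"]


def dropped_by_high():
    """Suites the medium policy allows but the high policy does not, mapped to
    their key-exchange method. ':!RSA' removes exactly the static-RSA
    key-exchange suites (no forward secrecy), so every value is 'kx-rsa'."""
    high = set(expand(HIGH))
    return {c["name"]: c["kea"] for c in policy_context(MEDIUM).get_ciphers()
            if c["protocol"] != "TLSv1.3" and c["name"] not in high}


def probe(host, port, version):
    """Handshake with a deployed listener using exactly one TLS version.
    Returns (negotiated version, cipher name), or None if the server refused
    that version. After binding a policy with minimum version 1.2, expect None
    for ssl.TLSVersion.TLSv1 and ssl.TLSVersion.TLSv1_1. host and port are
    assumptions supplied by the caller."""
    ctx = ssl.create_default_context()
    # Lower only this client's security level so it may offer legacy versions;
    # on recent OpenSSL builds TLS 1.0/1.1 may otherwise be refused locally,
    # and the probe would report a server rejection that never happened.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except ssl.SSLCertVerificationError:
        raise  # a certificate problem is a separate finding, not a policy verdict
    except ssl.SSLError:
        return None


if __name__ == "__main__":
    print("TLS 1.3 suites (policy-independent):", tls13_suites(HIGH))
    print("high-security suites:", expand(HIGH))
    print("allowed by medium only:", dropped_by_high())
```

Run the module to see the expansion for your local OpenSSL, then call probe("your.listener.example", 443, ssl.TLSVersion.TLSv1_1) against a listener bound to a minimum-1.2 policy; a result other than None means the policy is not in effect on that listener. Connection errors other than TLS failures (closed port, DNS) propagate as OSError rather than being reported as a rejection.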
Custom Policy
You can define your own policy by combining a minimum TLS protocol version with the cipher suites you want to allow.
Create Custom Policy
- Log in to the Application Load Balancer (ALB) Console.
- Select Security Policy Management.
- On the Security Policy List page, click Create Security Policy.
- In the Create Security Policy dialog, complete the following parameters and click Create.
Configuration Item | Description |
---|---|
Name | Enter a custom policy name. |
Minimum TLS Protocol Version | Required. The lowest TLS protocol version the listener will accept; the available versions are TLSv1, TLSv1.1 and TLSv1.2. |
Encryption Algorithm Suite | Select the cipher suites to enable. Only suites supported by the selected minimum TLS version are offered. |
- Once the custom policy is created, you can select it under Advanced Settings when creating an HTTPS listener.
Delete Single Custom Security Policy
- Log in to the Application Load Balancer (ALB) Console.
- Select Security Policy Management.
- On the Security Policy List page, select the custom security policy you want to delete and click Delete.
- In the confirmation pop-up window, check that it is the security policy you intend to delete.
- Click OK to complete the deletion.
Bulk Delete Custom Security Policies
- Log in to the Application Load Balancer (ALB) Console.
- Select Security Policy Management.
- On the Security Policy List page, select the checkboxes to the left of the security policies you want to delete, and click Delete above the list.
- In the confirmation pop-up window, check that these are the security policies you intend to delete.
- Click OK to complete the deletion.
A custom policy that is still bound to a listener (VServer) cannot be deleted. Unbind it from the listener first, then delete it.
Edit Custom Security Policy
You can update custom security policies as needed.
- Log in to the Application Load Balancer (ALB) Console.
- Select Security Policy Management.
- On the Security Policy List page, select the custom policy you want to edit and click Edit in the operation column.
- Set the following information in the Edit Security Policy dialog:
Configuration Item | Description |
---|---|
Name | Enter a custom policy name. |
Minimum TLS Protocol Version | Required. The lowest TLS protocol version the listener will accept; the available versions are TLSv1, TLSv1.1 and TLSv1.2. |
Encryption Algorithm Suite | Select the cipher suites to enable. Only suites supported by the selected minimum TLS version are offered. |
- Click OK to save the changes. The new settings apply to every listener the policy is bound to.