Most websites or applications deployed on Alibaba Cloud use HTTPS to encrypt data transmission. ALB provides commonly used TLS security policies to enhance the security of services that use HTTPS. ALB also lets you configure custom TLS security policies. For example, you can specify which TLS versions to use or disable specific TLS cipher suites.
System TLS security policies
A TLS security policy consists of a set of TLS protocol versions and a set of cipher suites. Policies that require newer TLS versions and drop weak cipher suites provide stronger protection but exclude older browsers and clients, so choose the strictest policy your client population can still negotiate.
| Security policy | Supported TLS versions | Supported cipher suites |
|---|---|---|
| tls_cipher_policy_1_0 | TLSv1.0, TLSv1.1, TLSv1.2 | ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA, AES128-SHA, AES256-SHA, DES-CBC3-SHA |
| tls_cipher_policy_1_1 | TLSv1.1, TLSv1.2 | Same suites as tls_cipher_policy_1_0 |
| tls_cipher_policy_1_2 | TLSv1.2 | Same suites as tls_cipher_policy_1_0 |
| tls_cipher_policy_1_2_strict | TLSv1.2 | ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA |
| tls_cipher_policy_1_2_strict_with_1_3 | TLSv1.2, TLSv1.3 | The ECDHE suites of tls_cipher_policy_1_2_strict plus the TLS 1.3 suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_CCM_SHA256, TLS_AES_128_CCM_8_SHA256 |

The two strict policies remove the static-RSA key exchange suites (AES*-SHA*, AES*-GCM-*) and the 3DES suite DES-CBC3-SHA, leaving only ECDHE suites that provide forward secrecy.
Differences between system TLS security policies
The following table lists the TLS protocol versions and cipher suites supported by each system policy. A check mark (✔) indicates that the item is supported; a hyphen (-) indicates that it is not.

| Category | TLS version or cipher suite | tls_cipher_policy_1_0 | tls_cipher_policy_1_1 | tls_cipher_policy_1_2 | tls_cipher_policy_1_2_strict | tls_cipher_policy_1_2_strict_with_1_3 |
|---|---|---|---|---|---|---|
| TLS | v1.0 | ✔ | - | - | - | - |
| TLS | v1.1 | ✔ | ✔ | - | - | - |
| TLS | v1.2 | ✔ | ✔ | ✔ | ✔ | ✔ |
| TLS | v1.3 | - | - | - | - | ✔ |
| CIPHER | ECDHE-ECDSA-AES128-GCM-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔ |
| CIPHER | ECDHE-ECDSA-AES256-GCM-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔ |
| CIPHER | ECDHE-ECDSA-AES128-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔ |
| CIPHER | ECDHE-ECDSA-AES256-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔ |
| CIPHER | ECDHE-RSA-AES128-GCM-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔ |
| CIPHER | ECDHE-RSA-AES256-GCM-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔ |
| CIPHER | ECDHE-RSA-AES128-SHA256 | ✔ | ✔ | ✔ | ✔ | ✔ |
| CIPHER | ECDHE-RSA-AES256-SHA384 | ✔ | ✔ | ✔ | ✔ | ✔ |
| CIPHER | AES128-GCM-SHA256 | ✔ | ✔ | ✔ | - | - |
| CIPHER | AES256-GCM-SHA384 | ✔ | ✔ | ✔ | - | - |
| CIPHER | AES128-SHA256 | ✔ | ✔ | ✔ | - | - |
| CIPHER | AES256-SHA256 | ✔ | ✔ | ✔ | - | - |
| CIPHER | ECDHE-ECDSA-AES128-SHA | ✔ | ✔ | ✔ | ✔ | ✔ |
| CIPHER | ECDHE-ECDSA-AES256-SHA | ✔ | ✔ | ✔ | ✔ | ✔ |
| CIPHER | ECDHE-RSA-AES128-SHA | ✔ | ✔ | ✔ | ✔ | ✔ |
| CIPHER | ECDHE-RSA-AES256-SHA | ✔ | ✔ | ✔ | ✔ | ✔ |
| CIPHER | AES128-SHA | ✔ | ✔ | ✔ | - | - |
| CIPHER | AES256-SHA | ✔ | ✔ | ✔ | - | - |
| CIPHER | DES-CBC3-SHA | ✔ | ✔ | ✔ | - | - |
| CIPHER | TLS_AES_128_GCM_SHA256 | - | - | - | - | ✔ |
| CIPHER | TLS_AES_256_GCM_SHA384 | - | - | - | - | ✔ |
| CIPHER | TLS_CHACHA20_POLY1305_SHA256 | - | - | - | - | ✔ |
| CIPHER | TLS_AES_128_CCM_SHA256 | - | - | - | - | ✔ |
| CIPHER | TLS_AES_128_CCM_8_SHA256 | - | - | - | - | ✔ |
| CIPHER | ECDHE-ECDSA-CHACHA20-POLY1305 | - | - | - | - | - |
| CIPHER | ECDHE-RSA-CHACHA20-POLY1305 | - | - | - | - | - |
Custom TLS security policies
Applicable scenarios
The system TLS security policies cover common requirements. When none of them matches your compliance or client-compatibility needs, you can configure a custom TLS security policy: for example, you can specify the minimum TLS version to accept, enable TLS 1.3, or remove specific cipher suites that a vulnerability scanner or your security baseline flags.
Limitations
Basic ALB instances do not support custom TLS security policies.
For standard and WAF-enabled ALB instances, only HTTPS listeners support custom TLS security policies.
How to configure a custom policy
To create a custom TLS security policy, perform the following steps:
1. Log on to the ALB console.
2. In the navigation pane on the left, open the TLS Security Policies page.
3. On the Custom Policy tab, click Create Custom Policy.
4. In the Create TLS Security Policy dialog box, set the parameters. The following table describes only the parameters relevant to this topic. You can set the other parameters as needed or use the default values. After setting these parameters, click Create.

| Parameter | Description |
|---|---|
| Name | Enter a name for the custom policy. |
| Minimal Version | Select the lowest TLS version that the policy accepts: TLS 1.0 Or Later, TLS 1.1 Or Later, or TLS 1.2 Or Later. All higher versions up to TLS 1.2 are accepted as well. |
| Enable TLS 1.3 | Select whether to enable TLS 1.3. Important: If you enable TLS 1.3, you must also select at least one cipher suite that TLS 1.3 supports (TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_CCM_SHA256, or TLS_AES_128_CCM_8_SHA256). TLS 1.2 suites cannot be used in a TLS 1.3 handshake, so a policy with TLS 1.3 enabled and no TLS 1.3 suite can cause clients that negotiate TLS 1.3 to fail to connect. |
| Cipher Suite | Select the cipher suites that the policy allows. Only suites supported by the selected TLS versions take effect. |

After you create the custom TLS security policy, it takes effect only once it is attached to an HTTPS listener: create an HTTPS listener (which also requires an SSL certificate) or edit an existing one, and select the custom policy as its TLS security policy. For more information, see Add an HTTPS listener.
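The following script is an added example, not Alibaba Cloud code, that models how the policies above constrain a handshake and catches the mistake described in the Important note before the policy is attached to a listener. The TLS version and cipher suite sets are transcribed from the tables on this page; the negotiation rule (highest mutually supported version first, then the first server-preferred suite valid for that version, with no fallback from TLS 1.3 to 1.2 when no TLS 1.3 suite matches) is a simplified model of a TLS server, and the suite ordering, helper names and sample clients are assumptions made for illustration.

```python
"""Model of how an ALB TLS security policy constrains a TLS handshake.

Added example, not Alibaba Cloud code. Version and suite sets come from the
policy tables on this page; ordering, names and sample clients are assumed.
"""
from dataclasses import dataclass

# TLS 1.3 suites (IANA names); usable only when TLS 1.3 is negotiated.
TLS13_SUITES = frozenset({
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
})
# ECDHE suites present in every system policy (forward secrecy).
ECDHE_SUITES = (
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES256-SHA",
    "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
)
# Static-RSA and 3DES suites: no forward secrecy; the strict policies drop them.
LEGACY_SUITES = (
    "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256", "AES256-SHA256",
    "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA",
)


class HandshakeError(Exception):
    """The modelled client and policy cannot agree on version or suite."""


@dataclass(frozen=True)
class TlsPolicy:
    name: str
    versions: frozenset   # e.g. frozenset({"1.2", "1.3"})
    suites: tuple         # assumed server preference order


SYSTEM_POLICIES = {
    "tls_cipher_policy_1_0": TlsPolicy(
        "tls_cipher_policy_1_0", frozenset({"1.0", "1.1", "1.2"}), ECDHE_SUITES + LEGACY_SUITES),
    "tls_cipher_policy_1_1": TlsPolicy(
        "tls_cipher_policy_1_1", frozenset({"1.1", "1.2"}), ECDHE_SUITES + LEGACY_SUITES),
    "tls_cipher_policy_1_2": TlsPolicy(
        "tls_cipher_policy_1_2", frozenset({"1.2"}), ECDHE_SUITES + LEGACY_SUITES),
    "tls_cipher_policy_1_2_strict": TlsPolicy(
        "tls_cipher_policy_1_2_strict", frozenset({"1.2"}), ECDHE_SUITES),
    "tls_cipher_policy_1_2_strict_with_1_3": TlsPolicy(
        "tls_cipher_policy_1_2_strict_with_1_3", frozenset({"1.2", "1.3"}),
        tuple(sorted(TLS13_SUITES)) + ECDHE_SUITES),
}


def negotiate(policy, client_versions, client_suites):
    """Return the (version, suite) the policy selects for this client.

    As in real TLS, once 1.3 is chosen only TLS 1.3 suites are considered, so a
    policy with TLS 1.3 enabled but no TLS 1.3 suite rejects every
    TLS 1.3-capable client instead of falling back to TLS 1.2.
    """
    common = policy.versions & frozenset(client_versions)
    if not common:
        raise HandshakeError(f"{policy.name}: no common protocol version")
    version = max(common)            # "1.0" < "1.1" < "1.2" < "1.3" as strings
    want_tls13 = version == "1.3"
    for suite in policy.suites:      # server preference order
        if (suite in TLS13_SUITES) == want_tls13 and suite in client_suites:
            return version, suite
    raise HandshakeError(f"{policy.name}: no shared cipher for TLS {version}")


def compatible_policies(client_versions, client_suites):
    """Names of the system policies this client could connect through."""
    names = []
    for name, policy in SYSTEM_POLICIES.items():
        try:
            negotiate(policy, client_versions, client_suites)
            names.append(name)
        except HandshakeError:
            pass
    return names


def build_custom_policy(name, minimal_version, enable_tls13, suites):
    """Model the Minimal Version, Enable TLS 1.3 and Cipher Suite fields."""
    versions = {v for v in ("1.0", "1.1", "1.2") if v >= minimal_version}
    if enable_tls13:
        versions.add("1.3")
    return TlsPolicy(name, frozenset(versions), tuple(suites))


def validate(policy):
    """Problems to fix before attaching a custom policy to a listener."""
    problems = []
    if "1.3" in policy.versions and not TLS13_SUITES & set(policy.suites):
        problems.append("TLS 1.3 enabled but no TLS 1.3 suite: TLS 1.3 clients cannot connect")
    if "1.2" in policy.versions and not set(policy.suites) - TLS13_SUITES:
        problems.append("only TLS 1.3 suites selected: TLS 1.2 clients cannot connect")
    if policy.versions & {"1.0", "1.1"}:
        problems.append("TLS 1.0/1.1 enabled (deprecated by RFC 8996)")
    weak = [s for s in policy.suites if s in LEGACY_SUITES]
    if weak:
        problems.append("suites without forward secrecy: " + ", ".join(weak))
    return problems


if __name__ == "__main__":
    # Constructed client: a modern browser offering TLS 1.2 and 1.3.
    print(compatible_policies(["1.2", "1.3"],
                              ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256"]))
    # The mistake from the Important note: TLS 1.3 on, only a TLS 1.2 suite chosen.
    bad = build_custom_policy("demo", "1.2", True, ["ECDHE-RSA-AES128-GCM-SHA256"])
    print(validate(bad))
```

Run `validate()` on the version and suite selection you intend to enter in the console before creating the policy; the first check reproduces the TLS 1.3 failure mode exactly, and the remaining checks flag the deprecated protocol versions and non-forward-secret suites that the strict system policies already exclude. The model does not replace testing the live listener with a TLS client after the policy is attached.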
References
For more information about how to configure an HTTPS listener for ALB, see Add an HTTPS listener.
For more information about how to use custom TLS security policies to enhance security, see Use custom TLS security policies to improve website security.
For more information about how to configure HTTPS for different scenarios, see Configure end-to-end HTTPS encryption for data transfers, Configure an ALB instance to serve multiple domain names over HTTPS, Configure mutual authentication on an HTTPS listener, and Redirect HTTP requests to an HTTPS listener.