HTTPS encryption is commonly used for applications that require secure data transmission, such as banks and finance. ELB allows you to use common TLS security policies to secure data transmission.
When you add HTTPS listeners, you can select the default security policies or create a custom policy by referring to Creating a Custom Security Policy to improve security.
A security policy is a combination of TLS protocols of different versions and supported cipher suites.
Default Security Policies
A later TLS version ensures higher HTTPS communication security, but is less compatible with some browsers.
You can use later TLS versions for applications that require enhanced security, and earlier TLS versions for applications that need wider compatibility.
Security Policy | TLS Versions | Cipher Suites |
|---|---|---|
tls-1-0 | TLS 1.2 TLS 1.1 TLS 1.0 |
|
tls-1-1 | TLS 1.2 TLS 1.1 | |
tls-1-2 | TLS 1.2 | |
tls-1-0-inherit | TLS 1.2 TLS 1.1 TLS 1.0 |
|
tls-1-2-strict | TLS 1.2 |
|
tls-1-0-with-1-3 | TLS 1.3 TLS 1.2 TLS 1.1 TLS 1.0 |
|
tls-1-2-fs-with-1-3 | TLS 1.3 TLS 1.2 |
|
tls-1-2-fs | TLS 1.2 |
|
tls-1-2-strict-no-cbc | TLS 1.2 |
|
The above table lists the cipher suites supported by ELB. Generally, clients also support multiple cipher suites. In actual use, the cipher suites supported both by ELB and clients are used, and the cipher suites supported by ELB take precedence.
Differences Among Default Security Policies
√ indicates the item is supported, and x indicates the item is not supported.
Security Policy | tls-1-0 | tls-1-1 | tls-1-2 | tls-1-0-inherit | tls-1-2-strict | tls-1-0-with-1-3 | tls-1-2-fs-with-1-3 | tls-1-2-fs | tls-1-2-strict-no-cbc |
|---|---|---|---|---|---|---|---|---|---|
Protocol-TLS 1.3 | × | × | × | × | × | √ | √ | √ | × |
Protocol-TLS 1.2 | √ | √ | √ | √ | √ | √ | √ | √ | √ |
Protocol-TLS 1.1 | √ | √ | × | √ | × | √ | × | × | × |
Protocol-TLS 1.0 | √ | × | × | √ | × | √ | × | × | × |
Security Policy | tls-1-0 | tls-1-1 | tls-1-2 | tls-1-0-inherit | tls-1-2-strict | tls-1-0-with-1-3 | tls-1-2-fs-with-1-3 | tls-1-2-fs | tls-1-2-strict-no-cbc |
|---|---|---|---|---|---|---|---|---|---|
ECDHE-RSA-AES128-GCM-SHA256 | √ | √ | √ | × | √ | × | × | × | √ |
ECDHE-RSA-AES256-GCM-SHA384 | √ | √ | √ | √ | √ | √ | √ | √ | √ |
ECDHE-RSA-AES128-SHA256 | √ | √ | √ | √ | √ | √ | √ | √ | × |
ECDHE-RSA-AES256-SHA384 | √ | √ | √ | √ | √ | √ | √ | √ | × |
AES128-GCM-SHA256 | √ | √ | √ | √ | √ | √ | × | × | × |
AES256-GCM-SHA384 | √ | √ | √ | √ | √ | √ | × | × | × |
AES128-SHA256 | √ | √ | √ | √ | √ | √ | × | × | × |
AES256-SHA256 | √ | √ | √ | √ | √ | √ | × | × | × |
ECDHE-RSA-AES128-SHA | √ | √ | √ | √ | × | √ | × | × | × |
ECDHE-RSA-AES256-SHA | √ | √ | √ | √ | × | √ | × | × | × |
AES128-SHA | √ | √ | √ | √ | × | √ | × | × | × |
AES256-SHA | √ | √ | √ | √ | × | √ | × | × | × |
ECDHE-ECDSA-AES128-GCM-SHA256 | √ | √ | √ | √ | √ | √ | √ | √ | √ |
ECDHE-ECDSA-AES128-SHA256 | √ | √ | √ | √ | √ | √ | √ | √ | × |
ECDHE-ECDSA-AES128-SHA | √ | √ | √ | √ | × | √ | × | × | × |
ECDHE-ECDSA-AES256-GCM-SHA384 | √ | √ | √ | √ | √ | √ | √ | √ | √ |
ECDHE-ECDSA-AES256-SHA384 | √ | √ | √ | √ | √ | √ | √ | √ | × |
ECDHE-ECDSA-AES256-SHA | √ | √ | √ | √ | × | √ | × | × | × |
ECDHE-RSA-AES128-GCM-SHA256 | × | × | × | √ | × | √ | √ | √ | × |
TLS_AES_256_GCM_SHA384 | × | × | × | × | × | √ | √ | √ | × |
TLS_CHACHA20_POLY1305_SHA256 | × | × | × | × | × | √ | √ | √ | × |
TLS_AES_128_GCM_SHA256 | × | × | × | × | × | √ | √ | √ | × |
TLS_AES_128_CCM_8_SHA256 | × | × | × | × | × | √ | √ | √ | × |
TLS_AES_128_CCM_SHA256 | × | × | × | × | × | √ | √ | √ | × |
DHE-RSA-AES128-SHA | × | × | × | √ | × | × | × | × | × |
DHE-DSS-AES128-SHA | × | × | × | √ | × | × | × | × | × |
CAMELLIA128-SHA | × | × | × | √ | × | × | × | × | × |
EDH-RSA-DES-CBC3-SHA | × | × | × | √ | × | × | × | × | × |
DES-CBC3-SHA | × | × | × | √ | × | × | × | × | × |
ECDHE-RSA-RC4-SHA | × | × | × | √ | × | × | × | × | × |
RC4-SHA | × | × | × | √ | × | × | × | × | × |
DHE-RSA-AES256-SHA | × | × | × | √ | × | × | × | × | × |
DHE-DSS-AES256-SHA | × | × | × | √ | × | × | × | × | × |
DHE-RSA-CAMELLIA256-SHA | × | × | × | √ | × | × | × | × | × |
Security Policy | tls-1-0 | tls-1-1 | tls-1-2 | tls-1-0-inherit | tls-1-2-strict | tls-1-0-with-1-3 | tls-1-2-fs-with-1-3 | tls-1-2-fs | tls-1-2-strict-no-cbc |
|---|---|---|---|---|---|---|---|---|---|
Android 8.0 | √ | √ | √ | √ | √ | √ | √ | √ | √ |
Android 9.0 | √ | √ | √ | √ | √ | √ | √ | √ | √ |
Chrome 70 / Win 10 | √ | √ | √ | √ | √ | √ | √ | √ | √ |
Chrome 80 / Win 10 | √ | √ | √ | √ | √ | √ | √ | √ | √ |
Firefox 62 / Win 7 | √ | √ | √ | √ | √ | √ | √ | √ | √ |
Firefox 73 / Win 10 | √ | √ | √ | √ | √ | √ | √ | √ | √ |
IE 8 / XP | √ | √ | √ | √ | × | √ | × | × | × |
IE 8-10 / Win 7 | √ | √ | √ | √ | × | √ | × | × | × |
IE 11 / Win 7 | √ | √ | √ | √ | √ | √ | √ | √ | √ |
IE 11 / Win 10 | √ | √ | √ | √ | √ | √ | √ | √ | √ |
Edge 15 / Win 10 | √ | √ | √ | √ | √ | √ | √ | √ | √ |
Edge 16 / Win 10 | √ | √ | √ | √ | √ | √ | √ | √ | √ |
Edge 18 / Win 10 | √ | √ | √ | √ | √ | √ | √ | √ | √ |
Java 8u161 | √ | √ | √ | √ | √ | √ | √ | √ | √ |
Java 11.0.3 | √ | √ | √ | √ | √ | √ | √ | √ | √ |
Java 12.0.1 | √ | √ | √ | √ | √ | √ | √ | √ | √ |
OpenSSL 1.0.2s | √ | √ | √ | √ | √ | √ | √ | √ | √ |
OpenSSL 1.1.0k | √ | √ | √ | √ | √ | √ | √ | √ | √ |
OpenSSL 1.1.1c | √ | √ | √ | √ | √ | √ | √ | √ | √ |
Safari 10 / iOS 10 | √ | √ | √ | √ | √ | √ | √ | √ | √ |
Safari 10 / OS X 10.12 | √ | √ | √ | √ | √ | √ | √ | √ | √ |
Safari 12.1.1 / iOS 12.3.1 | √ | √ | √ | √ | √ | √ | √ | √ | √ |
Creating a Custom Security Policy
ELB allows you to use common TLS security policies to secure data transmission. If you need to use a certain TLS version and disable some cipher suites, you can create a custom security policy and add it to an HTTPS listener to improve service security.
- Log in to the management console.
- Click
in the upper left corner of the console and select a desired region and project. - Click
in the upper left corner to display Service List and choose Network > Elastic Load Balance. - In the navigation pane on the left, choose TLS Security Policies.
- On the displayed page, click Create Custom Security Policy in the upper right corner.
- Configure the parameters based on Table 5.
Table 5 Custom security policy parameters Parameter
Description
Name
Specifies the name of the custom security policy.
TLS Version
Specifies the TLS version supported by the custom security policy.
You can select multiple versions:
- TLS 1.0
- TLS 1.1
- TLS 1.2
- TLS 1.3
Cipher Suite
Specifies the cipher suites that match the selected TLS versions.
Description (Optional)
Provides supplementary information about the custom security policy.
- Click OK.
Managing a Custom Security Policy
After a custom security policy is created, you can modify or delete it.
Modifying a Custom Security Policy
You can modify the name, TLS versions, cipher suites, and description of a custom security policy as required.
- Log in to the management console.
- Click in the upper left corner of the console and select a desired region and project.
- Click in the upper left corner to display Service List and choose Network > Elastic Load Balance.
- In the navigation pane on the left, choose TLS Security Policies.
- On displayed page, locate the custom security policy, and click Modify in the Operation column.
- In displayed dialog box, modify the custom security policy based on Table 5.
- Click OK.
Deleting a Custom Security Policy
You can delete a custom security policy as you need.
If a custom security policy is used by a listener, it cannot be deleted. Delete the security policy from the listener first.
- Log in to the management console.
- Click in the upper left corner of the console and select a desired region and project.
- Click in the upper left corner to display Service List and choose Network > Elastic Load Balance.
- In the navigation pane on the left, choose TLS Security Policies.
- On displayed page, locate the custom security policy, and click Delete in the Operation column.
- In the displayed dialog box, click OK.
Selecting a Security Policy for an HTTPS Listener
- Log in to the management console.
- Click in the upper left corner of the console and select a desired region and project.
- Click in the upper left corner to display Service List and choose Network > Elastic Load Balance.
- On the displayed page, locate the load balancer and click its name.
- On the Listeners tab, click Add Listener.
- On the Add Listener page, set Frontend Protocol to HTTPS.
- Expand Advanced Settings (Optional) and select a security policy.
You can select a default security policy or custom security policy.
If there is no custom security policy, you can create one by referring to Creating a Custom Security Policy.
- Confirm the configurations and go to the next step.
Changing a Security Policy for an HTTPS Listener
- Log in to the management console.
- Click in the upper left corner of the console and select a desired region and project.
- Click in the upper left corner to display Service List and choose Network > Elastic Load Balance.
- On the displayed page, locate the load balancer and click its name.
- On the Listeners tab, locate the listener, and click its name.
- On the Summary tab, click Edit on the top right.
- In the Edit dialog box, expand Advanced Settings (Optional) and change the security policy.
- Click OK.