TLS Security Policy
Scenarios
HTTPS encryption is commonly used for applications that require secure transmission of data, such as banks and finance. When you add HTTPS listeners, you can select appropriate default security policies to improve security. A security policy is a combination of TLS protocols of different versions and supported cipher suites.
You can only select the default security policies for HTTPS listeners added to a shared load balancer.
Adding a Default Security Policy
- Log in to the management console.
- In the upper left corner of the page, click
and select the desired region and project. - Click
in the upper left corner to display Service List and choose Network > Elastic Load Balance. - On the displayed page, locate the load balancer and click its name.
- Under Listeners, click Add Listener.
- On the Add Listener page, set Frontend Protocol to HTTPS.
- Expand Advanced Settings and select a default security policy.
Table 1 lists the default security policies supported by shared load balancers.
Table 1 Default security policies Name
TLS Versions
Cipher Suites
tls-1-0
TLS 1.2
TLS 1.1
TLS 1.0
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-GCM-SHA256
- AES128-GCM-SHA256
- AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-RSA-AES128-SHA256
- AES128-SHA256
- AES256-SHA256
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA384
- ECDHE-ECDSA-AES128-SHA
- ECDHE-RSA-AES128-SHA
- ECDHE-RSA-AES256-SHA
- ECDHE-ECDSA-AES256-SHA
- AES128-SHA
- AES256-SHA
tls-1-1
TLS 1.2
TLS 1.1
tls-1-2
TLS 1.2
tls-1-2-strict
TLS 1.2
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-GCM-SHA256
- AES128-GCM-SHA256
- AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-RSA-AES128-SHA256
- AES128-SHA256
- AES256-SHA256
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA384
tls-1-2-fs
TLS 1.2
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-RSA-AES128-SHA256
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA384
Note- Shared load balancers support TLS 1.2 or earlier versions.
- The above table lists the cipher suites supported by ELB. Generally, clients also support multiple cipher suites. In actual use, the cipher suites supported by ELB and clients are used, and the cipher suites supported by ELB take precedence.
- Confirm the configurations and go to the next step.
Differences Between Security Policies
Security Policy | tls-1-0 | tls-1-1 | tls-1-2 | tls-1-2-strict | tls-1-2-fs |
|---|---|---|---|---|---|
TLS version | |||||
Protocol-TLS 1.3 | N/A | N/A | N/A | N/A | Supported |
Protocol-TLS 1.2 | Supported | Supported | Supported | Supported | Supported |
Protocol-TLS 1.1 | Supported | Supported | N/A | N/A | N/A |
Protocol-TLS 1.0 | Supported | N/A | N/A | N/A | N/A |
Cipher suite | |||||
EDHE-RSA-AES128-GCM-SHA256 | Supported | Supported | Supported | Supported | N/A |
ECDHE-RSA-AES256-GCM-SHA384 | Supported | Supported | Supported | Supported | Supported |
ECDHE-RSA-AES128-SHA256 | Supported | Supported | Supported | Supported | Supported |
ECDHE-RSA-AES256-SHA384 | Supported | Supported | Supported | Supported | Supported |
AES128-GCM-SHA256 | Supported | Supported | Supported | Supported | N/A |
AES256-GCM-SHA384 | Supported | Supported | Supported | Supported | N/A |
AES128-SHA256 | Supported | Supported | Supported | Supported | N/A |
AES256-SHA256 | Supported | Supported | Supported | Supported | N/A |
ECDHE-RSA-AES128-SHA | Supported | Supported | Supported | N/A | N/A |
ECDHE-RSA-AES256-SHA | Supported | Supported | Supported | N/A | N/A |
AES128-SHA | Supported | Supported | Supported | N/A | N/A |
AES256-SHA | Supported | Supported | Supported | N/A | N/A |
ECDHE-ECDSA-AES128-GCM-SHA256 | Supported | Supported | Supported | Supported | Supported |
ECDHE-ECDSA-AES128-SHA256 | Supported | Supported | Supported | Supported | Supported |
ECDHE-ECDSA-AES128-SHA | Supported | Supported | Supported | N/A | N/A |
ECDHE-ECDSA-AES256-GCM-SHA384 | Supported | Supported | Supported | Supported | Supported |
ECDHE-ECDSA-AES256-SHA384 | Supported | Supported | Supported | Supported | Supported |
ECDHE-ECDSA-AES256-SHA | Supported | Supported | Supported | N/A | N/A |
ECDHE-RSA-AES128-GCM-SHA256 | N/A | N/A | N/A | N/A | Supported |
TLS_AES_256_GCM_SHA384 | N/A | N/A | N/A | N/A | Supported |
TLS_CHACHA20_POLY1305_SHA256 | N/A | N/A | N/A | N/A | Supported |
TLS_AES_128_GCM_SHA256 | N/A | N/A | N/A | N/A | Supported |
TLS_AES_128_CCM_8_SHA256 | N/A | N/A | N/A | N/A | Supported |
TLS_AES_128_CCM_SHA256 | N/A | N/A | N/A | N/A | Supported |
Changing a Security Policy
When you change a security policy, ensure that the security group rules configured for backend servers allow traffic from 100.125.0.0/16 to backend servers and allows ICMP packets for UDP health checks. Otherwise, backend servers will be considered unhealthy, resulting in service interruptions.
- Log in to the management console.
- In the upper left corner of the page, click and select the desired region and project.
- Click in the upper left corner to display Service List and choose Network > Elastic Load Balance.
- On the displayed page, locate the load balancer and click its name.
- Click Listeners, locate the listener, and click its name.
- On the Summary tab, click Edit on the top right.
- In the Edit dialog box, expand Advanced Settings and change the security policy.
- Click OK.
- Scenarios
- Adding a Default Security Policy
- Differences Between Security Policies
- Changing a Security Policy