
Security Policy

The security policy function lets you configure the minimum TLS protocol version and the cipher suite. When you create or configure an HTTPS listener, you can bind a specific security policy to it to meet your security requirements.

Security policies are categorized into native policies, predefined policies, and custom policies.

The security policy function is currently in public beta in some regions only. If the CLB instance has not yet been enabled for the beta, a security policy you create cannot be bound or used. If you need it, please contact technical support.

Native Policy

If no security policy is bound to the VServer, the system uses its own native policy. The current native policy is: a minimum TLS protocol version of TLSv1, a highest supported version of TLSv1.2 or TLSv1.3 (limited by the OpenSSL version used by the CLB underlying layer), and the cipher suite given in OpenSSL syntax as ALL:!NULL:!aNULL:!DSS:!RC4:!RC2:!EXP:!LOW.

Predefined Policy

Predefined policies cannot be edited or deleted. Currently, eight predefined policies are supported; the differences between the six in the table below are shown there, and the remaining two are described in the notes that follow:

Policy            Description
security-tls12s   Minimum TLS version 1.2, high security
security-tls11s   Minimum TLS version 1.1, high security
security-tls10s   Minimum TLS version 1.0, high security
security-tls12m   Minimum TLS version 1.2, medium security
security-tls11m   Minimum TLS version 1.1, medium security
security-tls10m   Minimum TLS version 1.0, medium security

Cipher suites (first column of the table; the notes below give the OpenSSL syntax to which each security level's set of suites is equivalent):

ECDHE-ECDSA-AES128-CCM
ECDHE-ECDSA-AES128-CCM8
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES256-CCM
ECDHE-ECDSA-AES256-CCM8
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-CHACHA20-POLY1305
AES128-CCM
AES128-CCM8
AES128-GCM-SHA256
AES128-SHA256
AES256-CCM
AES256-CCM8
AES256-GCM-SHA384
AES256-SHA256

Note:

  1. The TLS protocol version can be supported up to TLSv1.3. If TLSv1.3 is negotiated, the corresponding default cipher suites are as follows:

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  2. In addition to the six predefined policies in the table above, there are two others whose cipher suite is identical to that of the native policy:

  • security-tls12o: only the TLS version differs, with a minimum version of 1.2

  • security-tls11o: only the TLS version differs, with a minimum version of 1.1

  3. The high-security predefined policies support a set of cipher suites that is equivalent, in the CLB environment, to the OpenSSL syntax ALL:!NULL:!aNULL:!DSS:!RC4:!RC2:!EXP:!LOW:!SSLv3:!CAMELLIA:!ARIA:!3DES:!DH:!DHE:!RSA.

  4. The medium-security predefined policies support a set of cipher suites that is equivalent, in the CLB environment, to the OpenSSL syntax ALL:!NULL:!aNULL:!DSS:!RC4:!RC2:!EXP:!LOW:!SSLv3:!CAMELLIA:!ARIA:!3DES:!DH:!DHE.

Custom Policy

You can define your own policy by combining a minimum TLS protocol version with a cipher suite.

The configurable minimum TLS protocol version is one of TLSv1, TLSv1.1 or TLSv1.2.

The configurable cipher suites are those listed in the first column of the predefined-policy table.
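The following is an added example and not CLB product code or an API of the CLB service. It takes the cipher strings this page quotes for the native policy and for the high- and medium-security predefined policies, expands them with the OpenSSL that Python's standard ssl module is linked against, and reports which suites from the table's first column that OpenSSL enables, which static-RSA (non-forward-secret) suites the trailing !RSA of the high-security policy removes, and which TLS 1.3 suites are on. It also builds a server SSLContext for a custom policy that obeys the two rules above (minimum version TLSv1, TLSv1.1 or TLSv1.2; suites from the table only). The page says the strings are equivalent to the table "in the CLB environment", so the local expansion is assumed to be only an approximation of what the load balancer itself enables; the policy names NATIVE, MEDIUM and HIGH and all function names are this example's own.

```python
"""Added example, not CLB product code: check the cipher strings this page gives
for the native, high-security and medium-security policies against the local
OpenSSL (via Python's ssl module), and build a server SSLContext for a custom
policy (minimum TLS version plus suites from the table's first column)."""
import ssl

# Cipher strings quoted from the page: the native policy and the equivalents
# the notes give for the medium- and high-security predefined policies.
NATIVE = "ALL:!NULL:!aNULL:!DSS:!RC4:!RC2:!EXP:!LOW"
MEDIUM = NATIVE + ":!SSLv3:!CAMELLIA:!ARIA:!3DES:!DH:!DHE"
HIGH = MEDIUM + ":!RSA"

# Default TLS 1.3 suites listed in the page's notes.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256"}

# First column of the predefined-policy table (TLS 1.2 and earlier suites).
TABLE_SUITES = """
ECDHE-ECDSA-AES128-CCM ECDHE-ECDSA-AES128-CCM8 ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-CCM
ECDHE-ECDSA-AES256-CCM8 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES256-SHA384
ECDHE-RSA-CHACHA20-POLY1305
AES128-CCM AES128-CCM8 AES128-GCM-SHA256 AES128-SHA256
AES256-CCM AES256-CCM8 AES256-GCM-SHA384 AES256-SHA256
""".split()

# Minimum versions a custom policy may choose (page: TLSv1, TLSv1.1, TLSv1.2).
MIN_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def _context(cipher_string):
    """Server context with the cipher string applied (no certificate loaded)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx


def enabled_suites(ctx, tls13=False):
    """Suite names enabled on ctx. OpenSSL lists TLS 1.3 suites no matter what
    the cipher string says, so the two generations are reported separately."""
    return [c["name"] for c in ctx.get_ciphers()
            if (c["protocol"] == "TLSv1.3") == tls13]


def expand(cipher_string):
    """TLS 1.2-and-earlier suites the local OpenSSL enables for the string."""
    return enabled_suites(_context(cipher_string))


def tls13_suites(cipher_string=NATIVE):
    """TLS 1.3 suites the local OpenSSL enables (the page lists three defaults)."""
    return enabled_suites(_context(cipher_string), tls13=True)


def static_rsa_suites(cipher_string):
    """Suites using static RSA key exchange (the whole token 'Kx=RSA' in
    OpenSSL's description). These lack forward secrecy and are exactly what the
    high-security policy's trailing !RSA removes; ECDHE-RSA suites remain."""
    return [c["name"] for c in _context(cipher_string).get_ciphers()
            if "Kx=RSA" in c["description"].split()]


def compare_with_table(cipher_string):
    """Split the table's suites into those the local OpenSSL enables for the
    string and those it does not. The page only promises equivalence 'in the
    CLB environment', so a different OpenSSL build may disagree."""
    enabled = set(expand(cipher_string))
    present = [s for s in TABLE_SUITES if s in enabled]
    missing = [s for s in TABLE_SUITES if s not in enabled]
    return present, missing


def custom_policy_context(min_version, suites):
    """Server SSLContext for a custom policy, enforcing the page's two rules:
    the minimum version is TLSv1, TLSv1.1 or TLSv1.2, and every suite comes
    from the table's first column. Load a certificate before serving with it."""
    if min_version not in MIN_VERSIONS:
        raise ValueError(f"minimum TLS version must be one of {sorted(MIN_VERSIONS)}")
    unknown = [s for s in suites if s not in TABLE_SUITES]
    if unknown:
        raise ValueError(f"suites not in the predefined-policy table: {unknown}")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_VERSIONS[min_version]
    ctx.set_ciphers(":".join(suites))
    return ctx


if __name__ == "__main__":
    for name, policy in (("native", NATIVE), ("medium", MEDIUM), ("high", HIGH)):
        present, missing = compare_with_table(policy)
        print(f"{name}: {len(expand(policy))} suites enabled locally, "
              f"{len(present)} of the table's {len(TABLE_SUITES)} present, "
              f"static-RSA suites: {static_rsa_suites(policy) or 'none'}")
        if missing:
            print("  table suites this OpenSSL does not enable:", ", ".join(missing))
    print("TLS 1.3 suites:", ", ".join(tls13_suites()))
    ctx = custom_policy_context("TLSv1.2", ["ECDHE-ECDSA-AES256-GCM-SHA384",
                                            "ECDHE-RSA-AES128-GCM-SHA256"])
    print("custom policy:", ctx.minimum_version.name, enabled_suites(ctx))
```

Run it as a script to see the report for the local OpenSSL. Suites the table lists but the local OpenSSL does not enable (typically the CBC-SHA1 suites, which newer OpenSSL releases tag as SSLv3-era and drop under !SSLv3) are the ones to double-check against the load balancer itself before relying on the cipher string as documentation of what a listener offers.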