为全球加速实例配置HTTPS监听时,支持选择TLS安全策略。系统默认选择tls_cipher_policy_1_0安全策略,若您有更高的安全要求,可以根据需要选择更高等级的TLS安全策略。

TLS安全策略

TLS安全策略包含HTTPS可选的TLS协议版本和配套的加密算法套件。TLS协议版本越高,HTTPS通信的安全性越高,但是相较于低版本TLS协议,高版本TLS协议对浏览器的兼容性较差。TLS安全策略对应的TLS协议版本和配套的加密算法套件如下:
安全策略 支持TLS版本 支持加密算法套件
tls_cipher_policy_1_0 TLSv1.0、TLSv1.1和TLSv1.2
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA384
  • AES128-GCM-SHA256
  • AES256-GCM-SHA384
  • AES128-SHA256
  • AES256-SHA256
  • ECDHE-RSA-AES128-SHA
  • ECDHE-RSA-AES256-SHA
  • AES128-SHA
  • AES256-SHA
  • DES-CBC3-SHA
tls_cipher_policy_1_1 TLSv1.1和TLSv1.2
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA384
  • AES128-GCM-SHA256
  • AES256-GCM-SHA384
  • AES128-SHA256
  • AES256-SHA256
  • ECDHE-RSA-AES128-SHA
  • ECDHE-RSA-AES256-SHA
  • AES128-SHA
  • AES256-SHA
  • DES-CBC3-SHA
tls_cipher_policy_1_2 TLSv1.2
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA384
  • AES128-GCM-SHA256
  • AES256-GCM-SHA384
  • AES128-SHA256
  • AES256-SHA256
  • ECDHE-RSA-AES128-SHA
  • ECDHE-RSA-AES256-SHA
  • AES128-SHA
  • AES256-SHA
  • DES-CBC3-SHA
tls_cipher_policy_1_2_strict TLSv1.2
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-RSA-AES128-SHA
  • ECDHE-RSA-AES256-SHA
tls_cipher_policy_1_2_strict_with_1_3 TLSv1.2及TLSv1.3
  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_CCM_SHA256
  • TLS_AES_128_CCM_8_SHA256
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-ECDSA-AES256-SHA
  • ECDHE-RSA-AES128-SHA
  • ECDHE-RSA-AES256-SHA

TLS安全策略支持的加密算法套件

安全策略 tls_cipher_policy_1_0 tls_cipher_policy_1_1 tls_cipher_policy_1_2 tls_cipher_policy_1_2_strict tls_cipher_policy_1_2_strict_with_1_3
TLS 1.2、1.1及1.0 1.1及1.2 1.2 1.2 1.2及1.3
CIPHER ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
AES128-GCM-SHA256 - -
AES256-GCM-SHA384 - -
AES128-SHA256 - -
AES256-SHA256 - -
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
AES128-SHA - -
AES256-SHA - -
DES-CBC3-SHA - -
TLS_AES_128_GCM_SHA256 - - - -
TLS_AES_256_GCM_SHA384 - - - -
TLS_CHACHA20_POLY1305_SHA256 - - - -
TLS_AES_128_CCM_SHA256 - - - -
TLS_AES_128_CCM_8_SHA256 - - - -
ECDHE-ECDSA-AES128-GCM-SHA256 - - - -
ECDHE-ECDSA-AES256-GCM-SHA384 - - - -
ECDHE-ECDSA-AES128-SHA256 - - - -
ECDHE-ECDSA-AES256-SHA384 - - - -
ECDHE-ECDSA-AES128-SHA - - - -
ECDHE-ECDSA-AES256-SHA - - - -
说明 上表中的✔表示支持,-表示不支持。

选择TLS安全策略

在您添加或者配置HTTPS监听时,系统默认选择tls_cipher_policy_1_0安全策略。您可以通过修改高级配置选择TLS安全策略。具体操作,请参见添加HTTP或HTTPS协议监听选择TLS安全策略