When a client sends a request to a node, the node negotiates a TLS handshake using the TLS versions you have enabled. If the client supports none of the enabled versions, the connection fails. You can adjust the enabled TLS versions to balance security with compatibility for older browsers: lower TLS versions offer broader client support but weaker security, while higher versions strengthen security but may block access from legacy browsers.
Background
Transport Layer Security (TLS) provides confidentiality and data integrity between two communicating applications. Its most common application is HTTPS. HTTPS, or HTTP over TLS, is a more secure version of HTTP that runs between the HTTP and TCP layers.
| Protocol | Description | Supported major browsers |
| --- | --- | --- |
| TLSv1.0 | Released in 1999 (RFC 2246) and based on SSLv3.0. This version is vulnerable to attacks such as BEAST and POODLE. It also supports weak encryption, is no longer considered secure for modern web connections, and does not meet PCI DSS compliance standards. | |
| TLSv1.1 | Released in 2006 (RFC 4346). It addresses several vulnerabilities found in TLSv1.0. | |
| TLSv1.2 | Released in 2008 (RFC 5246). This is the most widely used version today. | |
| TLSv1.3 | Released in 2018 (RFC 8446). This is the latest TLS version. It supports 0-RTT mode for faster connections and uses only key exchange algorithms that provide perfect forward secrecy. | |
Procedure
Before you begin, make sure you have configured an SSL certificate. For more information, see Configure an SSL certificate.
By default, TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3 are enabled.
1. Log on to the CDN console.
2. In the left navigation pane, click Domain Names.
3. On the Domain Names page, find the target domain name and click Manage in the Actions column.
4. In the domain's navigation pane, click HTTPS.
5. In the Configure TLS Cipher Suite and Version section, select a cipher suite and enable the desired TLS versions.
   You can configure the following TLS versions: TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3. Enable or disable the versions as needed.
   The following cipher suites are supported. Select one based on your requirements:
   - All Cipher Suite Groups (Default): Offers lower security but higher compatibility. For a list of supported encryption algorithms, see Default TLS encryption algorithms for CDN and .
   - Enhanced Cipher Suite: Offers higher security but lower compatibility. The supported encryption algorithms are:
     - TLS_AES_256_GCM_SHA384
     - TLS_AES_128_GCM_SHA256
     - TLS_CHACHA20_POLY1305_SHA256
     - ECDHE-ECDSA-CHACHA20-POLY1305
     - ECDHE-RSA-CHACHA20-POLY1305
     - ECDHE-ECDSA-AES128-GCM-SHA256
     - ECDHE-RSA-AES128-GCM-SHA256
     - ECDHE-ECDSA-AES128-CCM8
     - ECDHE-ECDSA-AES128-CCM
     - ECDHE-ECDSA-AES256-GCM-SHA384
     - ECDHE-RSA-AES256-GCM-SHA384
     - ECDHE-ECDSA-AES256-CCM8
     - ECDHE-ECDSA-AES256-CCM
     - ECDHE-ECDSA-ARIA256-GCM-SHA384
     - ECDHE-ARIA256-GCM-SHA384
     - ECDHE-ECDSA-ARIA128-GCM-SHA256
     - ECDHE-ARIA128-GCM-SHA256
   - Custom Cipher Suite: Select the specific cipher suites you require.
   For descriptions of the TLS protocol versions, see the Background section.
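The following is an added example, not code from the CDN product or its documentation. It models two things the page describes: the version negotiation in the opening paragraph (the node and the client must share at least one enabled version, otherwise the handshake fails) and the Enhanced Cipher Suite group from step 5, which it reproduces as a local server-side SSLContext so you can see which of the listed suites the OpenSSL build on your machine can actually offer. The negotiation function is a simplification written for illustration; the version labels and cipher names are the ones the page lists. Nothing here contacts the CDN or a real domain.

```python
"""Model of TLS version negotiation plus a local context mirroring the
console's "Enhanced Cipher Suite" group. Added example; not the CDN's code."""
import ssl

# Version labels as shown in the console, ordered weakest to strongest.
TLS_VERSIONS = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Map console labels to Python's ssl.TLSVersion enum (assumed correspondence).
PY_VERSION = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# The Enhanced Cipher Suite group as listed on the page. The TLS_* entries are
# IANA names for TLS 1.3 suites; the others are OpenSSL names for TLS 1.2
# ECDHE suites (all AEAD, all with forward secrecy).
ENHANCED_SUITES = [
    "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-CCM8", "ECDHE-ECDSA-AES128-CCM",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-CCM8", "ECDHE-ECDSA-AES256-CCM",
    "ECDHE-ECDSA-ARIA256-GCM-SHA384", "ECDHE-ARIA256-GCM-SHA384",
    "ECDHE-ECDSA-ARIA128-GCM-SHA256", "ECDHE-ARIA128-GCM-SHA256",
]


def negotiated_version(node_enabled, client_supported):
    """Highest TLS version both the node and the client support.

    Returns None when there is no overlap, which is the "connection fails"
    case the page describes. Simplified model: real TLS carries the client's
    list in the supported_versions extension (TLS 1.3) or as a single
    maximum version (TLS 1.2 and below), but the outcome is the same.
    """
    common = [v for v in TLS_VERSIONS
              if v in node_enabled and v in client_supported]
    return common[-1] if common else None


def build_node_context(min_version="TLSv1.2", max_version="TLSv1.3"):
    """Server-side SSLContext equivalent to enabling only min..max in the
    console and selecting the Enhanced group.

    Python's set_ciphers() only governs TLS 1.2 and below; the three TLS 1.3
    suites are fixed by OpenSSL and cannot be changed from the ssl module, so
    only the ECDHE-* names are passed in the cipher string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = PY_VERSION[min_version]
    ctx.maximum_version = PY_VERSION[max_version]
    tls12_suites = [s for s in ENHANCED_SUITES if not s.startswith("TLS_")]
    # OpenSSL silently drops names it does not know (e.g. ARIA or CCM suites
    # missing from a build) as long as at least one name is valid.
    ctx.set_ciphers(":".join(tls12_suites))
    return ctx


def enabled_versions(ctx):
    """Console-style list of the versions a context will accept."""
    return [v for v in TLS_VERSIONS
            if ctx.minimum_version <= PY_VERSION[v] <= ctx.maximum_version]


def offered_suites(ctx):
    """Enhanced-group suites the local OpenSSL really offers, grouped by the
    protocol version each belongs to. Useful for spotting suites from the
    page's list that a given OpenSSL build leaves out."""
    offered = {}
    for cipher in ctx.get_ciphers():
        if cipher["name"] in ENHANCED_SUITES:
            offered.setdefault(cipher["protocol"], []).append(cipher["name"])
    return offered


if __name__ == "__main__":
    # Constructed scenario: node enables TLS 1.2+, legacy client has only 1.0/1.1.
    print(negotiated_version({"TLSv1.2", "TLSv1.3"}, {"TLSv1.0", "TLSv1.1"}))
    ctx = build_node_context("TLSv1.2", "TLSv1.3")
    print(enabled_versions(ctx))
    for proto, names in sorted(offered_suites(ctx).items()):
        print(proto, len(names), "suites:", ", ".join(names))
```

After saving the console configuration, the same check can be run against the real domain with the OpenSSL command-line client, which forces a single version per attempt: `openssl s_client -connect <your-domain>:443 -tls1_1` should fail to complete the handshake once TLSv1.1 is disabled, while `-tls1_2` and `-tls1_3` should succeed and report one of the Enhanced-group suites in the `Cipher` line. Replace `<your-domain>` with the accelerated domain name you configured.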