Configure TLS settings


When a client sends an HTTPS request to an Edge Security Acceleration (ESA) POP, the client and POP negotiate a TLS cipher suite and protocol version through a TLS handshake. Configure these settings to balance security and compatibility.

TLS protocol versions

TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are cryptographic protocols that encrypt data exchanged between endpoints over computer networks.

Supported TLS versions: 1.0, 1.1, 1.2, and 1.3. TLS 1.3 offers the strongest security and the fastest handshake. TLS 1.0 and 1.1 are formally deprecated (RFC 8996) and should be enabled only for clients that cannot be upgraded.

TLS cipher suite groups

A TLS cipher suite is a named combination of key exchange, authentication, bulk encryption, and message authentication (or AEAD) algorithms. During the TLS handshake, the client and server negotiate a cipher suite that both support. Different cipher suites provide different levels of security; a server that still offers weak suites can be negotiated down to them by a client that prefers or only supports them.

A TLS cipher suite group is a named collection of cipher suites that you enable as a unit.

Choose a cipher suite group and TLS version

| Use case | Cipher suite group | Supported TLS protocols | Features |
| --- | --- | --- | --- |
| High compatibility, moderate security | All cipher suites (default) | TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3 (optional) | Broadest compatibility with older browsers and endpoint devices, but includes some lower-security cipher suites. |
| High security | Strong cipher suites | TLS 1.2, TLS 1.3 | All included cipher suites and protocols are secure. Higher security than the default group, but lower compatibility. |
| Custom requirements | Custom cipher suites | TLS 1.2, TLS 1.3 | Select specific encryption algorithms. Security and compatibility depend on your selection. |

Each group supports different algorithms, listed in Algorithms Supported by Cipher Suite Groups.

Configure TLS cipher suites and protocol versions

  1. In the ESA console, select Site Management. Then, in the Website column, click the target site.

  2. In the navigation pane on the left, choose Edge Certificates.

  3. In the TLS Cipher Suite and Version area, click Configure. Then, choose a cipher suite group and the TLS protocol versions you want to enable.

    Note
    • The strong (enhanced) and custom cipher suite groups support only TLS 1.2 and TLS 1.3. This protocol set is fixed and cannot be modified.

    • TLS versions must be enabled as a consecutive range. If there is a gap, only the unbroken run of versions that ends at the highest enabled version takes effect; every version below the gap is silently ignored.

      • Example 1: If you enable TLS 1.0, TLS 1.1, and TLS 1.3 but disable TLS 1.2, only TLS 1.3 is active.

      • Example 2: If you enable TLS 1.0, TLS 1.2, and TLS 1.3 but disable TLS 1.1, only TLS 1.2 and TLS 1.3 are active.

  4. Click OK.
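The consecutive-version rule above is easy to get wrong when reading a checkbox list, and the console does not show which cipher the edge actually negotiates. The following script is an added example, not code from the ESA product or its documentation: `effective_tls_versions` implements the rule exactly as the note describes it (both examples from the note are checked), and `probe_tls_versions` is a network check that pins the client to one TLS version at a time and records the protocol and cipher the edge negotiates, so you can confirm the cipher suite group and version set you configured. The host name, port, and the assumption that the probed host serves the ESA site are yours to supply.

```python
"""Compute which TLS versions take effect under ESA's consecutive-version rule,
and optionally probe an edge host to confirm what it negotiates.

Added example; not part of the ESA product or its documentation.
"""
import socket
import ssl
import sys

# Ordered from oldest to newest, as listed in the ESA console.
TLS_VERSIONS = ("TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3")


def effective_tls_versions(enabled):
    """Apply the consecutive-version rule from the console note.

    Only the unbroken run of enabled versions that ends at the highest
    enabled version takes effect; anything below a gap is ignored.
    Returns the active versions as a tuple, oldest first.
    """
    enabled = set(enabled)
    unknown = enabled - set(TLS_VERSIONS)
    if unknown:
        raise ValueError(f"unknown TLS version(s): {sorted(unknown)}")
    active = []
    seen_highest = False
    # Walk from newest to oldest; stop at the first disabled version
    # that sits below an enabled one.
    for version in reversed(TLS_VERSIONS):
        if version in enabled:
            active.append(version)
            seen_highest = True
        elif seen_highest:
            break
    return tuple(reversed(active))


# Mapping to the standard library's protocol-version enum (Python 3.7+).
_PY_VERSION = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_tls_versions(host, port=443, timeout=5.0):
    """Try one handshake per TLS version with min == max pinned to it.

    Returns {version_name: (negotiated_protocol, cipher_name) or None}.
    Requires network access to `host` (assumed here to be an ESA site).
    """
    results = {}
    for name, version in _PY_VERSION.items():
        try:
            ctx = ssl.create_default_context()
            ctx.minimum_version = version
            ctx.maximum_version = version
            if version < ssl.TLSVersion.TLSv1_2:
                # Current OpenSSL refuses TLS 1.0/1.1 at its default security
                # level; lower it for this probe only so they are offered.
                ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = (tls.version(), tls.cipher()[0])
        except (ssl.SSLError, OSError, ValueError):
            # Handshake refused, version unsupported by local OpenSSL, or
            # connection failure: the edge does not serve this version.
            results[name] = None
    return results


if __name__ == "__main__":
    # The two cases from the console note.
    print(effective_tls_versions({"TLS 1.0", "TLS 1.1", "TLS 1.3"}))
    print(effective_tls_versions({"TLS 1.0", "TLS 1.2", "TLS 1.3"}))
    if len(sys.argv) > 1:
        # Usage: python tls_check.py <your-esa-site-hostname>
        for name, outcome in probe_tls_versions(sys.argv[1]).items():
            print(f"{name}: {outcome or 'not negotiated'}")
```

Run the probe against the site host name after saving the configuration and compare the set of versions that negotiate with the output of `effective_tls_versions` for the boxes you ticked. A version that the console shows as enabled but that never negotiates is the usual sign of a gap in the range; a TLS 1.0 or 1.1 result of `None` on a machine with a recent OpenSSL may also mean the local client could not offer that version, so check the probe from a host that can before concluding the edge refused it.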

Site-level and rule-based configuration

Site-level configurations apply to every request for the site. To apply different TLS settings to a subset of requests, use a rule-based configuration with match conditions; the corresponding rule feature is TLS Cipher Suites and Protocol Versions Configuration. Rule-based settings are evaluated per request and override the site-level setting for the requests they match.