Edge Acceleration
  • Site Acceleration
    • Overview
    • Access Control
      • Token authentication
        • Token Authentication
        • Authentication Method A
        • Authentication Method B
        • Authentication Method C
        • Authentication Method D
        • Authentication Method V
    • Smart Acceleration
    • Cache configuration
      • Overview
      • EdgeOne caching rules introduction
        • Content Cache Rules
        • Cache Key Introduction
        • Vary Feature
      • Cache Configuration
        • Custom Cache Key
        • Node Cache TTL
        • Status Code Cache TTL
        • Browser Cache TTL
        • Offline Caching
        • Cache Prefresh
      • Clear and Preheat Cach
        • Cache Purge
        • URL Pre-Warming
        • Prefetch M3U8
      • How to improve the Cache Hit Rate of EdgeOne
    • File Optimization
      • Content Compression
      • Smart Compression
    • Network Optimization
      • HTTP/2
      • HTTP/3(QUIC)
        • Overview
        • Enable HTTP/3
        • QUIC SDK
          • SDK Overview
          • SDK Download and Integration
          • Sample Code
            • Android
            • iOS
          • API Documentation
            • Android
            • iOS
      • IPv6 Access
      • Maximum Upload Size
      • WebSocket
      • Client IP Geolocation Header
      • Client IP Geographical Location
      • gRPC
      • Network Error Logging
    • URL Rewrite
      • Access URL Redirection
      • Origin-Pull URL Rewrite
    • Modifying Header
      • Modifying HTTP Response Headers
      • Modifying HTTP Request Headers
    • Modify response content
      • HTTP Response
      • Custom Error Page
    • Rules Engine
      • Overview
      • Rule Management
      • variables
      • Supported Matching Types and Actions
    • Image and video processing
      • Audio and Video Pre-pulling
      • Just-in-Time Image Processing
      • Video Just-In-Time Processing
      • VOD Media Origin
    • Speed limit for single connection download
    • Request and Response Actions
      • HTTP Response
      • Processing order
      • Default HTTP Headers of Origin-Pull Requests
      • Default HTTP Response Headers
      • HTTP Restrictions
    • Media Services
      • Audio and Video Pre-pulling
      • Just-in-Time Image Processing
      • Just-in-Time Media Processing
      • VOD Media Origin
  • L4 Proxy
    • Overview
    • Creating an L4 Proxy Instance
    • Modifying an L4 Proxy Instance
    • Disabling or Deleting an L4 Proxy Instance
    • Batch Configuring Forwarding Rules
    • Obtaining Real Client IPs
      • Obtaining Real TCP Client IPs via TOA
      • Obtaining Real Client IPs Through Protocol V1/V2
        • Overview
        • Method 1: Obtaining Real Client IPs Through Nginx
        • Method 2: Parsing Real Client IPs on Application Server
        • Format of Real Client IPs Obtained Through Proxy Protocol V1/V2
      • Transmitting Client Real IP via SPP Protocol
  • Domain name service and origin server configuration
    • Domain Name Services
      • Overview
      • DNS resolution for managed domains
        • Modifying DNS Servers
        • Configuring DNS Records
        • Batch Importing DNS Records
        • Advanced DNS Configuration
      • Access accelerated domains
        • Adding A Domain Name for Acceleration
        • Ownership Verification
        • Modifying CNAME Records
        • Verify Business Access
      • Traffic scheduling
        • Traffic Scheduling Management
    • HTTPS Certificate
      • Overview
      • Edge HTTPS Certificate
        • Overview
        • Deploying/Updating SSL Certificate for A Domain Name
        • Configuring A Free Certificate for A Domain Name
        • Using Keyless Certificate
      • Edge mTLS Authentication
      • Origin Certificate Validation
      • HTTPS configuration
        • Forced HTTPS Access
        • Enabling HSTS
        • SSL/TLS security configuration
          • Configuring SSL/TLS Security
          • TLS Versions and Cipher Suites
        • Enabling OCSP Stapling
      • Related References
        • Using OpenSSL to Generate Self-Signed Certificates
        • Certificate Format Requirements
        • The Difference Between one-way authentication and Mutual authentication
    • Origin Configuration
      • Load Balancing
        • Overview
        • Quickly Create Load Balancers
        • Health Check Policies
        • Viewing the Health Status of Origin Server
        • Related References
          • Load Balancing-Related Concepts
          • Introduction to Request Retry Strategy
      • Origin Group Configuration
      • Origin configuration
        • Origin-Pull Timeout
        • Configuring Origin-Pull HTTPS
        • Host Header Rewrite
        • Controlling Origin-pull Requests
        • Redirect Following During Origin-Pull
        • HTTP/2 Origin-Pull
        • Range GETs
        • Modify Origin
        • Origin-pull Rate Limiting Policy
      • Origin Protection(Obtaining/Updating Origin IP Address Range)
      • Related References
        • ld Version Origin Group Compatible Related Issues
Docs Overview/
Edge Acceleration/
Domain name service and origin server configuration/
HTTPS Certificate/
HTTPS configuration/
SSL/TLS security configuration/
TLS Versions and Cipher Suites/

TLS Versions and Cipher Suites

This article introduces EdgeOne's support for protocol versions and cipher suites allowed during TLS handshakes.

What are TLS protocol versions?

The TLS (Transport Layer Security) protocol is a security protocol used for encrypting network communications. As the successor to the SSL (Secure Sockets Layer) protocol, it enables encrypted communication between client/server applications. The TLS protocol has multiple versions, including TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3. TLS 1.3 is the latest version, offering more secure and efficient encryption mechanisms.

What is a cipher suite?

A cipher suite is a set of cryptographic algorithms used for secure connections in the Transport Layer Security (TLS) protocol. A TLS cipher suite comprises three components: authentication, encryption, and Message Authentication Code (MAC), which collectively ensure security and reliability by protecting transmitted data from third-party interception. During the TLS handshake process, the client and server negotiate a mutually supported cipher suite (based on their respective lists of supported cipher suites) to enable encrypted communication between them.

Use Cases

EdgeOne enables all TLS versions by default, with the cipher suite set to eo-loose-v2023, which meets the requirements of most customers. If you have higher security requirements, you can customize the settings:
Business Scenario
TLS version
cipher suite
Focus on compatibility with older browser versions, where security requirements can be appropriately relaxed.
1.0,1.1,1.2
eo-loose-v2023
Browser compatibility and security need to be balanced, with both achieving a moderate level.
1.2,1.3
eo-general-v2023
High security requirements allow for reduced browser compatibility. All TLS versions and cipher suites that may pose security vulnerabilities need to be disabled.
1.2,1.3
eo-strict-v2023

Supported TLS Protocol Versions and Cipher Suites in EdgeOne

EdgeOne supported TLS versions are as follows:
TLS 1.0
TLS 1.1
TLS 1.2
TLS 1.3
OpenSSL cipher suites
TLS 1.3
TLS 1.2
TLS 1.1
TLS 1.0
TLS_AES_256_GCM_SHA384
-
-
-
TLS_CHACHA20_POLY1305_SHA256
-
-
-
TLS_AES_128_GCM_SHA256
-
-
-
TLS_AES_128_CCM_SHA256
-
-
-
TLS_AES_128_CCM_8_SHA256
-
-
-
ECDHE-ECDSA-AES256-GCM-SHA384
-
-
-
ECDHE-ECDSA-AES128-GCM-SHA256
-
-
-
ECDHE-RSA-AES256-GCM-SHA384
-
-
-
ECDHE-RSA-AES128-GCM-SHA256
-
-
-
ECDHE-ECDSA-CHACHA20-POLY1305
-
-
-
ECDHE-RSA-CHACHA20-POLY1305
-
-
-
ECDHE-ECDSA-AES256-SHA384
-
-
-
ECDHE-ECDSA-AES128-SHA256
-
-
-
ECDHE-RSA-AES256-SHA384
-
-
-
ECDHE-RSA-AES128-SHA256
-
-
-
ECDHE-RSA-AES256-SHA
-
-
ECDHE-RSA-AES128-SHA
-
-
AES256-GCM-SHA384
-
-
-
AES128-GCM-SHA256
-
-
-
AES256-SHA256
-
-
-
AES128-SHA256
-
-
-
AES256-SHA
-
-
AES128-SHA
-
-
EdgeOne supports providing cipher suites of varying strengths based on TLS protocol versions:
eo-strict-v2023: High security requirements, disabling all insecure cipher suites.
eo-general-v2023: Browser compatibility and security need to be balanced, with both achieving a moderate level.
eo-loose-v2023 (default): Focus on compatibility with older browser versions, where security requirements can be appropriately relaxed.
OpenSSL cipher suites
eo-strict-v2023
eo-general-v2023
eo-loose-v2023
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
TLS_AES_128_CCM_SHA256
-
TLS_AES_128_CCM_8_SHA256
-
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES256-SHA384
-
ECDHE-ECDSA-AES128-SHA256
-
ECDHE-RSA-AES256-SHA384
-
ECDHE-RSA-AES128-SHA256
-
ECDHE-RSA-AES256-SHA
-
-
ECDHE-RSA-AES128-SHA
-
-
AES256-GCM-SHA384
-
-
AES128-GCM-SHA256
-
-
AES256-SHA256
-
-
AES128-SHA256
-
-
AES256-SHA
-
-
AES128-SHA
-
-
You can configure TLS versions and cipher suites based on the security and compatibility requirements of your business. The ultimately supported OpenSSL cipher suites are determined by the intersection of the TLS version and cipher suite options. For example:
TLS version TLS 1.3 is enabled, and the cipher suite option eo-strict-v2023 is selected. The ultimately supported OpenSSL cipher suites will be the intersection of TLS 1.3 and eo-strict-v2023: TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256.
Note:
If the edge HTTPS configuration includes a Chinese cryptographic certificate, EdgeOne will additionally support the ECC-SM2-WITH-SM4-SM3 and ECDHE-SM2-WITH-SM4-SM3 cipher suite algorithms.

Learn More