TLS Versions and Cipher Suites
This document describes the TLS protocols and cipher suites that are supported by EdgeOne during a Transport Layer Security (TLS) handshake.
TLS Protocol Versions
TLS is the successor protocol to Secure Sockets Layer (SSL) and is used to encrypt network communication between client and server applications. TLS has several versions, including TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3. TLS 1.3 is the latest version that offers the most secure and efficient encryption mechanism.
Cipher Suites
A cipher suite is a set of encryption algorithms used for secure connections via TLS. A cipher suite consists of an authentication algorithm, an encryption algorithm, and a message authentication code (MAC) algorithm. These algorithms protect data in transit from being stolen by third parties. During a TLS handshake, the client and server negotiate a cipher suite based on their lists of supported cipher suites. The cipher suite will encrypt communication between the client and server.
Use Cases
By default, EdgeOne enables all TLS versions and uses the cipher suite eo-loose-v2023, which can meet the needs of most customers. If you require a higher level of security, you can adjust the settings accordingly.
Business Scenario | TLS Version | Cipher Suite |
Compatibility with earlier browser versions is prioritized while security requirements can be relaxed accordingly. | TLS 1.0, TLS 1.1, and TLS 1.2 | eo-loose-v2023 |
A balanced approach is needed to ensure a moderate level of security and browser version compatibility. | TLS 1.2 and TLS 1.3 | eo-general-v2023 |
A high level of security is required while browser version compatibility may be sacrificed accordingly. All TLS versions and cipher suites that may have security vulnerabilities must be blocked. | TLS 1.2 and TLS 1.3 | eo-strict-v2023 |
TLS Protocols and Cipher Suites Supported by EdgeOne
EdgeOne supports the following versions of TLS:
TLS 1.0
TLS 1.1
TLS 1.2
TLS 1.3
OpenSSL Cipher Suite | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 |
TLS_AES_256_GCM_SHA384 | ✓ | - | - | - |
TLS_CHACHA20_POLY1305_SHA256 | ✓ | - | - | - |
TLS_AES_128_GCM_SHA256 | ✓ | - | - | - |
TLS_AES_128_CCM_SHA256 | ✓ | - | - | - |
TLS_AES_128_CCM_8_SHA256 | ✓ | - | - | - |
ECDHE-ECDSA-AES256-GCM-SHA384 | - | ✓ | - | - |
ECDHE-ECDSA-AES128-GCM-SHA256 | - | ✓ | - | - |
ECDHE-RSA-AES256-GCM-SHA384 | - | ✓ | - | - |
ECDHE-RSA-AES128-GCM-SHA256 | - | ✓ | - | - |
ECDHE-ECDSA-CHACHA20-POLY1305 | - | ✓ | - | - |
ECDHE-RSA-CHACHA20-POLY1305 | - | ✓ | - | - |
ECDHE-ECDSA-AES256-SHA384 | - | ✓ | - | - |
ECDHE-ECDSA-AES128-SHA256 | - | ✓ | - | - |
ECDHE-RSA-AES256-SHA384 | - | ✓ | - | - |
ECDHE-RSA-AES128-SHA256 | - | ✓ | - | - |
ECDHE-RSA-AES256-SHA | - | - | ✓ | ✓ |
ECDHE-RSA-AES128-SHA | - | - | ✓ | ✓ |
AES256-GCM-SHA384 | - | ✓ | - | - |
AES128-GCM-SHA256 | - | ✓ | - | - |
AES256-SHA256 | - | ✓ | - | - |
AES128-SHA256 | - | ✓ | - | - |
AES256-SHA | - | - | ✓ | ✓ |
AES128-SHA | - | - | ✓ | ✓ |
EdgeOne offers users several cipher suite strength options based on the TLS protocol version.
eo-strict-v2023: Offers the highest level of security by disabling all insecure cipher suites.
eo-general-v2023: Keeps a balance between browser version compatibility and security.
eo-loose-v2023 (default): Offers the highest compatibility by relaxing security requirements accordingly.
OpenSSL Cipher Suite | eo-strict-v2023 | eo-general-v2023 | eo-loose-v2023 |
TLS_AES_256_GCM_SHA384 | ✓ | ✓ | ✓ |
TLS_CHACHA20_POLY1305_SHA256 | ✓ | ✓ | ✓ |
TLS_AES_128_GCM_SHA256 | ✓ | ✓ | ✓ |
TLS_AES_128_CCM_SHA256 | - | ✓ | ✓ |
TLS_AES_128_CCM_8_SHA256 | - | ✓ | ✓ |
ECDHE-ECDSA-AES256-GCM-SHA384 | ✓ | ✓ | ✓ |
ECDHE-ECDSA-AES128-GCM-SHA256 | ✓ | ✓ | ✓ |
ECDHE-RSA-AES256-GCM-SHA384 | ✓ | ✓ | ✓ |
ECDHE-RSA-AES128-GCM-SHA256 | ✓ | ✓ | ✓ |
ECDHE-ECDSA-CHACHA20-POLY1305 | ✓ | ✓ | ✓ |
ECDHE-RSA-CHACHA20-POLY1305 | ✓ | ✓ | ✓ |
ECDHE-ECDSA-AES256-SHA384 | - | ✓ | ✓ |
ECDHE-ECDSA-AES128-SHA256 | - | ✓ | ✓ |
ECDHE-RSA-AES256-SHA384 | - | ✓ | ✓ |
ECDHE-RSA-AES128-SHA256 | - | ✓ | ✓ |
ECDHE-RSA-AES256-SHA | - | - | ✓ |
ECDHE-RSA-AES128-SHA | - | - | ✓ |
AES256-GCM-SHA384 | - | - | ✓ |
AES128-GCM-SHA256 | - | - | ✓ |
AES256-SHA256 | - | - | ✓ |
AES128-SHA256 | - | - | ✓ |
AES256-SHA | - | - | ✓ |
AES128-SHA | - | - | ✓ |
You can choose a TLS version and cipher suite strength. The final supported OpenSSL cipher suites are determined by the selected options in combination.
For instance, if you enable TLS 1.3 and select eo-strict-v2023, the OpenSSL cipher suites supported are TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, and TLS_AES_128_GCM_SHA256.
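The combination rule described above, as an added Python example (not EdgeOne code): the suite data is transcribed from the two tables on this page, and the function names effective_suites and versions_without_suites are hypothetical. It also reports enabled TLS versions for which the two tables leave no cipher suite under the selected option.

```python
# Added example: data transcribed from the two tables on this page.
# Each row: (TLS versions, strength options that include the suites, suites).
STRICT, GENERAL, LOOSE = "eo-strict-v2023", "eo-general-v2023", "eo-loose-v2023"
ALL, GEN_UP, LOOSE_ONLY = {STRICT, GENERAL, LOOSE}, {GENERAL, LOOSE}, {LOOSE}

TABLE = [
    ({"TLS 1.3"}, ALL, "TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 "
                       "TLS_AES_128_GCM_SHA256"),
    ({"TLS 1.3"}, GEN_UP, "TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_8_SHA256"),
    ({"TLS 1.2"}, ALL, "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 "
                       "ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 "
                       "ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305"),
    ({"TLS 1.2"}, GEN_UP, "ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA256 "
                          "ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA256"),
    ({"TLS 1.2"}, LOOSE_ONLY, "AES256-GCM-SHA384 AES128-GCM-SHA256 "
                              "AES256-SHA256 AES128-SHA256"),
    ({"TLS 1.1", "TLS 1.0"}, LOOSE_ONLY, "ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA "
                                         "AES256-SHA AES128-SHA"),
]


def effective_suites(enabled_versions, option):
    """Map each enabled TLS version to the suites both tables allow for it."""
    if option not in ALL:
        raise ValueError(f"unknown cipher suite option: {option}")
    result = {version: [] for version in enabled_versions}
    for versions, options, suites in TABLE:
        if option in options:
            for version in versions & set(enabled_versions):
                result[version].extend(suites.split())
    return result


def versions_without_suites(enabled_versions, option):
    """Enabled versions for which the selected option leaves no suite at all."""
    suites = effective_suites(enabled_versions, option)
    return sorted(v for v, names in suites.items() if not names)


if __name__ == "__main__":
    print(effective_suites(["TLS 1.3"], STRICT))
    print(versions_without_suites(["TLS 1.0", "TLS 1.1", "TLS 1.2"], GENERAL))
```

Per the tables, enabling TLS 1.0 or TLS 1.1 together with eo-strict-v2023 or eo-general-v2023 yields an empty suite list for those versions, which is worth checking before changing either setting.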