TLS Versions and Cipher Suites
This article introduces EdgeOne's support for protocol versions and cipher suites allowed during TLS handshakes.
What are TLS protocol versions?
The TLS (Transport Layer Security) protocol is a security protocol used for encrypting network communications. As the successor to the SSL (Secure Sockets Layer) protocol, it enables encrypted communication between client/server applications. The TLS protocol has multiple versions, including TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3. TLS 1.3 is the latest version, offering more secure and efficient encryption mechanisms.
What is a cipher suite?
A cipher suite is a set of cryptographic algorithms used for secure connections in the Transport Layer Security (TLS) protocol. A TLS cipher suite comprises three components: authentication, encryption, and Message Authentication Code (MAC), which collectively ensure security and reliability by protecting transmitted data from third-party interception. During the TLS handshake process, the client and server negotiate a mutually supported cipher suite (based on their respective lists of supported cipher suites) to enable encrypted communication between them.
Use Cases
EdgeOne enables all TLS versions by default, with the cipher suite set to eo-loose-v2023, which meets the requirements of most customers. If you have higher security requirements, you can customize the settings:
Business Scenario | TLS version | cipher suite |
Focus on compatibility with older browser versions, where security requirements can be appropriately relaxed. | 1.0,1.1,1.2 | eo-loose-v2023 |
Browser compatibility and security need to be balanced, with both achieving a moderate level. | 1.2,1.3 | eo-general-v2023 |
High security requirements allow for reduced browser compatibility. All TLS versions and cipher suites that may pose security vulnerabilities need to be disabled. | 1.2,1.3 | eo-strict-v2023 |
Supported TLS Protocol Versions and Cipher Suites in EdgeOne
EdgeOne supports the following TLS versions:
TLS 1.0
TLS 1.1
TLS 1.2
TLS 1.3
OpenSSL cipher suites | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 |
TLS_AES_256_GCM_SHA384 | ✓ | - | - | - |
TLS_CHACHA20_POLY1305_SHA256 | ✓ | - | - | - |
TLS_AES_128_GCM_SHA256 | ✓ | - | - | - |
TLS_AES_128_CCM_SHA256 | ✓ | - | - | - |
TLS_AES_128_CCM_8_SHA256 | ✓ | - | - | - |
ECDHE-ECDSA-AES256-GCM-SHA384 | - | ✓ | - | - |
ECDHE-ECDSA-AES128-GCM-SHA256 | - | ✓ | - | - |
ECDHE-RSA-AES256-GCM-SHA384 | - | ✓ | - | - |
ECDHE-RSA-AES128-GCM-SHA256 | - | ✓ | - | - |
ECDHE-ECDSA-CHACHA20-POLY1305 | - | ✓ | - | - |
ECDHE-RSA-CHACHA20-POLY1305 | - | ✓ | - | - |
ECDHE-ECDSA-AES256-SHA384 | - | ✓ | - | - |
ECDHE-ECDSA-AES128-SHA256 | - | ✓ | - | - |
ECDHE-RSA-AES256-SHA384 | - | ✓ | - | - |
ECDHE-RSA-AES128-SHA256 | - | ✓ | - | - |
ECDHE-RSA-AES256-SHA | - | - | ✓ | ✓ |
ECDHE-RSA-AES128-SHA | - | - | ✓ | ✓ |
AES256-GCM-SHA384 | - | ✓ | - | - |
AES128-GCM-SHA256 | - | ✓ | - | - |
AES256-SHA256 | - | ✓ | - | - |
AES128-SHA256 | - | ✓ | - | - |
AES256-SHA | - | - | ✓ | ✓ |
AES128-SHA | - | - | ✓ | ✓ |
EdgeOne supports providing cipher suites of varying strengths based on TLS protocol versions:
eo-strict-v2023: High security requirements, disabling all insecure cipher suites.
eo-general-v2023: Browser compatibility and security need to be balanced, with both achieving a moderate level.
eo-loose-v2023 (default): Focus on compatibility with older browser versions, where security requirements can be appropriately relaxed.
OpenSSL cipher suites | eo-strict-v2023 | eo-general-v2023 | eo-loose-v2023 |
TLS_AES_256_GCM_SHA384 | ✓ | ✓ | ✓ |
TLS_CHACHA20_POLY1305_SHA256 | ✓ | ✓ | ✓ |
TLS_AES_128_GCM_SHA256 | ✓ | ✓ | ✓ |
TLS_AES_128_CCM_SHA256 | - | ✓ | ✓ |
TLS_AES_128_CCM_8_SHA256 | - | ✓ | ✓ |
ECDHE-ECDSA-AES256-GCM-SHA384 | ✓ | ✓ | ✓ |
ECDHE-ECDSA-AES128-GCM-SHA256 | ✓ | ✓ | ✓ |
ECDHE-RSA-AES256-GCM-SHA384 | ✓ | ✓ | ✓ |
ECDHE-RSA-AES128-GCM-SHA256 | ✓ | ✓ | ✓ |
ECDHE-ECDSA-CHACHA20-POLY1305 | ✓ | ✓ | ✓ |
ECDHE-RSA-CHACHA20-POLY1305 | ✓ | ✓ | ✓ |
ECDHE-ECDSA-AES256-SHA384 | - | ✓ | ✓ |
ECDHE-ECDSA-AES128-SHA256 | - | ✓ | ✓ |
ECDHE-RSA-AES256-SHA384 | - | ✓ | ✓ |
ECDHE-RSA-AES128-SHA256 | - | ✓ | ✓ |
ECDHE-RSA-AES256-SHA | - | - | ✓ |
ECDHE-RSA-AES128-SHA | - | - | ✓ |
AES256-GCM-SHA384 | - | - | ✓ |
AES128-GCM-SHA256 | - | - | ✓ |
AES256-SHA256 | - | - | ✓ |
AES128-SHA256 | - | - | ✓ |
AES256-SHA | - | - | ✓ |
AES128-SHA | - | - | ✓ |
You can configure TLS versions and cipher suites based on the security and compatibility requirements of your business. The ultimately supported OpenSSL cipher suites are determined by the intersection of the TLS version and cipher suite options. For example:
TLS version 1.3 is enabled, and the cipher suite option eo-strict-v2023 is selected. The ultimately supported OpenSSL cipher suites will be the intersection of TLS 1.3 and eo-strict-v2023: TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256.
Note:
If the edge HTTPS configuration includes a Chinese cryptographic certificate, EdgeOne will additionally support the ECC-SM2-WITH-SM4-SM3 and ECDHE-SM2-WITH-SM4-SM3 cipher suite algorithms.
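The intersection rule described above, computed for each enabled TLS version, as an added example (not EdgeOne code). The suite data is transcribed from the two tables on this page, the function names are hypothetical, and the SM2 suites from the note are not modelled.

```python
# Added example: data transcribed from the two tables on this page.
OPTIONS = ["eo-strict-v2023", "eo-general-v2023", "eo-loose-v2023"]
STRICT, GENERAL, LOOSE = OPTIONS

# (TLS versions, strictest option whose column is ticked, suites).
# In the option table every suite ticked for a stricter option is also
# ticked for the looser ones, so one option per row is enough.
TABLE = [
    ("1.3", STRICT, "TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 "
                    "TLS_AES_128_GCM_SHA256"),
    ("1.3", GENERAL, "TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_8_SHA256"),
    ("1.2", STRICT, "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 "
                    "ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 "
                    "ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305"),
    ("1.2", GENERAL, "ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-SHA256 "
                     "ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA256"),
    ("1.2", LOOSE, "AES256-GCM-SHA384 AES128-GCM-SHA256 AES256-SHA256 AES128-SHA256"),
    ("1.1 1.0", LOOSE, "ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA "
                       "AES256-SHA AES128-SHA"),
]

def effective_suites(versions, option):
    """Map each enabled TLS version to the suites left after the intersection."""
    level = OPTIONS.index(option)  # ValueError on an unknown option name
    result = {v: [] for v in versions}
    for row_versions, row_option, names in TABLE:
        if OPTIONS.index(row_option) > level:
            continue  # suite is not ticked for the selected option
        for v in row_versions.split():
            if v in result:
                result[v].extend(names.split())
    return result

def versions_without_suites(versions, option):
    """Enabled versions for which the intersection is empty."""
    return [v for v, s in effective_suites(versions, option).items() if not s]

if __name__ == "__main__":
    enabled = ["1.0", "1.1", "1.2", "1.3"]
    for opt in OPTIONS:
        for ver, suites in effective_suites(enabled, opt).items():
            print(f"{opt:18} TLS {ver}: {len(suites):2} suites")
        print("  no suites for:", versions_without_suites(enabled, opt) or "none")
```

With all four versions enabled, eo-strict-v2023 and eo-general-v2023 leave TLS 1.0 and TLS 1.1 with an empty intersection in these tables, so only eo-loose-v2023 offers a cipher suite at those versions.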