CLB HTTPS currently supports the following SSL protocols: TLSv1, TLSv1.1, and TLSv1.2.
There is no mandatory requirement for this. Port 443 is recommended.
Some users such as financial service providers have higher requirements for data security. They require HTTPS authentication on both the server and client. To meet their needs, HTTPS mutual authentication is provided.
If the HTTPS protocol is used, it actually generates more traffic than the billed traffic as some of the traffic is used for protocol handshake.
Yes. After an HTTPS listener is added, the requests from the client to the CLB instance will be encrypted over HTTPS, but the requests from the CLB instance to the real server will still be transferred over HTTP. Therefore, there is no need to configure SSL on the real server.
It currently supports the upload of server certificates and CA certificates. For server certificates, both certificate content and private key are required to be uploaded. For CA certificates, only certificate content is required to be uploaded. Both types of certificates only support upload in PEM encoding format.
If HTTPS one-way authentication is used, only one server certificate can be bound to a listener. If HTTPS mutual authentication is used, one server certificate and one CA certificate need to be bound to a listener.
A certificate can be applied to one or multiple CLB instances or listeners.
You can upload certificates by calling an API or through the CLB console.
Yes. If a user's certificate needs to be used in multiple regions, it is necessary to upload the certificate in multiple regions to ensure the security and performance.
No. CLB HTTPS provides a certificate management system to manage and store user certificates. Certificates do not need to be uploaded to backend CVM instances, and all the private keys uploaded to the certificate management system are stored in an encrypted manner.
If the current certificate expires, you need to update the certificate manually.
This may be caused by the wrong content of the private key. In this case, you need to replace it with a new certificate that meets the requirements.