IBM Cloud Docs
Setting Transport Layer Security (TLS) options

The Transport Layer Security (TLS) options let you control whether visitors can browse your website over a secure connection, and when they do, how IBM Cloud® Internet Services connects to your origin server.

Use the latest version of the TLS protocol, TLS 1.3, for improved security and performance by switching the TLS 1.3 setting from Off to On. TLS 1.3 drops the legacy cipher suites of earlier versions and completes the handshake in a single round trip.

TLS encryption modes

Set the TLS mode by selecting one of the following options from the Mode list.

These options are listed in order from the least secure (Off) to the most secure (End-to-End CA signed, with HTTPS Only Origin Pull building on it), with one caveat: Client-to-Edge, described below, is in practice worse than Off, because it presents an HTTPS site to visitors while the connection between CIS and your origin stays unencrypted.

Off

No secure connection between your visitor and CIS, and no secure connection between CIS and your web server. Visitors can only view your website over HTTP, and any visitor attempting to connect using HTTPS receives an HTTP 301 Redirect to the plain HTTP version of your website.

Figure 1. A diagram of TLS Off

Client-to-Edge

A secure connection between your visitor and CIS, but no secure connection between CIS and your web server. You don't need a TLS certificate on your web server, but your visitors still see the site as HTTPS-enabled. This option is not recommended if your website carries any sensitive information: it is less secure than any other option (even Off), because visitors are shown a secure connection while their data travels in cleartext between CIS and your origin. This mode only maps port 443 on CIS to port 80 on your origin. Use it only as a last resort if you cannot set up TLS on your own web server, and be aware that it can cause trouble when you later decide to switch away from it.

Figure 2. A diagram of Client to edge TLS

End-to-End flexible

A secure connection between your visitor and CIS, and a secure (but not authenticated) connection between CIS and your web server. Your server must be configured to answer HTTPS connections, with at least a self-signed certificate. The authenticity of the certificate is not verified: from CIS's point of view, connecting to your origin in this mode is the equivalent of a browser user clicking through a certificate warning. Because the certificate is never checked, this mode protects the CIS-to-origin leg against passive eavesdropping only; it gives CIS no way to tell whether the server that answered is really yours, so anyone able to intercept traffic on the path to your origin could present their own certificate unnoticed. As long as the origin address in your DNS settings is correct, CIS connects to that address, but if you need assurance that it is your server answering, use End-to-End CA signed.

Figure 3. A diagram of End to end flexible TLS

End-to-End CA signed

Default and recommended. A secure connection between the visitor and CIS, and a secure, authenticated connection between CIS and your web server. Your server must be configured to answer HTTPS connections with a valid TLS certificate: one signed by a certificate authority, with an expiration date in the future, and issued for the requested domain name (hostname). Keep using this TLS mode unless you understand the security threats that come with switching to one of the less strict modes.

Figure 4. A diagram of End to end CA signed TLS
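The following script is an added example (not IBM Cloud's own code) that shows the difference between the End-to-End flexible and End-to-End CA signed modes on the CIS-to-origin leg, and checks the three CA signed requirements (issued by a CA, not expired, matches the hostname) against a certificate in the dictionary form that Python's `ssl.SSLSocket.getpeercert()` returns. The mode names `flexible` and `ca_signed`, the helper names, and both certificate dictionaries are this example's own constructions, not CIS identifiers.

```python
"""Added example, not IBM Cloud's own code: models how an edge proxy treats the
origin certificate in End-to-End flexible versus End-to-End CA signed mode, and
checks the three CA signed requirements (CA-issued, unexpired, matches the
hostname) offline against a certificate in the dict form returned by
ssl.SSLSocket.getpeercert(). The two certificates below are constructed."""
import ssl
import time
from typing import Optional


def origin_context(mode: str) -> ssl.SSLContext:
    """Client-side TLS context for the edge-to-origin leg. The mode names
    'flexible' and 'ca_signed' are this example's own labels for the
    End-to-End flexible and End-to-End CA signed modes on the page."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if mode == "flexible":
        ctx.check_hostname = False        # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE   # encrypt, but accept any certificate
    elif mode != "ca_signed":
        raise ValueError(f"unknown mode: {mode}")
    return ctx


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a wildcard is honoured only as the whole leftmost
    label and never spans more than one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p, h = pattern.split("."), hostname.split(".")
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]


def check_origin_cert(cert: dict, hostname: str, now: Optional[float] = None) -> list:
    """Return the CA signed requirements the certificate fails; [] means OK."""
    now = time.time() if now is None else now
    problems = []
    # 1. Issued by a certificate authority: a self-signed cert names itself as issuer.
    if cert.get("issuer") == cert.get("subject"):
        problems.append("self-signed (issuer equals subject)")
    # 2. The validity window must contain 'now'.
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= now:
        problems.append(f"expired on {cert['notAfter']}")
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append(f"not valid before {cert['notBefore']}")
    # 3. Must answer for the requested hostname via a subjectAltName dNSName;
    #    modern validators do not fall back to the commonName.
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_dns_name_matches(name, hostname) for name in sans):
        problems.append(f"no subjectAltName matches {hostname}")
    return problems


# Constructed certificates in getpeercert() dict form (not real certificates).
GOOD_CERT = {
    "subject": ((("commonName", "origin.example.com"),),),
    "issuer": ((("organizationName", "Example Trust"),), (("commonName", "Example Issuing CA"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "origin.example.com"), ("DNS", "*.example.com")),
}
SELF_SIGNED_EXPIRED = {
    "subject": ((("commonName", "origin.example.com"),),),
    "issuer": ((("commonName", "origin.example.com"),),),
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Jan  1 00:00:00 2021 GMT",
    "subjectAltName": (("DNS", "origin.example.com"),),
}
# Fixed clock so the outcome does not change as real time passes.
FIXED_NOW = ssl.cert_time_to_seconds("Jun  1 12:00:00 2025 GMT")

if __name__ == "__main__":
    for label, cert in (("CA-issued", GOOD_CERT), ("self-signed", SELF_SIGNED_EXPIRED)):
        problems = check_origin_cert(cert, "origin.example.com", FIXED_NOW)
        print(f"{label}: {'acceptable for CA signed mode' if not problems else problems}")
    print("flexible verify_mode:", origin_context("flexible").verify_mode)
```

In CA signed mode the `ca_signed` context performs all three checks itself during the handshake; `check_origin_cert` spells them out so you can run them against a certificate you have already fetched from your origin before changing the mode. The self-signed, expired certificate is exactly what End-to-End flexible would accept and End-to-End CA signed would reject.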

HTTPS Only Origin Pull

Enterprise only. This mode has the same certificate requirements as End-to-End CA Signed and also upgrades all connections between CIS and your origin webserver from HTTP to HTTPS, even if the original content requested is over HTTP.

Traffic encryption - Minimum TLS version

Set the minimum TLS version that visitors must use to connect to your site by selecting a version from the list.

By default, this is set to 1.2. Raising the minimum tightens security (TLS 1.0 and 1.1 are deprecated and lack the cipher and downgrade protections of later versions), but clients that cannot negotiate the chosen version, typically old browsers and embedded HTTP libraries, will be unable to connect to your site at all. Check which versions your visitors actually negotiate before changing it.
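Before raising the minimum, it helps to measure how much traffic would be turned away. The following script is an added example, not IBM Cloud tooling: it tallies the TLS versions negotiated in an access-log export and reports what a candidate minimum would reject. The log lines are constructed, and the field names `ClientIP` and `ClientSSLProtocol` are an assumed export format rather than a documented CIS log schema; adapt them to whatever your log export produces.

```python
"""Added example, not IBM Cloud tooling: before raising the minimum TLS version,
tally the TLS versions clients actually negotiated and see what a candidate
minimum would reject. The log lines are constructed, and the field names
ClientIP / ClientSSLProtocol are an assumed export format, not a documented
CIS log schema."""
import json
from collections import Counter

# Protocol names oldest to newest; anything else (e.g. "none" for plain HTTP) is ignored.
TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Constructed sample export, one JSON object per line. The last line is a plain
# HTTP request and is therefore unaffected by the TLS floor.
SAMPLE_LOG = """\
{"ClientIP": "203.0.113.10", "ClientSSLProtocol": "TLSv1.3", "ClientRequestURI": "/"}
{"ClientIP": "203.0.113.10", "ClientSSLProtocol": "TLSv1.3", "ClientRequestURI": "/app.js"}
{"ClientIP": "198.51.100.7", "ClientSSLProtocol": "TLSv1.2", "ClientRequestURI": "/"}
{"ClientIP": "198.51.100.20", "ClientSSLProtocol": "TLSv1", "ClientRequestURI": "/api/v1/ping"}
{"ClientIP": "198.51.100.21", "ClientSSLProtocol": "TLSv1.1", "ClientRequestURI": "/api/v1/ping"}
{"ClientIP": "198.51.100.7", "ClientSSLProtocol": "TLSv1.2", "ClientRequestURI": "/login"}
{"ClientIP": "192.0.2.5", "ClientSSLProtocol": "none", "ClientRequestURI": "/"}
"""


def tls_version_impact(log_text: str, candidate_min: str) -> dict:
    """Count HTTPS requests per negotiated version and report which requests and
    client IPs would be refused if candidate_min became the minimum."""
    if candidate_min not in TLS_ORDER:
        raise ValueError(f"unknown TLS version: {candidate_min}")
    floor = TLS_ORDER.index(candidate_min)
    per_version = Counter()
    rejected_requests = 0
    rejected_clients = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        proto = record.get("ClientSSLProtocol", "none")
        if proto not in TLS_ORDER:
            continue                      # plaintext HTTP or unknown: not affected
        per_version[proto] += 1
        if TLS_ORDER.index(proto) < floor:
            rejected_requests += 1
            rejected_clients.add(record["ClientIP"])
    total = sum(per_version.values())
    return {
        "candidate_min": candidate_min,
        "https_requests": total,
        "per_version": dict(per_version),
        "rejected_requests": rejected_requests,
        "rejected_share": rejected_requests / total if total else 0.0,
        "rejected_clients": sorted(rejected_clients),
    }


def safe_minimum(log_text: str, max_rejected_share: float = 0.0) -> str:
    """Highest minimum version whose rejected share stays within the tolerance.
    The rejected share only grows as the floor rises, so the last version that
    passes is the answer."""
    best = TLS_ORDER[0]
    for version in TLS_ORDER:
        if tls_version_impact(log_text, version)["rejected_share"] <= max_rejected_share:
            best = version
    return best


if __name__ == "__main__":
    for version in TLS_ORDER:
        r = tls_version_impact(SAMPLE_LOG, version)
        print(f"min {version:8}: rejects {r['rejected_requests']}/{r['https_requests']} "
              f"requests from {r['rejected_clients']}")
    print("highest floor with no lockouts:", safe_minimum(SAMPLE_LOG))
```

The point of `rejected_clients` is to turn an abstract percentage into a list you can act on: with real logs you would look up who those addresses are (a partner integration, a monitoring probe, a legacy app) and fix or notify them before raising the minimum, rather than discovering them through support tickets afterwards.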