Setting Transport Layer Security (TLS) options
The Transport Layer Security (TLS) options let you control whether visitors can browse your website over a secure connection, and when they do, how IBM Cloud® Internet Services connects to your origin server.
Use the latest version of the TLS protocol (TLS 1.3) for improved security and performance by switching the TLS 1.3 setting from Off to On.
TLS encryption modes
Set the TLS mode by selecting one of the following options from the Mode list.
These options are listed in order from the most secure to the least secure (Off):
- Authenticated origin pull (Enterprise only)
- HTTPS only origin pull (Enterprise only)
- End-to-end CA signed (default and recommended)
- End-to-end flexible (edge to origin certificates can be self-signed)
- Client-to-edge (edge to origin not encrypted, self-signed certificates are not supported)
- Off (not recommended)
Authenticated origin pull
Enterprise only. In this mode, the TLS client certificate is presented for authentication on origin pull. For more information, see Authenticated origin pull.
HTTPS only origin pull
Enterprise only. This mode has the same certificate requirements as End-to-end CA signed. It also upgrades all connections between CIS and your origin web server from HTTP to HTTPS, even if the original content was requested over HTTP.
End-to-end CA signed
This mode is the default and recommended setup. A secure connection exists between the visitor and CIS, and a secure and authenticated connection between CIS and your web server. Your server must be set up to handle HTTPS connections, with a valid TLS certificate. This certificate must be signed by a certificate authority, have an expiration date in the future, and be valid for the requested domain name (hostname). Keep using this TLS mode for best security practice, unless you understand the potential security threats of changing to one of the less strict modes.
End-to-end flexible
In this mode, a secure connection exists between your visitor and CIS, and a secure but non-authenticated connection between CIS and your web server. Your server must be set up to handle HTTPS connections, at a minimum with a self-signed certificate. The authenticity of this certificate is not verified: when CIS connects to your origin web server, it is comparable to bypassing a certificate error message in a browser. As long as the address of your origin web server is correct in your DNS settings, you know that CIS is connecting to your web server, and not someone else's.
Client-to-edge
In this mode, a secure connection exists between your visitor and CIS, but no secure connection between CIS and your web server. You don't need a TLS certificate on your web server, but your visitors still see the site as HTTPS-enabled. This option is not recommended if you have any sensitive information on your website. This setting works only for port 443 to port 80 (HTTPS from the visitor to CIS, plain HTTP from CIS to your origin). Use it only as a last resort if you are not able to set up TLS on your own web server. It is less secure than any other option (even "Off"), and might cause trouble when you decide to switch away from it.
Off
In this mode, no secure connection exists between your visitor and CIS, or between CIS and your web server. Visitors can view your website only over HTTP, and any visitor who attempts to connect by using HTTPS receives an HTTP 301 redirect to the plain HTTP version of your website.
Traffic encryption - Minimum TLS version
Set the minimum TLS version for traffic that tries to connect to your site by selecting one of the versions from the list.
By default, this version is set to 1.2. Higher TLS versions provide additional security, but might not be supported by all browsers, which might prevent some customers from connecting to your site.