Amazon CloudFront
Developer Guide (API Version 2016-09-29)

Supported Protocols and Ciphers

See the applicable topic for information about the protocols and ciphers that CloudFront supports for HTTPS communication between viewers and CloudFront, and between CloudFront and your origins.

Supported Protocols

You can choose whether to require viewers to use HTTPS to communicate with CloudFront and whether CloudFront uses HTTPS to communicate with your custom origin. If you require HTTPS, you can also choose the protocols that viewers, CloudFront, and your origin use to communicate.

Protocol between viewers and CloudFront

To choose whether to require HTTPS between viewers and CloudFront, specify the applicable value for Viewer Protocol Policy.

To choose whether you want viewers and CloudFront to communicate by using TLSv1.0 or later, or by using the less secure SSLv3 protocol, specify the applicable value for Minimum SSL Protocol Version.

Important

CloudFront only supports viewer requests using SSLv3 and TLSv1.0, 1.1, and 1.2.

Protocol between CloudFront and your origin

To choose whether to require HTTPS between CloudFront and your origin, specify the applicable value for Origin Protocol Policy (Amazon EC2 and Other Custom Origins Only).

To choose the SSL/TLS protocols that you want CloudFront and your origin to use to communicate, specify the applicable values for Origin SSL Protocols (Amazon EC2 and Other Custom Origins Only).

Supported Ciphers

Viewers can send HTTPS requests to CloudFront using the following ciphers. With the exception of RC4-MD5, all ciphers are supported whether you selected SSLv3 or TLSv1.0 as the value for Minimum SSL Protocol Version. A viewer must support at least one of these ciphers to establish an HTTPS connection with CloudFront. If you're using an SSL/TLS certificate in AWS Certificate Manager, a viewer must support one of the *-RSA-* ciphers. CloudFront chooses a cipher in the following order from among the ciphers that the viewer supports:

| OpenSSL Cipher Name | RFC Cipher Name |
|---|---|
| ECDHE-RSA-AES128-GCM-SHA256 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| ECDHE-RSA-AES128-SHA256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
| ECDHE-RSA-AES128-SHA | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
| ECDHE-RSA-AES256-GCM-SHA384 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| ECDHE-RSA-AES256-SHA384 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
| ECDHE-RSA-AES256-SHA | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
| AES128-GCM-SHA256 | TLS_RSA_WITH_AES_128_GCM_SHA256 |
| AES256-GCM-SHA384 | TLS_RSA_WITH_AES_256_GCM_SHA384 |
| AES128-SHA256 | TLS_RSA_WITH_AES_128_CBC_SHA256 |
| AES256-SHA | TLS_RSA_WITH_AES_256_CBC_SHA |
| AES128-SHA | TLS_RSA_WITH_AES_128_CBC_SHA |
| DES-CBC3-SHA (supported only when the value of Minimum SSL Protocol Version is SSLv3) | TLS_RSA_WITH_3DES_EDE_CBC_SHA (supported only when the value of Minimum SSL Protocol Version is SSLv3) |
| RC4-MD5 (supported only when the value of Minimum SSL Protocol Version is SSLv3) | TLS_RSA_WITH_RC4_128_MD5 (supported only when the value of Minimum SSL Protocol Version is SSLv3) |

CloudFront forwards HTTPS requests to the origin server by using the following ciphers. Your origin server must support at least one of these ciphers for CloudFront to establish an HTTPS connection to your origin.

| OpenSSL Cipher Name | RFC Cipher Name |
|---|---|
| ECDHE-RSA-AES128-SHA256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
| ECDHE-RSA-AES256-SHA384 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
| AES256-SHA | TLS_RSA_WITH_AES_256_CBC_SHA |
| AES128-SHA | TLS_RSA_WITH_AES_128_CBC_SHA |
| DES-CBC3-SHA (supported only when the value of Minimum SSL Protocol Version is SSLv3) | TLS_RSA_WITH_3DES_EDE_CBC_SHA (supported only when the value of Minimum SSL Protocol Version is SSLv3) |
| RC4-MD5 (supported only when the value of Minimum SSL Protocol Version is SSLv3) | TLS_RSA_WITH_RC4_128_MD5 (supported only when the value of Minimum SSL Protocol Version is SSLv3) |
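
The following is an added example, not code from the CloudFront documentation or from AWS. It models the two rules stated above: the ordered viewer-side cipher choice, and the requirement that an origin share at least one cipher with the origin table. It assumes the cipher lists are explicit OpenSSL names; the function names are hypothetical.

```python
# Cipher names and order are copied from the two tables on this page.
# Function names and the sample inputs in the test are constructed for illustration.
VIEWER_ORDER = [
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA",
    "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256",
    "AES256-SHA", "AES128-SHA", "DES-CBC3-SHA", "RC4-MD5",
]
ORIGIN_CIPHERS = [
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
    "AES256-SHA", "AES128-SHA", "DES-CBC3-SHA", "RC4-MD5",
]
# Rows the tables mark "supported only when ... is SSLv3".
SSLV3_ONLY = {"DES-CBC3-SHA", "RC4-MD5"}


def allowed(cipher, min_protocol):
    """min_protocol is "SSLv3" or "TLSv1.0", the two values the page names."""
    if min_protocol not in ("SSLv3", "TLSv1.0"):
        raise ValueError("unknown Minimum SSL Protocol Version: %r" % min_protocol)
    return min_protocol == "SSLv3" or cipher not in SSLV3_ONLY


def select_viewer_cipher(viewer_offers, min_protocol="TLSv1.0"):
    """First cipher in CloudFront's order that the viewer offers, else None."""
    offered = set(viewer_offers)
    for cipher in VIEWER_ORDER:
        if cipher in offered and allowed(cipher, min_protocol):
            return cipher
    return None  # no shared cipher: the HTTPS handshake cannot complete


def audit_origin(cipher_list, min_protocol="TLSv1.0"):
    """cipher_list: colon-separated explicit names, as `openssl ciphers` prints."""
    enabled = {c.strip() for c in cipher_list.split(":") if c.strip()}
    usable = [c for c in ORIGIN_CIPHERS if c in enabled and allowed(c, min_protocol)]
    return {
        "usable": usable,
        "forward_secrecy_possible": any(c.startswith("ECDHE-") for c in usable),
        "legacy_only": bool(usable) and all(c in SSLV3_ONLY for c in usable),
    }
```

An origin that enables only GCM suites produces an empty `usable` list, because the origin table above contains no GCM ciphers; such an origin needs at least one of the listed CBC suites enabled for CloudFront to connect.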