Amazon CloudFront
Developer Guide (API Version 2016-09-29)

Supported Protocols and Ciphers

You can choose HTTPS settings both for communication between viewers and CloudFront, and between CloudFront and your origin:

  • Between viewers and CloudFront – If you require HTTPS between viewers and CloudFront, you also choose a security policy, which determines the protocols that viewers and CloudFront can use to communicate. In addition, a security policy determines which ciphers CloudFront can use to encrypt the content that it returns to viewers.

  • Between CloudFront and your origin – If you require HTTPS between CloudFront and your origin, you also choose the protocols that CloudFront and your origin use to communicate. The protocols that you choose determine which ciphers your origin can use to encrypt content that it returns to CloudFront.

See the applicable topic.

Supported SSL/TLS Protocols and Ciphers for Communication Between Viewers and CloudFront

To choose whether to require HTTPS between viewers and CloudFront, specify the applicable value for Viewer Protocol Policy.

If you choose to require HTTPS, you also choose the security policy that you want CloudFront to use for HTTPS connections. A security policy determines two settings:

  • The SSL/TLS protocol that CloudFront uses to communicate with viewers

  • The cipher that CloudFront uses to encrypt the content that it returns to viewers

We recommend that you specify TLSv1.1_2016 unless your users are using browsers or devices that don't support TLSv1.1 or later. When you use a custom SSL certificate and SNI, you must use TLSv1 or later.

To choose a security policy, specify the applicable value for Security Policy. The following table lists the protocols and ciphers that CloudFront can use for each security policy.

A viewer must support at least one of the supported ciphers to establish an HTTPS connection with CloudFront. If you're using an SSL/TLS certificate in AWS Certificate Manager, a viewer must support one of the *-RSA-* ciphers. CloudFront chooses a cipher in the listed order from among the ciphers that the viewer supports. See also OpenSSL and RFC Cipher Names.

Security Policies: SSLv3, TLSv1.0, TLSv1_2016, TLSv1.1_2016, TLSv1.2_2018

SSL/TLS Protocols Supported (which of these a distribution accepts depends on the security policy you choose):

  • TLSv1.2

  • TLSv1.1

  • TLSv1

  • SSLv3

Ciphers Supported (which of these a distribution accepts depends on the security policy you choose; listed in CloudFront's order of preference):

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES256-GCM-SHA384

  • AES128-SHA256

  • AES256-SHA

  • AES128-SHA

  • DES-CBC3-SHA

  • RC4-MD5

OpenSSL and RFC Cipher Names

OpenSSL and IETF RFC 5246, The Transport Layer Security (TLS) Protocol Version 1.2, use different names for the same ciphers. The following table maps the OpenSSL name to the RFC name for each cipher that CloudFront supports.

OpenSSL Cipher Name            RFC Cipher Name
ECDHE-RSA-AES128-GCM-SHA256    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ECDHE-RSA-AES128-SHA256        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
ECDHE-RSA-AES128-SHA           TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
ECDHE-RSA-AES256-GCM-SHA384    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
ECDHE-RSA-AES256-SHA384        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
ECDHE-RSA-AES256-SHA           TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
AES128-GCM-SHA256              TLS_RSA_WITH_AES_128_GCM_SHA256
AES256-GCM-SHA384              TLS_RSA_WITH_AES_256_GCM_SHA384
AES128-SHA256                  TLS_RSA_WITH_AES_128_CBC_SHA256
AES256-SHA                     TLS_RSA_WITH_AES_256_CBC_SHA
AES128-SHA                     TLS_RSA_WITH_AES_128_CBC_SHA
DES-CBC3-SHA                   TLS_RSA_WITH_3DES_EDE_CBC_SHA
RC4-MD5                        TLS_RSA_WITH_RC4_128_MD5
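The selection rule described above (CloudFront takes the first cipher in its own preference order that the viewer also offers, and an ACM certificate requires a *-RSA-* cipher) together with the OpenSSL-to-RFC mapping, as an added Python example that is not part of this guide or of any AWS tool. The function names `negotiate` and `assess`, the `acm_certificate` flag and the viewer cipher lists are assumptions made for the example.

```python
# Added example, not code from the CloudFront Developer Guide. It models the
# selection rule above: CloudFront walks its own ordered cipher list and
# takes the first cipher the viewer also offers (server preference). Cipher
# order and OpenSSL -> RFC 5246 names are from this guide's tables.
# OpenSSL name -> RFC name, in CloudFront's order of preference (dict
# insertion order doubles as the preference list).
OPENSSL_TO_RFC = {
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES128-SHA256":     "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "ECDHE-RSA-AES128-SHA":        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES256-SHA384":     "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "ECDHE-RSA-AES256-SHA":        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "AES128-GCM-SHA256":           "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "AES256-GCM-SHA384":           "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "AES128-SHA256":               "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "AES256-SHA":                  "TLS_RSA_WITH_AES_256_CBC_SHA",
    "AES128-SHA":                  "TLS_RSA_WITH_AES_128_CBC_SHA",
    "DES-CBC3-SHA":                "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "RC4-MD5":                     "TLS_RSA_WITH_RC4_128_MD5",
}

# Ciphers that remain only for legacy viewers: RC4 and 3DES.
LEGACY_CIPHERS = {"DES-CBC3-SHA", "RC4-MD5"}

def negotiate(viewer_ciphers, acm_certificate=False):
    """Return the cipher CloudFront would select, or None if nothing overlaps.
    The guide says an ACM certificate needs a *-RSA-* cipher, so
    acm_certificate=True (an assumed flag) restricts candidates to those."""
    offered = set(viewer_ciphers)
    for name in OPENSSL_TO_RFC:  # CloudFront's order, not the viewer's
        if acm_certificate and "-RSA-" not in name:
            continue
        if name in offered:
            return name
    return None

def assess(viewer_ciphers, acm_certificate=False):
    """Negotiate and annotate the outcome the way an audit report would."""
    chosen = negotiate(viewer_ciphers, acm_certificate)
    if chosen is None:
        return {"cipher": None, "rfc": None, "forward_secrecy": False, "legacy": False}
    return {
        "cipher": chosen,
        "rfc": OPENSSL_TO_RFC[chosen],
        "forward_secrecy": chosen.startswith("ECDHE-"),  # ephemeral ECDH key exchange
        "legacy": chosen in LEGACY_CIPHERS,
    }
```

Feeding the cipher list a client advertises (for example, from a packet capture of its ClientHello) to `assess` shows which cipher CloudFront would settle on and whether that outcome is one you want to allow.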

Supported SSL/TLS Protocols and Ciphers for Communication Between CloudFront and Your Origin

You can choose whether to require HTTPS between CloudFront and your origin and, if so, which protocols to allow.

CloudFront forwards HTTPS requests to the origin server by using the following ciphers. Your origin server must support at least one of these ciphers for CloudFront to establish an HTTPS connection to your origin.

OpenSSL Cipher Name            RFC Cipher Name
ECDHE-RSA-AES128-SHA256        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
ECDHE-RSA-AES256-SHA384        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
AES256-SHA                     TLS_RSA_WITH_AES_256_CBC_SHA
AES128-SHA                     TLS_RSA_WITH_AES_128_CBC_SHA
DES-CBC3-SHA                   TLS_RSA_WITH_3DES_EDE_CBC_SHA
RC4-MD5                        TLS_RSA_WITH_RC4_128_MD5