Supported protocols and ciphers between CloudFront and the origin
If you choose to require HTTPS between CloudFront and your origin, you can decide which SSL/TLS protocol to allow for the secure connection, and then pick any supported cipher for CloudFront (see the following tables) to establish an HTTPS connection to your origin.
CloudFront can forward HTTPS requests to the origin server by using the ECDSA or RSA ciphers listed in the following tables. Your origin server must support at least one of these ciphers for CloudFront to establish an HTTPS connection to your origin. To learn more about the two types of ciphers that CloudFront supports, see About RSA and ECDSA Ciphers.
OpenSSL and s2n
Supported RSA ciphers
CloudFront supports the following RSA ciphers for connections with an origin.
For all elliptic curve ciphers, CloudFront supports the following elliptic curves:
-
prime256v1
-
secp384r1
-
X25519
OpenSSL and s2n cipher name | RFC cipher name |
---|---|
ECDHE-RSA-AES256-GCM-SHA384 |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
ECDHE-RSA-AES256-SHA384 |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
ECDHE-RSA-AES256-SHA |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
ECDHE-RSA-AES128-GCM-SHA256 |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
ECDHE-RSA-AES128-SHA256 |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
ECDHE-RSA-AES128-SHA |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
AES256-SHA |
TLS_RSA_WITH_AES_256_CBC_SHA |
AES128-SHA |
TLS_RSA_WITH_AES_128_CBC_SHA |
DES-CBC3-SHA |
TLS_RSA_WITH_3DES_EDE_CBC_SHA |
RC4-MD5 |
TLS_RSA_WITH_RC4_128_MD5 |
Supported ECDSA ciphers
CloudFront supports the following ECDSA ciphers for connections with an origin.
For all elliptic curve ciphers, CloudFront supports the following elliptic curves:
-
prime256v1
-
secp384r1
-
X25519
OpenSSL and s2n cipher name | RFC cipher name |
---|---|
ECDHE-ECDSA-AES256-GCM-SHA384 |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
ECDHE-ECDSA-AES256-SHA384 |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
ECDHE-ECDSA-AES256-SHA |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
ECDHE-ECDSA-AES128-GCM-SHA256 |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
ECDHE-ECDSA-AES128-SHA256 |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
ECDHE-ECDSA-AES128-SHA |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
Supported signature schemes between CloudFront and the origin
CloudFront supports the following signature schemes for connections between CloudFront and the origin.
-
TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA256
-
TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA384
-
TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA512
-
TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA224
-
TLS_SIGNATURE_SCHEME_ECDSA_SHA256
-
TLS_SIGNATURE_SCHEME_ECDSA_SHA384
-
TLS_SIGNATURE_SCHEME_ECDSA_SHA512
-
TLS_SIGNATURE_SCHEME_ECDSA_SHA224
-
TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA1
-
TLS_SIGNATURE_SCHEME_ECDSA_SHA1