Supported protocols and ciphers between CloudFront and the origin - Amazon CloudFront

Supported protocols and ciphers between CloudFront and the origin

If you require HTTPS between CloudFront and your origin, you choose which SSL/TLS protocol versions to allow for the secure connection; CloudFront can then use any supported cipher (see the following tables) to establish the HTTPS connection to your origin.

CloudFront can forward HTTPS requests to the origin server by using the ECDSA or RSA ciphers listed in the following tables. Your origin server must support at least one of these ciphers for CloudFront to establish an HTTPS connection to your origin. To learn more about the two types of ciphers that CloudFront supports, see About RSA and ECDSA Ciphers.

OpenSSL and s2n use different names for ciphers than the TLS standards use (RFC 2246, RFC 4346, RFC 5246, and RFC 8446). The following tables map the OpenSSL and s2n names to the RFC name for each cipher.

Supported RSA ciphers

CloudFront supports the following RSA ciphers for connections with an origin.

For all elliptic curve ciphers, CloudFront supports the following elliptic curves:

  • prime256v1

  • secp384r1

  • X25519

OpenSSL and s2n cipher name      RFC cipher name
ECDHE-RSA-AES256-GCM-SHA384      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
ECDHE-RSA-AES256-SHA384          TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
ECDHE-RSA-AES256-SHA             TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
ECDHE-RSA-AES128-GCM-SHA256      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ECDHE-RSA-AES128-SHA256          TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
ECDHE-RSA-AES128-SHA             TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
AES256-SHA                       TLS_RSA_WITH_AES_256_CBC_SHA
AES128-SHA                       TLS_RSA_WITH_AES_128_CBC_SHA
DES-CBC3-SHA                     TLS_RSA_WITH_3DES_EDE_CBC_SHA
RC4-MD5                          TLS_RSA_WITH_RC4_128_MD5

Supported ECDSA ciphers

CloudFront supports the following ECDSA ciphers for connections with an origin.

For all elliptic curve ciphers, CloudFront supports the following elliptic curves:

  • prime256v1

  • secp384r1

  • X25519

OpenSSL and s2n cipher name      RFC cipher name
ECDHE-ECDSA-AES256-GCM-SHA384    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
ECDHE-ECDSA-AES256-SHA384        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
ECDHE-ECDSA-AES256-SHA           TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
ECDHE-ECDSA-AES128-GCM-SHA256    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
ECDHE-ECDSA-AES128-SHA256        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
ECDHE-ECDSA-AES128-SHA           TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
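The practical question behind both tables is whether your origin offers at least one suite (and, for the ECDHE suites, at least one curve) from the lists above, and how much of what it offers is legacy. The following script is an added example, not AWS code: it transcribes the two cipher tables and the curve list from this page, takes an origin's cipher preference list and curve set (the ones below are constructed sample input, the kind you would read from your server's TLS configuration or a scanner), reports which suites CloudFront can negotiate with their RFC names, flags the legacy ones (RC4, 3DES, SHA-1/MD5 HMAC, non-AEAD, static RSA key exchange; that assessment is ours, not the page's), and builds a hardened OpenSSL cipher string for the origin. The `negotiated_with` helper performs a real handshake and needs network access; it is not exercised offline.

```python
"""Decide which of an origin's TLS cipher suites CloudFront can negotiate.

Added example, not AWS code.  Cipher and curve tables are transcribed from
this documentation page; the origin data below is a constructed sample, and
the "legacy" classification is the example author's own.
"""
from __future__ import annotations

# OpenSSL/s2n name -> RFC name, transcribed from the page's RSA table.
CLOUDFRONT_RSA_CIPHERS = {
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES256-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "ECDHE-RSA-AES256-SHA": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES128-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "ECDHE-RSA-AES128-SHA": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "AES256-SHA": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "AES128-SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "DES-CBC3-SHA": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "RC4-MD5": "TLS_RSA_WITH_RC4_128_MD5",
}
# Transcribed from the page's ECDSA table.
CLOUDFRONT_ECDSA_CIPHERS = {
    "ECDHE-ECDSA-AES256-GCM-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-ECDSA-AES256-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "ECDHE-ECDSA-AES256-SHA": "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "ECDHE-ECDSA-AES128-GCM-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-ECDSA-AES128-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "ECDHE-ECDSA-AES128-SHA": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
}
CLOUDFRONT_CIPHERS = {**CLOUDFRONT_RSA_CIPHERS, **CLOUDFRONT_ECDSA_CIPHERS}
CLOUDFRONT_CURVES = {"prime256v1", "secp384r1", "X25519"}  # from the page


def legacy_reasons(openssl_name: str) -> list[str]:
    """Reasons a hardened origin should not prefer this suite (empty = fine)."""
    reasons = []
    if openssl_name.startswith("RC4"):
        reasons.append("RC4 stream cipher")
    if "DES-CBC3" in openssl_name:
        reasons.append("3DES")
    if openssl_name.endswith("-SHA"):          # bare -SHA suffix = SHA-1 HMAC
        reasons.append("SHA-1 HMAC")
    if openssl_name.endswith("-MD5"):
        reasons.append("MD5 HMAC")
    if "GCM" not in openssl_name:              # only the GCM suites are AEAD
        reasons.append("not AEAD (MAC-then-encrypt)")
    if not openssl_name.startswith("ECDHE-"):  # plain AES*-SHA etc. use static RSA
        reasons.append("no forward secrecy")
    return reasons


def usable_by_cloudfront(origin_ciphers: list[str],
                         origin_curves: set[str]) -> list[tuple[str, str, list[str]]]:
    """(openssl_name, rfc_name, legacy_reasons) for each origin suite CloudFront
    can use, in the origin's own preference order.  ECDHE suites additionally
    require a curve both sides support."""
    shared_curve = bool(origin_curves & CLOUDFRONT_CURVES)
    usable = []
    for name in origin_ciphers:
        rfc = CLOUDFRONT_CIPHERS.get(name)
        if rfc is None:
            continue                            # e.g. CHACHA20: fine, but not listed
        if name.startswith("ECDHE-") and not shared_curve:
            continue                            # no common curve, ECDHE cannot complete
        usable.append((name, rfc, legacy_reasons(name)))
    return usable


def hardened_cipher_string(key_type: str = "RSA") -> str:
    """OpenSSL-style cipher string restricting an origin to the AEAD,
    forward-secret suites from the page, for e.g. nginx `ssl_ciphers`."""
    table = CLOUDFRONT_RSA_CIPHERS if key_type == "RSA" else CLOUDFRONT_ECDSA_CIPHERS
    return ":".join(n for n in table if not legacy_reasons(n))


def negotiated_with(host: str, port: int = 443, ciphers: str | None = None):
    """Live check (needs network): handshake with the origin and return
    (protocol_version, cipher_name) the server actually negotiated."""
    import socket
    import ssl
    ctx = ssl.create_default_context()
    if ciphers:
        ctx.set_ciphers(ciphers)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


# Constructed sample: an origin's preference-ordered suites and its curves.
ORIGIN_CIPHERS = [
    "ECDHE-RSA-CHACHA20-POLY1305",   # strong, but absent from CloudFront's list
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA",
    "AES256-SHA",
    "DES-CBC3-SHA",
]
ORIGIN_CURVES = {"X25519", "secp521r1"}

if __name__ == "__main__":
    for name, rfc, reasons in usable_by_cloudfront(ORIGIN_CIPHERS, ORIGIN_CURVES):
        print(f"{name:32} {rfc:42} {'; '.join(reasons) or 'ok'}")
    print("hardened RSA string:", hardened_cipher_string("RSA"))
```

Run it as-is to see the sample origin's usable suites; point `negotiated_with("origin.example", ciphers=hardened_cipher_string("RSA"))` at a real origin to confirm that the restricted string still completes a handshake before you change the server configuration. Note that an origin offering only `secp521r1` loses every ECDHE suite and falls back to the static-RSA ones, which is why the curve list matters as much as the cipher list.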

Supported signature schemes between CloudFront and the origin

CloudFront supports the following signature schemes for connections between CloudFront and the origin.

  • TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA256

  • TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA384

  • TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA512

  • TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA224

  • TLS_SIGNATURE_SCHEME_ECDSA_SHA256

  • TLS_SIGNATURE_SCHEME_ECDSA_SHA384

  • TLS_SIGNATURE_SCHEME_ECDSA_SHA512

  • TLS_SIGNATURE_SCHEME_ECDSA_SHA224

  • TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA1

  • TLS_SIGNATURE_SCHEME_ECDSA_SHA1