Supported protocols and ciphers between viewers and CloudFront
When you require HTTPS between viewers and your CloudFront distribution, you must choose a security policy, which determines the following settings.
-
The minimum SSL/TLS protocol that CloudFront uses to communicate with viewers.
-
The ciphers that CloudFront can use to encrypt the communication with viewers.
To choose a security policy, specify the applicable value for Security Policy. The following table lists the protocols and ciphers that CloudFront can use for each security policy.
A viewer must support at least one of the supported ciphers to establish an HTTPS connection with CloudFront. If you’re using an SSL/TLS certificate in AWS Certificate Manager, a viewer must support one of the *-RSA-* ciphers. CloudFront chooses a cipher in the listed order from among the ciphers that the viewer supports. See also OpenSSL, s2n, and RFC cipher names.
| Security policy | ||||||
|---|---|---|---|---|---|---|
| SSLv3 | TLSv1 | TLSv1_2016 | TLSv1.1_2016 | TLSv1.2_2018 | TLSv1.2_2019 | |
| SSL/TLS protocols supported | ||||||
| TLSv1.3¹ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLSv1.2 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLSv1.1 | ♦ | ♦ | ♦ | ♦ | ||
| TLSv1 | ♦ | ♦ | ♦ | |||
| SSLv3 | ♦ | |||||
| Ciphers supported | ||||||
| TLS_AES_128_GCM_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS_AES_256_GCM_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| TLS_CHACHA20_POLY1305_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| ECDHE-RSA-AES128-GCM-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| ECDHE-RSA-AES128-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| ECDHE-RSA-AES128-SHA | ♦ | ♦ | ♦ | ♦ | ||
| ECDHE-RSA-AES256-GCM-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| ECDHE-RSA-CHACHA20-POLY1305 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| ECDHE-RSA-AES256-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
| ECDHE-RSA-AES256-SHA | ♦ | ♦ | ♦ | ♦ | ||
| AES128-GCM-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | |
| AES256-GCM-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | |
| AES128-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | |
| AES256-SHA | ♦ | ♦ | ♦ | ♦ | ||
| AES128-SHA | ♦ | ♦ | ♦ | ♦ | ||
| DES-CBC3-SHA | ♦ | ♦ | ||||
| RC4-MD5 | ♦ | |||||
¹CloudFront supports one round trip time (1-RTT) handshakes for TLSv1.3, but does not support zero round trip time (0-RTT) handshakes.
OpenSSL, s2n, and RFC cipher names
OpenSSL and s2n
For all elliptic curve ciphers, CloudFront supports the following elliptic curves:
-
prime256v1
-
secp384r1
-
X25519
| OpenSSL and s2n cipher name | RFC cipher name |
|---|---|
|
TLS_AES_128_GCM_SHA256 |
TLS_AES_128_GCM_SHA256 |
|
TLS_AES_256_GCM_SHA384 |
TLS_AES_256_GCM_SHA384 |
|
TLS_CHACHA20_POLY1305_SHA256 |
TLS_CHACHA20_POLY1305_SHA256 |
|
ECDHE-RSA-AES128-GCM-SHA256 |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
|
ECDHE-RSA-AES128-SHA256 |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
|
ECDHE-RSA-AES128-SHA |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
|
ECDHE-RSA-AES256-GCM-SHA384 |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
|
ECDHE-RSA-CHACHA20-POLY1305 |
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 |
|
ECDHE-RSA-AES256-SHA384 |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
|
ECDHE-RSA-AES256-SHA |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
|
AES128-GCM-SHA256 |
TLS_RSA_WITH_AES_128_GCM_SHA256 |
|
AES256-GCM-SHA384 |
TLS_RSA_WITH_AES_256_GCM_SHA384 |
|
AES128-SHA256 |
TLS_RSA_WITH_AES_128_CBC_SHA256 |
|
AES256-SHA |
TLS_RSA_WITH_AES_256_CBC_SHA |
|
AES128-SHA |
TLS_RSA_WITH_AES_128_CBC_SHA |
|
DES-CBC3-SHA |
TLS_RSA_WITH_3DES_EDE_CBC_SHA |
|
RC4-MD5 |
TLS_RSA_WITH_RC4_128_MD5 |
Supported signature schemes between viewers and CloudFront
CloudFront supports the following signature schemes for connections between viewers and CloudFront.
-
TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA256
-
TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA384
-
TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA512
-
TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA256
-
TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA384
-
TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA512
-
TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA224
-
TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA1
