Supported protocols and ciphers between viewers and CloudFront - Amazon CloudFront

Supported protocols and ciphers between viewers and CloudFront

When you require HTTPS between viewers and your CloudFront distribution, you must choose a security policy, which determines the following settings.

  • The minimum SSL/TLS protocol that CloudFront uses to communicate with viewers.

  • The ciphers that CloudFront can use to encrypt the communication with viewers.

To choose a security policy, specify the applicable value for Security Policy. The following table lists the protocols and ciphers that CloudFront can use for each security policy.

A viewer must support at least one of the supported ciphers to establish an HTTPS connection with CloudFront. If you’re using an SSL/TLS certificate in AWS Certificate Manager, a viewer must support one of the *-RSA-* ciphers. CloudFront chooses a cipher in the listed order from among the ciphers that the viewer supports. See also OpenSSL, s2n, and RFC cipher names.

Security policy
SSLv3 TLSv1 TLSv1_2016 TLSv1.1_2016 TLSv1.2_2018 TLSv1.2_2019
SSL/TLS protocols supported
TLSv1.3¹
TLSv1.2
TLSv1.1
TLSv1
SSLv3
Ciphers supported
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-SHA256
AES256-SHA
AES128-SHA
DES-CBC3-SHA
RC4-MD5

¹CloudFront supports one round trip time (1-RTT) handshakes for TLSv1.3, but does not support zero round trip time (0-RTT) handshakes.

OpenSSL, s2n, and RFC cipher names

OpenSSL and s2n use different names for ciphers than the TLS standards use (RFC 2246, RFC 4346, RFC 5246, and RFC 8446). The following table maps the OpenSSL and s2n names to the RFC name for each cipher.

For all elliptic curve ciphers, CloudFront supports the following elliptic curves:

  • prime256v1

  • secp384r1

  • X25519

OpenSSL and s2n cipher name RFC cipher name

TLS_AES_128_GCM_SHA256

TLS_AES_128_GCM_SHA256

TLS_AES_256_GCM_SHA384

TLS_AES_256_GCM_SHA384

TLS_CHACHA20_POLY1305_SHA256

TLS_CHACHA20_POLY1305_SHA256

ECDHE-RSA-AES128-GCM-SHA256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

ECDHE-RSA-AES128-SHA256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

ECDHE-RSA-AES128-SHA

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

ECDHE-RSA-AES256-GCM-SHA384

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

ECDHE-RSA-CHACHA20-POLY1305

TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

ECDHE-RSA-AES256-SHA384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

ECDHE-RSA-AES256-SHA

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

AES128-GCM-SHA256

TLS_RSA_WITH_AES_128_GCM_SHA256

AES256-GCM-SHA384

TLS_RSA_WITH_AES_256_GCM_SHA384

AES128-SHA256

TLS_RSA_WITH_AES_128_CBC_SHA256

AES256-SHA

TLS_RSA_WITH_AES_256_CBC_SHA

AES128-SHA

TLS_RSA_WITH_AES_128_CBC_SHA

DES-CBC3-SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

RC4-MD5

TLS_RSA_WITH_RC4_128_MD5

Supported signature schemes between viewers and CloudFront

CloudFront supports the following signature schemes for connections between viewers and CloudFront.

  • TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA256

  • TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA384

  • TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA512

  • TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA256

  • TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA384

  • TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA512

  • TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA224

  • TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA1