Sign In to the Console
Amazon CloudFront
Developer Guide (API Version 2016-09-29)

AWS Documentation » Amazon CloudFront » Developer Guide » Configuring Secure Access and Limiting Access to Content » Using HTTPS with CloudFront » Supported Protocols and Ciphers

Supported Protocols and Ciphers

You can choose HTTPS settings both for communication between viewers and CloudFront, and between CloudFront and your origin:

  • Between viewers and CloudFront – If you require HTTPS between viewers and CloudFront, you also choose a security policy, which determines the protocols that viewers and CloudFront can use to communicate. In addition, a security policy determines which ciphers CloudFront can use to encrypt the content that it returns to viewers.

  • Between CloudFront and your origin – If you require HTTPS between CloudFront and your origin, you also choose the protocols that CloudFront and your origin use to communicate. The protocols that you choose determine which ciphers your origin can use to encrypt content that it returns to CloudFront.

Supported SSL/TLS Protocols and Ciphers for Communication Between Viewers and CloudFront

To choose whether to require HTTPS between viewers and CloudFront, specify the applicable value for Viewer Protocol Policy.

If you choose to require HTTPS, you also choose the security policy that you want CloudFront to use for HTTPS connections. A security policy determines two settings:

  • The SSL/TLS protocol that CloudFront uses to communicate with viewers

  • The cipher that CloudFront uses to encrypt the content that it returns to viewers

We recommend that you specify TLSv1.1_2016 unless your users are using browsers or devices that don't support TLSv1.1 or later. When you use a custom SSL certificate and SNI, you must use TLSv1 or later.

To choose a security policy, specify the applicable value for Security Policy. The following table lists the protocols and ciphers that CloudFront can use for each security policy.

A viewer must support at least one of the supported ciphers to establish an HTTPS connection with CloudFront. If you're using an SSL/TLS certificate in AWS Certificate Manager, a viewer must support one of the *-RSA-* ciphers. CloudFront chooses a cipher in the listed order from among the ciphers that the viewer supports. See also OpenSSL and RFC Cipher Names.

Security Policy
SSLv3 TLSv1.0 TLSv1_2016 TLSv1.1_2016 TLSv1.2_2018
SSL/TLS Protocols Supported
TLSv1.2
TLSv1.1
TLSv1 ♦¹
SSLv3
Ciphers Supported
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-SHA256
AES256-SHA
AES128-SHA
DES-CBC3-SHA
RC4-MD5

¹ For distributions that use a custom SSL certificate and support legacy clients, you can configure the distribution to support only TLS version 1.1 and higher, refusing connections from clients that use TLS version 1.0. To do so, choose the TLSv1 security policy, and then create a case in the AWS Support Center to request this support.

OpenSSL and RFC Cipher Names

OpenSSL and IETF RFC 5246, The Transport Layer Security (TLS) Protocol Version 1.2, use different names for the same ciphers. The following table maps the OpenSSL name to the RFC name for each cipher.

OpenSSL Cipher Name RFC Cipher Name

ECDHE-RSA-AES128-GCM-SHA256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

ECDHE-RSA-AES128-SHA256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

ECDHE-RSA-AES128-SHA

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

ECDHE-RSA-AES256-GCM-SHA384

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

ECDHE-RSA-AES256-SHA384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

ECDHE-RSA-AES256-SHA

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

AES128-GCM-SHA256

TLS_RSA_WITH_AES_128_GCM_SHA256

AES256-GCM-SHA384

TLS_RSA_WITH_AES_256_GCM_SHA384

AES128-SHA256

TLS_RSA_WITH_AES_128_CBC_SHA256

AES256-SHA

TLS_RSA_WITH_AES_256_CBC_SHA

AES128-SHA

TLS_RSA_WITH_AES_128_CBC_SHA

DES-CBC3-SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

RC4-MD5

TLS_RSA_WITH_RC4_128_MD5

Supported SSL/TLS Protocols and Ciphers for Communication Between CloudFront and Your Origin

If you choose to require HTTPS between CloudFront and your origin, you can decide which SSL/TLS protocol to allow for the secure connection, and then pick any supported cipher for CloudFront (see the following tables) to establish an HTTPS connection to your origin.

CloudFront can forward HTTPS requests to the origin server by using the ECDSA or RSA ciphers listed in this section. Your origin server must support at least one of these ciphers for CloudFront to establish an HTTPS connection to your origin. To learn more about the two types of ciphers that CloudFront supports, see About RSA and ECDSA Ciphers.

Note

The following curves are supported for elliptic-curve-based ciphers:

  • prime256v1

  • secp384r1

OpenSSL and IETF RFC 5246, The Transport Layer Security (TLS) Protocol Version 1.2, use different names for the same ciphers. The following tables map the OpenSSL name to the RFC name for each cipher.

Supported RSA Ciphers

CloudFront supports the following RSA ciphers for connections with an origin:

OpenSSL Cipher Name RFC Cipher Name

ECDHE-RSA-AES128-SHA256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

ECDHE-RSA-AES256-SHA384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

AES256-SHA

TLS_RSA_WITH_AES_256_CBC_SHA

AES128-SHA

TLS_RSA_WITH_AES_128_CBC_SHA

DES-CBC3-SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

RC4-MD5

TLS_RSA_WITH_RC4_128_MD5

Supported ECDSA Ciphers

CloudFront supports the following ECDSA ciphers for connections with an origin:

OpenSSL Cipher Name RFC Cipher Name

ECDHE-ECDSA-AES256-GCM-SHA384

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

ECDHE-ECDSA-AES256-SHA384

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

ECDHE-ECDSA-AES256-SHA

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

ECDHE-ECDSA-AES128-GCM-SHA256

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

ECDHE-ECDSA-AES128-SHA256

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

ECDHE-ECDSA-AES128-SHA

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA