OpenSSL, s2n, and RFC cipher names Supported signature schemes between viewers and CloudFront

Supported protocols and ciphers between viewers and CloudFront

When you require HTTPS between viewers and your CloudFront distribution, you must choose a security policy, which determines the following settings:

The minimum SSL/TLS protocol that CloudFront uses to communicate with viewers.
The ciphers that CloudFront can use to encrypt the communication with viewers.

To choose a security policy, specify the applicable value for Security policy. The following table lists the protocols and ciphers that CloudFront can use for each security policy.

A viewer must support at least one of the supported ciphers to establish an HTTPS connection with CloudFront. CloudFront chooses a cipher in the listed order from among the ciphers that the viewer supports. See also OpenSSL, s2n, and RFC cipher names.

	Security policy
	SSLv3	TLSv1	TLSv1_2016	TLSv1.1_2016	TLSv1.2_2018	TLSv1.2_2019	TLSv1.2_2021
Supported SSL/TLS protocols
TLSv1.3	♦	♦	♦	♦	♦	♦	♦
TLSv1.2	♦	♦	♦	♦	♦	♦	♦
TLSv1.1	♦	♦	♦	♦
TLSv1	♦	♦	♦
SSLv3	♦
Supported TLSv1.3 ciphers
TLS_AES_128_GCM_SHA256	♦	♦	♦	♦	♦	♦	♦
TLS_AES_256_GCM_SHA384	♦	♦	♦	♦	♦	♦	♦
TLS_CHACHA20_POLY1305_SHA256	♦	♦	♦	♦	♦	♦	♦
Supported ECDSA ciphers
ECDHE-ECDSA-AES128-GCM-SHA256	♦	♦	♦	♦	♦	♦	♦
ECDHE-ECDSA-AES128-SHA256	♦	♦	♦	♦	♦	♦
ECDHE-ECDSA-AES128-SHA	♦	♦	♦	♦
ECDHE-ECDSA-AES256-GCM-SHA384	♦	♦	♦	♦	♦	♦	♦
ECDHE-ECDSA-CHACHA20-POLY1305	♦	♦	♦	♦	♦	♦	♦
ECDHE-ECDSA-AES256-SHA384	♦	♦	♦	♦	♦	♦
ECDHE-ECDSA-AES256-SHA	♦	♦	♦	♦
Supported RSA ciphers
ECDHE-RSA-AES128-GCM-SHA256	♦	♦	♦	♦	♦	♦	♦
ECDHE-RSA-AES128-SHA256	♦	♦	♦	♦	♦	♦
ECDHE-RSA-AES128-SHA	♦	♦	♦	♦
ECDHE-RSA-AES256-GCM-SHA384	♦	♦	♦	♦	♦	♦	♦
ECDHE-RSA-CHACHA20-POLY1305	♦	♦	♦	♦	♦	♦	♦
ECDHE-RSA-AES256-SHA384	♦	♦	♦	♦	♦	♦
ECDHE-RSA-AES256-SHA	♦	♦	♦	♦
AES128-GCM-SHA256	♦	♦	♦	♦	♦
AES256-GCM-SHA384	♦	♦	♦	♦	♦
AES128-SHA256	♦	♦	♦	♦	♦
AES256-SHA	♦	♦	♦	♦
AES128-SHA	♦	♦	♦	♦
DES-CBC3-SHA	♦	♦
RC4-MD5	♦

OpenSSL, s2n, and RFC cipher names

OpenSSL and s2n use different names for ciphers than the TLS standards use (RFC 2246, RFC 4346, RFC 5246, and RFC 8446). The following table maps the OpenSSL and s2n names to the RFC name for each cipher.

For ciphers with elliptic curve key exchange algorithms, CloudFront supports the following elliptic curvers:

prime256v1
secp384r1
X25519

OpenSSL and s2n cipher name	RFC cipher name
Supported TLSv1.3 ciphers
TLS_AES_128_GCM_SHA256	TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384	TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256	TLS_CHACHA20_POLY1305_SHA256
Supported ECDSA ciphers
ECDHE-ECDSA-AES128-GCM-SHA256	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
ECDHE-ECDSA-AES128-SHA256	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
ECDHE-ECDSA-AES128-SHA	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
ECDHE-ECDSA-AES256-GCM-SHA384	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
ECDHE-ECDSA-CHACHA20-POLY1305	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
ECDHE-ECDSA-AES256-SHA384	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
ECDHE-ECDSA-AES256-SHA	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Supported RSA ciphers
ECDHE-RSA-AES128-GCM-SHA256	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ECDHE-RSA-AES128-SHA256	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
ECDHE-RSA-AES128-SHA	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
ECDHE-RSA-AES256-GCM-SHA384	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
ECDHE-RSA-CHACHA20-POLY1305	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
ECDHE-RSA-AES256-SHA384	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
ECDHE-RSA-AES256-SHA	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
AES128-GCM-SHA256	TLS_RSA_WITH_AES_128_GCM_SHA256
AES256-GCM-SHA384	TLS_RSA_WITH_AES_256_GCM_SHA384
AES128-SHA256	TLS_RSA_WITH_AES_128_CBC_SHA256
AES256-SHA	TLS_RSA_WITH_AES_256_CBC_SHA
AES128-SHA	TLS_RSA_WITH_AES_128_CBC_SHA
DES-CBC3-SHA	TLS_RSA_WITH_3DES_EDE_CBC_SHA
RC4-MD5	TLS_RSA_WITH_RC4_128_MD5

Supported signature schemes between viewers and CloudFront

CloudFront supports the following signature schemes for connections between viewers and CloudFront.

TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA256
TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA384
TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA512
TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA256
TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA384
TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA512
TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA256
TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA384
TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA512
TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA224
TLS_SIGNATURE_SCHEME_ECDSA_SHA256
TLS_SIGNATURE_SCHEME_ECDSA_SHA384
TLS_SIGNATURE_SCHEME_ECDSA_SHA512
TLS_SIGNATURE_SCHEME_ECDSA_SHA224
TLS_SIGNATURE_SCHEME_ECDSA_SECP256R1_SHA256
TLS_SIGNATURE_SCHEME_ECDSA_SECP384R1_SHA384
TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA1
TLS_SIGNATURE_SCHEME_ECDSA_SHA1

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Requiring HTTPS to an Amazon S3 origin

Supported protocols and ciphers between CloudFront and the origin