Predefined SSL security policies for Classic Load Balancers - Elastic Load Balancing

This page is a machine-translated version. If this translation differs from the English original, the English original takes precedence.

Predefined SSL security policies for Classic Load Balancers

You can choose one of the predefined security policies for your HTTPS/SSL listeners. Use one of the ELBSecurityPolicy-TLS policies to meet compliance and security standards that require specific TLS protocol versions to be disabled. Alternatively, you can create a custom security policy. For more information, see Update the SSL negotiation configuration.

RSA- and DSA-based ciphers are specific to the signature algorithm used to create the SSL certificate. Make sure that the SSL certificate is created with a signature algorithm that matches the ciphers enabled for the security policy: a cipher can only be negotiated when its authentication method matches the certificate's key type, so ECDHE-ECDSA ciphers need an ECDSA certificate, DHE-DSS ciphers need a DSA certificate, and the ECDHE-RSA, DHE-RSA and plain RSA ciphers need an RSA certificate.

If you choose a policy that has Server Order Preference enabled, the load balancer uses the ciphers in the order they are listed here when negotiating the connection between the client and the load balancer. Otherwise, the load balancer uses the ciphers in the order the client presents them, which lets the client steer the negotiation toward the weakest cipher the policy still allows.

The following sections describe the latest predefined security policies for Classic Load Balancers, including the SSL protocols and SSL ciphers they enable. You can also use the describe-load-balancer-policies command to describe a predefined policy.
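As an added example (not AWS code and not part of the original page), the following Python script audits the JSON that the describe-load-balancer-policies command prints for a load balancer. It flags the points raised above: protocols older than TLS 1.2, ciphers without forward secrecy, 3DES/RC4, whether Server Order Preference is on, and which enabled ciphers the listener certificate's key type can actually use. The sample output embedded in the script is hand-constructed in the shape of that CLI output (the attribute names Protocol-TLSv1, Server-Defined-Cipher-Order and Reference-Security-Policy are the ones the ELB API uses); it is not real account data, and the function and policy names are the example's own.

```python
"""Audit a Classic Load Balancer SSL negotiation policy from CLI output.

Added example, not code from AWS or from this page. It reads the JSON that
`aws elb describe-load-balancer-policies --load-balancer-name <name>` prints and
reports the findings a reviewer cares about: legacy protocols, ciphers without
forward secrecy, 3DES/RC4, server order preference, and which enabled ciphers
the listener certificate's key type can actually use.
"""
import json

LEGACY_PROTOCOLS = {"Protocol-SSLv2", "Protocol-SSLv3",
                    "Protocol-TLSv1", "Protocol-TLSv1.1"}
PROTOCOL_ATTRS = LEGACY_PROTOCOLS | {"Protocol-TLSv1.2"}
# Attributes that are settings rather than cipher names.
CONTROL_ATTRS = PROTOCOL_ATTRS | {"Server-Defined-Cipher-Order",
                                  "Reference-Security-Policy"}

# Constructed sample in the shape of describe-load-balancer-policies output:
# a custom policy derived from ELBSecurityPolicy-2015-05 (TLS 1.0-1.2 enabled,
# server order preference on, 3DES still enabled). Not real account data.
SAMPLE_OUTPUT = json.dumps({
    "PolicyDescriptions": [{
        "PolicyName": "my-ssl-policy",
        "PolicyTypeName": "SSLNegotiationPolicyType",
        "PolicyAttributeDescriptions": [
            {"AttributeName": "Reference-Security-Policy",
             "AttributeValue": "ELBSecurityPolicy-2015-05"},
            {"AttributeName": "Protocol-SSLv2", "AttributeValue": "false"},
            {"AttributeName": "Protocol-SSLv3", "AttributeValue": "false"},
            {"AttributeName": "Protocol-TLSv1", "AttributeValue": "true"},
            {"AttributeName": "Protocol-TLSv1.1", "AttributeValue": "true"},
            {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
            {"AttributeName": "Server-Defined-Cipher-Order", "AttributeValue": "true"},
            {"AttributeName": "ECDHE-ECDSA-AES128-GCM-SHA256", "AttributeValue": "true"},
            {"AttributeName": "ECDHE-RSA-AES128-GCM-SHA256", "AttributeValue": "true"},
            {"AttributeName": "ECDHE-RSA-AES128-SHA", "AttributeValue": "true"},
            {"AttributeName": "AES128-GCM-SHA256", "AttributeValue": "true"},
            {"AttributeName": "AES256-SHA", "AttributeValue": "true"},
            {"AttributeName": "DES-CBC3-SHA", "AttributeValue": "true"},
            {"AttributeName": "DHE-DSS-AES128-SHA", "AttributeValue": "false"},
            {"AttributeName": "RC4-SHA", "AttributeValue": "false"},
        ],
    }],
})


def parse_policies(cli_json):
    """Return {policy_name: {attribute: value}} for SSL negotiation policies.

    Protocol and cipher flags become booleans; Reference-Security-Policy stays a string.
    """
    policies = {}
    for pol in json.loads(cli_json)["PolicyDescriptions"]:
        if pol.get("PolicyTypeName") != "SSLNegotiationPolicyType":
            continue
        attrs = {}
        for a in pol["PolicyAttributeDescriptions"]:
            name, value = a["AttributeName"], a["AttributeValue"]
            attrs[name] = value if name == "Reference-Security-Policy" else value.lower() == "true"
        policies[pol["PolicyName"]] = attrs
    return policies


def cert_key_for_cipher(cipher):
    """Certificate key type a cipher's authentication needs, from its OpenSSL name."""
    if "ECDSA" in cipher:
        return "ECDSA"
    if "DSS" in cipher:
        return "DSA"
    return "RSA"  # ECDHE-RSA, DHE-RSA and static-RSA suites all need an RSA certificate


def audit_policy(attrs, cert_key_type):
    """Findings for one parsed policy, given the listener certificate's key type."""
    enabled = [k for k, v in attrs.items() if k not in CONTROL_ATTRS and v is True]
    return {
        "reference_policy": attrs.get("Reference-Security-Policy"),
        "legacy_protocols": sorted(p for p in LEGACY_PROTOCOLS if attrs.get(p)),
        "server_order_preference": bool(attrs.get("Server-Defined-Cipher-Order")),
        # Static-RSA key exchange: a leaked server key decrypts recorded traffic.
        "no_forward_secrecy": [c for c in enabled if not c.startswith(("ECDHE-", "DHE-"))],
        "weak_ciphers": [c for c in enabled if set(c.split("-")) & {"DES", "RC4"}],
        "usable_with_cert": [c for c in enabled if cert_key_for_cipher(c) == cert_key_type],
        "unusable_with_cert": [c for c in enabled if cert_key_for_cipher(c) != cert_key_type],
    }


def meets_tls12_only_baseline(findings):
    """True when nothing older than TLS 1.2, no 3DES/RC4, and the server picks the cipher."""
    return (not findings["legacy_protocols"]
            and not findings["weak_ciphers"]
            and findings["server_order_preference"])


if __name__ == "__main__":
    for name, attrs in parse_policies(SAMPLE_OUTPUT).items():
        report = audit_policy(attrs, cert_key_type="RSA")
        report["meets_tls12_only_baseline"] = meets_tls12_only_baseline(report)
        print(name, json.dumps(report, indent=2))
```

To run it against a real listener, pipe the CLI output into parse_policies instead of SAMPLE_OUTPUT and pass the key type of the certificate attached to the listener. For the constructed sample with an RSA certificate, the report lists TLS 1.0 and 1.1 as legacy protocols, DES-CBC3-SHA as weak, the three non-ECDHE ciphers as lacking forward secrecy, and ECDHE-ECDSA-AES128-GCM-SHA256 as enabled but unusable with that certificate.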

Tip

This information applies only to Classic Load Balancers. For the other load balancer types, see Security policies for Application Load Balancers and Security policies for Network Load Balancers.

Protocols by policy

The following table describes the TLS protocols supported by each security policy.

Security policy                     TLS 1.2   TLS 1.1   TLS 1.0
ELBSecurityPolicy-TLS-1-2-2017-01   Yes       No        No
ELBSecurityPolicy-TLS-1-1-2017-01   Yes       Yes       No
ELBSecurityPolicy-2016-08           Yes       Yes       Yes
ELBSecurityPolicy-2015-05           Yes       Yes       Yes
ELBSecurityPolicy-2015-03           Yes       Yes       Yes
ELBSecurityPolicy-2015-02           Yes       Yes       Yes

Ciphers by policy

The following table describes the ciphers supported by each security policy.

Security policy: ELBSecurityPolicy-TLS-1-2-2017-01
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA384
  • AES128-GCM-SHA256
  • AES128-SHA256
  • AES128-SHA
  • AES256-GCM-SHA384
  • AES256-SHA256
  • AES256-SHA

Security policy: ELBSecurityPolicy-TLS-1-1-2017-01
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-RSA-AES128-SHA
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-ECDSA-AES256-SHA
  • ECDHE-RSA-AES256-SHA
  • AES128-GCM-SHA256
  • AES128-SHA256
  • AES128-SHA
  • AES256-GCM-SHA384
  • AES256-SHA256
  • AES256-SHA

Security policy: ELBSecurityPolicy-2016-08
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-RSA-AES128-SHA
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-ECDSA-AES256-SHA
  • ECDHE-RSA-AES256-SHA
  • AES128-GCM-SHA256
  • AES128-SHA256
  • AES128-SHA
  • AES256-GCM-SHA384
  • AES256-SHA256
  • AES256-SHA

Security policy: ELBSecurityPolicy-2015-05
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-RSA-AES128-SHA
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-ECDSA-AES256-SHA
  • ECDHE-RSA-AES256-SHA
  • AES128-GCM-SHA256
  • AES128-SHA256
  • AES128-SHA
  • AES256-GCM-SHA384
  • AES256-SHA256
  • AES256-SHA
  • DES-CBC3-SHA

Security policy: ELBSecurityPolicy-2015-03
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-RSA-AES128-SHA
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-ECDSA-AES256-SHA
  • ECDHE-RSA-AES256-SHA
  • AES128-GCM-SHA256
  • AES128-SHA256
  • AES128-SHA
  • AES256-GCM-SHA384
  • AES256-SHA256
  • AES256-SHA
  • DHE-RSA-AES128-SHA
  • DHE-DSS-AES128-SHA
  • DES-CBC3-SHA

Security policy: ELBSecurityPolicy-2015-02
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-RSA-AES128-SHA
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-ECDSA-AES256-SHA
  • ECDHE-RSA-AES256-SHA
  • AES128-GCM-SHA256
  • AES128-SHA256
  • AES128-SHA
  • AES256-GCM-SHA384
  • AES256-SHA256
  • AES256-SHA
  • DHE-RSA-AES128-SHA
  • DHE-DSS-AES128-SHA

Policies by cipher

The following table describes the security policies that support each cipher. Each entry gives the OpenSSL cipher name, the IANA cipher suite name, the policies that enable it, and the cipher suite ID (hex).

OpenSSL name: ECDHE-ECDSA-AES128-GCM-SHA256
IANA name: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Cipher suite ID: c02b
Security policies:
  • ELBSecurityPolicy-TLS-1-2-2017-01
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
  • ELBSecurityPolicy-2015-05
  • ELBSecurityPolicy-2015-03
  • ELBSecurityPolicy-2015-02

OpenSSL name: ECDHE-RSA-AES128-GCM-SHA256
IANA name: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Cipher suite ID: c02f
Security policies:
  • ELBSecurityPolicy-TLS-1-2-2017-01
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
  • ELBSecurityPolicy-2015-05
  • ELBSecurityPolicy-2015-03
  • ELBSecurityPolicy-2015-02

OpenSSL name: ECDHE-ECDSA-AES128-SHA256
IANA name: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Cipher suite ID: c023
Security policies:
  • ELBSecurityPolicy-TLS-1-2-2017-01
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
  • ELBSecurityPolicy-2015-05
  • ELBSecurityPolicy-2015-03
  • ELBSecurityPolicy-2015-02

OpenSSL name: ECDHE-RSA-AES128-SHA256
IANA name: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Cipher suite ID: c027
Security policies:
  • ELBSecurityPolicy-TLS-1-2-2017-01
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
  • ELBSecurityPolicy-2015-05
  • ELBSecurityPolicy-2015-03
  • ELBSecurityPolicy-2015-02

OpenSSL name: ECDHE-ECDSA-AES128-SHA
IANA name: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Cipher suite ID: c009
Security policies:
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
  • ELBSecurityPolicy-2015-05
  • ELBSecurityPolicy-2015-03
  • ELBSecurityPolicy-2015-02

OpenSSL name: ECDHE-RSA-AES128-SHA
IANA name: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Cipher suite ID: c013
Security policies:
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
  • ELBSecurityPolicy-2015-05
  • ELBSecurityPolicy-2015-03
  • ELBSecurityPolicy-2015-02

OpenSSL name: ECDHE-ECDSA-AES256-GCM-SHA384
IANA name: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Cipher suite ID: c02c
Security policies:
  • ELBSecurityPolicy-TLS-1-2-2017-01
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
  • ELBSecurityPolicy-2015-05
  • ELBSecurityPolicy-2015-03
  • ELBSecurityPolicy-2015-02

OpenSSL name: ECDHE-RSA-AES256-GCM-SHA384
IANA name: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Cipher suite ID: c030
Security policies:
  • ELBSecurityPolicy-TLS-1-2-2017-01
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
  • ELBSecurityPolicy-2015-05
  • ELBSecurityPolicy-2015-03
  • ELBSecurityPolicy-2015-02

OpenSSL name: ECDHE-ECDSA-AES256-SHA384
IANA name: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Cipher suite ID: c024
Security policies:
  • ELBSecurityPolicy-TLS-1-2-2017-01
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
  • ELBSecurityPolicy-2015-05
  • ELBSecurityPolicy-2015-03
  • ELBSecurityPolicy-2015-02

OpenSSL name: ECDHE-RSA-AES256-SHA384
IANA name: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Cipher suite ID: c028
Security policies:
  • ELBSecurityPolicy-TLS-1-2-2017-01
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
  • ELBSecurityPolicy-2015-05
  • ELBSecurityPolicy-2015-03
  • ELBSecurityPolicy-2015-02

OpenSSL name: ECDHE-ECDSA-AES256-SHA
IANA name: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Cipher suite ID: c00a
Security policies:
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
  • ELBSecurityPolicy-2015-05
  • ELBSecurityPolicy-2015-03
  • ELBSecurityPolicy-2015-02

OpenSSL name: ECDHE-RSA-AES256-SHA
IANA name: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Cipher suite ID: c014
Security policies:
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
  • ELBSecurityPolicy-2015-05
  • ELBSecurityPolicy-2015-03
  • ELBSecurityPolicy-2015-02

OpenSSL name: AES128-GCM-SHA256
IANA name: TLS_RSA_WITH_AES_128_GCM_SHA256
Cipher suite ID: 9c
Security policies:
  • ELBSecurityPolicy-TLS-1-2-2017-01
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
  • ELBSecurityPolicy-2015-05
  • ELBSecurityPolicy-2015-03
  • ELBSecurityPolicy-2015-02

OpenSSL name: AES128-SHA256
IANA name: TLS_RSA_WITH_AES_128_CBC_SHA256
Cipher suite ID: 3c
Security policies:
  • ELBSecurityPolicy-TLS-1-2-2017-01
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
  • ELBSecurityPolicy-2015-05
  • ELBSecurityPolicy-2015-03
  • ELBSecurityPolicy-2015-02

OpenSSL name: AES128-SHA
IANA name: TLS_RSA_WITH_AES_128_CBC_SHA
Cipher suite ID: 2f
Security policies:
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
  • ELBSecurityPolicy-2015-05
  • ELBSecurityPolicy-2015-03
  • ELBSecurityPolicy-2015-02

OpenSSL name: AES256-GCM-SHA384
IANA name: TLS_RSA_WITH_AES_256_GCM_SHA384
Cipher suite ID: 9d
Security policies:
  • ELBSecurityPolicy-TLS-1-2-2017-01
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
  • ELBSecurityPolicy-2015-05
  • ELBSecurityPolicy-2015-03
  • ELBSecurityPolicy-2015-02

OpenSSL name: AES256-SHA256
IANA name: TLS_RSA_WITH_AES_256_CBC_SHA256
Cipher suite ID: 3d
Security policies:
  • ELBSecurityPolicy-TLS-1-2-2017-01
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
  • ELBSecurityPolicy-2015-05
  • ELBSecurityPolicy-2015-03
  • ELBSecurityPolicy-2015-02

OpenSSL name: AES256-SHA
IANA name: TLS_RSA_WITH_AES_256_CBC_SHA
Cipher suite ID: 35
Security policies:
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
  • ELBSecurityPolicy-2015-05
  • ELBSecurityPolicy-2015-03
  • ELBSecurityPolicy-2015-02

OpenSSL name: DHE-RSA-AES128-SHA
IANA name: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
Cipher suite ID: 33
Security policies:
  • ELBSecurityPolicy-2015-03
  • ELBSecurityPolicy-2015-02

OpenSSL name: DHE-DSS-AES128-SHA
IANA name: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
Cipher suite ID: 32
Security policies:
  • ELBSecurityPolicy-2015-03
  • ELBSecurityPolicy-2015-02

OpenSSL name: DES-CBC3-SHA
IANA name: TLS_RSA_WITH_3DES_EDE_CBC_SHA
Cipher suite ID: 0a
Security policies:
  • ELBSecurityPolicy-2015-05
  • ELBSecurityPolicy-2015-03