


# Security policies for your Application Load Balancer
<a name="describe-ssl-policies"></a>

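Elastic Load Balancing uses a Secure Sockets Layer (SSL) negotiation configuration, known as a security policy, to negotiate SSL connections between a client and the load balancer. A security policy is a combination of protocols and ciphers. The protocol establishes a secure connection between a client and a server and ensures that all data passed between the client and your load balancer is private. A cipher is an encryption algorithm that uses encryption keys to create a coded message. Protocols use several ciphers to encrypt data over the internet. During the connection negotiation process, the client and the load balancer each present a list of the ciphers and protocols they support, in order of preference. By default, the first cipher on the server's list that matches any one of the client's ciphers is selected for the secure connection.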

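**Considerations**
+ An HTTPS listener requires a security policy. If you do not specify a security policy when you create the listener, we use the default security policy. The default security policy depends on how you created the HTTPS listener:
  + **Console**: The default security policy is `ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09`.
  + **Other methods** (for example, the Amazon CLI, Amazon CloudFormation, and the Amazon CDK): The default security policy is `ELBSecurityPolicy-2016-08`.
+ To view the TLS protocol version (log field position 5) and the key exchange (log field position 13) for connection requests to your load balancer, enable connection logs and examine the corresponding log entries. For more information, see [Connection logs](https://docs.amazonaws.cn/elasticloadbalancing/latest/application/load-balancer-connection-logs.html).
+ Security policies with PQ in their names offer hybrid post-quantum key exchange. For compatibility, they support both classical and post-quantum ML-KEM key exchange algorithms. Clients must support ML-KEM key exchange to use hybrid post-quantum TLS for key exchange. The hybrid post-quantum policies support the SecP256r1MLKEM768, SecP384r1MLKEM1024, and X25519MLKEM768 algorithms. For more information, see [Post-quantum cryptography](https://www.amazonaws.cn/security/post-quantum-cryptography/).
+ AWS recommends implementing the new post-quantum TLS (PQ-TLS) based security policy `ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09` or `ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09`. This policy ensures backward compatibility by supporting clients that can negotiate hybrid PQ-TLS, TLS 1.3 only, or TLS 1.2 only, which minimizes service disruption during the transition to post-quantum cryptography. As your client applications develop the ability to negotiate PQ-TLS for key exchange operations, you can progressively migrate to more restrictive security policies.
+ To meet compliance and security standards that require disabling certain TLS protocol versions, or to support legacy clients that require deprecated ciphers, you can use one of the `ELBSecurityPolicy-TLS-` security policies. To view the TLS protocol version for requests to your Application Load Balancer, enable access logging for your load balancer and examine the corresponding access log entries. For more information, see [Access logs](load-balancer-access-logs.md).
+ You can restrict which security policies are available to users across your Amazon Web Services accounts and Amazon Organizations by using the [Elastic Load Balancing condition keys](https://docs.amazonaws.cn/elasticloadbalancing/latest/userguide/security_iam_service-with-iam.html) in your IAM policies and service control policies (SCPs), respectively. For more information, see [Service control policies (SCPs)](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *Amazon Organizations User Guide*.
+ Policies that support only TLS 1.3 support forward secrecy (FS). Policies that support TLS 1.3 and TLS 1.2 and contain only ciphers of the form `TLS_*` and `ECDHE_*` also provide FS.
+ Application Load Balancers support TLS resumption using PSK (TLS 1.3) and session IDs/session tickets (TLS 1.2 and earlier). Resumption is supported only for connections to the same Application Load Balancer IP address. The 0-RTT data feature and the `early_data` extension are not implemented.
+ Application Load Balancers do not support custom security policies.
+ Application Load Balancers support SSL renegotiation for target connections only.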

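**Backend connections**
+ You can choose the security policy that is used for front-end connections, but not for backend connections. The security policy for backend connections depends on the listener security policy. If any of your listeners is using:
  + **A FIPS post-quantum TLS policy**: Backend connections use `ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09`
  + **A FIPS policy**: Backend connections use `ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04`
  + **A post-quantum TLS policy**: Backend connections use `ELBSecurityPolicy-TLS13-1-0-PQ-2025-09`
  + **A TLS 1.3 policy**: Backend connections use `ELBSecurityPolicy-TLS13-1-0-2021-06`
  + **Any other TLS policy**: Backend connections use `ELBSecurityPolicy-2016-08`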

**Contents**
+ [Example describe-ssl-policies commands](#describe-ssl-policies-examples)
+ [TLS security policies](#tls-security-policies)
  + [Protocols by policy](#tls-protocols)
  + [Ciphers by policy](#tls-policy-ciphers)
  + [Policies by cipher](#tls-cipher-policies)
+ [FIPS security policies](#fips-security-policies)
  + [Protocols by policy](#fips-protocols)
  + [Ciphers by policy](#fips-policy-ciphers)
  + [Policies by cipher](#fips-cipher-policies)
+ [FS supported policies](#fs-supported-policies)
  + [Protocols by policy](#fs-protocols)
  + [Ciphers by policy](#fs-policy-ciphers)
  + [Policies by cipher](#fs-cipher-policies)

## Example describe-ssl-policies commands
<a name="describe-ssl-policies-examples"></a>

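You can use the [describe-ssl-policies](https://docs.amazonaws.cn/cli/latest/reference/elbv2/describe-ssl-policies.html) Amazon CLI command to describe the protocols and ciphers of a security policy, or to find a policy that meets your needs.

The following example describes the specified policy.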

```
aws elbv2 describe-ssl-policies \
    --names "ELBSecurityPolicy-TLS13-1-2-Res-2021-06"
```

The following example lists the policies whose names contain the specified string.

```
aws elbv2 describe-ssl-policies \
    --query "SslPolicies[?contains(Name,'FIPS')].Name"
```

The following example lists the policies that support the specified protocol.

```
aws elbv2 describe-ssl-policies \
    --query "SslPolicies[?contains(SslProtocols,'TLSv1.3')].Name"
```

The following example lists the policies that support the specified cipher.

```
aws elbv2 describe-ssl-policies \
    --query "SslPolicies[?Ciphers[?contains(Name,'TLS_AES_128_GCM_SHA256')]].Name"
```

The following example lists the policies that do not support the specified cipher.

```
aws elbv2 describe-ssl-policies \
    --query 'SslPolicies[?length(Ciphers[?starts_with(Name,`AES128-GCM-SHA256`)]) == `0`].Name'
```

## TLS security policies
<a name="tls-security-policies"></a>

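You can use the TLS security policies to meet compliance and security standards that require disabling certain TLS protocol versions, or to support legacy clients that require deprecated ciphers.

Policies that support only TLS 1.3 support forward secrecy (FS). Policies that support TLS 1.3 and TLS 1.2 and contain only ciphers of the form `TLS_*` and `ECDHE_*` also provide FS.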
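An added example, not part of the AWS documentation: a Python audit that applies the cipher-name rule above to JSON in the shape returned by `aws elbv2 describe-ssl-policies`, flagging policies that contain non-FS ciphers or still enable TLS 1.0/1.1. It applies the rule to any protocol set, which goes beyond the two cases stated above; the sample policy names and cipher lists are constructed, and the ECDHE prefix is matched in the OpenSSL spelling (`ECDHE-`) used by the cipher names in the query examples on this page.

```python
import json
import sys

# Cipher-name prefixes that the rule above associates with forward secrecy.
# Both the hyphen (OpenSSL) and underscore spellings of ECDHE are accepted.
FS_PREFIXES = ("TLS_", "ECDHE-", "ECDHE_")
LEGACY_PROTOCOLS = ("TLSv1", "TLSv1.1")

# Constructed sample in the shape of `aws elbv2 describe-ssl-policies` output
# (SslPolicies[].Name / SslProtocols / Ciphers[].Name, the fields used by the
# --query examples on this page). Names and cipher lists are illustrative
# only and do not describe any real ELB policy.
SAMPLE_JSON = """
{
  "SslPolicies": [
    {"Name": "sample-tls13-only",
     "SslProtocols": ["TLSv1.3"],
     "Ciphers": [{"Name": "TLS_AES_128_GCM_SHA256", "Priority": 1},
                 {"Name": "TLS_AES_256_GCM_SHA384", "Priority": 2}]},
    {"Name": "sample-tls13-tls12-ecdhe",
     "SslProtocols": ["TLSv1.2", "TLSv1.3"],
     "Ciphers": [{"Name": "TLS_AES_128_GCM_SHA256", "Priority": 1},
                 {"Name": "ECDHE-ECDSA-AES128-GCM-SHA256", "Priority": 2},
                 {"Name": "ECDHE-RSA-AES128-GCM-SHA256", "Priority": 3}]},
    {"Name": "sample-tls12-rsa-kx",
     "SslProtocols": ["TLSv1.2"],
     "Ciphers": [{"Name": "ECDHE-RSA-AES128-GCM-SHA256", "Priority": 1},
                 {"Name": "AES128-GCM-SHA256", "Priority": 2}]},
    {"Name": "sample-legacy",
     "SslProtocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
     "Ciphers": [{"Name": "ECDHE-RSA-AES128-SHA", "Priority": 1},
                 {"Name": "AES128-SHA", "Priority": 2},
                 {"Name": "AES256-SHA", "Priority": 3}]}
  ]
}
"""


def non_fs_ciphers(policy):
    """Return the cipher names in a policy that do not match an FS prefix."""
    return [c["Name"] for c in policy.get("Ciphers", [])
            if not c["Name"].startswith(FS_PREFIXES)]


def audit_policy(policy):
    """Classify one policy: forward secrecy, offending ciphers, old protocols."""
    protocols = policy.get("SslProtocols", [])
    offenders = non_fs_ciphers(policy)
    return {
        "name": policy["Name"],
        # FS only if the policy has ciphers and every one matches an FS prefix.
        "forward_secrecy": bool(policy.get("Ciphers")) and not offenders,
        "non_fs_ciphers": offenders,
        "legacy_protocols": [p for p in protocols if p in LEGACY_PROTOCOLS],
        "tls13": "TLSv1.3" in protocols,
    }


def audit(describe_output):
    """Audit every policy in a parsed describe-ssl-policies document."""
    return [audit_policy(p) for p in describe_output.get("SslPolicies", [])]


def policies_to_review(describe_output):
    """Names of policies that lack FS or still enable TLS 1.0 / TLS 1.1."""
    return [row["name"] for row in audit(describe_output)
            if not row["forward_secrecy"] or row["legacy_protocols"]]


if __name__ == "__main__":
    # Real data:  aws elbv2 describe-ssl-policies | python3 this_script.py -
    # No argument: run against the constructed sample above.
    if sys.argv[1:] == ["-"]:
        data = json.load(sys.stdin)
    else:
        data = json.loads(SAMPLE_JSON)
    for row in audit(data):
        print("{name}: FS={forward_secrecy} TLS1.3={tls13} "
              "legacy={legacy_protocols} non_fs={non_fs_ciphers}".format(**row))
```
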

**Topics**
+ [Protocols by policy](#tls-protocols)
+ [Ciphers by policy](#tls-policy-ciphers)
+ [Policies by cipher](#tls-cipher-policies)

### Protocols by policy
<a name="tls-protocols"></a>

The following table describes the protocols that each TLS security policy supports.

| Security policy | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 |
| --- | --- | --- | --- | --- |
| ELBSecurityPolicy-TLS13-1-3-2021-06 | Yes | No | No | No |
| ELBSecurityPolicy-TLS13-1-3-PQ-2025-09 | Yes | No | No | No |
| ELBSecurityPolicy-TLS13-1-2-2021-06 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Res-2021-06 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-1-2021-06 | Yes | Yes | Yes | No |
| ELBSecurityPolicy-TLS13-1-0-2021-06 | Yes | Yes | Yes | Yes |
| ELBSecurityPolicy-TLS13-1-0-PQ-2025-09 | Yes | Yes | Yes | Yes |
| ELBSecurityPolicy-TLS-1-2-Ext-2018-06 | No | Yes | No | No |
| ELBSecurityPolicy-TLS-1-2-2017-01 | No | Yes | No | No |
| ELBSecurityPolicy-TLS-1-1-2017-01 | No | Yes | Yes | No |
| ELBSecurityPolicy-2016-08 | No | Yes | Yes | Yes |

### Ciphers by policy
<a name="tls-policy-ciphers"></a>

The following table describes the ciphers that each TLS security policy supports.

| Security policy | Ciphers |
| --- | --- |
| ELBSecurityPolicy-TLS13-1-3-2021-06, ELBSecurityPolicy-TLS13-1-3-PQ-2025-09 | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-2021-06, ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-Res-2021-06, ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09 | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06, ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09 | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06, ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09 | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-1-2021-06 | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-0-2021-06, ELBSecurityPolicy-TLS13-1-0-PQ-2025-09 | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS-1-2-Ext-2018-06 | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS-1-2-2017-01 | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS-1-1-2017-01 | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) |
| ELBSecurityPolicy-2016-08 | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) |

### Policies by cipher
<a name="tls-cipher-policies"></a>

The following table describes the TLS security policies that support each cipher.

| Cipher name | Security policy | Cipher suite |
| --- | --- | --- |
| **OpenSSL**: `TLS_AES_128_GCM_SHA256` **IANA**: `TLS_AES_128_GCM_SHA256` | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) | 1301 |
| **OpenSSL**: `TLS_AES_256_GCM_SHA384` **IANA**: `TLS_AES_256_GCM_SHA384` | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) | 1302 |
| **OpenSSL**: `TLS_CHACHA20_POLY1305_SHA256` **IANA**: `TLS_CHACHA20_POLY1305_SHA256` | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) | 1303 |
| **OpenSSL**: `ECDHE-ECDSA-AES128-GCM-SHA256` **IANA**: `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) | c02b |
| **OpenSSL**: `ECDHE-RSA-AES128-GCM-SHA256` **IANA**: `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) | c02f |
| **OpenSSL**: `ECDHE-ECDSA-AES128-SHA256` **IANA**: `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256` | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) | c023 |
| **OpenSSL**: `ECDHE-RSA-AES128-SHA256` **IANA**: `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256` | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) | c027 |
| **OpenSSL**: `ECDHE-ECDSA-AES128-SHA` **IANA**: `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA` | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) | c009 |
| **OpenSSL**: `ECDHE-RSA-AES128-SHA` **IANA**: `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) | c013 |
| **OpenSSL**: `ECDHE-ECDSA-AES256-GCM-SHA384` **IANA**: `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) | c02c |
| **OpenSSL**: `ECDHE-RSA-AES256-GCM-SHA384` **IANA**: `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) | c030 |
| **OpenSSL**: `ECDHE-ECDSA-AES256-SHA384` **IANA**: `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384` | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) | c024 |
| **OpenSSL**: `ECDHE-RSA-AES256-SHA384` **IANA**: `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384` | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) | c028 |
| **OpenSSL**: `ECDHE-ECDSA-AES256-SHA` **IANA**: `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA` | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) | c00a |
| **OpenSSL**: `ECDHE-RSA-AES256-SHA` **IANA**: `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) | c014 |
| **OpenSSL**: `AES128-GCM-SHA256` **IANA**: `TLS_RSA_WITH_AES_128_GCM_SHA256` | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) | 9c |
| **OpenSSL**: `AES128-SHA256` **IANA**: `TLS_RSA_WITH_AES_128_CBC_SHA256` | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) | 3c |
| **OpenSSL**: `AES128-SHA` **IANA**: `TLS_RSA_WITH_AES_128_CBC_SHA` | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) | 2f |
| **OpenSSL**: `AES256-GCM-SHA384` **IANA**: `TLS_RSA_WITH_AES_256_GCM_SHA384` | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) | 9d |
| **OpenSSL**: `AES256-SHA256` **IANA**: `TLS_RSA_WITH_AES_256_CBC_SHA256` | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) | 3d |
| **OpenSSL**: `AES256-SHA` **IANA**: `TLS_RSA_WITH_AES_256_CBC_SHA` | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) | 35 |

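## FIPS security policies
<a name="fips-security-policies"></a>

The Federal Information Processing Standard (FIPS) is a US and Canadian government standard that specifies the security requirements for cryptographic modules that protect sensitive information. To learn more, see [Federal Information Processing Standard (FIPS) 140](https://www.amazonaws.cn/compliance/fips/) on the *Amazon Cloud Security Compliance* page.

All FIPS policies use the AWS-LC FIPS validated cryptographic module. To learn more, see the [AWS-LC Cryptographic Module](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4631) page on the *NIST Cryptographic Module Validation Program* site.

**Important**  
The policies `ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04` and `ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04` are provided for legacy compatibility only. Although they use FIPS cryptography through the FIPS140 module, they might not conform to the latest NIST guidance for TLS configuration.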

**Topics**
+ [Protocols by policy](#fips-protocols)
+ [Ciphers by policy](#fips-policy-ciphers)
+ [Policies by cipher](#fips-cipher-policies)

### Protocols by policy
<a name="fips-protocols"></a>

The following table describes the protocols that each FIPS security policy supports.

| Security policy | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 |
| --- | --- | --- | --- | --- |
| ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04 | Yes | No | No | No |
| ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09 | Yes | No | No | No |
| ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04 | Yes | Yes | Yes | No |
| ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04 | Yes | Yes | Yes | Yes |
| ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09 | Yes | Yes | Yes | Yes |

### Ciphers by policy
<a name="fips-policy-ciphers"></a>

The following table describes the ciphers that each FIPS security policy supports.

| Security policy | Ciphers |
| --- | --- |
| ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04, ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09 | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04, ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09 | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04, ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09 | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04, ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09 | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04, ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09 | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04, ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09 | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04 | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04, ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09 | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html) |

### Policies by cipher
<a name="fips-cipher-policies"></a>

The following table describes the FIPS security policies that support each cipher.

| Cipher name | Security policies | Cipher suite | 
| --- | --- | --- | 
|  **OpenSSL**: TLS_AES_128_GCM_SHA256; **IANA**: TLS_AES_128_GCM_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 1301 | 
|  **OpenSSL**: TLS_AES_256_GCM_SHA384; **IANA**: TLS_AES_256_GCM_SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 1302 | 
|  **OpenSSL**: ECDHE-ECDSA-AES128-GCM-SHA256; **IANA**: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c02b | 
|  **OpenSSL**: ECDHE-RSA-AES128-GCM-SHA256; **IANA**: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c02f | 
|  **OpenSSL**: ECDHE-ECDSA-AES128-SHA256; **IANA**: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c023 | 
|  **OpenSSL**: ECDHE-RSA-AES128-SHA256; **IANA**: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c027 | 
|  **OpenSSL**: ECDHE-ECDSA-AES128-SHA; **IANA**: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c009 | 
|  **OpenSSL**: ECDHE-RSA-AES128-SHA; **IANA**: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c013 | 
|  **OpenSSL**: ECDHE-ECDSA-AES256-GCM-SHA384; **IANA**: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c02c | 
|  **OpenSSL**: ECDHE-RSA-AES256-GCM-SHA384; **IANA**: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c030 | 
|  **OpenSSL**: ECDHE-ECDSA-AES256-SHA384; **IANA**: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c024 | 
|  **OpenSSL**: ECDHE-RSA-AES256-SHA384; **IANA**: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c028 | 
|  **OpenSSL**: ECDHE-ECDSA-AES256-SHA; **IANA**: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c00a | 
|  **OpenSSL**: ECDHE-RSA-AES256-SHA; **IANA**: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c014 | 
|  **OpenSSL**: AES128-GCM-SHA256; **IANA**: TLS_RSA_WITH_AES_128_GCM_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 9c | 
|  **OpenSSL**: AES128-SHA256; **IANA**: TLS_RSA_WITH_AES_128_CBC_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 3c | 
|  **OpenSSL**: AES128-SHA; **IANA**: TLS_RSA_WITH_AES_128_CBC_SHA  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 2f | 
|  **OpenSSL**: AES256-GCM-SHA384; **IANA**: TLS_RSA_WITH_AES_256_GCM_SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 9d | 
|  **OpenSSL**: AES256-SHA256; **IANA**: TLS_RSA_WITH_AES_256_CBC_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 3d | 
|  **OpenSSL**: AES256-SHA; **IANA**: TLS_RSA_WITH_AES_256_CBC_SHA  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 35 | 

## FS supported policies
<a name="fs-supported-policies"></a>

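FS (Forward Secrecy) supported security policies provide additional safeguards against the eavesdropping of encrypted data, through the use of a unique random session key. This prevents the decoding of captured data, even if the secret long-term key is compromised.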

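The policies in this section support FS, and their names include "FS". However, these are not the only policies that support FS. Policies that support only TLS 1.3 support Forward Secrecy (FS). Policies that support TLS 1.3 and TLS 1.2 and that contain only ciphers of the form `TLS_*` and `ECDHE_*` also provide FS.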
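The rule above can be checked mechanically against a policy's cipher list. The following is an added example, not code from AWS or from the original page: it audits a constructed document shaped like the output of `aws elbv2 describe-ssl-policies`, and the policy names and cipher lists in `SAMPLE` are made up for illustration (the cipher names come from the tables on this page).

```python
import json

# Constructed sample shaped like `aws elbv2 describe-ssl-policies` output.
# Policy names and their cipher lists are hypothetical; the individual
# cipher names are taken from the tables on this page.
SAMPLE = json.loads("""
{"SslPolicies": [
  {"Name": "example-tls13-only", "SslProtocols": ["TLSv1.3"],
   "Ciphers": [{"Name": "TLS_AES_128_GCM_SHA256", "Priority": 1},
               {"Name": "TLS_AES_256_GCM_SHA384", "Priority": 2}]},
  {"Name": "example-ecdhe-only", "SslProtocols": ["TLSv1.2", "TLSv1.3"],
   "Ciphers": [{"Name": "TLS_AES_128_GCM_SHA256", "Priority": 1},
               {"Name": "ECDHE-RSA-AES128-GCM-SHA256", "Priority": 2}]},
  {"Name": "example-with-static-rsa", "SslProtocols": ["TLSv1.2", "TLSv1.3"],
   "Ciphers": [{"Name": "TLS_AES_128_GCM_SHA256", "Priority": 1},
               {"Name": "ECDHE-RSA-AES256-GCM-SHA384", "Priority": 2},
               {"Name": "AES128-GCM-SHA256", "Priority": 3},
               {"Name": "TLS_RSA_WITH_AES_256_CBC_SHA", "Priority": 4}]}
]}
""")

# TLS 1.3 suites: the key exchange is always ephemeral.
TLS13_SUITES = ("TLS_AES_", "TLS_CHACHA20_")


def cipher_has_fs(name: str) -> bool:
    """True for a TLS 1.3 suite or a cipher with ephemeral ECDHE key exchange."""
    if name.startswith(TLS13_SUITES):
        return True
    # OpenSSL form (ECDHE-...) and IANA form (TLS_ECDHE_...). The IANA name
    # TLS_RSA_WITH_* also starts with "TLS_" but is static RSA, so testing
    # for a bare "TLS_" prefix would misclassify it.
    return name.startswith(("ECDHE-", "TLS_ECDHE_"))


def audit(doc: dict) -> dict:
    """Map each policy name to its ciphers that do not provide FS, by priority."""
    report = {}
    for policy in doc["SslPolicies"]:
        ordered = sorted(policy["Ciphers"], key=lambda c: c["Priority"])
        report[policy["Name"]] = [c["Name"] for c in ordered
                                  if not cipher_has_fs(c["Name"])]
    return report


if __name__ == "__main__":
    for policy_name, weak in audit(SAMPLE).items():
        status = "FS for every cipher" if not weak else "no FS with " + ", ".join(weak)
        print(f"{policy_name}: {status}")
```

An empty list for a policy means every cipher it offers provides FS; any entry is a static RSA key exchange cipher that a client could still negotiate.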

**Topics**
+ [Protocols by policy](#fs-protocols)
+ [Ciphers by policy](#fs-policy-ciphers)
+ [Policies by cipher](#fs-cipher-policies)

### Protocols by policy
<a name="fs-protocols"></a>

The following table describes the protocols supported by each FS supported security policy.

| Security policy | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 | 
| --- | --- | --- | --- | --- | 
| ELBSecurityPolicy-FS-1-2-Res-2020-10 | No | Yes | No | No | 
| ELBSecurityPolicy-FS-1-2-Res-2019-08 | No | Yes | No | No | 
| ELBSecurityPolicy-FS-1-2-2019-08 | No | Yes | No | No | 
| ELBSecurityPolicy-FS-1-1-2019-08 | No | Yes | Yes | No | 
| ELBSecurityPolicy-FS-2018-06 | No | Yes | Yes | Yes | 

### Ciphers by policy
<a name="fs-policy-ciphers"></a>

The following table describes the ciphers supported by each FS supported security policy.

| Security policy | Ciphers | 
| --- | --- | 
| ELBSecurityPolicy-FS-1-2-Res-2020-10 |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-FS-1-2-Res-2019-08 |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-FS-1-2-2019-08 |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-FS-1-1-2019-08 |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-FS-2018-06 |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 

### Policies by cipher
<a name="fs-cipher-policies"></a>

The following table describes the FS supported security policies that support each cipher.

| Cipher name | Security policies | Cipher suite | 
| --- | --- | --- | 
|  **OpenSSL**: ECDHE-ECDSA-AES128-GCM-SHA256; **IANA**: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c02b | 
|  **OpenSSL**: ECDHE-RSA-AES128-GCM-SHA256; **IANA**: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c02f | 
|  **OpenSSL**: ECDHE-ECDSA-AES128-SHA256; **IANA**: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c023 | 
|  **OpenSSL**: ECDHE-RSA-AES128-SHA256; **IANA**: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c027 | 
|  **OpenSSL**: ECDHE-ECDSA-AES128-SHA; **IANA**: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c009 | 
|  **OpenSSL**: ECDHE-RSA-AES128-SHA; **IANA**: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c013 | 
|  **OpenSSL**: ECDHE-ECDSA-AES256-GCM-SHA384; **IANA**: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c02c | 
|  **OpenSSL**: ECDHE-RSA-AES256-GCM-SHA384; **IANA**: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c030 | 
|  **OpenSSL**: ECDHE-ECDSA-AES256-SHA384; **IANA**: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c024 | 
|  **OpenSSL**: ECDHE-RSA-AES256-SHA384; **IANA**: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c028 | 
|  **OpenSSL**: ECDHE-ECDSA-AES256-SHA; **IANA**: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c00a | 
|  **OpenSSL**: ECDHE-RSA-AES256-SHA; **IANA**: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c014 | 