经典负载均衡器的预定义 SSL 安全策略 - Elastic Load Balancing
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

经典负载均衡器的预定义 SSL 安全策略

您可以为 HTTPS/SSL 侦听器选择预定义的安全策略之一。您可以使用 ELBSecurityPolicy-TLS 策略之一来满足要求禁用某些 TLS 协议版本的合规性和安全标准。或者,您也可以创建自定义安全策略。有关更多信息,请参阅 更新 SSL 协商配置

基于 RSA 和 DSA 的密码特定于用于创建 SSL 证书的签名算法。请确保使用基于为安全策略启用的密码的签名算法来创建 SSL 证书。

如果选择为“服务器顺序首选项”启用的策略,则负载均衡器会按密码在这里的指定顺序使用密码,以协商客户端与负载均衡器之间的连接。否则,负载均衡器会按客户端提供的密码的顺序使用密码。

以下章节介绍了经典负载均衡器的最新预定义安全策略,包括其启用的 SSL 协议和 SSL 密码。您还可以使用 describe-load-balancer-policies 命令描述预定义的策略。

提示

这些信息仅适用于经典负载均衡器。有关适用于其他负载均衡器的信息,请参阅适用于应用程序负载均衡器的安全策略适用于网络负载均衡器的安全策略

按策略列出的协议

下表描述了每个安全策略支持的 TLS 协议。

安全策略 TLS 1.2 TLS 1.1 TLS 1.0
ELBSecurityPolicy-TLS-1-2-2017-01
ELBSecurityPolicy-TLS-1-1-2017-01
ELBSecurityPolicy-2016-08
ELBSecurityPolicy-2015-05
ELBSecurityPolicy-2015-03
ELBSecurityPolicy-2015-02

按策略列出的密码

下表描述了每个安全策略支持的密码。

安全策略 密码
ELBSecurityPolicy-TLS-1-2-2017-01
  • ECDHE-ECDSA-AES128- GCM-SHA256

  • ECDHE-RSA-AES128- GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES256- GCM-SHA384

  • ECDHE-RSA-AES256- GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

ELBSecurityPolicy-TLS-1-1-2017-01
  • ECDHE-ECDSA-AES128- GCM-SHA256

  • ECDHE-RSA-AES128- GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256- GCM-SHA384

  • ECDHE-RSA-AES256- GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

ELBSecurityPolicy-2016-08
  • ECDHE-ECDSA-AES128- GCM-SHA256

  • ECDHE-RSA-AES128- GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256- GCM-SHA384

  • ECDHE-RSA-AES256- GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

ELBSecurityPolicy-2015-05
  • ECDHE-ECDSA-AES128- GCM-SHA256

  • ECDHE-RSA-AES128- GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256- GCM-SHA384

  • ECDHE-RSA-AES256- GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

  • DES-CBC3-SHA

ELBSecurityPolicy-2015-03
  • ECDHE-ECDSA-AES128- GCM-SHA256

  • ECDHE-RSA-AES128- GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256- GCM-SHA384

  • ECDHE-RSA-AES256- GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

  • DHE-RSA-AES128-SHA

  • DHE-DSS-AES128-SHA

  • DES-CBC3-SHA

ELBSecurityPolicy-2015-02
  • ECDHE-ECDSA-AES128- GCM-SHA256

  • ECDHE-RSA-AES128- GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256- GCM-SHA384

  • ECDHE-RSA-AES256- GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

  • DHE-RSA-AES128-SHA

  • DHE-DSS-AES128-SHA

按密码列出的策略

下表描述了支持每个密码的安全策略。

密码名称 安全策略 密码套件

OpenSSL:ECDHE-ECDSA-AES128-GCM-SHA256

IANA:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c02b

OpenSSL:ECDHE-RSA-AES128-GCM-SHA256

IANA:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c02f

OpenSSL:ECDHE-ECDSA-AES128-SHA256

IANA:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c023

OpenSSL:ECDHE-RSA-AES128-SHA256

IANA:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c027

OpenSSL:ECDHE-ECDSA-AES128-SHA

IANA:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c009

OpenSSL:ECDHE-RSA-AES128-SHA

IANA:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c013

OpenSSL:ECDHE-ECDSA-AES256-GCM-SHA384

IANA:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c02c

OpenSSL:ECDHE-RSA-AES256-GCM-SHA384

IANA:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c030

OpenSSL:ECDHE-ECDSA-AES256-SHA384

IANA:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c024

OpenSSL:ECDHE-RSA-AES256-SHA384

IANA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c028

OpenSSL:ECDHE-ECDSA-AES256-SHA

IANA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c014

OpenSSL:ECDHE-RSA-AES256-SHA

IANA:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c00a

OpenSSL:AES128-GCM-SHA256

IANA:TLS_RSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

9c

OpenSSL:AES128-SHA256

IANA:TLS_RSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

3c

OpenSSL:AES128-SHA

IANA:TLS_RSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

2f

OpenSSL:AES256-GCM-SHA384

IANA:TLS_RSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

9d

OpenSSL:AES256-SHA256

IANA:TLS_RSA_WITH_AES_256_CBC_SHA256

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

3d

OpenSSL:AES256-SHA

IANA:TLS_RSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

35

OpenSSL:DHE-RSA-AES128-SHA

IANA:TLS_DHE_RSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

33

OpenSSL:DHE-DSS-AES128-SHA

IANA:TLS_DHE_DSS_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

32

OpenSSL:DES-CBC3-SHA

IANA:TLS_RSA_WITH_3DES_EDE_CBC_SHA

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

0a