Supported protocols and ciphers between viewers and CloudFront
When you require HTTPS between viewers and your CloudFront distribution, you must choose a security policy, which determines the following settings:
-
The minimum SSL/TLS protocol that CloudFront uses to communicate with viewers.
-
The ciphers that CloudFront can use to encrypt the communication with viewers.
To choose a security policy, specify the applicable value for Security policy (minimum SSL/TLS version). The following table lists the protocols and ciphers that CloudFront can use for each security policy.
A viewer must support at least one of the supported ciphers to establish an HTTPS connection with CloudFront. CloudFront chooses a cipher in the listed order from among the ciphers that the viewer supports. See also OpenSSL, s2n, and RFC cipher names.
Security policy | ||||||||
---|---|---|---|---|---|---|---|---|
SSLv3 | TLSv1 | TLSv1_2016 | TLSv1.1_2016 | TLSv1.2_2018 | TLSv1.2_2019 | TLSv1.2_2021 | TLSv1.3_2025 | |
Supported SSL/TLS protocols | ||||||||
TLSv1.3 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLSv1.2 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | |
TLSv1.1 | ♦ | ♦ | ♦ | ♦ | ||||
TLSv1 | ♦ | ♦ | ♦ | |||||
SSLv3 | ♦ | |||||||
Supported TLSv1.3 ciphers | ||||||||
TLS_AES_128_GCM_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_AES_256_GCM_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_CHACHA20_POLY1305_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
Supported ECDSA ciphers | ||||||||
ECDHE-ECDSA-AES128-GCM-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | |
ECDHE-ECDSA-AES128-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ||
ECDHE-ECDSA-AES128-SHA | ♦ | ♦ | ♦ | ♦ | ||||
ECDHE-ECDSA-AES256-GCM-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | |
ECDHE-ECDSA-CHACHA20-POLY1305 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | |
ECDHE-ECDSA-AES256-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ||
ECDHE-ECDSA-AES256-SHA | ♦ | ♦ | ♦ | ♦ | ||||
Supported RSA ciphers | ||||||||
ECDHE-RSA-AES128-GCM-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | |
ECDHE-RSA-AES128-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ||
ECDHE-RSA-AES128-SHA | ♦ | ♦ | ♦ | ♦ | ||||
ECDHE-RSA-AES256-GCM-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | |
ECDHE-RSA-CHACHA20-POLY1305 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | |
ECDHE-RSA-AES256-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ||
ECDHE-RSA-AES256-SHA | ♦ | ♦ | ♦ | ♦ | ||||
AES128-GCM-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | |||
AES256-GCM-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | |||
AES128-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | |||
AES256-SHA | ♦ | ♦ | ♦ | ♦ | ||||
AES128-SHA | ♦ | ♦ | ♦ | ♦ | ||||
DES-CBC3-SHA | ♦ | ♦ | ||||||
RC4-MD5 | ♦ |
OpenSSL, s2n, and RFC cipher names
OpenSSL and s2n
For ciphers with elliptic curve key exchange algorithms, CloudFront supports the following elliptic curves:
-
prime256v1
-
X25519
-
secp384r1
For more information about certificate requirements for CloudFront, see Requirements for using SSL/TLS certificates with CloudFront.
OpenSSL and s2n cipher name | RFC cipher name |
---|---|
Supported TLSv1.3 ciphers | |
TLS_AES_128_GCM_SHA256 | TLS_AES_128_GCM_SHA256 |
TLS_AES_256_GCM_SHA384 | TLS_AES_256_GCM_SHA384 |
TLS_CHACHA20_POLY1305_SHA256 | TLS_CHACHA20_POLY1305_SHA256 |
Supported ECDSA ciphers | |
ECDHE-ECDSA-AES128-GCM-SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
ECDHE-ECDSA-AES128-SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
ECDHE-ECDSA-AES128-SHA | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
ECDHE-ECDSA-AES256-GCM-SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
ECDHE-ECDSA-CHACHA20-POLY1305 | TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 |
ECDHE-ECDSA-AES256-SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
ECDHE-ECDSA-AES256-SHA | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
Supported RSA ciphers | |
ECDHE-RSA-AES128-GCM-SHA256 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
ECDHE-RSA-AES128-SHA256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
ECDHE-RSA-AES128-SHA | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
ECDHE-RSA-AES256-GCM-SHA384 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
ECDHE-RSA-CHACHA20-POLY1305 | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 |
ECDHE-RSA-AES256-SHA384 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
ECDHE-RSA-AES256-SHA | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
AES128-GCM-SHA256 | TLS_RSA_WITH_AES_128_GCM_SHA256 |
AES256-GCM-SHA384 | TLS_RSA_WITH_AES_256_GCM_SHA384 |
AES128-SHA256 | TLS_RSA_WITH_AES_128_CBC_SHA256 |
AES256-SHA | TLS_RSA_WITH_AES_256_CBC_SHA |
AES128-SHA | TLS_RSA_WITH_AES_128_CBC_SHA |
DES-CBC3-SHA | TLS_RSA_WITH_3DES_EDE_CBC_SHA |
RC4-MD5 | TLS_RSA_WITH_RC4_128_MD5 |
Supported signature schemes between viewers and CloudFront
CloudFront supports the following signature schemes for connections between viewers and CloudFront.
Security policy | ||||||||
---|---|---|---|---|---|---|---|---|
Signature schemes | SSLv3 | TLSv1 | TLSv1_2016 | TLSv1.1_2016 | TLSv1.2_2018 | TLSv1.2_2019 | TLSv1.2_2021 | TLSv1.3_2025 |
TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA224 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | |
TLS_SIGNATURE_SCHEME_ECDSA_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_SIGNATURE_SCHEME_ECDSA_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_SIGNATURE_SCHEME_ECDSA_SHA512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_SIGNATURE_SCHEME_ECDSA_SHA224 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | |
TLS_SIGNATURE_SCHEME_ECDSA_SECP256R1_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_SIGNATURE_SCHEME_ECDSA_SECP384R1_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA1 | ♦ | ♦ | ♦ | ♦ | ||||
TLS_SIGNATURE_SCHEME_ECDSA_SHA1 | ♦ | ♦ | ♦ | ♦ |