Supported protocols and ciphers between viewers and CloudFront - Amazon CloudFront
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Supported protocols and ciphers between viewers and CloudFront

When you require HTTPS between viewers and your CloudFront distribution, you must choose a security policy, which determines the following settings:

  • The minimum SSL/TLS protocol that CloudFront uses to communicate with viewers.

  • The ciphers that CloudFront can use to encrypt the communication with viewers.

To choose a security policy, specify the applicable value for Security policy (minimum SSL/TLS version). The following table lists the protocols and ciphers that CloudFront can use for each security policy.

A viewer must support at least one of the supported ciphers to establish an HTTPS connection with CloudFront. CloudFront chooses a cipher in the listed order from among the ciphers that the viewer supports. See also OpenSSL, s2n, and RFC cipher names.

Security policy
SSLv3 TLSv1 TLSv1_2016 TLSv1.1_2016 TLSv1.2_2018 TLSv1.2_2019 TLSv1.2_2021
Supported SSL/TLS protocols
TLSv1.3
TLSv1.2
TLSv1.1
TLSv1
SSLv3
Supported TLSv1.3 ciphers
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
Supported ECDSA ciphers
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA
Supported RSA ciphers
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-SHA256
AES256-SHA
AES128-SHA
DES-CBC3-SHA
RC4-MD5

OpenSSL, s2n, and RFC cipher names

OpenSSL and s2n use different names for ciphers than the TLS standards use (RFC 2246, RFC 4346, RFC 5246, and RFC 8446). The following table maps the OpenSSL and s2n names to the RFC name for each cipher.

For ciphers with elliptic curve key exchange algorithms, CloudFront supports the following elliptic curves:

  • prime256v1

  • X25519

For more information about certificate requirements for CloudFront, see Requirements for using SSL/TLS certificates with CloudFront.

OpenSSL and s2n cipher name RFC cipher name
Supported TLSv1.3 ciphers
TLS_AES_128_GCM_SHA256 TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384 TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256 TLS_CHACHA20_POLY1305_SHA256
Supported ECDSA ciphers
ECDHE-ECDSA-AES128-GCM-SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
ECDHE-ECDSA-AES128-SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
ECDHE-ECDSA-AES128-SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
ECDHE-ECDSA-AES256-GCM-SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
ECDHE-ECDSA-CHACHA20-POLY1305 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
ECDHE-ECDSA-AES256-SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
ECDHE-ECDSA-AES256-SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Supported RSA ciphers
ECDHE-RSA-AES128-GCM-SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ECDHE-RSA-AES128-SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
ECDHE-RSA-AES128-SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
ECDHE-RSA-AES256-GCM-SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
ECDHE-RSA-CHACHA20-POLY1305 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
ECDHE-RSA-AES256-SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
ECDHE-RSA-AES256-SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
AES128-GCM-SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256
AES256-GCM-SHA384 TLS_RSA_WITH_AES_256_GCM_SHA384
AES128-SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256
AES256-SHA TLS_RSA_WITH_AES_256_CBC_SHA
AES128-SHA TLS_RSA_WITH_AES_128_CBC_SHA
DES-CBC3-SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA
RC4-MD5 TLS_RSA_WITH_RC4_128_MD5

Supported signature schemes between viewers and CloudFront

CloudFront supports the following signature schemes for connections between viewers and CloudFront.

Security policy
Signature schemes SSLv3 TLSv1 TLSv1_2016 TLSv1.1_2016 TLSv1.2_2018 TLSv1.2_2019 and TLSv1.2_2021
TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA256
TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA384
TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA512
TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA256
TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA384
TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA512
TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA256
TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA384
TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA512
TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA224
TLS_SIGNATURE_SCHEME_ECDSA_SHA256
TLS_SIGNATURE_SCHEME_ECDSA_SHA384
TLS_SIGNATURE_SCHEME_ECDSA_SHA512
TLS_SIGNATURE_SCHEME_ECDSA_SHA224
TLS_SIGNATURE_SCHEME_ECDSA_SECP256R1_SHA256
TLS_SIGNATURE_SCHEME_ECDSA_SECP384R1_SHA384
TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA1
TLS_SIGNATURE_SCHEME_ECDSA_SHA1