Supported protocols and ciphers between viewers and CloudFront
When you require HTTPS between viewers and your CloudFront distribution, you must choose a security policy, which determines the following settings:
-
The minimum SSL/TLS protocol that CloudFront uses to communicate with viewers.
-
The ciphers that CloudFront can use to encrypt the communication with viewers.
To choose a security policy, specify the applicable value for Security policy (minimum SSL/TLS version). The following table lists the protocols and ciphers that CloudFront can use for each security policy.
A viewer must support at least one of the supported ciphers to establish an HTTPS connection with CloudFront. CloudFront chooses a cipher in the listed order from among the ciphers that the viewer supports. See also OpenSSL, s2n, and RFC cipher names.
Security policy | |||||||
---|---|---|---|---|---|---|---|
SSLv3 | TLSv1 | TLSv1_2016 | TLSv1.1_2016 | TLSv1.2_2018 | TLSv1.2_2019 | TLSv1.2_2021 | |
Supported SSL/TLS protocols | |||||||
TLSv1.3 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLSv1.2 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLSv1.1 | ♦ | ♦ | ♦ | ♦ | |||
TLSv1 | ♦ | ♦ | ♦ | ||||
SSLv3 | ♦ | ||||||
Supported TLSv1.3 ciphers | |||||||
TLS_AES_128_GCM_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_AES_256_GCM_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_CHACHA20_POLY1305_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
Supported ECDSA ciphers | |||||||
ECDHE-ECDSA-AES128-GCM-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
ECDHE-ECDSA-AES128-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | |
ECDHE-ECDSA-AES128-SHA | ♦ | ♦ | ♦ | ♦ | |||
ECDHE-ECDSA-AES256-GCM-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
ECDHE-ECDSA-CHACHA20-POLY1305 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
ECDHE-ECDSA-AES256-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | |
ECDHE-ECDSA-AES256-SHA | ♦ | ♦ | ♦ | ♦ | |||
Supported RSA ciphers | |||||||
ECDHE-RSA-AES128-GCM-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
ECDHE-RSA-AES128-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | |
ECDHE-RSA-AES128-SHA | ♦ | ♦ | ♦ | ♦ | |||
ECDHE-RSA-AES256-GCM-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
ECDHE-RSA-CHACHA20-POLY1305 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
ECDHE-RSA-AES256-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | |
ECDHE-RSA-AES256-SHA | ♦ | ♦ | ♦ | ♦ | |||
AES128-GCM-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ||
AES256-GCM-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ||
AES128-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ||
AES256-SHA | ♦ | ♦ | ♦ | ♦ | |||
AES128-SHA | ♦ | ♦ | ♦ | ♦ | |||
DES-CBC3-SHA | ♦ | ♦ | |||||
RC4-MD5 | ♦ |
OpenSSL, s2n, and RFC cipher names
OpenSSL and s2n
For ciphers with elliptic curve key exchange algorithms, CloudFront supports the following elliptic curves:
-
prime256v1
-
X25519
For more information about certificate requirements for CloudFront, see Requirements for using SSL/TLS certificates with CloudFront.
OpenSSL and s2n cipher name | RFC cipher name |
---|---|
Supported TLSv1.3 ciphers | |
TLS_AES_128_GCM_SHA256 | TLS_AES_128_GCM_SHA256 |
TLS_AES_256_GCM_SHA384 | TLS_AES_256_GCM_SHA384 |
TLS_CHACHA20_POLY1305_SHA256 | TLS_CHACHA20_POLY1305_SHA256 |
Supported ECDSA ciphers | |
ECDHE-ECDSA-AES128-GCM-SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
ECDHE-ECDSA-AES128-SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
ECDHE-ECDSA-AES128-SHA | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
ECDHE-ECDSA-AES256-GCM-SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
ECDHE-ECDSA-CHACHA20-POLY1305 | TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 |
ECDHE-ECDSA-AES256-SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
ECDHE-ECDSA-AES256-SHA | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
Supported RSA ciphers | |
ECDHE-RSA-AES128-GCM-SHA256 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
ECDHE-RSA-AES128-SHA256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
ECDHE-RSA-AES128-SHA | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
ECDHE-RSA-AES256-GCM-SHA384 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
ECDHE-RSA-CHACHA20-POLY1305 | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 |
ECDHE-RSA-AES256-SHA384 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
ECDHE-RSA-AES256-SHA | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
AES128-GCM-SHA256 | TLS_RSA_WITH_AES_128_GCM_SHA256 |
AES256-GCM-SHA384 | TLS_RSA_WITH_AES_256_GCM_SHA384 |
AES128-SHA256 | TLS_RSA_WITH_AES_128_CBC_SHA256 |
AES256-SHA | TLS_RSA_WITH_AES_256_CBC_SHA |
AES128-SHA | TLS_RSA_WITH_AES_128_CBC_SHA |
DES-CBC3-SHA | TLS_RSA_WITH_3DES_EDE_CBC_SHA |
RC4-MD5 | TLS_RSA_WITH_RC4_128_MD5 |
Supported signature schemes between viewers and CloudFront
CloudFront supports the following signature schemes for connections between viewers and CloudFront.
Security policy | |||||||
---|---|---|---|---|---|---|---|
Signature schemes | SSLv3 | TLSv1 | TLSv1_2016 | TLSv1.1_2016 | TLSv1.2_2018 | TLSv1.2_2019 | and TLSv1.2_2021 |
TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA224 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_SIGNATURE_SCHEME_ECDSA_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_SIGNATURE_SCHEME_ECDSA_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_SIGNATURE_SCHEME_ECDSA_SHA512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_SIGNATURE_SCHEME_ECDSA_SHA224 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_SIGNATURE_SCHEME_ECDSA_SECP256R1_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_SIGNATURE_SCHEME_ECDSA_SECP384R1_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA1 | ♦ | ♦ | ♦ | ♦ | |||
TLS_SIGNATURE_SCHEME_ECDSA_SHA1 | ♦ | ♦ | ♦ | ♦ |