

本文属于机器翻译版本。若本译文内容与英语原文存在差异，则一律以英文原文为准。

# 应用程序负载均衡器的安全策略
<a name="describe-ssl-policies"></a>

Elastic Load Balancing 使用一个安全套接字层 (SSL) 协商配置（称为安全策略）在客户端与负载均衡器之间协商 SSL 连接。安全策略是协议和密码的组合。协议在客户端与服务器之间建立安全连接，确保在客户端与负载均衡器之间传递的所有数据都是私密数据。密码是使用加密密钥创建编码消息的加密算法。协议使用多种密码对 Internet 上的数据进行加密。在 连接协商过程中，客户端和负载均衡器会按首选项顺序提供各自支持的密码和协议的列表。默认情况下，会为安全连接选择服务器列表中与任何一个客户端的密码匹配的第一个密码。

**注意事项**
+ HTTPS 侦听器需要有安全策略。如果您在创建侦听器时未指定安全策略，我们将使用默认安全策略。默认安全策略取决于您创建 HTTPS 侦听器的方式：
  + **控制台**：默认安全策略为 `ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09`。
  + **其他方法**（例如 Amazon CLI Amazon CloudFormation、和 Amazon CDK）-默认安全策略是`ELBSecurityPolicy-2016-08`。
  + 要查看负载均衡器连接请求的 TLS 协议版本（日志字段位置 5）和密钥交换（日志字段位置 13），请启用连接日志并检查相应的日志条目。有关更多信息，请参阅[连接日志](https://docs.amazonaws.cn/elasticloadbalancing/latest/application/load-balancer-connection-logs.html)。
  + 以 PQ 命名的安全策略提供混合后量子密钥交换。出于兼容性考虑，它们支持经典和后量子 ML-KEM 密钥交换算法。客户端必须支持 ML-KEM 密钥交换，才能使用混合后量子 TLS 进行密钥交换。混合后量子策略支持 secp256r1mlkem768、secp384r1mlkem1024 和 X25519MLKEM768 算法。有关更多信息，请参阅[Post-quantum 密码学](https://www.amazonaws.cn/security/post-quantum-cryptography/)。
  + AWS 建议实施新的基于后量子 TLS (PQ-TLS) 的安全策略`ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09`或`ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09`。该策略通过支持能够协商混合 PQ-TLS、仅限 TLS 1.3 或仅限 TLS 1.2 的客户端，从而最大限度地减少向后量子加密过渡期间的服务中断，从而最大限度地减少向后量子密码学过渡期间的服务中断。随着您的客户端应用程序开发出协商 PQ-TLS 密钥交换操作的能力，您可以逐步迁移到更严格的安全策略。
  + 名称中带有 RFC 9151 的安全策略可帮助您遵守 RFC 9151，该协议定义了美国国家安全局 (NSA) 规定的商业国家安全算法 (CNSA) 1.0 套件的 TLS 要求。为了帮助过渡，它们分为两类：强制执行完整 RFC 9151 要求的严格策略，以及支持符合 RFC 9151 和非 RFC 9151 密码以帮助逐步过渡的互操作策略（名称中包含 “INTEROP”）。 Amazon 建议从最大限度`ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07`地减少中断开始，然后随着客户支持 RFC 9151，逐渐转向更严格的策略。您可以使用 ALB 连接日志中的`tls_protocol``tls_cipher`、和`tls_keyexchange`字段来监控客户端连接。有关 RFC 9151 的更多信息，请参阅 [IETF 网站上的 RFC 9151](https://datatracker.ietf.org/doc/html/rfc9151)。
+ 为了满足需要禁用某些 TLS 协议版本的合规性和安全性标准，或者为了支持需要已弃用密码的旧客户端，您可以使用其中一种 `ELBSecurityPolicy-TLS-` 安全策略。要查看针对应用程序负载均衡器的请求的 TLS 协议版本，请为负载均衡器启用访问日志记录并检查相应的访问日志条目。有关更多信息，请参阅[访问日志](load-balancer-access-logs.md)。
+ 您可以分别使用您 Amazon Web Services 账户 的 IAM 中的 [Elastic Load Balancing 条件密钥](https://docs.amazonaws.cn/elasticloadbalancing/latest/userguide/security_iam_service-with-iam.html)和服务控制策略 (SCP) 来限制用户可以使用哪些安全策略。 Amazon Organizations 有关更多信息，请参阅《Amazon Organizations 用户指南》**中的[服务控制策略（SCP）](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_manage_policies_scps.html)。
+ 仅支持 TLS 1.3 的策略支持向前保密（FS）。支持 TLS 1.3 和 TLS 1.2 且仅包含 TLS\_\* 和 ECDHE\_\* 格式密码的策略也提供 FS。
+ 应用程序负载均衡器支持使用 PSK (TLS 1.3) 和会话 IDs/session 票证（TLS 1.2 及更早版本）恢复 TLS。只有连接到相同的应用程序负载均衡器 IP 地址时才支持恢复。未实现 0-RTT 数据功能和 early\_data 扩展。
+ Application Load Balancer 不支持自定义安全策略。
+ 应用程序负载均衡器仅支持目标连接的 SSL 重新协商。

**后端连接**
+ 您可以选择用于前端连接但不能选择用于后端连接的安全策略。后端连接的安全策略取决于侦听器安全策略。如果有听众在使用：
  + **RFC 9151 策略（包括任何互操作策略）**-后端连接使用 `ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07`
  + **FIPS 后量子 TLS 策略**-后端连接使用 `ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09`
  + **FIPS 策略**-后端连接使用 `ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04`
  + **Post-quantum TLS 策略**-后端连接使用 `ELBSecurityPolicy-TLS13-1-0-PQ-2025-09`
  + **TLS 1.3 政策**-后端连接使用 `ELBSecurityPolicy-TLS13-1-0-2021-06`
  + **其他 TLS 策略**-后端连接使用 `ELBSecurityPolicy-2016-08`

**Contents**
+ [示例 describe-ssl-policies 命令](#describe-ssl-policies-examples)
+ [TLS 安全策略](#tls-security-policies)
  + [按策略划分的协议](#tls-protocols)
  + [按策略划分的密码](#tls-policy-ciphers)
  + [按密码划分的策略](#tls-cipher-policies)
+ [FIPS 安全策略](#fips-security-policies)
  + [按策略划分的协议](#fips-protocols)
  + [按策略划分的密码](#fips-policy-ciphers)
  + [按密码划分的策略](#fips-cipher-policies)
+ [RFC 9151 (CNSA 1.0) 安全政策](#rfc9151-security-policies)
  + [按策略划分的协议](#rfc9151-protocols)
  + [按策略划分的密码](#rfc9151-policy-ciphers)
  + [按密码划分的策略](#rfc9151-cipher-policies)
+ [FS 支持的策略](#fs-supported-policies)
  + [按策略划分的协议](#fs-protocols)
  + [按策略划分的密码](#fs-policy-ciphers)
  + [按密码划分的策略](#fs-cipher-policies)

## 示例 describe-ssl-policies 命令
<a name="describe-ssl-policies-examples"></a>

您可以使用 [describe-ssl-policies](https://docs.amazonaws.cn/cli/latest/reference/elbv2/describe-ssl-policies.html) Amazon CLI 命令描述安全策略的协议和密码，或者找到满足您需求的策略。

以下示例描述了指定的策略。

```
aws elbv2 describe-ssl-policies \
    --names "{{ELBSecurityPolicy-TLS13-1-2-Res-2021-06}}"
```

以下示例列出了策略名称中包含指定字符串的策略。

```
aws elbv2 describe-ssl-policies \
    --query "SslPolicies[?contains(Name,'{{FIPS}}')].Name"
```

以下示例列出了支持指定协议的策略。

```
aws elbv2 describe-ssl-policies \
    --query "SslPolicies[?contains(SslProtocols,'{{TLSv1.3}}')].Name"
```

以下示例列出了支持指定密码的策略。

```
aws elbv2 describe-ssl-policies \
    --query "SslPolicies[?Ciphers[?contains(Name,'{{TLS_AES_128_GCM_SHA256}}')]].Name"
```

以下示例列出了不支持指定密码的策略。

```
aws elbv2 describe-ssl-policies \
    --query 'SslPolicies[?length(Ciphers[?starts_with(Name,`{{AES128-GCM-SHA256}}`)]) == `0`].Name'
```

## TLS 安全策略
<a name="tls-security-policies"></a>

您可以使用 TLS 安全策略来满足需要禁用某些 TLS 协议版本的合规性和安全标准，或者支持需要已弃用密码的旧客户端。

仅支持 TLS 1.3 的策略支持向前保密 (FS)。支持 TLS 1.3 和 TLS 1.2 且仅包含 TLS\_\* 和 ECDHE\_\* 格式密码的策略也提供 FS。

**Topics**
+ [按策略划分的协议](#tls-protocols)
+ [按策略划分的密码](#tls-policy-ciphers)
+ [按密码划分的策略](#tls-cipher-policies)

### 按策略划分的协议
<a name="tls-protocols"></a>

下表描述了每个 TLS 安全策略支持的协议。


| 安全策略 | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 | 
| --- | --- | --- | --- | --- | 
| ELBSecurityPolicy-TLS13-1-3-2021-06 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-TLS13-1-3-PQ-2025-09 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-TLS13-1-2-2021-06 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-TLS13-1-2-Res-2021-06 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-TLS13-1-1-2021-06 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-TLS13-1-0-2021-06 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | 
| ELBSecurityPolicy-TLS13-1-0-PQ-2025-09 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | 
| ELBSecurityPolicy-TLS-1-2-Ext-2018-06 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-TLS-1-2-2017-01 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-TLS-1-1-2017-01 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-2016-08 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | 

### 按策略划分的密码
<a name="tls-policy-ciphers"></a>

下表描述了每个 TLS 安全策略支持的密码。


| 安全策略 | 密码 | 
| --- | --- | 
| ELBSecurityPolicy-TLS13-1-3-2021-06<br />ELBSecurityPolicy-TLS13-1-3-PQ-2025-09 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-TLS13-1-2-2021-06<br />ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-TLS13-1-2-Res-2021-06<br />ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06<br />ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06<br />ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-TLS13-1-1-2021-06 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-TLS13-1-0-2021-06<br />ELBSecurityPolicy-TLS13-1-0-PQ-2025-09 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-TLS-1-2-Ext-2018-06 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-TLS-1-2-2017-01 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-TLS-1-1-2017-01 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-2016-08 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 

### 按密码划分的策略
<a name="tls-cipher-policies"></a>

下表描述了支持每个密码的 TLS 安全策略。


| 密码名称 | 安全策略 | 密码套件 | 
| --- | --- | --- | 
| **OpenSSL** – TLS\_AES\_128\_GCM\_SHA256<br />**IANA** – TLS\_AES\_128\_GCM\_SHA256 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 1301 | 
| **OpenSSL** – TLS\_AES\_256\_GCM\_SHA384<br />**IANA** – TLS\_AES\_256\_GCM\_SHA384 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 1302 | 
| **OpenSSL** – TLS\_CHACHA20\_POLY1305\_SHA256<br />**IANA** – TLS\_CHACHA20\_POLY1305\_SHA256 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 1303 | 
| **OpenSSL —** ECDHE-ECDSA-AES128-GCM-SHA256<br />**IANA**：TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_GCM\_SHA256 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c02b | 
| **OpenSSL —** ECDHE-RSA-AES128-GCM-SHA256<br />**IANA**：TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c02f | 
| **OpenSSL —** ECDHE-ECDSA-AES128-SHA256<br />**IANA**：TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA256 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c023 | 
| **OpenSSL —** ECDHE-RSA-AES128-SHA256<br />**IANA**：TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA256 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c027 | 
| **OpenSSL —** ECDHE-ECDSA-AES128-SHA<br />**IANA**：TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c009 | 
| **OpenSSL —** ECDHE-RSA-AES128-SHA<br />**IANA**：TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c013 | 
| **OpenSSL —** ECDHE-ECDSA-AES256-GCM-SHA384<br />**IANA**：TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_GCM\_SHA384 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c02c | 
| **OpenSSL —** ECDHE-RSA-AES256-GCM-SHA384<br />**IANA**：TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c030 | 
| **OpenSSL —** ECDHE-ECDSA-AES256-SHA384<br />**IANA**：TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA384 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c024 | 
| **OpenSSL —** ECDHE-RSA-AES256-SHA384<br />**IANA**：TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA384 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c028 | 
| **OpenSSL —** ECDHE-ECDSA-AES256-SHA<br />**IANA**：TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c00a | 
| **OpenSSL —** ECDHE-RSA-AES256-SHA<br />**IANA**：TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c014 | 
| **OpenSSL —** AES128-GCM-SHA256<br />**IANA**：TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 9c | 
| **OpenSSL —** AES128-SHA256<br />**IANA**：TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA256 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 3c | 
| **OpenSSL —** AES128-SHA<br />**IANA**：TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 2f | 
| **OpenSSL —** AES256-GCM-SHA384<br />**IANA**：TLS\_RSA\_WITH\_AES\_256\_GCM\_SHA384 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 9d | 
| **OpenSSL —** AES256-SHA256<br />**IANA**：TLS\_RSA\_WITH\_AES\_256\_CBC\_SHA256 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 3d | 
| **OpenSSL —** AES256-SHA<br />**IANA**：TLS\_RSA\_WITH\_AES\_256\_CBC\_SHA |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 35 | 

## FIPS 安全策略
<a name="fips-security-policies"></a>

联邦信息处理标准（FIPS）是美国和加拿大政府标准，其中规定了对保护敏感信息的加密模块的安全要求。要了解更多信息，请参阅 *Amazon Cloud 安全性合规性*页面上的[美国联邦信息处理标准（FIPS）140](https://www.amazonaws.cn/compliance/fips/)。

所有 FIPS 策略都使用 AWS-LC FIPS 验证的加密模块。要了解更多信息，请参阅 *NIST [ AWS-LC 加密模块](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4631)验证计划网站上的加密模块*页面。

**重要**  
策略 `ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04` 和 `ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04` 只是为了与旧版兼容而提供。虽然他们使用 FIPS140 模块使用 FIPS 加密，但它们可能不符合 NIST 最新的 TLS 配置指南。

**Topics**
+ [按策略划分的协议](#fips-protocols)
+ [按策略划分的密码](#fips-policy-ciphers)
+ [按密码划分的策略](#fips-cipher-policies)

### 按策略划分的协议
<a name="fips-protocols"></a>

下表描述了每个 FIPS 安全策略支持的协议。


| 安全策略 | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 | 
| --- | --- | --- | --- | --- | 
| ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | 
| ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | 

### 按策略划分的密码
<a name="fips-policy-ciphers"></a>

下表描述了每个 FIPS 安全策略支持的密码。


| 安全策略 | 密码 | 
| --- | --- | 
| ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04<br />ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04<br />ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04<br />ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04<br />ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04<br />ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04<br />ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04<br />ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 

### 按密码划分的策略
<a name="fips-cipher-policies"></a>

下表描述了支持每个密码的 FIPS 安全策略。


| 密码名称 | 安全策略 | 密码套件 | 
| --- | --- | --- | 
| **OpenSSL** – TLS\_AES\_128\_GCM\_SHA256<br />**IANA** – TLS\_AES\_128\_GCM\_SHA256 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 1301 | 
| **OpenSSL** – TLS\_AES\_256\_GCM\_SHA384<br />**IANA** – TLS\_AES\_256\_GCM\_SHA384 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 1302 | 
| **OpenSSL —** ECDHE-ECDSA-AES128-GCM-SHA256<br />**IANA**：TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_GCM\_SHA256 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c02b | 
| **OpenSSL —** ECDHE-RSA-AES128-GCM-SHA256<br />**IANA**：TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c02f | 
| **OpenSSL —** ECDHE-ECDSA-AES128-SHA256<br />**IANA**：TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA256 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c023 | 
| **OpenSSL —** ECDHE-RSA-AES128-SHA256<br />**IANA**：TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA256 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c027 | 
| **OpenSSL —** ECDHE-ECDSA-AES128-SHA<br />**IANA**：TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c009 | 
| **OpenSSL —** ECDHE-RSA-AES128-SHA<br />**IANA**：TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c013 | 
| **OpenSSL —** ECDHE-ECDSA-AES256-GCM-SHA384<br />**IANA**：TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_GCM\_SHA384 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c02c | 
| **OpenSSL —** ECDHE-RSA-AES256-GCM-SHA384<br />**IANA**：TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c030 | 
| **OpenSSL —** ECDHE-ECDSA-AES256-SHA384<br />**IANA**：TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA384 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c024 | 
| **OpenSSL —** ECDHE-RSA-AES256-SHA384<br />**IANA**：TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA384 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c028 | 
| **OpenSSL —** ECDHE-ECDSA-AES256-SHA<br />**IANA**：TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c00a | 
| **OpenSSL —** ECDHE-RSA-AES256-SHA<br />**IANA**：TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c014 | 
| **OpenSSL —** AES128-GCM-SHA256<br />**IANA**：TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 9c | 
| **OpenSSL —** AES128-SHA256<br />**IANA**：TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA256 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 3c | 
| **OpenSSL —** AES128-SHA<br />**IANA**：TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 2f | 
| **OpenSSL —** AES256-GCM-SHA384<br />**IANA**：TLS\_RSA\_WITH\_AES\_256\_GCM\_SHA384 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 9d | 
| **OpenSSL —** AES256-SHA256<br />**IANA**：TLS\_RSA\_WITH\_AES\_256\_CBC\_SHA256 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 3d | 
| **OpenSSL —** AES256-SHA<br />**IANA**：TLS\_RSA\_WITH\_AES\_256\_CBC\_SHA |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 35 | 

## RFC 9151 (CNSA 1.0) 安全政策
<a name="rfc9151-security-policies"></a>

Application Load Balancer 支持可帮助您遵守 RFC 9151 的安全策略，该策略定义了美国国家安全局 (NSA) 规定的商业国家安全算法 (CNSA) 1.0 套件的 TLS 要求。RFC 9151 规定了如何使用带有 TLS 1.2 和 TLS 1.3 协议的 CNSA 套件，定义了符合政府安全标准的安全通信的加密要求。要了解有关 RFC 9151 的更多信息，请参阅 [R](https://datatracker.ietf.org/doc/html/rfc9151) FC 9151。

RFC 9151 策略分为两类：
+ **严格的政策** — 强制执行严格的 RFC 9151 密码和签名方案要求。当您的所有客户端都支持 RFC 9151 时，请使用这些选项。
+ **互操作策略** — 支持兼容 RFC 9151 和非 RFC 9151 的密码和签名方案，以帮助逐步过渡到 RFC 9151 合规性。如果您不确定是否所有客户端都支持 RFC 9151，或者您想避免在过渡期间中断客户端，请使用这些选项。所有互操作策略的策略名称中都包含 “INTEROP”。

Amazon 建议从互操作策略开始`ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07`，该策略支持可以协商经典 TLS 1.3、TLS 1.2 或严格的 RFC 9151 算法的客户端，从而最大限度地减少中断。您可以逐渐转向更严格的政策，因为您的客户可以协商严格的RFC 9151。您可以使用 ALB 连接日志中的`tls_protocol``tls_cipher`、和`tls_keyexchange`字段来监控客户端的连接情况。

**重要**  
当您为侦听器选择 RFC 9151 安全策略时，负载均衡器将`ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07`用于与目标和其他服务的后端连接。但是，负载均衡器无法保证或强制执行出口连接（包括与目标的连接）或客户配置的外部服务（例如第三方身份提供商或身份验证端点）的 RFC 9151 合规性。  
您有责任确保以下几点：  
您的目标和您配置的任何外部服务都可以支持后端连接策略中的协议和密码。
为了在负载均衡器和您的目标之间严格遵守 RFC 9151，您的目标必须实施符合 RFC 9151 的证书和密码。
如果您的后端目标仅支持 TLS 1.0 或 TLS 1.1，则连接将失败。您必须更新目标上的协议和密码，使其与策略支持的密码保持一致。`ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07`

**Topics**
+ [按策略划分的协议](#rfc9151-protocols)
+ [按策略划分的密码](#rfc9151-policy-ciphers)
+ [按密码划分的策略](#rfc9151-cipher-policies)

### 按策略划分的协议
<a name="rfc9151-protocols"></a>

下表描述了每个 RFC 9151 安全策略支持的协议。


| 安全策略 | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 | 
| --- | --- | --- | --- | --- | 
| ELBSecurityPolicy-TLS13-1-3-RFC9151-FIPS-2023-07 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-TLS13-1-2-RFC9151-FIPS-2023-07 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-TLS13-1-2-Ext0-RFC9151-FIPS-2023-07 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP1-FIPS-2023-07 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP2-FIPS-2023-07 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP3-FIPS-2023-07 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 

### 按策略划分的密码
<a name="rfc9151-policy-ciphers"></a>

下表描述了每个 RFC 9151 安全策略支持的密码。


| 安全策略 | 密码 | 
| --- | --- | 
| ELBSecurityPolicy-TLS13-1-3-RFC9151-FIPS-2023-07 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-TLS13-1-2-RFC9151-FIPS-2023-07 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-TLS13-1-2-Ext0-RFC9151-FIPS-2023-07 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP1-FIPS-2023-07 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP2-FIPS-2023-07 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP3-FIPS-2023-07 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 

### 按密码划分的策略
<a name="rfc9151-cipher-policies"></a>

下表描述了支持每种密码的 RFC 9151 安全策略。


| 密码名称 | 安全策略 | 密码套件 | 
| --- | --- | --- | 
| **OpenSSL** – TLS\_AES\_256\_GCM\_SHA384<br />**IANA** – TLS\_AES\_256\_GCM\_SHA384 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 1302 | 
| **OpenSSL** – TLS\_AES\_128\_GCM\_SHA256<br />**IANA** – TLS\_AES\_128\_GCM\_SHA256 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 1301 | 
| **OpenSSL —** ECDHE-ECDSA-AES256-GCM-SHA384<br />**IANA**：TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_GCM\_SHA384 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c02c | 
| **OpenSSL —** ECDHE-RSA-AES256-GCM-SHA384<br />**IANA**：TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c030 | 
| **OpenSSL —** AES256-GCM-SHA384<br />**IANA**：TLS\_RSA\_WITH\_AES\_256\_GCM\_SHA384 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 9d | 
| **OpenSSL —** ECDHE-ECDSA-AES128-GCM-SHA256<br />**IANA**：TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_GCM\_SHA256 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c02b | 
| **OpenSSL —** ECDHE-RSA-AES128-GCM-SHA256<br />**IANA**：TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c02f | 
| **OpenSSL —** ECDHE-ECDSA-AES256-SHA384<br />**IANA**：TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA384 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c024 | 
| **OpenSSL —** ECDHE-RSA-AES256-SHA384<br />**IANA**：TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA384 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c028 | 
| **OpenSSL —** ECDHE-ECDSA-AES128-SHA256<br />**IANA**：TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA256 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c023 | 
| **OpenSSL —** ECDHE-RSA-AES128-SHA256<br />**IANA**：TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA256 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c027 | 
| **OpenSSL —** ECDHE-ECDSA-AES256-SHA<br />**IANA**：TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c00a | 
| **OpenSSL —** ECDHE-RSA-AES256-SHA<br />**IANA**：TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c014 | 
| **OpenSSL —** ECDHE-ECDSA-AES128-SHA<br />**IANA**：TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c009 | 
| **OpenSSL —** ECDHE-RSA-AES128-SHA<br />**IANA**：TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c013 | 
| **OpenSSL —** AES256-SHA256<br />**IANA**：TLS\_RSA\_WITH\_AES\_256\_CBC\_SHA256 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 3d | 
| **OpenSSL —** AES256-SHA<br />**IANA**：TLS\_RSA\_WITH\_AES\_256\_CBC\_SHA |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 35 | 
| **OpenSSL —** AES128-GCM-SHA256<br />**IANA**：TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 9c | 
| **OpenSSL —** AES128-SHA256<br />**IANA**：TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA256 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 3c | 
| **OpenSSL —** AES128-SHA<br />**IANA**：TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 2f | 

## FS 支持的策略
<a name="fs-supported-policies"></a>

FS（向前保密）支持的安全策略通过使用唯一的随机会话密钥，提供了防止加密数据被窃听的额外保障。即使秘密的长期密钥被泄露，这也可以防止对捕获的数据进行解码。

本节中的策略支持 FS，且其名称中包含“FS”字样。但是，这些并不是唯一支持 FS 的策略。仅支持 TLS 1.3 的策略支持向前保密 (FS)。支持 TLS 1.3 和 TLS 1.2 且仅包含 TLS\_\* 和 ECDHE\_\* 格式密码的策略也提供 FS。

**Topics**
+ [按策略划分的协议](#fs-protocols)
+ [按策略划分的密码](#fs-policy-ciphers)
+ [按密码划分的策略](#fs-cipher-policies)

### 按策略划分的协议
<a name="fs-protocols"></a>

下表描述了每个 FS 支持的安全策略支持的协议。


| 安全策略 | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 | 
| --- | --- | --- | --- | --- | 
| ELBSecurityPolicy-FS-1-2-Res-2020-10 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-FS-1-2-Res-2019-08 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-FS-1-2-2019-08 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-FS-1-1-2019-08 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | 
| ELBSecurityPolicy-FS-2018-06 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/negative_icon.png)没有 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | ![](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/images/success_icon.png) 是 | 

### 按策略划分的密码
<a name="fs-policy-ciphers"></a>

下表描述了每个 FS 支持的安全策略支持的密码。


| 安全策略 | 密码 | 
| --- | --- | 
| ELBSecurityPolicy-FS-1-2-Res-2020-10 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-FS-1-2-Res-2019-08 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-FS-1-2-2019-08 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-FS-1-1-2019-08 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 
| ELBSecurityPolicy-FS-2018-06 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | 

### 按密码划分的策略
<a name="fs-cipher-policies"></a>

下表描述了支持每个密码的 FS 支持的安全策略。


| 密码名称 | 安全策略 | 密码套件 | 
| --- | --- | --- | 
| **OpenSSL —** ECDHE-ECDSA-AES128-GCM-SHA256<br />**IANA**：TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_GCM\_SHA256 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c02b | 
| **OpenSSL —** ECDHE-RSA-AES128-GCM-SHA256<br />**IANA**：TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c02f | 
| **OpenSSL —** ECDHE-ECDSA-AES128-SHA256<br />**IANA**：TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA256 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c023 | 
| **OpenSSL —** ECDHE-RSA-AES128-SHA256<br />**IANA**：TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA256 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c027 | 
| **OpenSSL —** ECDHE-ECDSA-AES128-SHA<br />**IANA**：TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c009 | 
| **OpenSSL —** ECDHE-RSA-AES128-SHA<br />**IANA**：TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c013 | 
| **OpenSSL —** ECDHE-ECDSA-AES256-GCM-SHA384<br />**IANA**：TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_GCM\_SHA384 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c02c | 
| **OpenSSL —** ECDHE-RSA-AES256-GCM-SHA384<br />**IANA**：TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c030 | 
| **OpenSSL —** ECDHE-ECDSA-AES256-SHA384<br />**IANA**：TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA384 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c024 | 
| **OpenSSL —** ECDHE-RSA-AES256-SHA384<br />**IANA**：TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA384 |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c028 | 
| **OpenSSL —** ECDHE-ECDSA-AES256-SHA<br />**IANA**：TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c00a | 
| **OpenSSL —** ECDHE-RSA-AES256-SHA<br />**IANA**：TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA |  [See the AWS documentation website for more details](http://docs.amazonaws.cn/elasticloadbalancing/latest/application/describe-ssl-policies.html)  | c014 | 