Protocols by policy Ciphers by policy Policies by cipher

Predefined SSL security policies for Classic Load Balancers

You can choose one of the predefined security policies for your HTTPS/SSL listeners. You can use one of the ELBSecurityPolicy-TLS policies to meet compliance and security standards that require disabling certain TLS protocol versions. Alternatively, you can create a custom security policy. For more information, see Update the SSL negotiation configuration.

The RSA- and DSA-based ciphers are specific to the signing algorithm used to create SSL certificate. Make sure to create an SSL certificate using the signing algorithm that is based on the ciphers that are enabled for your security policy.

If you select a policy that is enabled for Server Order Preference, the load balancer uses the ciphers in the order that they are specified here to negotiate connections between the client and load balancer. Otherwise, the load balancer uses the ciphers in the order that they are presented by the client.

The following sections describe the most recent predefined security policies for Classic Load Balancers, including their enabled SSL protocols and SSL ciphers. You can also describe the predefined policies using the describe-load-balancer-policies command.

Tip

This information applies only to Classic Load Balancers. For information that applies to other load balancers, see Security policies for your Application Load Balancer and Security policies for your Network Load Balancer.

Protocols by policy
Ciphers by policy
Policies by cipher

Protocols by policy

The following table describes the TLS protocols that each security policy supports.

Security policies	TLS 1.2	TLS 1.1	TLS 1.0
ELBSecurityPolicy-TLS-1-2-2017-01	Yes	No	No
ELBSecurityPolicy-TLS-1-1-2017-01	Yes	Yes	No
ELBSecurityPolicy-2016-08	Yes	Yes	Yes
ELBSecurityPolicy-2015-05	Yes	Yes	Yes
ELBSecurityPolicy-2015-03	Yes	Yes	Yes
ELBSecurityPolicy-2015-02	Yes	Yes	Yes

Ciphers by policy

The following table describes the ciphers that each security policy supports.

Security policy	Ciphers
ELBSecurityPolicy-TLS-1-2-2017-01	ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 AES128-GCM-SHA256 AES128-SHA256 AES128-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA
ELBSecurityPolicy-TLS-1-1-2017-01	ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA
ELBSecurityPolicy-2016-08	ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA
ELBSecurityPolicy-2015-05	ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA DES-CBC3-SHA
ELBSecurityPolicy-2015-03	ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA DES-CBC3-SHA
ELBSecurityPolicy-2015-02	ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA

Policies by cipher

The following table describes the security policies that support each cipher.

Cipher name	Security policies	Cipher suite
OpenSSL – ECDHE-ECDSA-AES128-GCM-SHA256 IANA – TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256	ELBSecurityPolicy-TLS-1-2-2017-01 ELBSecurityPolicy-TLS-1-1-2017-01 ELBSecurityPolicy-2016-08 ELBSecurityPolicy-2015-05 ELBSecurityPolicy-2015-03 ELBSecurityPolicy-2015-02	c02b
OpenSSL – ECDHE-RSA-AES128-GCM-SHA256 IANA – TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256	ELBSecurityPolicy-TLS-1-2-2017-01 ELBSecurityPolicy-TLS-1-1-2017-01 ELBSecurityPolicy-2016-08 ELBSecurityPolicy-2015-05 ELBSecurityPolicy-2015-03 ELBSecurityPolicy-2015-02	c02f
OpenSSL – ECDHE-ECDSA-AES128-SHA256 IANA – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256	ELBSecurityPolicy-TLS-1-2-2017-01 ELBSecurityPolicy-TLS-1-1-2017-01 ELBSecurityPolicy-2016-08 ELBSecurityPolicy-2015-05 ELBSecurityPolicy-2015-03 ELBSecurityPolicy-2015-02	c023
OpenSSL – ECDHE-RSA-AES128-SHA256 IANA – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256	ELBSecurityPolicy-TLS-1-2-2017-01 ELBSecurityPolicy-TLS-1-1-2017-01 ELBSecurityPolicy-2016-08 ELBSecurityPolicy-2015-05 ELBSecurityPolicy-2015-03 ELBSecurityPolicy-2015-02	c027
OpenSSL – ECDHE-ECDSA-AES128-SHA IANA – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA	ELBSecurityPolicy-TLS-1-1-2017-01 ELBSecurityPolicy-2016-08 ELBSecurityPolicy-2015-05 ELBSecurityPolicy-2015-03 ELBSecurityPolicy-2015-02	c009
OpenSSL – ECDHE-RSA-AES128-SHA IANA – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA	ELBSecurityPolicy-TLS-1-1-2017-01 ELBSecurityPolicy-2016-08 ELBSecurityPolicy-2015-05 ELBSecurityPolicy-2015-03 ELBSecurityPolicy-2015-02	c013
OpenSSL – ECDHE-ECDSA-AES256-GCM-SHA384 IANA – TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384	ELBSecurityPolicy-TLS-1-2-2017-01 ELBSecurityPolicy-TLS-1-1-2017-01 ELBSecurityPolicy-2016-08 ELBSecurityPolicy-2015-05 ELBSecurityPolicy-2015-03 ELBSecurityPolicy-2015-02	c02c
OpenSSL – ECDHE-RSA-AES256-GCM-SHA384 IANA – TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	ELBSecurityPolicy-TLS-1-2-2017-01 ELBSecurityPolicy-TLS-1-1-2017-01 ELBSecurityPolicy-2016-08 ELBSecurityPolicy-2015-05 ELBSecurityPolicy-2015-03 ELBSecurityPolicy-2015-02	c030
OpenSSL – ECDHE-ECDSA-AES256-SHA384 IANA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384	ELBSecurityPolicy-TLS-1-2-2017-01 ELBSecurityPolicy-TLS-1-1-2017-01 ELBSecurityPolicy-2016-08 ELBSecurityPolicy-2015-05 ELBSecurityPolicy-2015-03 ELBSecurityPolicy-2015-02	c024
OpenSSL – ECDHE-RSA-AES256-SHA384 IANA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384	ELBSecurityPolicy-TLS-1-2-2017-01 ELBSecurityPolicy-TLS-1-1-2017-01 ELBSecurityPolicy-2016-08 ELBSecurityPolicy-2015-05 ELBSecurityPolicy-2015-03 ELBSecurityPolicy-2015-02	c028
OpenSSL – ECDHE-ECDSA-AES256-SHA IANA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA	ELBSecurityPolicy-TLS-1-1-2017-01 ELBSecurityPolicy-2016-08 ELBSecurityPolicy-2015-05 ELBSecurityPolicy-2015-03 ELBSecurityPolicy-2015-02	c014
OpenSSL – ECDHE-RSA-AES256-SHA IANA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA	ELBSecurityPolicy-TLS-1-1-2017-01 ELBSecurityPolicy-2016-08 ELBSecurityPolicy-2015-05 ELBSecurityPolicy-2015-03 ELBSecurityPolicy-2015-02	c00a
OpenSSL – AES128-GCM-SHA256 IANA – TLS_RSA_WITH_AES_128_GCM_SHA256	ELBSecurityPolicy-TLS-1-2-2017-01 ELBSecurityPolicy-TLS-1-1-2017-01 ELBSecurityPolicy-2016-08 ELBSecurityPolicy-2015-05 ELBSecurityPolicy-2015-03 ELBSecurityPolicy-2015-02	9c
OpenSSL – AES128-SHA256 IANA – TLS_RSA_WITH_AES_128_CBC_SHA256	ELBSecurityPolicy-TLS-1-2-2017-01 ELBSecurityPolicy-TLS-1-1-2017-01 ELBSecurityPolicy-2016-08 ELBSecurityPolicy-2015-05 ELBSecurityPolicy-2015-03 ELBSecurityPolicy-2015-02	3c
OpenSSL – AES128-SHA IANA – TLS_RSA_WITH_AES_128_CBC_SHA	ELBSecurityPolicy-TLS-1-1-2017-01 ELBSecurityPolicy-2016-08 ELBSecurityPolicy-2015-05 ELBSecurityPolicy-2015-03 ELBSecurityPolicy-2015-02	2f
OpenSSL – AES256-GCM-SHA384 IANA – TLS_RSA_WITH_AES_256_GCM_SHA384	ELBSecurityPolicy-TLS-1-2-2017-01 ELBSecurityPolicy-TLS-1-1-2017-01 ELBSecurityPolicy-2016-08 ELBSecurityPolicy-2015-05 ELBSecurityPolicy-2015-03 ELBSecurityPolicy-2015-02	9d
OpenSSL – AES256-SHA256 IANA – TLS_RSA_WITH_AES_256_CBC_SHA256	ELBSecurityPolicy-TLS-1-2-2017-01 ELBSecurityPolicy-TLS-1-1-2017-01 ELBSecurityPolicy-2016-08 ELBSecurityPolicy-2015-05 ELBSecurityPolicy-2015-03 ELBSecurityPolicy-2015-02	3d
OpenSSL – AES256-SHA IANA – TLS_RSA_WITH_AES_256_CBC_SHA	ELBSecurityPolicy-TLS-1-1-2017-01 ELBSecurityPolicy-2016-08 ELBSecurityPolicy-2015-05 ELBSecurityPolicy-2015-03 ELBSecurityPolicy-2015-02	35
OpenSSL – DHE-RSA-AES128-SHA IANA – TLS_DHE_RSA_WITH_AES_128_CBC_SHA	ELBSecurityPolicy-2015-03 ELBSecurityPolicy-2015-02	33
OpenSSL – DHE-DSS-AES128-SHA IANA – TLS_DHE_DSS_WITH_AES_128_CBC_SHA	ELBSecurityPolicy-2015-03 ELBSecurityPolicy-2015-02	32
OpenSSL – DES-CBC3-SHA IANA – TLS_RSA_WITH_3DES_EDE_CBC_SHA	ELBSecurityPolicy-2015-05 ELBSecurityPolicy-2015-03	0a

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

SSL negotiation configurations

Create an HTTPS load balancer

Predefined SSL security policies for Classic Load Balancers

Tip

Contents

Protocols by policy

Ciphers by policy

Policies by cipher