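Supported protocols and ciphers between viewers and CloudFront
When you require HTTPS between viewers and your CloudFront distribution, you must choose a security policy, which determines the following settings:
- The minimum SSL/TLS protocol that CloudFront uses to communicate with viewers.
- The ciphers that CloudFront can use to encrypt the communication with viewers.
To choose a security policy, specify the applicable value for Security Policy (Minimum SSL/TLS Version). The following table lists the protocols and ciphers that CloudFront can use for each security policy.
A viewer must support at least one of the supported ciphers to establish an HTTPS connection with CloudFront. CloudFront chooses a cipher in the listed order from among the ciphers that the viewer supports. See also OpenSSL, s2n, and RFC cipher names.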
Security policy | SSLv3 | TLSv1 | TLSv1_2016 | TLSv1.1_2016 | TLSv1.2_2018 | TLSv1.2_2019 | TLSv1.2_2021 |
---|---|---|---|---|---|---|---|
Supported SSL/TLS protocols | | | | | | | |
TLSv1.3 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLSv1.2 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLSv1.1 | ♦ | ♦ | ♦ | ♦ | | | |
TLSv1 | ♦ | ♦ | ♦ | | | | |
SSLv3 | ♦ | | | | | | |
Supported TLSv1.3 ciphers | | | | | | | |
TLS_AES_128_GCM_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_AES_256_GCM_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
TLS_CHACHA20_POLY1305_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
Supported ECDSA ciphers | | | | | | | |
ECDHE-ECDSA-AES128-GCM-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
ECDHE-ECDSA-AES128-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | |
ECDHE-ECDSA-AES128-SHA | ♦ | ♦ | ♦ | ♦ | | | |
ECDHE-ECDSA-AES256-GCM-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
ECDHE-ECDSA-CHACHA20-POLY1305 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
ECDHE-ECDSA-AES256-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | |
ECDHE-ECDSA-AES256-SHA | ♦ | ♦ | ♦ | ♦ | | | |
Supported RSA ciphers | | | | | | | |
ECDHE-RSA-AES128-GCM-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
ECDHE-RSA-AES128-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | |
ECDHE-RSA-AES128-SHA | ♦ | ♦ | ♦ | ♦ | | | |
ECDHE-RSA-AES256-GCM-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
ECDHE-RSA-CHACHA20-POLY1305 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |
ECDHE-RSA-AES256-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | |
ECDHE-RSA-AES256-SHA | ♦ | ♦ | ♦ | ♦ | | | |
AES128-GCM-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | | |
AES256-GCM-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | | |
AES128-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | | |
AES256-SHA | ♦ | ♦ | ♦ | ♦ | | | |
AES128-SHA | ♦ | ♦ | ♦ | ♦ | | | |
DES-CBC3-SHA | ♦ | ♦ | | | | | |
RC4-MD5 | ♦ | | | | | | |
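
The selection rule above (first cipher in listed order that the viewer also supports) can be checked against a candidate security policy before you raise it. The following is an added example, not AWS code: the data is transcribed from the table above, the function names and the sample viewer are constructed, and it compares cipher lists only, ignoring protocol version and certificate key type.

```python
# Policies in the table's column order. Every cipher row is marked for the
# first N columns only, so a single count N encodes the whole row.
POLICIES = ["SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016",
            "TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021"]

# (OpenSSL/s2n cipher name, number of policies that allow it), in listed order.
CIPHERS = [
    ("TLS_AES_128_GCM_SHA256", 7), ("TLS_AES_256_GCM_SHA384", 7),
    ("TLS_CHACHA20_POLY1305_SHA256", 7),
    ("ECDHE-ECDSA-AES128-GCM-SHA256", 7), ("ECDHE-ECDSA-AES128-SHA256", 6),
    ("ECDHE-ECDSA-AES128-SHA", 4), ("ECDHE-ECDSA-AES256-GCM-SHA384", 7),
    ("ECDHE-ECDSA-CHACHA20-POLY1305", 7), ("ECDHE-ECDSA-AES256-SHA384", 6),
    ("ECDHE-ECDSA-AES256-SHA", 4),
    ("ECDHE-RSA-AES128-GCM-SHA256", 7), ("ECDHE-RSA-AES128-SHA256", 6),
    ("ECDHE-RSA-AES128-SHA", 4), ("ECDHE-RSA-AES256-GCM-SHA384", 7),
    ("ECDHE-RSA-CHACHA20-POLY1305", 7), ("ECDHE-RSA-AES256-SHA384", 6),
    ("ECDHE-RSA-AES256-SHA", 4),
    ("AES128-GCM-SHA256", 5), ("AES256-GCM-SHA384", 5), ("AES128-SHA256", 5),
    ("AES256-SHA", 4), ("AES128-SHA", 4), ("DES-CBC3-SHA", 2), ("RC4-MD5", 1),
]

# Constructed sample: an old client that offers only CBC-mode SHA-1 suites.
LEGACY_VIEWER = ["AES128-SHA", "DES-CBC3-SHA", "ECDHE-RSA-AES128-SHA"]


def allowed_ciphers(policy):
    """Ciphers the policy permits, in the table's listed order."""
    idx = POLICIES.index(policy)  # raises ValueError for an unknown policy
    return [name for name, n in CIPHERS if idx < n]


def select_cipher(policy, viewer_ciphers):
    """First allowed cipher, in listed order, that the viewer also offers."""
    offered = set(viewer_ciphers)
    return next((c for c in allowed_ciphers(policy) if c in offered), None)


def policies_accepting(viewer_ciphers):
    """Policies under which this viewer still shares a cipher with CloudFront."""
    return [p for p in POLICIES if select_cipher(p, viewer_ciphers)]


if __name__ == "__main__":
    for policy in POLICIES:
        print(policy, "->", select_cipher(policy, LEGACY_VIEWER))
```

A `None` result means the viewer shares no cipher with that policy, so its HTTPS connection would fail once the policy is applied.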
OpenSSL, s2n, and RFC cipher names
OpenSSL and s2n
For ciphers with elliptic curve key exchange algorithms, CloudFront supports the following elliptic curves:
- prime256v1
- secp384r1
- X25519
OpenSSL and s2n cipher name | RFC cipher name |
---|---|
Supported TLSv1.3 ciphers | |
TLS_AES_128_GCM_SHA256 | TLS_AES_128_GCM_SHA256 |
TLS_AES_256_GCM_SHA384 | TLS_AES_256_GCM_SHA384 |
TLS_CHACHA20_POLY1305_SHA256 | TLS_CHACHA20_POLY1305_SHA256 |
Supported ECDSA ciphers | |
ECDHE-ECDSA-AES128-GCM-SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
ECDHE-ECDSA-AES128-SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
ECDHE-ECDSA-AES128-SHA | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
ECDHE-ECDSA-AES256-GCM-SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
ECDHE-ECDSA-CHACHA20-POLY1305 | TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 |
ECDHE-ECDSA-AES256-SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
ECDHE-ECDSA-AES256-SHA | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
Supported RSA ciphers | |
ECDHE-RSA-AES128-GCM-SHA256 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
ECDHE-RSA-AES128-SHA256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
ECDHE-RSA-AES128-SHA | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
ECDHE-RSA-AES256-GCM-SHA384 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
ECDHE-RSA-CHACHA20-POLY1305 | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 |
ECDHE-RSA-AES256-SHA384 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
ECDHE-RSA-AES256-SHA | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
AES128-GCM-SHA256 | TLS_RSA_WITH_AES_128_GCM_SHA256 |
AES256-GCM-SHA384 | TLS_RSA_WITH_AES_256_GCM_SHA384 |
AES128-SHA256 | TLS_RSA_WITH_AES_128_CBC_SHA256 |
AES256-SHA | TLS_RSA_WITH_AES_256_CBC_SHA |
AES128-SHA | TLS_RSA_WITH_AES_128_CBC_SHA |
DES-CBC3-SHA | TLS_RSA_WITH_3DES_EDE_CBC_SHA |
RC4-MD5 | TLS_RSA_WITH_RC4_128_MD5 |
Supported signature schemes between viewers and CloudFront
CloudFront supports the following signature schemes for connections between viewers and CloudFront.
- TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA256
- TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA384
- TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA512
- TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA256
- TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA384
- TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA512
- TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA256
- TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA384
- TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA512
- TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA224
- TLS_SIGNATURE_SCHEME_ECDSA_SHA256
- TLS_SIGNATURE_SCHEME_ECDSA_SHA384
- TLS_SIGNATURE_SCHEME_ECDSA_SHA512
- TLS_SIGNATURE_SCHEME_ECDSA_SHA224
- TLS_SIGNATURE_SCHEME_ECDSA_SECP256R1_SHA256
- TLS_SIGNATURE_SCHEME_ECDSA_SECP384R1_SHA384
- TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA1
- TLS_SIGNATURE_SCHEME_ECDSA_SHA1