Security policies for your Application Load Balancer - Elastic Load Balancing


Security policies for your Application Load Balancer

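Elastic Load Balancing uses a Secure Socket Layer (SSL) negotiation configuration, known as a security policy, to negotiate SSL connections between a client and the load balancer. A security policy is a combination of protocols and ciphers. The protocol establishes a secure connection between a client and a server and ensures that all data passed between the client and your load balancer is private. A cipher is an encryption algorithm that uses encryption keys to create a coded message. Protocols use several ciphers to encrypt data over the internet. During the connection negotiation process, the client and the load balancer each present a list of the ciphers and protocols they support, in order of preference. By default, the first cipher on the server's list that matches any one of the client's ciphers is selected for the secure connection.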
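The server-preference selection described above can be checked offline against a policy's cipher list. The following Python sketch is an added example, not AWS code: the cipher lists are copied from the "Ciphers by policy" tables on this page, the table order is assumed to be the load balancer's preference order, and the client profiles and the `cert_key` parameter are constructed for illustration.

```python
# Cipher lists copied from the "Ciphers by policy" tables on this page.
# Assumption: the table order is the load balancer's preference order.
POLICIES = {
    "ELBSecurityPolicy-TLS13-1-2-2021-06": [
        "TLS_AES_128_GCM_SHA256",
        "TLS_AES_256_GCM_SHA384",
        "TLS_CHACHA20_POLY1305_SHA256",
        "ECDHE-ECDSA-AES128-GCM-SHA256",
        "ECDHE-RSA-AES128-GCM-SHA256",
        "ECDHE-ECDSA-AES128-SHA256",
        "ECDHE-RSA-AES128-SHA256",
        "ECDHE-ECDSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-ECDSA-AES256-SHA384",
        "ECDHE-RSA-AES256-SHA384",
    ],
    "ELBSecurityPolicy-2016-08": [
        "ECDHE-ECDSA-AES128-GCM-SHA256",
        "ECDHE-RSA-AES128-GCM-SHA256",
        "ECDHE-ECDSA-AES128-SHA256",
        "ECDHE-RSA-AES128-SHA256",
        "ECDHE-ECDSA-AES128-SHA",
        "ECDHE-RSA-AES128-SHA",
        "ECDHE-ECDSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-ECDSA-AES256-SHA384",
        "ECDHE-RSA-AES256-SHA384",
        "ECDHE-ECDSA-AES256-SHA",
        "ECDHE-RSA-AES256-SHA",
        "AES128-GCM-SHA256",
        "AES128-SHA256",
        "AES128-SHA",
        "AES256-GCM-SHA384",
        "AES256-SHA256",
        "AES256-SHA",
    ],
}

# Constructed client profiles, each in the client's own preference order.
CLIENTS = {
    "modern": ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
               "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"],
    "tls12_only": ["ECDHE-RSA-AES256-GCM-SHA384",
                   "ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA"],
    "legacy": ["AES256-SHA", "AES128-SHA"],
}


def usable_with_cert(cipher, cert_key):
    """Check the suite's authentication algorithm against the certificate key."""
    if cipher.startswith("TLS_"):          # TLS 1.3 suites do not name the key type
        return True
    if cipher.startswith("ECDHE-ECDSA-"):
        return cert_key == "ECDSA"
    return cert_key == "RSA"               # ECDHE-RSA-* and static-RSA suites


def has_forward_secrecy(cipher):
    """TLS 1.3 and ECDHE suites use ephemeral keys; static-RSA suites do not."""
    return cipher.startswith(("TLS_", "ECDHE-"))


def select_cipher(policy, client_ciphers, cert_key="RSA"):
    """Return the first cipher in the server's list that the client also offers."""
    offered = set(client_ciphers)
    for cipher in POLICIES[policy]:
        if cipher in offered and usable_with_cert(cipher, cert_key):
            return cipher
    return None                            # no common cipher: handshake fails


def audit(policy, clients=CLIENTS, cert_key="RSA"):
    """Map each client to (selected cipher, forward secrecy) or (None, None)."""
    report = {}
    for name, ciphers in clients.items():
        chosen = select_cipher(policy, ciphers, cert_key)
        report[name] = (chosen, has_forward_secrecy(chosen) if chosen else None)
    return report


if __name__ == "__main__":
    for policy in POLICIES:
        print(policy, audit(policy))
```

The modern client lists AES-256 first, but the selection follows the server's order; the legacy client fails the handshake on the recommended policy and falls back to a static-RSA suite without forward secrecy on ELBSecurityPolicy-2016-08.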

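Considerations
  • Application Load Balancers support SSL renegotiation for target connections only.

  • Application Load Balancers do not support custom security policies.

  • The ELBSecurityPolicy-TLS13-1-2-2021-06 policy is the default security policy for HTTPS listeners created using the AWS Management Console.

  • The ELBSecurityPolicy-2016-08 policy is the default security policy for HTTPS listeners created using the AWS CLI.

  • When you create an HTTPS listener, you must select a security policy.

    • We recommend the ELBSecurityPolicy-TLS13-1-2-2021-06 security policy, which includes TLS 1.3 and is backward compatible with TLS 1.2.

  • You can choose the security policy that is used for front-end connections, but not for backend connections.

    • For backend connections, if any of your HTTPS listeners use a TLS 1.3 security policy, the ELBSecurityPolicy-TLS13-1-0-2021-06 security policy is used. Otherwise, the ELBSecurityPolicy-2016-08 security policy is used for backend connections.

  • To meet compliance and security standards that require disabling certain TLS protocol versions, or to support legacy clients that require deprecated ciphers, you can use one of the ELBSecurityPolicy-TLS- security policies. To view the TLS protocol version for requests to your Application Load Balancer, enable access logging for your load balancer and examine the corresponding access log entries. For more information, see Access logs for your Application Load Balancer.

  • You can restrict which security policies users can use across your AWS accounts and AWS Organizations by using the Elastic Load Balancing condition keys in your IAM policies and service control policies (SCPs), respectively. For more information, see Service control policies (SCPs) in the AWS Organizations User Guide.

  • Application Load Balancers support TLS resumption using PSK (TLS 1.3) and session IDs/session tickets (TLS 1.2 and earlier). Resumption is supported only for connections to the same Application Load Balancer IP address. The 0-RTT Data feature and the early_data extension are not implemented.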
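Before moving a listener to a policy that disables older protocol versions, the access log check mentioned above can be scripted. The following Python sketch is an added example, not AWS code: it assumes the standard ALB access log layout, in which client:port, ssl_cipher and ssl_protocol are fields 3, 14 and 15 (0-based) after quote-aware splitting, and it runs on constructed log entries with trailing fields omitted.

```python
import re
import shlex
from collections import Counter

# Assumed 0-based field positions in an ALB access log entry.
CLIENT, SSL_CIPHER, SSL_PROTOCOL = 3, 14, 15


def _entry(kind, client, cipher, proto):
    """Build one constructed log entry (fields after the trace ID omitted)."""
    return (
        f'{kind} 2024-01-15T10:00:00.100000Z app/example-alb/0123456789abcdef '
        f'{client} 10.0.1.5:443 0.001 0.002 0.000 200 200 120 512 '
        f'"GET https://example.com:443/ HTTP/1.1" "example-agent/1.0" '
        f'{cipher} {proto} '
        'arn:aws:elasticloadbalancing:us-east-1:111122223333:'
        'targetgroup/example/0123456789abcdef '
        '"Root=1-00000000-000000000000000000000000"'
    )


# Constructed sample: three TLS requests and one plain-HTTP request.
SAMPLE_LOG = "\n".join([
    _entry("h2", "198.51.100.10:44321", "TLS_AES_128_GCM_SHA256", "TLSv1.3"),
    _entry("https", "198.51.100.11:51000", "ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2"),
    _entry("https", "203.0.113.7:40022", "AES128-SHA", "TLSv1"),
    _entry("http", "198.51.100.12:39000", "-", "-"),
])


def _version(proto):
    """Turn 'TLSv1.2' (or 'TLSv1') into a comparable (major, minor) tuple."""
    m = re.fullmatch(r"TLSv(\d+)(?:\.(\d+))?", proto)
    if not m:
        return (0, 0)                      # unknown label sorts below any TLS version
    return (int(m.group(1)), int(m.group(2) or 0))


def tls_requests(log_text):
    """Yield (client_ip, protocol, cipher) for every TLS request in the log."""
    for line in log_text.splitlines():
        try:
            fields = shlex.split(line)     # keeps quoted request/user-agent intact
        except ValueError:
            continue                       # unbalanced quotes: skip the entry
        if len(fields) <= SSL_PROTOCOL or fields[SSL_PROTOCOL] == "-":
            continue                       # short line or plain HTTP
        client_ip = fields[CLIENT].rsplit(":", 1)[0]
        yield client_ip, fields[SSL_PROTOCOL], fields[SSL_CIPHER]


def protocol_counts(log_text):
    """Count requests per negotiated TLS protocol version."""
    return Counter(proto for _, proto, _ in tls_requests(log_text))


def clients_below(log_text, minimum="TLSv1.2"):
    """List clients that negotiated a version older than `minimum`."""
    floor = _version(minimum)
    hits = {r for r in tls_requests(log_text) if _version(r[1]) < floor}
    return sorted(hits)


if __name__ == "__main__":
    print(dict(protocol_counts(SAMPLE_LOG)))
    print(clients_below(SAMPLE_LOG))
```

Clients returned by `clients_below` are the ones that would fail to connect after switching to a policy whose minimum version is the given value.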

You can describe the protocols and ciphers using the describe-ssl-policies AWS CLI command, or refer to the tables below.

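TLS security policies

You can use the TLS security policies to meet compliance and security standards that require disabling certain TLS protocol versions, or to support legacy clients that require deprecated ciphers.

Protocols by policy

The following table describes the protocols that each TLS security policy supports.

| Security policy | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 |
|---|---|---|---|---|
| ELBSecurityPolicy-TLS13-1-3-2021-06 | Yes | No | No | No |
| ELBSecurityPolicy-TLS13-1-2-2021-06 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Res-2021-06 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-1-2021-06 | Yes | Yes | Yes | No |
| ELBSecurityPolicy-TLS13-1-0-2021-06 | Yes | Yes | Yes | Yes |
| ELBSecurityPolicy-TLS-1-2-Ext-2018-06 | No | Yes | No | No |
| ELBSecurityPolicy-TLS-1-2-2017-01 | No | Yes | No | No |
| ELBSecurityPolicy-TLS-1-1-2017-01 | No | Yes | Yes | No |
| ELBSecurityPolicy-2016-08 | No | Yes | Yes | Yes |
| ELBSecurityPolicy-2015-05 | No | Yes | Yes | Yes |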

Ciphers by policy

The following table describes the ciphers that each TLS security policy supports.

Security policy / Ciphers
ELBSecurityPolicy-TLS13-1-3-2021-06
  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

ELBSecurityPolicy-TLS13-1-2-2021-06
  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

ELBSecurityPolicy-TLS13-1-2-Res-2021-06
  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06
  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06
  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES256-GCM-SHA384

  • AES256-SHA256

ELBSecurityPolicy-TLS13-1-1-2021-06
  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

ELBSecurityPolicy-TLS13-1-0-2021-06
  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

ELBSecurityPolicy-TLS-1-2-Ext-2018-06
  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

ELBSecurityPolicy-TLS-1-2-2017-01
  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES256-GCM-SHA384

  • AES256-SHA256

ELBSecurityPolicy-TLS-1-1-2017-01
  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

ELBSecurityPolicy-2016-08
  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

ELBSecurityPolicy-2015-05
  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

Policies by cipher

The following table describes the TLS security policies that support each cipher.

Cipher name / Security policies / Cipher suite

OpenSSL: TLS_AES_128_GCM_SHA256
IANA: TLS_AES_128_GCM_SHA256
  • ELBSecurityPolicy-TLS13-1-3-2021-06
  • ELBSecurityPolicy-TLS13-1-2-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Res-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06
  • ELBSecurityPolicy-TLS13-1-1-2021-06
  • ELBSecurityPolicy-TLS13-1-0-2021-06
Cipher suite: 1301

OpenSSL: TLS_AES_256_GCM_SHA384
IANA: TLS_AES_256_GCM_SHA384
  • ELBSecurityPolicy-TLS13-1-3-2021-06
  • ELBSecurityPolicy-TLS13-1-2-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Res-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06
  • ELBSecurityPolicy-TLS13-1-1-2021-06
  • ELBSecurityPolicy-TLS13-1-0-2021-06
Cipher suite: 1302

OpenSSL: TLS_CHACHA20_POLY1305_SHA256
IANA: TLS_CHACHA20_POLY1305_SHA256
  • ELBSecurityPolicy-TLS13-1-3-2021-06
  • ELBSecurityPolicy-TLS13-1-2-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Res-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06
  • ELBSecurityPolicy-TLS13-1-1-2021-06
  • ELBSecurityPolicy-TLS13-1-0-2021-06
Cipher suite: 1303

OpenSSL: ECDHE-ECDSA-AES128-GCM-SHA256
IANA: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • ELBSecurityPolicy-TLS13-1-2-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Res-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06
  • ELBSecurityPolicy-TLS13-1-1-2021-06
  • ELBSecurityPolicy-TLS13-1-0-2021-06
  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06
  • ELBSecurityPolicy-TLS-1-2-2017-01
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
Cipher suite: c02b

OpenSSL: ECDHE-RSA-AES128-GCM-SHA256
IANA: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • ELBSecurityPolicy-TLS13-1-2-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Res-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06
  • ELBSecurityPolicy-TLS13-1-1-2021-06
  • ELBSecurityPolicy-TLS13-1-0-2021-06
  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06
  • ELBSecurityPolicy-TLS-1-2-2017-01
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
Cipher suite: c02f

OpenSSL: ECDHE-ECDSA-AES128-SHA256
IANA: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • ELBSecurityPolicy-TLS13-1-2-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06
  • ELBSecurityPolicy-TLS13-1-1-2021-06
  • ELBSecurityPolicy-TLS13-1-0-2021-06
  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06
  • ELBSecurityPolicy-TLS-1-2-2017-01
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
Cipher suite: c023

OpenSSL: ECDHE-RSA-AES128-SHA256
IANA: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • ELBSecurityPolicy-TLS13-1-2-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06
  • ELBSecurityPolicy-TLS13-1-1-2021-06
  • ELBSecurityPolicy-TLS13-1-0-2021-06
  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06
  • ELBSecurityPolicy-TLS-1-2-2017-01
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
Cipher suite: c027

OpenSSL: ECDHE-ECDSA-AES128-SHA
IANA: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06
  • ELBSecurityPolicy-TLS13-1-1-2021-06
  • ELBSecurityPolicy-TLS13-1-0-2021-06
  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
Cipher suite: c009

OpenSSL: ECDHE-RSA-AES128-SHA
IANA: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06
  • ELBSecurityPolicy-TLS13-1-1-2021-06
  • ELBSecurityPolicy-TLS13-1-0-2021-06
  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
Cipher suite: c013

OpenSSL: ECDHE-ECDSA-AES256-GCM-SHA384
IANA: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • ELBSecurityPolicy-TLS13-1-2-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Res-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06
  • ELBSecurityPolicy-TLS13-1-1-2021-06
  • ELBSecurityPolicy-TLS13-1-0-2021-06
  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06
  • ELBSecurityPolicy-TLS-1-2-2017-01
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
Cipher suite: c02c

OpenSSL: ECDHE-RSA-AES256-GCM-SHA384
IANA: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • ELBSecurityPolicy-TLS13-1-2-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Res-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06
  • ELBSecurityPolicy-TLS13-1-1-2021-06
  • ELBSecurityPolicy-TLS13-1-0-2021-06
  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06
  • ELBSecurityPolicy-TLS-1-2-2017-01
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
Cipher suite: c030

OpenSSL: ECDHE-ECDSA-AES256-SHA384
IANA: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • ELBSecurityPolicy-TLS13-1-2-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06
  • ELBSecurityPolicy-TLS13-1-1-2021-06
  • ELBSecurityPolicy-TLS13-1-0-2021-06
  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06
  • ELBSecurityPolicy-TLS-1-2-2017-01
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
Cipher suite: c024

OpenSSL: ECDHE-RSA-AES256-SHA384
IANA: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • ELBSecurityPolicy-TLS13-1-2-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06
  • ELBSecurityPolicy-TLS13-1-1-2021-06
  • ELBSecurityPolicy-TLS13-1-0-2021-06
  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06
  • ELBSecurityPolicy-TLS-1-2-2017-01
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
Cipher suite: c028

OpenSSL: ECDHE-ECDSA-AES256-SHA
IANA: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06
  • ELBSecurityPolicy-TLS13-1-1-2021-06
  • ELBSecurityPolicy-TLS13-1-0-2021-06
  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
Cipher suite: c00a

OpenSSL: ECDHE-RSA-AES256-SHA
IANA: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06
  • ELBSecurityPolicy-TLS13-1-1-2021-06
  • ELBSecurityPolicy-TLS13-1-0-2021-06
  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
Cipher suite: c014

OpenSSL: AES128-GCM-SHA256
IANA: TLS_RSA_WITH_AES_128_GCM_SHA256
  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06
  • ELBSecurityPolicy-TLS13-1-1-2021-06
  • ELBSecurityPolicy-TLS13-1-0-2021-06
  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06
  • ELBSecurityPolicy-TLS-1-2-2017-01
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
Cipher suite: 9c

OpenSSL: AES128-SHA256
IANA: TLS_RSA_WITH_AES_128_CBC_SHA256
  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06
  • ELBSecurityPolicy-TLS13-1-1-2021-06
  • ELBSecurityPolicy-TLS13-1-0-2021-06
  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06
  • ELBSecurityPolicy-TLS-1-2-2017-01
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
Cipher suite: 3c

OpenSSL: AES128-SHA
IANA: TLS_RSA_WITH_AES_128_CBC_SHA
  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06
  • ELBSecurityPolicy-TLS13-1-1-2021-06
  • ELBSecurityPolicy-TLS13-1-0-2021-06
  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
Cipher suite: 2f

OpenSSL: AES256-GCM-SHA384
IANA: TLS_RSA_WITH_AES_256_GCM_SHA384
  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06
  • ELBSecurityPolicy-TLS13-1-1-2021-06
  • ELBSecurityPolicy-TLS13-1-0-2021-06
  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06
  • ELBSecurityPolicy-TLS-1-2-2017-01
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
Cipher suite: 9d

OpenSSL: AES256-SHA256
IANA: TLS_RSA_WITH_AES_256_CBC_SHA256
  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06
  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06
  • ELBSecurityPolicy-TLS13-1-1-2021-06
  • ELBSecurityPolicy-TLS13-1-0-2021-06
  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06
  • ELBSecurityPolicy-TLS-1-2-2017-01
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
Cipher suite: 3d

OpenSSL: AES256-SHA
IANA: TLS_RSA_WITH_AES_256_CBC_SHA
  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06
  • ELBSecurityPolicy-TLS13-1-1-2021-06
  • ELBSecurityPolicy-TLS13-1-0-2021-06
  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06
  • ELBSecurityPolicy-TLS-1-1-2017-01
  • ELBSecurityPolicy-2016-08
Cipher suite: 35

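FIPS security policies

Important

All secure listeners attached to an Application Load Balancer must use either FIPS security policies or non-FIPS security policies; they cannot be mixed. If an existing Application Load Balancer has two or more listeners using non-FIPS policies and you want the listeners to use FIPS security policies instead, remove listeners until only one remains. Change the security policy of that listener to FIPS, and then create additional listeners using FIPS security policies. Alternatively, you can create a new Application Load Balancer with new listeners that use only FIPS security policies.

The Federal Information Processing Standard (FIPS) is a US and Canadian government standard that specifies the security requirements for cryptographic modules that protect sensitive information. To learn more, see Federal Information Processing Standard (FIPS) 140 on the AWS Cloud Security Compliance page.

All FIPS policies use the AWS-LC FIPS validated cryptographic module. To learn more, see the AWS-LC Cryptographic Module page on the NIST Cryptographic Module Validation Program site.

Important

Policies ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04 and ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04 are provided for legacy compatibility only. While they use FIPS cryptography through the FIPS140 module, they may not conform to the latest NIST guidance for TLS configuration.

Protocols by policy

The following table describes the protocols that each FIPS security policy supports.

| Security policy | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 |
|---|---|---|---|---|
| ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04 | Yes | No | No | No |
| ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04 | Yes | Yes | Yes | No |
| ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04 | Yes | Yes | Yes | Yes |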

Ciphers by policy

The following table describes the ciphers that each FIPS security policy supports.

Security policy / Ciphers
ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04
  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04
  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04
  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04
  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04
  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES256-GCM-SHA384

  • AES256-SHA256

ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04
  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-AES256-SHA

ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04
  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04
  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

Policies by cipher

The following table describes the FIPS security policies that support each cipher.

Cipher name / Security policies / Cipher suite

OpenSSL: TLS_AES_128_GCM_SHA256
IANA: TLS_AES_128_GCM_SHA256
  • ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04
Cipher suite: 1301

OpenSSL: TLS_AES_256_GCM_SHA384
IANA: TLS_AES_256_GCM_SHA384
  • ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04
Cipher suite: 1302

OpenSSL: ECDHE-ECDSA-AES128-GCM-SHA256
IANA: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04
Cipher suite: c02b

OpenSSL: ECDHE-RSA-AES128-GCM-SHA256
IANA: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04
Cipher suite: c02f

OpenSSL: ECDHE-ECDSA-AES128-SHA256
IANA: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04
Cipher suite: c023

OpenSSL: ECDHE-RSA-AES128-SHA256
IANA: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04
Cipher suite: c027

OpenSSL: ECDHE-ECDSA-AES128-SHA
IANA: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04
Cipher suite: c009

OpenSSL: ECDHE-RSA-AES128-SHA
IANA: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04
Cipher suite: c013

OpenSSL: ECDHE-ECDSA-AES256-GCM-SHA384
IANA: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04
Cipher suite: c02c

OpenSSL: ECDHE-RSA-AES256-GCM-SHA384
IANA: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04
Cipher suite: c030

OpenSSL: ECDHE-ECDSA-AES256-SHA384
IANA: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04
Cipher suite: c024

OpenSSL: ECDHE-RSA-AES256-SHA384
IANA: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04
Cipher suite: c028

OpenSSL: ECDHE-ECDSA-AES256-SHA
IANA: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04
Cipher suite: c00a

OpenSSL: ECDHE-RSA-AES256-SHA
IANA: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04
Cipher suite: c014

OpenSSL: AES128-GCM-SHA256
IANA: TLS_RSA_WITH_AES_128_GCM_SHA256
  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04
Cipher suite: 9c

OpenSSL: AES128-SHA256
IANA: TLS_RSA_WITH_AES_128_CBC_SHA256
  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04
Cipher suite: 3c

OpenSSL: AES128-SHA
IANA: TLS_RSA_WITH_AES_128_CBC_SHA
  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04
Cipher suite: 2f

OpenSSL: AES256-GCM-SHA384
IANA: TLS_RSA_WITH_AES_256_GCM_SHA384
  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04
Cipher suite: 9d

OpenSSL: AES256-SHA256
IANA: TLS_RSA_WITH_AES_256_CBC_SHA256
  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04
Cipher suite: 3d

OpenSSL: AES256-SHA
IANA: TLS_RSA_WITH_AES_256_CBC_SHA
  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04
  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04
Cipher suite: 35

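FS supported policies

FS (Forward Secrecy) supported security policies provide additional safeguards against eavesdropping on encrypted data by using a unique random session key. This prevents captured data from being decoded, even if the secret long-term key is compromised.

Protocols by policy

The following table describes the protocols that each FS supported security policy supports.

| Security policy | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 |
|---|---|---|---|---|
| ELBSecurityPolicy-FS-1-2-Res-2020-10 | No | Yes | No | No |
| ELBSecurityPolicy-FS-1-2-Res-2019-08 | No | Yes | No | No |
| ELBSecurityPolicy-FS-1-2-2019-08 | No | Yes | No | No |
| ELBSecurityPolicy-FS-1-1-2019-08 | No | Yes | Yes | No |
| ELBSecurityPolicy-FS-2018-06 | No | Yes | Yes | Yes |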

Ciphers by policy

The following table describes the ciphers that each FS supported security policy supports.

Security policy / Ciphers
ELBSecurityPolicy-FS-1-2-Res-2020-10
  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

ELBSecurityPolicy-FS-1-2-Res-2019-08
  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

ELBSecurityPolicy-FS-1-2-2019-08
  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-AES256-SHA

ELBSecurityPolicy-FS-1-1-2019-08
  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-AES256-SHA

ELBSecurityPolicy-FS-2018-06
  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-AES256-SHA

Policies by cipher

The following table describes the FS supported security policies that support each cipher.

Cipher name / Security policies / Cipher suite

OpenSSL: ECDHE-ECDSA-AES128-GCM-SHA256
IANA: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • ELBSecurityPolicy-FS-1-2-Res-2020-10
  • ELBSecurityPolicy-FS-1-2-Res-2019-08
  • ELBSecurityPolicy-FS-1-2-2019-08
  • ELBSecurityPolicy-FS-1-1-2019-08
  • ELBSecurityPolicy-FS-2018-06
Cipher suite: c02b

OpenSSL: ECDHE-RSA-AES128-GCM-SHA256
IANA: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • ELBSecurityPolicy-FS-1-2-Res-2020-10
  • ELBSecurityPolicy-FS-1-2-Res-2019-08
  • ELBSecurityPolicy-FS-1-2-2019-08
  • ELBSecurityPolicy-FS-1-1-2019-08
  • ELBSecurityPolicy-FS-2018-06
Cipher suite: c02f

OpenSSL: ECDHE-ECDSA-AES128-SHA256
IANA: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • ELBSecurityPolicy-FS-1-2-Res-2019-08
  • ELBSecurityPolicy-FS-1-2-2019-08
  • ELBSecurityPolicy-FS-1-1-2019-08
  • ELBSecurityPolicy-FS-2018-06
Cipher suite: c023

OpenSSL: ECDHE-RSA-AES128-SHA256
IANA: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • ELBSecurityPolicy-FS-1-2-Res-2019-08
  • ELBSecurityPolicy-FS-1-2-2019-08
  • ELBSecurityPolicy-FS-1-1-2019-08
  • ELBSecurityPolicy-FS-2018-06
Cipher suite: c027

OpenSSL: ECDHE-ECDSA-AES128-SHA
IANA: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • ELBSecurityPolicy-FS-1-2-2019-08
  • ELBSecurityPolicy-FS-1-1-2019-08
  • ELBSecurityPolicy-FS-2018-06
Cipher suite: c009

OpenSSL: ECDHE-RSA-AES128-SHA
IANA: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • ELBSecurityPolicy-FS-1-2-2019-08
  • ELBSecurityPolicy-FS-1-1-2019-08
  • ELBSecurityPolicy-FS-2018-06
Cipher suite: c013

OpenSSL: ECDHE-ECDSA-AES256-GCM-SHA384
IANA: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • ELBSecurityPolicy-FS-1-2-Res-2020-10
  • ELBSecurityPolicy-FS-1-2-Res-2019-08
  • ELBSecurityPolicy-FS-1-2-2019-08
  • ELBSecurityPolicy-FS-1-1-2019-08
  • ELBSecurityPolicy-FS-2018-06
Cipher suite: c02c

OpenSSL: ECDHE-RSA-AES256-GCM-SHA384
IANA: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • ELBSecurityPolicy-FS-1-2-Res-2020-10
  • ELBSecurityPolicy-FS-1-2-Res-2019-08
  • ELBSecurityPolicy-FS-1-2-2019-08
  • ELBSecurityPolicy-FS-1-1-2019-08
  • ELBSecurityPolicy-FS-2018-06
Cipher suite: c030

OpenSSL: ECDHE-ECDSA-AES256-SHA384
IANA: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • ELBSecurityPolicy-FS-1-2-Res-2019-08
  • ELBSecurityPolicy-FS-1-2-2019-08
  • ELBSecurityPolicy-FS-1-1-2019-08
  • ELBSecurityPolicy-FS-2018-06
Cipher suite: c024

OpenSSL: ECDHE-RSA-AES256-SHA384
IANA: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • ELBSecurityPolicy-FS-1-2-Res-2019-08
  • ELBSecurityPolicy-FS-1-2-2019-08
  • ELBSecurityPolicy-FS-1-1-2019-08
  • ELBSecurityPolicy-FS-2018-06
Cipher suite: c028

OpenSSL: ECDHE-ECDSA-AES256-SHA
IANA: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • ELBSecurityPolicy-FS-1-2-2019-08
  • ELBSecurityPolicy-FS-1-1-2019-08
  • ELBSecurityPolicy-FS-2018-06
Cipher suite: c00a

OpenSSL: ECDHE-RSA-AES256-SHA
IANA: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • ELBSecurityPolicy-FS-1-2-2019-08
  • ELBSecurityPolicy-FS-1-1-2019-08
  • ELBSecurityPolicy-FS-2018-06
Cipher suite: c014