本文為英文版的機器翻譯版本，如內容有任何歧義或不一致之處，概以英文版為準。

# 檢視器和 CloudFront 之間支援的通訊協定和密碼
<a name="secure-connections-supported-viewer-protocols-ciphers"></a>

當您[在檢視器和 CloudFront 分佈之間請求 HTTPS 時](DownloadDistValuesCacheBehavior.md#DownloadDistValuesViewerProtocolPolicy)，您必須選擇[安全性政策](DownloadDistValuesGeneral.md#DownloadDistValues-security-policy)，以決定下列設定。
+ CloudFront 用來與檢視者通訊的最低 SSL/TLS 通訊協定。
+ CloudFront 可用來加密與檢視器通訊的密碼。

若要選擇安全政策，請指定適用於 [安全政策 (最低 SSL/TLS 版本)](DownloadDistValuesGeneral.md#DownloadDistValues-security-policy) 的適用值。下表列出 CloudFront 可以用於每個安全原則的協定與密碼。

檢視器必須支援至少一個受支援的密碼，建立與 CloudFront 的 HTTPS 連線。CloudFront 從檢視器支援的密碼中依列出的順序選擇密碼。另請參閱[OpenSSL、S2n 和 RFC 密碼名稱](#secure-connections-openssl-rfc-cipher-names)。


|  | 安全政策 |  | SSLv3 | TLSv1 | TLSv1\_2016 | TLSv1.1\_2016 | TLSv1.2\_2018 | TLSv1.2\_2019 | TLSv1.2\_2021 | TLSv1.2\_2025 | TLSv1.3\_2025 | 
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | 
| 支援的 SSL/TLS 通訊協定 | 
| TLSv1.3 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| TLSv1.2 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |  | 
| TLSv1.1 | ♦ | ♦ | ♦ | ♦ |  |  |  |  |  | 
| TLSv1 | ♦ | ♦ | ♦ |  |  |  |  |  |  | 
| SSLv3 | ♦ |  |  |  |  |  |  |  |  | 
| 支援的 TLSv1.3 密碼 | 
| TLS\_AES\_128\_GCM\_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| TLS\_AES\_256\_GCM\_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| TLS\_CHACHA20\_POLY1305\_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |  | ♦ | 
| 支援的 ECDSA 密碼 | 
| ECDHE-ECDSA-AES128-GCM-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |  | 
| ECDHE-ECDSA-AES128-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |  |  |  | 
| ECDHE-ECDSA-AES128-SHA | ♦ | ♦ | ♦ | ♦ |  |  |  |  |  | 
| ECDHE-ECDSA-AES256-GCM-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |  | 
| ECDHE-ECDSA-CHACHA20-POLY1305 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |  |  | 
| ECDHE-ECDSA-AES256-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |  |  |  | 
| ECDHE-ECDSA-AES256-SHA | ♦ | ♦ | ♦ | ♦ |  |  |  |  |  | 
| 支援的 RSA 密碼 | 
| ECDHE-RSA-AES128-GCM-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |  | 
| ECDHE-RSA-AES128-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |  |  |  | 
| ECDHE-RSA-AES128-SHA | ♦ | ♦ | ♦ | ♦ |  |  |  |  |  | 
| ECDHE-RSA-AES256-GCM-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |  | 
| ECDHE-RSA-CHACHA20-POLY1305 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |  |  | 
| ECDHE-RSA-AES256-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |  |  |  | 
| ECDHE-RSA-AES256-SHA | ♦ | ♦ | ♦ | ♦ |  |  |  |  |  | 
| AES128-GCM-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ |  |  |  |  | 
| AES256-GCM-SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ |  |  |  |  | 
| AES128-SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ |  |  |  |  | 
| AES256-SHA | ♦ | ♦ | ♦ | ♦ |  |  |  |  |  | 
| AES128-SHA | ♦ | ♦ | ♦ | ♦ |  |  |  |  |  | 
| DES-CBC3-SHA | ♦ | ♦ |  |  |  |  |  |  |  | 
| RC4-MD5 | ♦ |  |  |  |  |  |  |  |  | 

## OpenSSL、S2n 和 RFC 密碼名稱
<a name="secure-connections-openssl-rfc-cipher-names"></a>

penSSL and [s2n](https://github.com/awslabs/s2n) 會使用與 TLS 標準不同的密碼名稱 ([RFC 2246](https://tools.ietf.org/html/rfc2246)、[RFC 4346](https://tools.ietf.org/html/rfc4346)、[RFC 5246](https://tools.ietf.org/html/rfc5246) 和 [RFC 8446](https://tools.ietf.org/html/rfc8446))。下表將 OpenSSL 和 s2n 名稱對應到每個密碼的 RFC 名稱。

CloudFront 支援傳統和量子安全金鑰交換。對於使用橢圓曲線的傳統金鑰交換，CloudFront 支援下列項目：
+ `prime256v1`
+ `X25519`
+ `secp384r1`

對於保護量子的金鑰交換，CloudFront 支援下列項目：
+ `X25519MLKEM768`
+ `SecP256r1MLKEM768`
**注意**  
TLS 1.3 僅支援 Quantum 安全金鑰交換。TLS 1.2 和舊版不支援規定人數安全金鑰交換。

  如需詳細資訊，請參閱下列主題：
  + [後量子密碼學](https://aws.amazon.com/security/post-quantum-cryptography/)
  + [密碼編譯演算法和 AWS 服務](https://docs.aws.amazon.com/prescriptive-guidance/latest/encryption-best-practices/aws-cryptography-services.html#algorithms)
  + [TLS 1.3 中的混合金鑰交換](https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/)

如需 CloudFront 憑證需求的詳細資訊，請參閱 [與 CloudFront 搭配使用 SSL/TLS 憑證的要求](cnames-and-https-requirements.md)。


| OpenSSL 和 s2n 密碼名稱 | RFC 密碼名稱 | 
| --- | --- | 
| 支援的 TLSv1.3 密碼 | 
| TLS\_AES\_128\_GCM\_SHA256 | TLS\_AES\_128\_GCM\_SHA256 | 
| TLS\_AES\_256\_GCM\_SHA384 | TLS\_AES\_256\_GCM\_SHA384 | 
| TLS\_CHACHA20\_POLY1305\_SHA256 | TLS\_CHACHA20\_POLY1305\_SHA256 | 
| 支援的 ECDSA 密碼 | 
| ECDHE-ECDSA-AES128-GCM-SHA256 | TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_GCM\_SHA256 | 
| ECDHE-ECDSA-AES128-SHA256 | TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA256 | 
| ECDHE-ECDSA-AES128-SHA | TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA | 
| ECDHE-ECDSA-AES256-GCM-SHA384 | TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_GCM\_SHA384 | 
| ECDHE-ECDSA-CHACHA20-POLY1305 | TLS\_ECDHE\_ECDSA\_WITH\_CHACHA20\_POLY1305\_SHA256 | 
| ECDHE-ECDSA-AES256-SHA384 | TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA384 | 
| ECDHE-ECDSA-AES256-SHA | TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA | 
| 支援的 RSA 密碼 | 
| ECDHE-RSA-AES128-GCM-SHA256 | TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256 | 
| ECDHE-RSA-AES128-SHA256 | TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA256  | 
| ECDHE-RSA-AES128-SHA | TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA | 
| ECDHE-RSA-AES256-GCM-SHA384 | TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384  | 
| ECDHE-RSA-CHACHA20-POLY1305 | TLS\_ECDHE\_RSA\_WITH\_CHACHA20\_POLY1305\_SHA256 | 
| ECDHE-RSA-AES256-SHA384 | TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA384  | 
| ECDHE-RSA-AES256-SHA | TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA | 
| AES128-GCM-SHA256 | TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256 | 
| AES256-GCM-SHA384 | TLS\_RSA\_WITH\_AES\_256\_GCM\_SHA384 | 
| AES128-SHA256 | TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA256 | 
| AES256-SHA | TLS\_RSA\_WITH\_AES\_256\_CBC\_SHA | 
| AES128-SHA | TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA | 
| DES-CBC3-SHA  | TLS\_RSA\_WITH\_3DES\_EDE\_CBC\_SHA  | 
| RC4-MD5 | TLS\_RSA\_WITH\_RC4\_128\_MD5 | 

## 檢視器和檢視器之間支援的簽名結構描述和 CloudFront
<a name="secure-connections-viewer-signature-schemes"></a>

CloudFront 支援下列簽名結構描述，用於與檢視器之間的連結和 CloudFront。


|  | 安全政策 | 簽章結構描述 | SSLv3 | TLSv1 | TLSv1\_2016 | TLSv1.1\_2016 | TLSv1.2\_2018 | TLSv1.2\_2019 |  TLSv1.2\_2021 | TLSv1.2\_2025 | TLSv1.3\_2025 | 
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | 
| TLS\_SIGNATURE\_SCHEME\_RSA\_PSS\_PSS\_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| TLS\_SIGNATURE\_SCHEME\_RSA\_PSS\_PSS\_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| TLS\_SIGNATURE\_SCHEME\_RSA\_PSS\_PSS\_SHA512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| TLS\_SIGNATURE\_SCHEME\_RSA\_PSS\_RSAE\_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| TLS\_SIGNATURE\_SCHEME\_RSA\_PSS\_RSAE\_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| TLS\_SIGNATURE\_SCHEME\_RSA\_PSS\_RSAE\_SHA512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| TLS\_SIGNATURE\_SCHEME\_RSA\_PKCS1\_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| TLS\_SIGNATURE\_SCHEME\_RSA\_PKCS1\_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| TLS\_SIGNATURE\_SCHEME\_RSA\_PKCS1\_SHA512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| TLS\_SIGNATURE\_SCHEME\_RSA\_PKCS1\_SHA224 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |  |  | 
| TLS\_SIGNATURE\_SCHEME\_ECDSA\_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| TLS\_SIGNATURE\_SCHEME\_ECDSA\_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| TLS\_SIGNATURE\_SCHEME\_ECDSA\_SHA512 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| TLS\_SIGNATURE\_SCHEME\_ECDSA\_SHA224 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ |  |  | 
| TLS\_SIGNATURE\_SCHEME\_ECDSA\_SECP256R1\_SHA256 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| TLS\_SIGNATURE\_SCHEME\_ECDSA\_SECP384R1\_SHA384 | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | ♦ | 
| TLS\_SIGNATURE\_SCHEME\_RSA\_PKCS1\_SHA1 | ♦ | ♦ | ♦ | ♦ |  |  |  |  |  | 
| TLS\_SIGNATURE\_SCHEME\_ECDSA\_SHA1 | ♦ | ♦ | ♦ | ♦ |  |  |  |  |  |