Predefined SSL security policies for Classic Load Balancers - Elastic Load Balancing

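You can choose one of the predefined security policies for your HTTPS/SSL listeners. You can use one of the ELBSecurityPolicy-TLS policies to meet compliance and security standards that require disabling certain TLS protocol versions. Alternatively, you can create a custom security policy. For more information, see Update the SSL configuration.

The RSA- and DSA-based ciphers are specific to the signing algorithm used to create the SSL certificate. Make sure to create the SSL certificate using a signing algorithm that matches the ciphers enabled for your security policy.

If you select a policy that is enabled for Server Order Preference, the load balancer uses the ciphers in the order that they are specified here to negotiate connections between the client and the load balancer. Otherwise, the load balancer uses the ciphers in the order that they are presented by the client.

The following sections describe the most recent predefined security policies for Classic Load Balancers, including their enabled SSL protocols and SSL ciphers. You can also describe the predefined policies using the describe-load-balancer-policies command.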
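The following added example (not part of the original documentation) shows one way to review the JSON that describe-load-balancer-policies returns: it separates the enabled protocols and ciphers, reads the Server Order Preference setting, and lists review findings. The sample input is constructed, its policy name is hypothetical, and the finding rules are this example's own assumptions.

```python
import json

# Constructed sample in the shape of `aws elb describe-load-balancer-policies`
# JSON output. The policy name and the abbreviated attribute list are made up.
SAMPLE_OUTPUT = """
{"PolicyDescriptions": [{
  "PolicyName": "example-constructed-policy",
  "PolicyTypeName": "SSLNegotiationPolicyType",
  "PolicyAttributeDescriptions": [
    {"AttributeName": "Protocol-TLSv1",   "AttributeValue": "true"},
    {"AttributeName": "Protocol-TLSv1.1", "AttributeValue": "true"},
    {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
    {"AttributeName": "Server-Defined-Cipher-Order", "AttributeValue": "false"},
    {"AttributeName": "ECDHE-RSA-AES128-GCM-SHA256", "AttributeValue": "true"},
    {"AttributeName": "AES128-SHA",         "AttributeValue": "true"},
    {"AttributeName": "DES-CBC3-SHA",       "AttributeValue": "true"},
    {"AttributeName": "DHE-RSA-AES128-SHA", "AttributeValue": "false"}
  ]}]}
"""
LEGACY = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")  # assumption: review threshold is TLS 1.2
ORDER_ATTR = "Server-Defined-Cipher-Order"

def summarize(policy):
    """Split one policy description into protocols, ciphers and review findings."""
    enabled = [a["AttributeName"] for a in policy["PolicyAttributeDescriptions"]
               if a["AttributeValue"].lower() == "true"]
    protocols = [n[len("Protocol-"):] for n in enabled if n.startswith("Protocol-")]
    server_order = ORDER_ATTR in enabled
    ciphers = [n for n in enabled
               if not n.startswith("Protocol-") and n != ORDER_ATTR]
    findings = [f"legacy protocol enabled: {p}" for p in protocols if p in LEGACY]
    if not server_order:
        findings.append("client cipher order is used (server order preference off)")
    for c in ciphers:
        if "DES-CBC3" in c:
            findings.append(f"3DES cipher enabled: {c}")
        elif not c.startswith(("ECDHE-", "DHE-")):
            findings.append(f"no forward secrecy (RSA key exchange): {c}")
    return {"name": policy["PolicyName"], "protocols": protocols,
            "server_order": server_order, "ciphers": ciphers, "findings": findings}

def audit(raw_json):
    return [summarize(p) for p in json.loads(raw_json)["PolicyDescriptions"]]

if __name__ == "__main__":
    for report in audit(SAMPLE_OUTPUT):
        print(report["name"], report["protocols"], report["ciphers"])
        for finding in report["findings"]:
            print("  -", finding)
```
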

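Tip

This information applies only to Classic Load Balancers. For information that applies to other load balancers, see Security policies for your Application Load Balancer and Security policies for your Network Load Balancer.

Protocols by policy

The following table describes the TLS protocols that each security policy supports.

Security policy | TLS 1.2 | TLS 1.1 | TLS 1.0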
ELBSecurityPolicy-TLS-1-2-2017-01
ELBSecurityPolicy-TLS-1-1-2017-01
ELBSecurityPolicy-2016-08
ELBSecurityPolicy-2015-05
ELBSecurityPolicy-2015-03
ELBSecurityPolicy-2015-02

Ciphers by policy

The following table describes the ciphers that each security policy supports.

Security policy | Ciphers
ELBSecurityPolicy-TLS-1-2-2017-01
  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES256-GCM-SHA384

  • AES256-SHA256

ELBSecurityPolicy-TLS-1-1-2017-01
  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

ELBSecurityPolicy-2016-08
  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

ELBSecurityPolicy-2015-05
  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

  • DES-CBC3-SHA

ELBSecurityPolicy-2015-03
  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

  • DHE-RSA-AES128-SHA

  • DHE-DSS-AES128-SHA

  • DES-CBC3-SHA

ELBSecurityPolicy-2015-02
  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

  • DHE-RSA-AES128-SHA

  • DHE-DSS-AES128-SHA

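Policies by cipher

The following table describes the security policies that support each cipher.

Cipher name | Security policy | Cipher suite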

OpenSSL – ECDHE-ECDSA-AES128-GCM-SHA256

IANA – TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c02b

OpenSSL – ECDHE-RSA-AES128-GCM-SHA256

IANA – TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c02f

OpenSSL – ECDHE-ECDSA-AES128-SHA256

IANA – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c023

OpenSSL – ECDHE-RSA-AES128-SHA256

IANA – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c027

OpenSSL – ECDHE-ECDSA-AES128-SHA

IANA – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c009

OpenSSL – ECDHE-RSA-AES128-SHA

IANA – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c013

OpenSSL – ECDHE-ECDSA-AES256-GCM-SHA384

IANA – TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c02c

OpenSSL – ECDHE-RSA-AES256-GCM-SHA384

IANA – TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c030

OpenSSL – ECDHE-ECDSA-AES256-SHA384

IANA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c024

OpenSSL – ECDHE-RSA-AES256-SHA384

IANA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c028

OpenSSL – ECDHE-ECDSA-AES256-SHA

IANA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c014

OpenSSL – ECDHE-RSA-AES256-SHA

IANA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

c00a

OpenSSL – AES128-GCM-SHA256

IANA – TLS_RSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

9c

OpenSSL – AES128-SHA256

IANA – TLS_RSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

3c

OpenSSL – AES128-SHA

IANA – TLS_RSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

2f

OpenSSL – AES256-GCM-SHA384

IANA – TLS_RSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

9d

OpenSSL – AES256-SHA256

IANA – TLS_RSA_WITH_AES_256_CBC_SHA256

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

3d

OpenSSL – AES256-SHA

IANA – TLS_RSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

35

OpenSSL – DHE-RSA-AES128-SHA

IANA – TLS_DHE_RSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

33

OpenSSL – DHE-DSS-AES128-SHA

IANA – TLS_DHE_DSS_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-2015-03

  • ELBSecurityPolicy-2015-02

32

OpenSSL – DES-CBC3-SHA

IANA – TLS_RSA_WITH_3DES_EDE_CBC_SHA

  • ELBSecurityPolicy-2015-05

  • ELBSecurityPolicy-2015-03

0a