# 查看器和 CloudFront 之间支持的协议和密码当您[需要在查看器和 CloudFront 分配之间使用 HTTPS](DownloadDistValuesCacheBehavior.md#DownloadDistValuesViewerProtocolPolicy) 时，必须选择一项[安全策略](DownloadDistValuesGeneral.md#DownloadDistValues-security-policy)来确定以下设置。 + CloudFront 与查看器通信时使用的最低 SSL/TLS 协议。 + CloudFront 可用于加密与查看器之间的通信的密码。要选择安全策略，请为 [安全策略（最低 SSL/TLS 版本）](DownloadDistValuesGeneral.md#DownloadDistValues-security-policy) 指定合适的值。下表列出了每个安全策略中，CloudFront 可用的协议和密码。查看器至少必须支持这些受支持的密码中的一个，才能与 CloudFront 建立 HTTPS 连接。CloudFront 按列出的顺序从查看器支持的密码中选择一种密码。另请参阅 [OpenSSL、s2n 和 RFC 密码名称](#secure-connections-openssl-rfc-cipher-names)。

	安全策略
	SSLv3	TLSv1	TLSv1\_2016	TLSv1.1\_2016	TLSv1.2\_2018	TLSv1.2\_2019	TLSv1.2\_2021	TLSv1.2\_2025	TLSv1.3\_2025
支持的 SSL/TLS 协议
TLSv1.3	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLSv1.2	♦	♦	♦	♦	♦	♦	♦	♦
TLSv1.1	♦	♦	♦	♦
TLSv1	♦	♦	♦
SSLv3	♦
支持的 TLSv1.3 密码
TLS\_AES\_128\_GCM\_SHA256	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLS\_AES\_256\_GCM\_SHA384	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLS\_CHACHA20\_POLY1305\_SHA256	♦	♦	♦	♦	♦	♦	♦		♦
支持的 ECDSA 密码
ECDHE-ECDSA-AES128- GCM-SHA256	♦	♦	♦	♦	♦	♦	♦	♦
ECDHE-ECDSA-AES128-SHA256	♦	♦	♦	♦	♦	♦
ECDHE-ECDSA-AES128-SHA	♦	♦	♦	♦
ECDHE-ECDSA-AES256- GCM-SHA384	♦	♦	♦	♦	♦	♦	♦	♦
ECDHE-ECDSA-CHACHA20-POLY1305	♦	♦	♦	♦	♦	♦	♦
ECDHE-ECDSA-AES256-SHA384	♦	♦	♦	♦	♦	♦
ECDHE-ECDSA-AES256-SHA	♦	♦	♦	♦
支持的 RSA 密码
ECDHE-RSA-AES128- GCM-SHA256	♦	♦	♦	♦	♦	♦	♦	♦
ECDHE-RSA-AES128-SHA256	♦	♦	♦	♦	♦	♦
ECDHE-RSA-AES128-SHA	♦	♦	♦	♦
ECDHE-RSA-AES256- GCM-SHA384	♦	♦	♦	♦	♦	♦	♦	♦
ECDHE-RSA-CHACHA20-POLY1305	♦	♦	♦	♦	♦	♦	♦
ECDHE-RSA-AES256-SHA384	♦	♦	♦	♦	♦	♦
ECDHE-RSA-AES256-SHA	♦	♦	♦	♦
AES128-GCM-SHA256	♦	♦	♦	♦	♦
AES256-GCM-SHA384	♦	♦	♦	♦	♦
AES128-SHA256	♦	♦	♦	♦	♦
AES256-SHA	♦	♦	♦	♦
AES128-SHA	♦	♦	♦	♦
DES-CBC3-SHA	♦	♦
RC4-MD5	♦

## OpenSSL、s2n 和 RFC 密码名称 OpenSSL 和 [s2n](https://github.com/awslabs/s2n) 使用的密码名称与 TLS 标准使用的不同（[RFC 2246](https://tools.ietf.org/html/rfc2246)、[RFC 4346](https://tools.ietf.org/html/rfc4346)、[RFC 5246](https://tools.ietf.org/html/rfc5246) 和 [RFC 8446](https://tools.ietf.org/html/rfc8446)）。下表为每个密码列出了 OpenSSL 和 s2n 名称及对应的 RFC 名称。 CloudFront 同时支持经典密钥交换与量子安全密钥交换。对于使用椭圆曲线的经典密钥交换，CloudFront 支持： + `prime256v1` + `X25519` + `secp384r1` 对于量子安全密钥交换，CloudFront 支持： + `X25519MLKEM768` + `SecP256r1MLKEM768` **注意** 仅 TLS 1.3 支持量子安全密钥交换。TLS 1.2 及早期版本不支持量子安全密钥交换。有关更多信息，请参阅以下主题： + [Post-Quantum Cryptography](https://aws.amazon.com/security/post-quantum-cryptography/) + [Cryptography algorithms and AWS 服务](https://docs.aws.amazon.com/prescriptive-guidance/latest/encryption-best-practices/aws-cryptography-services.html#algorithms) + [Hybrid key exchange in TLS 1.3](https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/) 有关 CloudFront 的证书要求的更多信息，请参阅[在 CloudFront 中使用 SSL/TLS 证书的要求](cnames-and-https-requirements.md)。

OpenSSL 和 s2n 密码名称	RFC 密码名称
支持的 TLSv1.3 密码
TLS\_AES\_128\_GCM\_SHA256	TLS\_AES\_128\_GCM\_SHA256
TLS\_AES\_256\_GCM\_SHA384	TLS\_AES\_256\_GCM\_SHA384
TLS\_CHACHA20\_POLY1305\_SHA256	TLS\_CHACHA20\_POLY1305\_SHA256
支持的 ECDSA 密码
ECDHE-ECDSA-AES128- GCM-SHA256	TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_GCM\_SHA256
ECDHE-ECDSA-AES128-SHA256	TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA256
ECDHE-ECDSA-AES128-SHA	TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA
ECDHE-ECDSA-AES256- GCM-SHA384	TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_GCM\_SHA384
ECDHE-ECDSA-CHACHA20-POLY1305	TLS\_ECDHE\_ECDSA\_WITH\_CHACHA20\_POLY1305\_SHA256
ECDHE-ECDSA-AES256-SHA384	TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA384
ECDHE-ECDSA-AES256-SHA	TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA
支持的 RSA 密码
ECDHE-RSA-AES128- GCM-SHA256	TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256
ECDHE-RSA-AES128-SHA256	TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA256
ECDHE-RSA-AES128-SHA	TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA
ECDHE-RSA-AES256- GCM-SHA384	TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384
ECDHE-RSA-CHACHA20-POLY1305	TLS\_ECDHE\_RSA\_WITH\_CHACHA20\_POLY1305\_SHA256
ECDHE-RSA-AES256-SHA384	TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA384
ECDHE-RSA-AES256-SHA	TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA
AES128-GCM-SHA256	TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256
AES256-GCM-SHA384	TLS\_RSA\_WITH\_AES\_256\_GCM\_SHA384
AES128-SHA256	TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA256
AES256-SHA	TLS\_RSA\_WITH\_AES\_256\_CBC\_SHA
AES128-SHA	TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA
DES-CBC3-SHA	TLS\_RSA\_WITH\_3DES\_EDE\_CBC\_SHA
RC4-MD5	TLS\_RSA\_WITH\_RC4\_128\_MD5

## 查看器和 CloudFront 之间受支持的签名方案 CloudFront 支持以下用于查看器和 CloudFront 之间的连接的签名方案。

	安全策略
签名模式	SSLv3	TLSv1	TLSv1\_2016	TLSv1.1\_2016	TLSv1.2\_2018	TLSv1.2\_2019	TLSv1.2\_2021	TLSv1.2\_2025	TLSv1.3\_2025
TLS\_SIGNATURE\_SCHEME\_RSA\_PSS\_PSS\_SHA256	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_RSA\_PSS\_PSS\_SHA384	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_RSA\_PSS\_PSS\_SHA512	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_RSA\_PSS\_RSAE\_SHA256	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_RSA\_PSS\_RSAE\_SHA384	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_RSA\_PSS\_RSAE\_SHA512	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_RSA\_PKCS1\_SHA256	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_RSA\_PKCS1\_SHA384	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_RSA\_PKCS1\_SHA512	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_RSA\_PKCS1\_SHA224	♦	♦	♦	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_ECDSA\_SHA256	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_ECDSA\_SHA384	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_ECDSA\_SHA512	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_ECDSA\_SHA224	♦	♦	♦	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_ECDSA\_SECP256R1\_SHA256	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_ECDSA\_SECP384R1\_SHA384	♦	♦	♦	♦	♦	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_RSA\_PKCS1\_SHA1	♦	♦	♦	♦
TLS\_SIGNATURE\_SCHEME\_ECDSA\_SHA1	♦	♦	♦	♦