


# Security policies for your Network Load Balancer
<a name="describe-ssl-policies"></a>

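When you create a TLS listener, you must select a security policy. A security policy determines which ciphers and protocols are supported during SSL negotiations between your load balancer and clients. You can update the security policy for your load balancer if your requirements change or when we release a new security policy. For more information, see [Update the security policy](listener-update-certificates.md#update-security-policy).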

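**Considerations**
+ A TLS listener requires a security policy. If you do not specify a security policy when you create the listener, we use the default security policy. The default security policy depends on how you create the TLS listener:
  + **Console** – The default security policy is `ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09`.
  + **Other methods** (for example, the AWS CLI, AWS CloudFormation, and the AWS CDK) – The default security policy is `ELBSecurityPolicy-2016-08`.
+ Security policies with PQ in their names offer hybrid post-quantum key exchange. For compatibility, they support both classical and post-quantum ML-KEM key exchange algorithms. Clients must support ML-KEM key exchange to use hybrid post-quantum TLS for key exchange. The hybrid post-quantum policies support the SecP256r1MLKEM768, SecP384r1MLKEM1024, and X25519MLKEM768 algorithms. For more information, see [Post-Quantum Cryptography](https://aws.amazon.com/security/post-quantum-cryptography/).
+ AWS recommends implementing the new post-quantum TLS (PQ-TLS) based security policy `ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09` or `ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09`. This policy ensures backward compatibility by supporting clients capable of negotiating hybrid PQ-TLS, TLS 1.3 only, or TLS 1.2 only, which minimizes service disruption during the transition to post-quantum cryptography. You can progressively migrate to more restrictive security policies as your client applications develop the capability to negotiate PQ-TLS for key exchange operations.
+ You can enable access logs for information about the TLS requests sent to your Network Load Balancer, analyze TLS traffic patterns, manage security policy upgrades, and troubleshoot issues. Enable access logging for your load balancer, and then examine the corresponding access log entries. For more information, see [Access logs](load-balancer-access-logs.md) and [Network Load Balancer example queries](https://docs.aws.amazon.com/athena/latest/ug/networkloadbalancer-classic-logs.html#query-nlb-example).
+ To view the TLS protocol version (log field position 5) and key exchange (log field position 13) for access requests to your load balancer, enable access logging and examine the corresponding log entries. For more information, see [Access logs](load-balancer-access-logs.md).
+ You can restrict which security policies are available to users across your AWS accounts and AWS Organizations by using the [Elastic Load Balancing condition keys](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/security_iam_service-with-iam.html) in your IAM policies and service control policies (SCPs), respectively. For more information, see [Service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *AWS Organizations User Guide*.
+ Policies that support only TLS 1.3 support forward secrecy (FS). Policies that support TLS 1.3 and TLS 1.2 and contain only ciphers of the form `TLS_*` and `ECDHE_*` also provide FS.
+ Network Load Balancers support the Extended Master Secret (EMS) extension for TLS 1.2.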

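**Backend connections**

You can choose the security policy that is used for front-end connections, but not for backend connections. The security policy for backend connections depends on the listener security policy. If any of your listeners are using:
+ **FIPS post-quantum TLS policy** – Backend connections use `ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09`
+ **FIPS policy** – Backend connections use `ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04`
+ **Post-quantum TLS policy** – Backend connections use `ELBSecurityPolicy-TLS13-1-0-PQ-2025-09`
+ **TLS 1.3 policy** – Backend connections use `ELBSecurityPolicy-TLS13-1-0-2021-06`
+ **All other TLS policies** – Backend connections use `ELBSecurityPolicy-2016-08`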

You can describe the protocols and ciphers using the [describe-ssl-policies](https://docs.aws.amazon.com/cli/latest/reference/elbv2/describe-ssl-policies.html) AWS CLI command, or refer to the tables below.

**Contents**
+ [TLS security policies](#tls-security-policies)
  + [Protocols by policy](#tls-protocols)
  + [Ciphers by policy](#tls-policy-ciphers)
  + [Policies by cipher](#tls-cipher-policies)
+ [FIPS security policies](#fips-security-policies)
  + [Protocols by policy](#fips-protocols)
  + [Ciphers by policy](#fips-policy-ciphers)
  + [Policies by cipher](#fips-cipher-policies)
+ [FS supported security policies](#fs-security-policies)
  + [Protocols by policy](#fs-protocols)
  + [Ciphers by policy](#fs-policy-ciphers)
  + [Policies by cipher](#fs-cipher-policies)

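## TLS security policies
<a name="tls-security-policies"></a>

You can use the TLS security policies to meet compliance and security standards that require disabling certain TLS protocol versions, or to support legacy clients that require deprecated ciphers.

Policies that support only TLS 1.3 support forward secrecy (FS). Policies that support TLS 1.3 and TLS 1.2 and contain only ciphers of the form `TLS_*` and `ECDHE_*` also provide FS.

**Topics**
+ [Protocols by policy](#tls-protocols)
+ [Ciphers by policy](#tls-policy-ciphers)
+ [Policies by cipher](#tls-cipher-policies)

### Protocols by policy
<a name="tls-protocols"></a>

The following table describes the protocols that each TLS security policy supports.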


| Security policy | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 |
| --- | --- | --- | --- | --- |
| ELBSecurityPolicy-TLS13-1-3-2021-06 | Yes | No | No | No |
| ELBSecurityPolicy-TLS13-1-3-PQ-2025-09 | Yes | No | No | No |
| ELBSecurityPolicy-TLS13-1-2-2021-06 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Res-2021-06 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-1-2021-06 | Yes | Yes | Yes | No |
| ELBSecurityPolicy-TLS13-1-0-2021-06 | Yes | Yes | Yes | Yes |
| ELBSecurityPolicy-TLS13-1-0-PQ-2025-09 | Yes | Yes | Yes | Yes |
| ELBSecurityPolicy-TLS-1-2-Ext-2018-06 | No | Yes | No | No |
| ELBSecurityPolicy-TLS-1-2-2017-01 | No | Yes | No | No |
| ELBSecurityPolicy-TLS-1-1-2017-01 | No | Yes | Yes | No |
| ELBSecurityPolicy-2016-08 | No | Yes | Yes | Yes |
| ELBSecurityPolicy-2015-05 | No | Yes | Yes | Yes |

### Ciphers by policy
<a name="tls-policy-ciphers"></a>

The following table describes the ciphers that each TLS security policy supports.


| Security policy | Ciphers |
| --- | --- |
| ELBSecurityPolicy-TLS13-1-3-2021-06, ELBSecurityPolicy-TLS13-1-3-PQ-2025-09 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-2021-06, ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-Res-2021-06, ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06, ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06, ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-1-2021-06 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-0-2021-06, ELBSecurityPolicy-TLS13-1-0-PQ-2025-09 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS-1-2-Ext-2018-06 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS-1-2-2017-01 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS-1-1-2017-01 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-2016-08 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-2015-05 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) |

### Policies by cipher
<a name="tls-cipher-policies"></a>

The following table describes the TLS security policies that support each cipher.


| Cipher name | Security policies | Cipher suite |
| --- | --- | --- |
| **OpenSSL** – `TLS_AES_128_GCM_SHA256` **IANA** – `TLS_AES_128_GCM_SHA256` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 1301 |
| **OpenSSL** – `TLS_AES_256_GCM_SHA384` **IANA** – `TLS_AES_256_GCM_SHA384` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 1302 |
| **OpenSSL** – `TLS_CHACHA20_POLY1305_SHA256` **IANA** – `TLS_CHACHA20_POLY1305_SHA256` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 1303 |
| **OpenSSL** – `ECDHE-ECDSA-AES128-GCM-SHA256` **IANA** – `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c02b |
| **OpenSSL** – `ECDHE-RSA-AES128-GCM-SHA256` **IANA** – `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c02f |
| **OpenSSL** – `ECDHE-ECDSA-AES128-SHA256` **IANA** – `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c023 |
| **OpenSSL** – `ECDHE-RSA-AES128-SHA256` **IANA** – `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c027 |
| **OpenSSL** – `ECDHE-ECDSA-AES128-SHA` **IANA** – `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c009 |
| **OpenSSL** – `ECDHE-RSA-AES128-SHA` **IANA** – `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c013 |
| **OpenSSL** – `ECDHE-ECDSA-AES256-GCM-SHA384` **IANA** – `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c02c |
| **OpenSSL** – `ECDHE-RSA-AES256-GCM-SHA384` **IANA** – `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c030 |
| **OpenSSL** – `ECDHE-ECDSA-AES256-SHA384` **IANA** – `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c024 |
| **OpenSSL** – `ECDHE-RSA-AES256-SHA384` **IANA** – `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c028 |
| **OpenSSL** – `ECDHE-ECDSA-AES256-SHA` **IANA** – `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c00a |
| **OpenSSL** – `ECDHE-RSA-AES256-SHA` **IANA** – `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c014 |
| **OpenSSL** – `AES128-GCM-SHA256` **IANA** – `TLS_RSA_WITH_AES_128_GCM_SHA256` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 9c |
| **OpenSSL** – `AES128-SHA256` **IANA** – `TLS_RSA_WITH_AES_128_CBC_SHA256` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 3c |
| **OpenSSL** – `AES128-SHA` **IANA** – `TLS_RSA_WITH_AES_128_CBC_SHA` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 2f |
| **OpenSSL** – `AES256-GCM-SHA384` **IANA** – `TLS_RSA_WITH_AES_256_GCM_SHA384` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 9d |
| **OpenSSL** – `AES256-SHA256` **IANA** – `TLS_RSA_WITH_AES_256_CBC_SHA256` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 3d |
| **OpenSSL** – `AES256-SHA` **IANA** – `TLS_RSA_WITH_AES_256_CBC_SHA` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 35 |

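## FIPS security policies
<a name="fips-security-policies"></a>

The Federal Information Processing Standard (FIPS) is a US and Canadian government standard that specifies the security requirements for cryptographic modules that protect sensitive information. To learn more, see [Federal Information Processing Standard (FIPS) 140](https://aws.amazon.com/compliance/fips/) on the *AWS Cloud Security Compliance* page.

All FIPS policies leverage the AWS-LC FIPS validated cryptographic module. To learn more, see the [AWS-LC Cryptographic Module](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4631) page on the *NIST Cryptographic Module Validation Program* site.

**Important**  
Policies `ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04` and `ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04` are provided for legacy compatibility only. While they use FIPS cryptography with the FIPS140 module, they might not conform to the latest NIST guidance for TLS configuration.

**Topics**
+ [Protocols by policy](#fips-protocols)
+ [Ciphers by policy](#fips-policy-ciphers)
+ [Policies by cipher](#fips-cipher-policies)

### Protocols by policy
<a name="fips-protocols"></a>

The following table describes the protocols that each FIPS security policy supports.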


| Security policy | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 |
| --- | --- | --- | --- | --- |
| ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04 | Yes | No | No | No |
| ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09 | Yes | No | No | No |
| ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09 | Yes | Yes | No | No |
| ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04 | Yes | Yes | Yes | No |
| ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04 | Yes | Yes | Yes | Yes |
| ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09 | Yes | Yes | Yes | Yes |
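
The two protocol tables and the backend-connection rules earlier on this page can be turned into an offline audit of listener configuration. The following is an added example, not AWS code: it assumes input shaped like the output of `aws elbv2 describe-listeners` (`Listeners[].ListenerArn`, `Protocol`, `SslPolicy`), the ARNs are constructed, and it assumes a policy's class (FIPS, PQ, TLS 1.3) can be read from its name.

```python
import json

PREFIX = "ELBSecurityPolicy-"

# Protocol support transcribed from the TLS and FIPS "Protocols by policy" tables.
_TABLE = {
    ("1.3",): """TLS13-1-3-2021-06 TLS13-1-3-PQ-2025-09
                 TLS13-1-3-FIPS-2023-04 TLS13-1-3-FIPS-PQ-2025-09""",
    ("1.3", "1.2"): """TLS13-1-2-2021-06 TLS13-1-2-PQ-2025-09
                 TLS13-1-2-Res-2021-06 TLS13-1-2-Res-PQ-2025-09
                 TLS13-1-2-Ext2-2021-06 TLS13-1-2-Ext2-PQ-2025-09
                 TLS13-1-2-Ext1-2021-06 TLS13-1-2-Ext1-PQ-2025-09
                 TLS13-1-2-FIPS-2023-04 TLS13-1-2-FIPS-PQ-2025-09
                 TLS13-1-2-Res-FIPS-2023-04 TLS13-1-2-Res-FIPS-PQ-2025-09
                 TLS13-1-2-Ext2-FIPS-2023-04 TLS13-1-2-Ext2-FIPS-PQ-2025-09
                 TLS13-1-2-Ext1-FIPS-2023-04 TLS13-1-2-Ext1-FIPS-PQ-2025-09
                 TLS13-1-2-Ext0-FIPS-2023-04 TLS13-1-2-Ext0-FIPS-PQ-2025-09""",
    ("1.3", "1.2", "1.1"): "TLS13-1-1-2021-06 TLS13-1-1-FIPS-2023-04",
    ("1.3", "1.2", "1.1", "1.0"): """TLS13-1-0-2021-06 TLS13-1-0-PQ-2025-09
                 TLS13-1-0-FIPS-2023-04 TLS13-1-0-FIPS-PQ-2025-09""",
    ("1.2",): "TLS-1-2-Ext-2018-06 TLS-1-2-2017-01",
    ("1.2", "1.1"): "TLS-1-1-2017-01",
    ("1.2", "1.1", "1.0"): "2016-08 2015-05",
}
PROTOCOLS = {PREFIX + name: set(protos)
             for protos, names in _TABLE.items() for name in names.split()}
LEGACY = {"1.1", "1.0"}


def backend_policy(listener_policy):
    """Backend policy implied by the listener policy ("Backend connections" rules)."""
    # Assumption: the policy class is derived from tokens in the policy name.
    parts = listener_policy.split("-")
    fips, pq, tls13 = "FIPS" in parts, "PQ" in parts, "TLS13" in parts
    if fips and pq:
        return PREFIX + "TLS13-1-0-FIPS-PQ-2025-09"
    if fips:
        return PREFIX + "TLS13-1-0-FIPS-2023-04"
    if pq:
        return PREFIX + "TLS13-1-0-PQ-2025-09"
    if tls13:
        return PREFIX + "TLS13-1-0-2021-06"
    return PREFIX + "2016-08"


def audit_listeners(describe_listeners_json):
    """Return one finding per TLS listener: policy, implied backend policy, issues."""
    findings = []
    for lst in json.loads(describe_listeners_json)["Listeners"]:
        if lst.get("Protocol") != "TLS":
            continue  # TCP/UDP listeners carry no security policy
        policy = lst.get("SslPolicy", "")
        protos = PROTOCOLS.get(policy)
        issues = []
        if protos is None:
            issues.append("unknown-policy")  # not in the tables on this page
        else:
            legacy = sorted(protos & LEGACY)
            if legacy:
                issues.append("legacy-tls:" + ",".join(legacy))
            if "1.3" not in protos:
                issues.append("no-tls13")
        if "PQ" not in policy.split("-"):
            issues.append("no-hybrid-pq")
        findings.append({
            "listener": lst["ListenerArn"],
            "policy": policy,
            "backend_policy": backend_policy(policy),
            "issues": issues,
        })
    return findings


# Constructed sample input (placeholder account ID and ARNs).
_ARN = "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/net/example/"
SAMPLE = json.dumps({"Listeners": [
    {"ListenerArn": _ARN + "a", "Protocol": "TLS",
     "SslPolicy": "ELBSecurityPolicy-2016-08"},           # CLI/CloudFormation default
    {"ListenerArn": _ARN + "b", "Protocol": "TLS",
     "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09"},  # console default
    {"ListenerArn": _ARN + "c", "Protocol": "TLS",
     "SslPolicy": "ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04"},
    {"ListenerArn": _ARN + "d", "Protocol": "TCP"},
]})

if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE):
        print(finding["policy"], "->", finding["backend_policy"], finding["issues"])
```

A listener created without an explicit policy through the CLI or CloudFormation shows up here as `ELBSecurityPolicy-2016-08`, which the table lists as accepting TLS 1.0 and TLS 1.1.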

### Ciphers by policy
<a name="fips-policy-ciphers"></a>

The following table describes the ciphers that each FIPS security policy supports.


| Security policy | Ciphers |
| --- | --- |
| ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04, ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04, ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04, ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04, ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04, ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04, ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04, ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) |

### Policies by cipher
<a name="fips-cipher-policies"></a>

The following table describes the FIPS security policies that support each cipher.


| Cipher name | Security policies | Cipher suite |
| --- | --- | --- |
| **OpenSSL**: `TLS_AES_128_GCM_SHA256`; **IANA**: `TLS_AES_128_GCM_SHA256` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 1301 |
| **OpenSSL**: `TLS_AES_256_GCM_SHA384`; **IANA**: `TLS_AES_256_GCM_SHA384` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 1302 |
| **OpenSSL**: `ECDHE-ECDSA-AES128-GCM-SHA256`; **IANA**: `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c02b |
| **OpenSSL**: `ECDHE-RSA-AES128-GCM-SHA256`; **IANA**: `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c02f |
| **OpenSSL**: `ECDHE-ECDSA-AES128-SHA256`; **IANA**: `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c023 |
| **OpenSSL**: `ECDHE-RSA-AES128-SHA256`; **IANA**: `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c027 |
| **OpenSSL**: `ECDHE-ECDSA-AES128-SHA`; **IANA**: `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c009 |
| **OpenSSL**: `ECDHE-RSA-AES128-SHA`; **IANA**: `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c013 |
| **OpenSSL**: `ECDHE-ECDSA-AES256-GCM-SHA384`; **IANA**: `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c02c |
| **OpenSSL**: `ECDHE-RSA-AES256-GCM-SHA384`; **IANA**: `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c030 |
| **OpenSSL**: `ECDHE-ECDSA-AES256-SHA384`; **IANA**: `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c024 |
| **OpenSSL**: `ECDHE-RSA-AES256-SHA384`; **IANA**: `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c028 |
| **OpenSSL**: `ECDHE-ECDSA-AES256-SHA`; **IANA**: `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c00a |
| **OpenSSL**: `ECDHE-RSA-AES256-SHA`; **IANA**: `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c014 |
| **OpenSSL**: `AES128-GCM-SHA256`; **IANA**: `TLS_RSA_WITH_AES_128_GCM_SHA256` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 9c |
| **OpenSSL**: `AES128-SHA256`; **IANA**: `TLS_RSA_WITH_AES_128_CBC_SHA256` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 3c |
| **OpenSSL**: `AES128-SHA`; **IANA**: `TLS_RSA_WITH_AES_128_CBC_SHA` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 2f |
| **OpenSSL**: `AES256-GCM-SHA384`; **IANA**: `TLS_RSA_WITH_AES_256_GCM_SHA384` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 9d |
| **OpenSSL**: `AES256-SHA256`; **IANA**: `TLS_RSA_WITH_AES_256_CBC_SHA256` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 3d |
| **OpenSSL**: `AES256-SHA`; **IANA**: `TLS_RSA_WITH_AES_256_CBC_SHA` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | 35 |

## FS supported security policies
<a name="fs-security-policies"></a>

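FS (forward secrecy) supported security policies provide additional safeguards against the eavesdropping of encrypted data by using a unique random session key. This prevents captured data from being decoded even if the secret long-term key is compromised.

The policies in this section support FS, and "FS" is included in their names. However, these are not the only policies that support FS. Policies that support only TLS 1.3 support forward secrecy (FS). Policies that support TLS 1.3 and TLS 1.2 and contain only ciphers of the form `TLS_*` and `ECDHE_*` also provide FS.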
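The rule above can be checked mechanically against a policy's cipher list. The following is an added example, not code from the AWS documentation: it assumes input shaped like the `SslPolicies` entries returned by `aws elbv2 describe-ssl-policies`, uses two constructed sample policies with hypothetical names, and generalizes slightly by accepting both OpenSSL and IANA cipher names and by treating DHE suites as FS.

```python
# Added example: decide whether a policy negotiates only forward-secret ciphers.
# The sample policies are constructed for illustration, not real AWS policies.

def cipher_has_fs(name: str) -> bool:
    """True if the suite uses an ephemeral (EC)DHE key exchange."""
    n = name.upper()
    if n.startswith("TLS_"):
        # IANA naming: TLS 1.3 suites have no "_WITH_" and are always FS;
        # TLS 1.2 and earlier suites are FS only with an (EC)DHE key exchange.
        return "_WITH_" not in n or n.startswith(("TLS_ECDHE_", "TLS_DHE_"))
    # OpenSSL naming: static-RSA suites (e.g. AES128-SHA) carry no
    # key-exchange prefix, so only an explicit (EC)DHE prefix means FS.
    return n.startswith(("ECDHE-", "DHE-"))

def audit_policy(policy: dict) -> dict:
    """List, in priority order, the non-FS ciphers a policy still allows."""
    ciphers = sorted(policy["Ciphers"], key=lambda c: c["Priority"])
    non_fs = [c["Name"] for c in ciphers if not cipher_has_fs(c["Name"])]
    return {"policy": policy["Name"], "fs_only": not non_fs,
            "non_fs_ciphers": non_fs}

# Constructed input; cipher names are taken from the tables on this page.
SAMPLE_POLICIES = [
    {"Name": "example-fs-only",
     "Ciphers": [{"Name": "ECDHE-RSA-AES256-GCM-SHA384", "Priority": 3},
                 {"Name": "TLS_AES_128_GCM_SHA256", "Priority": 1},
                 {"Name": "ECDHE-ECDSA-AES128-GCM-SHA256", "Priority": 2}]},
    {"Name": "example-mixed",
     "Ciphers": [{"Name": "ECDHE-RSA-AES128-GCM-SHA256", "Priority": 1},
                 {"Name": "AES256-SHA", "Priority": 3},
                 {"Name": "AES128-GCM-SHA256", "Priority": 2}]},
]

if __name__ == "__main__":
    for p in SAMPLE_POLICIES:
        print(audit_policy(p))
```

A policy that reports `fs_only: False` can still negotiate a static-RSA suite with a client that offers one, so traffic captured from those sessions is exposed if the certificate's private key is later compromised.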

**Topics**
+ [Protocols by policy](#fs-protocols)
+ [Ciphers by policy](#fs-policy-ciphers)
+ [Policies by cipher](#fs-cipher-policies)

### Protocols by policy
<a name="fs-protocols"></a>

The following table describes the protocols supported by each FS supported security policy.


| Security policy | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 |
| --- | --- | --- | --- | --- |
| ELBSecurityPolicy-FS-1-2-Res-2020-10 | No | Yes | No | No |
| ELBSecurityPolicy-FS-1-2-Res-2019-08 | No | Yes | No | No |
| ELBSecurityPolicy-FS-1-2-2019-08 | No | Yes | No | No |
| ELBSecurityPolicy-FS-1-1-2019-08 | No | Yes | Yes | No |
| ELBSecurityPolicy-FS-2018-06 | No | Yes | Yes | Yes |

### Ciphers by policy
<a name="fs-policy-ciphers"></a>

The following table describes the ciphers supported by each FS supported security policy.


| Security policy | Ciphers |
| --- | --- |
| ELBSecurityPolicy-FS-1-2-Res-2020-10 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-FS-1-2-Res-2019-08 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-FS-1-2-2019-08 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-FS-1-1-2019-08 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) |
| ELBSecurityPolicy-FS-2018-06 | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) |

### Policies by cipher
<a name="fs-cipher-policies"></a>

The following table describes the FS supported security policies that support each cipher.


| Cipher name | Security policies | Cipher suite |
| --- | --- | --- |
| **OpenSSL**: `ECDHE-ECDSA-AES128-GCM-SHA256`; **IANA**: `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c02b |
| **OpenSSL**: `ECDHE-RSA-AES128-GCM-SHA256`; **IANA**: `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c02f |
| **OpenSSL**: `ECDHE-ECDSA-AES128-SHA256`; **IANA**: `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c023 |
| **OpenSSL**: `ECDHE-RSA-AES128-SHA256`; **IANA**: `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c027 |
| **OpenSSL**: `ECDHE-ECDSA-AES128-SHA`; **IANA**: `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c009 |
| **OpenSSL**: `ECDHE-RSA-AES128-SHA`; **IANA**: `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c013 |
| **OpenSSL**: `ECDHE-ECDSA-AES256-GCM-SHA384`; **IANA**: `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c02c |
| **OpenSSL**: `ECDHE-RSA-AES256-GCM-SHA384`; **IANA**: `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c030 |
| **OpenSSL**: `ECDHE-ECDSA-AES256-SHA384`; **IANA**: `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c024 |
| **OpenSSL**: `ECDHE-RSA-AES256-SHA384`; **IANA**: `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c028 |
| **OpenSSL**: `ECDHE-ECDSA-AES256-SHA`; **IANA**: `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c00a |
| **OpenSSL**: `ECDHE-RSA-AES256-SHA`; **IANA**: `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/elasticloadbalancing/latest/network/describe-ssl-policies.html) | c014 |