Security policies for your Network Load Balancer
When you create a TLS listener, you must select a security policy. A security policy determines which ciphers and protocols are supported during SSL negotiations between your load balancer and clients. You can update the security policy for your load balancer if your requirements change or when we release a new security policy. For more information, see Update the security policy.
Considerations
-
A TLS listener requires a security policy. If you do not specify a security policy when you create the listener, we use the default security policy. The default security policy depends on how you created the TLS listener:
-
Console – The default security policy is
ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09. -
Other methods (for example, the AWS CLI, AWS CloudFormation, and the AWS CDK) – The default security policy is
ELBSecurityPolicy-2016-08.
-
-
Security policies with PQ in their names offer hybrid post-quantum key exchange. For compatibility, they support both classical and post-quantum ML-KEM key exchange algorithms. Clients must support the ML-KEM key exchange to use hybrid post-quantum TLS for key exchange. The hybrid post-quantum policies support SecP256r1MLKEM768, SecP384r1MLKEM1024 and X25519MLKEM768 algorithms. For more information, see Post-quantum Cryptography
. -
AWS recommends implementing the new post-quantum TLS (PQ-TLS) based security policy
ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09orELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09. This policy ensures backward compatibility by supporting clients capable of negotiating hybrid PQ-TLS, TLS 1.3 only, or TLS 1.2 only, thereby minimizing service disruption during the transition to post-quantum cryptography. You can progressively migrate to more restrictive security policies as your client applications develop the capability to negotiate PQ-TLS for key exchange operations. -
Security policies with RFC 9151 in their names help you comply with RFC 9151, which defines TLS requirements for the Commercial National Security Algorithm (CNSA) 1.0 suite as specified by the US National Security Agency (NSA). To help with transition, they are available in two categories: strict policies that enforce full RFC 9151 requirements, and interop policies (containing "INTEROP" in their name) that support both RFC 9151-compliant and non-RFC 9151 ciphers to facilitate gradual transition. AWS recommends starting with
ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07to minimize disruption, then gradually moving to stricter policies as clients support RFC 9151. You can use thetls_protocol,tls_cipher, andtls_keyexchangefields in NLB access logs to monitor client connections. For more information about RFC 9151, see RFC 9151on the IETF website. -
You can enable access logs for information about the TLS requests sent to your Network Load Balancer, analyze TLS traffic patterns, manage security policy upgrades, and troubleshoot issues. Enable access logging for your load balancer and examine the corresponding access log entries. For more information, see Access logs and Network Load Balancer Example Queries.
-
To view the TLS protocol version (log field position 5) and key exchange (log field position 13) for access requests to your load balancer, enable access logging and examine the corresponding log entries. For more information, see Access logs.
-
You can restrict which security policies are available to users across your AWS accounts and AWS Organizations by using the Elastic Load Balancing condition keys in your IAM and service control policies (SCPs), respectively. For more information, see Service control policies (SCPs) in the AWS Organizations User Guide.
-
Policies that support only TLS 1.3 support Forward Secrecy (FS). Policies that support TLS 1.3 and TLS 1.2 that have only ciphers of the form TLS_* and ECDHE_* also provide FS.
-
Network Load Balancers support the Extended Master Secret (EMS) extension for TLS 1.2.
Backend Connections
You can choose the security policy that is used for front-end connections, but not backend connections. The security policy for backend connections depends on the listener's security policy. If any of your listeners are using:
-
RFC 9151 policy (including any interop policy) - Backend connections use
ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07 -
FIPS post-quantum TLS policy - Backend connections use
ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09 -
FIPS policy - Backend connections use
ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04 -
Post-quantum TLS policy - Backend connections use
ELBSecurityPolicy-TLS13-1-0-PQ-2025-09 -
TLS 1.3 policy - Backend connections use
ELBSecurityPolicy-TLS13-1-0-2021-06 -
Other TLS policy - Backend connections use
ELBSecurityPolicy-2016-08
You can describe the protocols and ciphers using the describe-ssl-policies AWS CLI command, or refer to the tables below.
Security policies
TLS security policies
You can use the TLS security policies to meet compliance and security standards that require disabling certain TLS protocol versions, or to support legacy clients that require deprecated ciphers.
Policies that support only TLS 1.3 support Forward Secrecy (FS). Policies that support TLS 1.3 and TLS 1.2 that have only ciphers of the form TLS_* and ECDHE_* also provide FS.
Protocols by policy
The following table describes the protocols that each TLS security policy supports.
| Security policies | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 |
|---|---|---|---|---|
| ELBSecurityPolicy-TLS13-1-3-2021-06 | ||||
| ELBSecurityPolicy-TLS13-1-3-PQ-2025-09 | ||||
| ELBSecurityPolicy-TLS13-1-2-2021-06 | ||||
| ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 | ||||
| ELBSecurityPolicy-TLS13-1-2-Res-2021-06 | ||||
| ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09 | ||||
| ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06 | ||||
| ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09 | ||||
| ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06 | ||||
| ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09 | ||||
| ELBSecurityPolicy-TLS13-1-1-2021-06 | ||||
| ELBSecurityPolicy-TLS13-1-0-2021-06 | ||||
| ELBSecurityPolicy-TLS13-1-0-PQ-2025-09 | ||||
| ELBSecurityPolicy-TLS-1-2-Ext-2018-06 | ||||
| ELBSecurityPolicy-TLS-1-2-2017-01 | ||||
| ELBSecurityPolicy-TLS-1-1-2017-01 | ||||
| ELBSecurityPolicy-2016-08 | ||||
| ELBSecurityPolicy-2015-05 |
Ciphers by policy
The following table describes the ciphers that each TLS security policy supports.
| Security policy | Ciphers |
|---|---|
|
ELBSecurityPolicy-TLS13-1-3-2021-06 ELBSecurityPolicy-TLS13-1-3-PQ-2025-09 |
|
|
ELBSecurityPolicy-TLS13-1-2-2021-06 ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 |
|
|
ELBSecurityPolicy-TLS13-1-2-Res-2021-06 ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09 |
|
|
ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06 ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09 |
|
|
ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06 ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09 |
|
| ELBSecurityPolicy-TLS13-1-1-2021-06 |
|
|
ELBSecurityPolicy-TLS13-1-0-2021-06 ELBSecurityPolicy-TLS13-1-0-PQ-2025-09 |
|
| ELBSecurityPolicy-TLS-1-2-Ext-2018-06 |
|
| ELBSecurityPolicy-TLS-1-2-2017-01 |
|
| ELBSecurityPolicy-TLS-1-1-2017-01 |
|
| ELBSecurityPolicy-2016-08 |
|
| ELBSecurityPolicy-2015-05 |
|
Policies by cipher
The following table describes the TLS security policies that support each cipher.
| Cipher name | Security policies | Cipher suite |
|---|---|---|
|
OpenSSL – TLS_AES_128_GCM_SHA256 IANA – TLS_AES_128_GCM_SHA256 |
|
1301 |
|
OpenSSL – TLS_AES_256_GCM_SHA384 IANA – TLS_AES_256_GCM_SHA384 |
|
1302 |
|
OpenSSL – TLS_CHACHA20_POLY1305_SHA256 IANA – TLS_CHACHA20_POLY1305_SHA256 |
|
1303 |
|
OpenSSL – ECDHE-ECDSA-AES128-GCM-SHA256 IANA – TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
|
c02b |
|
OpenSSL – ECDHE-RSA-AES128-GCM-SHA256 IANA – TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
|
c02f |
|
OpenSSL – ECDHE-ECDSA-AES128-SHA256 IANA – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
|
c023 |
|
OpenSSL – ECDHE-RSA-AES128-SHA256 IANA – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
|
c027 |
|
OpenSSL – ECDHE-ECDSA-AES128-SHA IANA – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
|
c009 |
|
OpenSSL – ECDHE-RSA-AES128-SHA IANA – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
|
c013 |
|
OpenSSL – ECDHE-ECDSA-AES256-GCM-SHA384 IANA – TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
|
c02c |
|
OpenSSL – ECDHE-RSA-AES256-GCM-SHA384 IANA – TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
|
c030 |
|
OpenSSL – ECDHE-ECDSA-AES256-SHA384 IANA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
|
c024 |
|
OpenSSL – ECDHE-RSA-AES256-SHA384 IANA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
|
c028 |
|
OpenSSL – ECDHE-ECDSA-AES256-SHA IANA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
|
c00a |
|
OpenSSL – ECDHE-RSA-AES256-SHA IANA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
|
c014 |
|
OpenSSL – AES128-GCM-SHA256 IANA – TLS_RSA_WITH_AES_128_GCM_SHA256 |
|
9c |
|
OpenSSL – AES128-SHA256 IANA – TLS_RSA_WITH_AES_128_CBC_SHA256 |
|
3c |
|
OpenSSL – AES128-SHA IANA – TLS_RSA_WITH_AES_128_CBC_SHA |
|
2f |
|
OpenSSL – AES256-GCM-SHA384 IANA – TLS_RSA_WITH_AES_256_GCM_SHA384 |
|
9d |
|
OpenSSL – AES256-SHA256 IANA – TLS_RSA_WITH_AES_256_CBC_SHA256 |
|
3d |
|
OpenSSL – AES256-SHA IANA – TLS_RSA_WITH_AES_256_CBC_SHA |
|
35 |
FIPS security policies
The Federal Information Processing Standard (FIPS) is a US and Canadian
government standard that specifies the security requirements for cryptographic
modules that protect sensitive information. To learn more, see Federal Information Processing Standard (FIPS) 140
All FIPS policies leverage the AWS-LC FIPS validated cryptographic module. To learn more,
see the
AWS-LC Cryptographic Module
Important
Policies ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04 and ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04
are provided for legacy compatibility only. While they utilize FIPS cryptography using the FIPS140 module, they may not
conform to the latest NIST guidance for TLS configuration.
Protocols by policy
The following table describes the protocols that each FIPS security policy supports.
| Security policies | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 |
|---|---|---|---|---|
| ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04 | ||||
| ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09 | ||||
| ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04 | ||||
| ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09 | ||||
| ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04 | ||||
| ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09 | ||||
| ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04 | ||||
| ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09 | ||||
| ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04 | ||||
| ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09 | ||||
| ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04 | ||||
| ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09 | ||||
| ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04 | ||||
| ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04 | ||||
| ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09 |
Ciphers by policy
The following table describes the ciphers that each FIPS security policy supports.
| Security policy | Ciphers |
|---|---|
|
ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04 ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09 |
|
|
ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04 ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09 |
|
|
ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04 ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09 |
|
|
ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04 ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09 |
|
|
ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04 ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09 |
|
|
ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04 ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09 |
|
| ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04 |
|
|
ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04 ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09 |
|
Policies by cipher
The following table describes the FIPS security policies that support each cipher.
| Cipher name | Security policies | Cipher suite |
|---|---|---|
|
OpenSSL – TLS_AES_128_GCM_SHA256 IANA – TLS_AES_128_GCM_SHA256 |
|
1301 |
|
OpenSSL – TLS_AES_256_GCM_SHA384 IANA – TLS_AES_256_GCM_SHA384 |
|
1302 |
|
OpenSSL – ECDHE-ECDSA-AES128-GCM-SHA256 IANA – TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
|
c02b |
|
OpenSSL – ECDHE-RSA-AES128-GCM-SHA256 IANA – TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
|
c02f |
|
OpenSSL – ECDHE-ECDSA-AES128-SHA256 IANA – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
|
c023 |
|
OpenSSL – ECDHE-RSA-AES128-SHA256 IANA – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
|
c027 |
|
OpenSSL – ECDHE-ECDSA-AES128-SHA IANA – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
|
c009 |
|
OpenSSL – ECDHE-RSA-AES128-SHA IANA – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
|
c013 |
|
OpenSSL – ECDHE-ECDSA-AES256-GCM-SHA384 IANA – TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
|
c02c |
|
OpenSSL – ECDHE-RSA-AES256-GCM-SHA384 IANA – TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
|
c030 |
|
OpenSSL – ECDHE-ECDSA-AES256-SHA384 IANA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
|
c024 |
|
OpenSSL – ECDHE-RSA-AES256-SHA384 IANA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
|
c028 |
|
OpenSSL – ECDHE-ECDSA-AES256-SHA IANA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
|
c00a |
|
OpenSSL – ECDHE-RSA-AES256-SHA IANA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
|
c014 |
|
OpenSSL – AES128-GCM-SHA256 IANA – TLS_RSA_WITH_AES_128_GCM_SHA256 |
|
9c |
|
OpenSSL – AES128-SHA256 IANA – TLS_RSA_WITH_AES_128_CBC_SHA256 |
|
3c |
|
OpenSSL – AES128-SHA IANA – TLS_RSA_WITH_AES_128_CBC_SHA |
|
2f |
|
OpenSSL – AES256-GCM-SHA384 IANA – TLS_RSA_WITH_AES_256_GCM_SHA384 |
|
9d |
|
OpenSSL – AES256-SHA256 IANA – TLS_RSA_WITH_AES_256_CBC_SHA256 |
|
3d |
|
OpenSSL – AES256-SHA IANA – TLS_RSA_WITH_AES_256_CBC_SHA |
|
35 |
RFC 9151 (CNSA 1.0) security policies
Network Load Balancer supports security policies that help you comply with RFC 9151, which
defines TLS requirements for the Commercial National Security Algorithm (CNSA) 1.0 suite as
specified by the US National Security Agency (NSA). RFC 9151 specifies how to use the CNSA suite
with TLS 1.2 and TLS 1.3 protocols, defining the cryptographic requirements for secure
communications that meet government security standards. To learn more about RFC 9151, see
RFC 9151
RFC 9151 policies are available in two categories:
-
Strict policies – Enforce strict RFC 9151 cipher and signature scheme requirements. Use these when all your clients can support RFC 9151.
-
Interop policies – Support both RFC 9151 compliant and non-RFC 9151 ciphers and signature schemes to facilitate a gradual transition to RFC 9151 compliance. Use these when you are uncertain whether all clients can support RFC 9151, or you want to avoid disrupting clients during the transition. All interop policies contain "INTEROP" in their policy name.
AWS recommends starting with the interop policy
ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07, which supports clients
that can negotiate classical TLS 1.3, TLS 1.2, or strict RFC 9151 algorithms, minimizing disruption.
You can gradually move to stricter policies as your clients support RFC 9151-compliant algorithms. You can
leverage the tls_protocol, tls_cipher, and tls_keyexchange
fields in NLB access logs to monitor how clients are connecting.
Important
When you select an RFC 9151 security policy for your listener, the load balancer uses
ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07 for backend connections
to targets and other services. However, the load balancer cannot guarantee or enforce RFC 9151
compliance on egress connections, including connections to targets, or customer-configured
external services (such as third-party identity providers or authentication endpoints).
It is your responsibility to ensure the following:
-
Your targets and any external services you configure can support the protocols and ciphers in the backend connection policy.
-
For strict RFC 9151 compliance between the load balancer and your targets, your targets must have RFC 9151 compliant certificates and ciphers implemented.
-
If your backend targets only support TLS 1.0 or TLS 1.1, connections will fail. You must update the protocols and ciphers on your targets to align with the ciphers supported by the
ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07policy.
Protocols by policy
The following table describes the protocols that each RFC 9151 security policy supports.
| Security policies | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 |
|---|---|---|---|---|
| ELBSecurityPolicy-TLS13-1-3-RFC9151-FIPS-2023-07 | ||||
| ELBSecurityPolicy-TLS13-1-2-RFC9151-FIPS-2023-07 | ||||
| ELBSecurityPolicy-TLS13-1-2-Ext0-RFC9151-FIPS-2023-07 | ||||
| ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP1-FIPS-2023-07 | ||||
| ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP2-FIPS-2023-07 | ||||
| ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP3-FIPS-2023-07 | ||||
| ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07 |
Ciphers by policy
The following table describes the ciphers that each RFC 9151 security policy supports.
| Security policy | Ciphers |
|---|---|
| ELBSecurityPolicy-TLS13-1-3-RFC9151-FIPS-2023-07 |
|
| ELBSecurityPolicy-TLS13-1-2-RFC9151-FIPS-2023-07 |
|
| ELBSecurityPolicy-TLS13-1-2-Ext0-RFC9151-FIPS-2023-07 |
|
| ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP1-FIPS-2023-07 |
|
| ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP2-FIPS-2023-07 |
|
| ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP3-FIPS-2023-07 |
|
| ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07 |
|
Policies by cipher
The following table describes the RFC 9151 security policies that support each cipher.
| Cipher name | Security policies | Cipher suite |
|---|---|---|
|
OpenSSL – TLS_AES_256_GCM_SHA384 IANA – TLS_AES_256_GCM_SHA384 |
|
1302 |
|
OpenSSL – TLS_AES_128_GCM_SHA256 IANA – TLS_AES_128_GCM_SHA256 |
|
1301 |
|
OpenSSL – ECDHE-ECDSA-AES256-GCM-SHA384 IANA – TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
|
c02c |
|
OpenSSL – ECDHE-RSA-AES256-GCM-SHA384 IANA – TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
|
c030 |
|
OpenSSL – AES256-GCM-SHA384 IANA – TLS_RSA_WITH_AES_256_GCM_SHA384 |
|
9d |
|
OpenSSL – ECDHE-ECDSA-AES128-GCM-SHA256 IANA – TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
|
c02b |
|
OpenSSL – ECDHE-RSA-AES128-GCM-SHA256 IANA – TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
|
c02f |
|
OpenSSL – ECDHE-ECDSA-AES256-SHA384 IANA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
|
c024 |
|
OpenSSL – ECDHE-RSA-AES256-SHA384 IANA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
|
c028 |
|
OpenSSL – ECDHE-ECDSA-AES128-SHA256 IANA – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
|
c023 |
|
OpenSSL – ECDHE-RSA-AES128-SHA256 IANA – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
|
c027 |
|
OpenSSL – ECDHE-ECDSA-AES256-SHA IANA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
|
c00a |
|
OpenSSL – ECDHE-RSA-AES256-SHA IANA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
|
c014 |
|
OpenSSL – ECDHE-ECDSA-AES128-SHA IANA – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
|
c009 |
|
OpenSSL – ECDHE-RSA-AES128-SHA IANA – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
|
c013 |
|
OpenSSL – AES256-SHA256 IANA – TLS_RSA_WITH_AES_256_CBC_SHA256 |
|
3d |
|
OpenSSL – AES256-SHA IANA – TLS_RSA_WITH_AES_256_CBC_SHA |
|
35 |
|
OpenSSL – AES128-GCM-SHA256 IANA – TLS_RSA_WITH_AES_128_GCM_SHA256 |
|
9c |
|
OpenSSL – AES128-SHA256 IANA – TLS_RSA_WITH_AES_128_CBC_SHA256 |
|
3c |
|
OpenSSL – AES128-SHA IANA – TLS_RSA_WITH_AES_128_CBC_SHA |
|
2f |
FS supported security policies
FS (Forward Secrecy) supported security policies provide additional safeguards against the eavesdropping of encrypted data, through the use of a unique random session key. This prevents the decoding of captured data, even if the secret long-term key is compromised.
The policies in this section support FS, and "FS" is included in their names. However, these are not the only policies that support FS. Policies that support only TLS 1.3 support FS. Policies that support TLS 1.3 and TLS 1.2 that have only ciphers of the form TLS_* and ECDHE_* also provide FS.
Protocols by policy
The following table describes the protocols that each FS supported security policy supports.
| Security policies | TLS 1.3 | TLS 1.2 | TLS 1.1 | TLS 1.0 |
|---|---|---|---|---|
| ELBSecurityPolicy-FS-1-2-Res-2020-10 | ||||
| ELBSecurityPolicy-FS-1-2-Res-2019-08 | ||||
| ELBSecurityPolicy-FS-1-2-2019-08 | ||||
| ELBSecurityPolicy-FS-1-1-2019-08 | ||||
| ELBSecurityPolicy-FS-2018-06 |
Ciphers by policy
The following table describes the ciphers that each FS supported security policy supports.
| Security policy | Ciphers |
|---|---|
| ELBSecurityPolicy-FS-1-2-Res-2020-10 |
|
| ELBSecurityPolicy-FS-1-2-Res-2019-08 |
|
| ELBSecurityPolicy-FS-1-2-2019-08 |
|
| ELBSecurityPolicy-FS-1-1-2019-08 |
|
| ELBSecurityPolicy-FS-2018-06 |
|
Policies by cipher
The following table describes the FS supported security policies that support each cipher.
| Cipher name | Security policies | Cipher suite |
|---|---|---|
|
OpenSSL – ECDHE-ECDSA-AES128-GCM-SHA256 IANA – TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
|
c02b |
|
OpenSSL – ECDHE-RSA-AES128-GCM-SHA256 IANA – TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
|
c02f |
|
OpenSSL – ECDHE-ECDSA-AES128-SHA256 IANA – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
|
c023 |
|
OpenSSL – ECDHE-RSA-AES128-SHA256 IANA – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
|
c027 |
|
OpenSSL – ECDHE-ECDSA-AES128-SHA IANA – TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
|
c009 |
|
OpenSSL – ECDHE-RSA-AES128-SHA IANA – TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
|
c013 |
|
OpenSSL – ECDHE-ECDSA-AES256-GCM-SHA384 IANA – TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
|
c02c |
|
OpenSSL – ECDHE-RSA-AES256-GCM-SHA384 IANA – TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
|
c030 |
|
OpenSSL – ECDHE-ECDSA-AES256-SHA384 IANA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
|
c024 |
|
OpenSSL – ECDHE-RSA-AES256-SHA384 IANA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
|
c028 |
|
OpenSSL – ECDHE-ECDSA-AES256-SHA IANA – TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
|
c00a |
|
OpenSSL – ECDHE-RSA-AES256-SHA IANA – TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
|
c014 |