# Supported protocols and ciphers between CloudFront and the origin If you choose to [require HTTPS between CloudFront and your origin](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginProtocolPolicy), you can decide [which SSL/TLS protocol to allow](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginSSLProtocols) for the secure connection, and CloudFront can connect to the origin using any of the ECDSA or RSA ciphers listed in the following table. Your origin must support at least one of these ciphers for CloudFront to establish an HTTPS connection to your origin. OpenSSL and [s2n](https://github.com/awslabs/s2n) use different names for ciphers than the TLS standards use ([RFC 2246](https://tools.ietf.org/html/rfc2246), [RFC 4346](https://tools.ietf.org/html/rfc4346), [RFC 5246](https://tools.ietf.org/html/rfc5246), and [RFC 8446](https://tools.ietf.org/html/rfc8446)). The following table includes the OpenSSL and s2n name, and the RFC name, for each cipher. For ciphers with elliptic curve key exchange algorithms, CloudFront supports the following elliptic curves: + prime256v1 + secp384r1 + X25519 | OpenSSL and s2n cipher name | RFC cipher name | | --- | --- | | Supported ECDSA ciphers | | ECDHE-ECDSA-AES256-GCM-SHA384 | TLS\$1ECDHE\$1ECDSA\$1WITH\$1AES\$1256\$1GCM\$1SHA384 | | ECDHE-ECDSA-AES256-SHA384 | TLS\$1ECDHE\$1ECDSA\$1WITH\$1AES\$1256\$1CBC\$1SHA384 | | ECDHE-ECDSA-AES256-SHA | TLS\$1ECDHE\$1ECDSA\$1WITH\$1AES\$1256\$1CBC\$1SHA | | ECDHE-ECDSA-AES128-GCM-SHA256 | TLS\$1ECDHE\$1ECDSA\$1WITH\$1AES\$1128\$1GCM\$1SHA256 | | ECDHE-ECDSA-AES128-SHA256 | TLS\$1ECDHE\$1ECDSA\$1WITH\$1AES\$1128\$1CBC\$1SHA256 | | ECDHE-ECDSA-AES128-SHA | TLS\$1ECDHE\$1ECDSA\$1WITH\$1AES\$1128\$1CBC\$1SHA | | Supported RSA ciphers | | ECDHE-RSA-AES256-GCM-SHA384 | TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1256\$1GCM\$1SHA384 | | ECDHE-RSA-AES256-SHA384 | TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1256\$1CBC\$1SHA384 | | ECDHE-RSA-AES256-SHA | TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1256\$1CBC\$1SHA | | ECDHE-RSA-AES128-GCM-SHA256 | TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1128\$1GCM\$1SHA256 | | ECDHE-RSA-AES128-SHA256 | TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1128\$1CBC\$1SHA256 | | ECDHE-RSA-AES128-SHA | TLS\$1ECDHE\$1RSA\$1WITH\$1AES\$1128\$1CBC\$1SHA | | AES256-SHA | TLS\$1RSA\$1WITH\$1AES\$1256\$1CBC\$1SHA | | AES128-SHA | TLS\$1RSA\$1WITH\$1AES\$1128\$1CBC\$1SHA | | DES-CBC3-SHA | TLS\$1RSA\$1WITH\$13DES\$1EDE\$1CBC\$1SHA | | RC4-MD5 | TLS\$1RSA\$1WITH\$1RC4\$1128\$1MD5 | **Supported signature schemes between CloudFront and the origin** CloudFront supports the following signature schemes for connections between CloudFront and the origin. + TLS\$1SIGNATURE\$1SCHEME\$1RSA\$1PKCS1\$1SHA256 + TLS\$1SIGNATURE\$1SCHEME\$1RSA\$1PKCS1\$1SHA384 + TLS\$1SIGNATURE\$1SCHEME\$1RSA\$1PKCS1\$1SHA512 + TLS\$1SIGNATURE\$1SCHEME\$1RSA\$1PKCS1\$1SHA224 + TLS\$1SIGNATURE\$1SCHEME\$1ECDSA\$1SHA256 + TLS\$1SIGNATURE\$1SCHEME\$1ECDSA\$1SHA384 + TLS\$1SIGNATURE\$1SCHEME\$1ECDSA\$1SHA512 + TLS\$1SIGNATURE\$1SCHEME\$1ECDSA\$1SHA224 + TLS\$1SIGNATURE\$1SCHEME\$1RSA\$1PKCS1\$1SHA1 + TLS\$1SIGNATURE\$1SCHEME\$1ECDSA\$1SHA1