View a markdown version of this page

Politiche di sicurezza per il tuo Application Load Balancer - Elastic Load Balancing
Esempi di comandi describe-ssl-policiesPolicy di sicurezza TLSPolitiche di sicurezza FIPSPolitiche di sicurezza RFC 9151 (CNSA 1.0)Policy FS supportate

Le traduzioni sono generate tramite traduzione automatica. In caso di conflitto tra il contenuto di una traduzione e la versione originale in Inglese, quest'ultima prevarrà.

Politiche di sicurezza per il tuo Application Load Balancer

Elastic Load Balancing utilizza una configurazione di negoziazione Secure Socket Layer (SSL), nota come policy di sicurezza, per negoziare le connessioni SSL tra un client e il load balancer. Una policy di sicurezza è una combinazione di protocolli e codici. Il protocollo stabilisce una connessione sicura tra un client e un server e garantisce che tutti i dati trasmessi tra il client e il sistema di bilanciamento del carico siano privati. Un codice è un algoritmo di crittografia che utilizza chiavi di crittografia per creare un messaggio codificato. I protocolli utilizzano diversi codici per crittografare i dati su Internet. Durante il processo di negoziazione della connessione, il client e il sistema di bilanciamento del carico forniscono un elenco di crittografie e protocolli supportati, in ordine di preferenza. Per impostazione predefinita, la prima crittografia nell'elenco del server che corrisponde a una qualsiasi delle crittografie del client viene selezionata per la connessione sicura.

Considerazioni

  • Un listener HTTPS richiede una politica di sicurezza. Se non specifichi una politica di sicurezza quando crei il listener, utilizziamo la politica di sicurezza predefinita. La politica di sicurezza predefinita dipende da come è stato creato il listener HTTPS:

    • Console: la politica di sicurezza predefinita èELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09.

    • Altri metodi (ad esempio, la AWS CLI AWS CloudFormation, e la AWS CDK): la politica di sicurezza predefinita èELBSecurityPolicy-2016-08.

    • Per visualizzare la versione del protocollo TLS (posizione 5 del campo di registro) e lo scambio di chiavi (posizione del campo di registro 13) per le richieste di connessione al sistema di bilanciamento del carico, abilita la registrazione delle connessioni ed esamina le voci di registro corrispondenti. Per ulteriori informazioni, consulta Registri di connessione.

    • Le politiche di sicurezza con PQ nel nome offrono lo scambio di chiavi ibrido post-quantistico. Per motivi di compatibilità, supportano algoritmi di scambio di chiavi classici e post-quantistici ML-KEM . I clienti devono supportare lo scambio di ML-KEM chiavi per utilizzare il TLS post-quantistico ibrido per lo scambio di chiavi. Le politiche post-quantistiche ibride supportano gli algoritmi SECP256R1MLKem768, SECP384R1MLKEM1024 e X25519MLKEM768. Per ulteriori informazioni Post-quantum , vedere Crittografia.

    • AWS consiglia di implementare la nuova policy di sicurezza basata su TLS (PQ-TLS) post-quantum o. ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09 ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09 Questa politica garantisce la compatibilità con le versioni precedenti supportando i clienti in grado di negoziare solo in modalità ibrida PQ-TLS, solo TLS 1.3 o solo TLS 1.2, riducendo così al minimo le interruzioni del servizio durante la transizione alla crittografia post-quantistica. È possibile migrare progressivamente verso politiche di sicurezza più restrittive man mano che le applicazioni client sviluppano la capacità di negoziare per le principali operazioni di scambio. PQ-TLS

    • Le politiche di sicurezza con RFC 9151 nel nome aiutano a rispettare la RFC 9151, che definisce i requisiti TLS per la suite Commercial National Security Algorithm (CNSA) 1.0, come specificato dalla National Security Agency (NSA) degli Stati Uniti. Per facilitare la transizione, sono disponibili in due categorie: politiche rigorose che applicano i requisiti RFC 9151 completi e politiche di interoperabilità (contenenti «INTEROP» nel nome) che supportano sia cifrari conformi a RFC 9151 che non RFC 9151 per favorire una transizione graduale. AWS consiglia di iniziare per ridurre al minimo le interruzioni, per poi passare gradualmente a politiche più rigorose man mano che i clienti supportano la RFC 9151. ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07 È possibile utilizzare i tls_keyexchange campi tls_protocoltls_cipher, e nei registri di connessione ALB per monitorare le connessioni dei client. Per ulteriori informazioni su RFC 9151, vedere RFC 9151 sul sito Web IETF.

  • Per soddisfare gli standard di conformità e sicurezza che richiedono la disabilitazione di determinate versioni del protocollo TLS o per supportare client legacy che richiedono cifrari obsoleti, puoi utilizzare una delle politiche di sicurezza. ELBSecurityPolicy-TLS- Per visualizzare la versione del protocollo TLS per le richieste all'Application Load Balancer, abilita la registrazione degli accessi per il tuo load balancer ed esamina le voci del registro di accesso corrispondenti. Per ulteriori informazioni, consulta Log di accesso.

  • Puoi limitare le policy di sicurezza disponibili per gli utenti in tutto il tuo Account AWS e AWS Organizations utilizzando le chiavi di condizione Elastic Load Balancing rispettivamente nelle tue policy IAM e service control (SCP). Per ulteriori informazioni, consulta Policy di controllo dei servizi nella Guida per l'utente di AWS Organizations .

  • Le politiche che supportano solo TLS 1.3 supportano Forward Secrecy (FS). Le politiche che supportano TLS 1.3 e TLS 1.2 che hanno solo cifrari del formato TLS_* ed ECDHE_* forniscono anche FS.

  • Gli Application Load Balancer supportano la ripresa del TLS utilizzando PSK (TLS 1.3) e ticket di sessione (TLS 1.2 e versioni precedenti). IDs/session Le riprese sono supportate solo nelle connessioni allo stesso indirizzo IP di Application Load Balancer. La funzionalità 0-RTT Data e l'estensione early_data non sono implementate.

  • Gli Application Load Balancer non supportano policy di sicurezza personalizzate.

  • Gli Application Load Balancer supportano la rinegoziazione SSL solo per le connessioni di destinazione.

Connessioni di backend

  • È possibile scegliere la politica di sicurezza utilizzata per le connessioni front-end, ma non per le connessioni backend. La politica di sicurezza per le connessioni di backend dipende dalla politica di sicurezza del listener. Se qualcuno dei tuoi ascoltatori utilizza:

    • Politica RFC 9151 (inclusa qualsiasi politica di interoperabilità) - Utilizzo delle connessioni di backend ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07

    • Politica TLS post-quantistica FIPS: utilizzo delle connessioni di backend ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09

    • Politica FIPS: utilizzo delle connessioni di backend ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

    • Post-quantum Politica TLS: utilizzo delle connessioni di backend ELBSecurityPolicy-TLS13-1-0-PQ-2025-09

    • Politica TLS 1.3 - Utilizzo delle connessioni di backend ELBSecurityPolicy-TLS13-1-0-2021-06

    • Altra politica TLS: utilizzo delle connessioni di backend ELBSecurityPolicy-2016-08

Esempi di comandi describe-ssl-policies

È possibile descrivere i protocolli e i codici di una politica di sicurezza o trovare una politica che soddisfi le proprie esigenze utilizzando il comando describe-ssl-policies. AWS CLI

L'esempio seguente descrive la politica specificata.

aws elbv2 describe-ssl-policies \
    --names "ELBSecurityPolicy-TLS13-1-2-Res-2021-06"

L'esempio seguente elenca le politiche con la stringa specificata nel nome della politica.

aws elbv2 describe-ssl-policies \
    --query "SslPolicies[?contains(Name,'FIPS')].Name"

L'esempio seguente elenca le politiche che supportano il protocollo specificato.

aws elbv2 describe-ssl-policies \
    --query "SslPolicies[?contains(SslProtocols,'TLSv1.3')].Name"

L'esempio seguente elenca le politiche che supportano il codice specificato.

aws elbv2 describe-ssl-policies \
    --query "SslPolicies[?Ciphers[?contains(Name,'TLS_AES_128_GCM_SHA256')]].Name"

L'esempio seguente elenca le politiche che non supportano il codice specificato.

aws elbv2 describe-ssl-policies \
    --query 'SslPolicies[?length(Ciphers[?starts_with(Name,`AES128-GCM-SHA256`)]) == `0`].Name'

Policy di sicurezza TLS

È possibile utilizzare le politiche di sicurezza TLS per soddisfare gli standard di conformità e sicurezza che richiedono la disabilitazione di determinate versioni del protocollo TLS o per supportare client legacy che richiedono cifrari obsoleti.

Le politiche che supportano solo TLS 1.3 supportano Forward Secrecy (FS). Le politiche che supportano TLS 1.3 e TLS 1.2 che hanno solo cifrari del formato TLS_* ed ECDHE_* forniscono anche FS.

Protocolli per politica

La tabella seguente descrive i protocolli supportati da ogni policy di sicurezza TLS.

Policy di sicurezza TLS 1.3 TLS 1.2 TLS 1.1 TLS 1.0
ELBSecurityPolicy-TLS13-1-3-2021-06 No No No
ELBSecurityPolicy-TLS13-1-3-PQ-2025-09 No No No
ELBSecurityPolicy-TLS13-1-2-2021-06 No No
ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 No No
ELBSecurityPolicy-TLS13-1-2-Res-2021-06 No No
ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09 No No
ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06 No No
ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09 No No
ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06 No No
ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09 No No
ELBSecurityPolicy-TLS13-1-1-2021-06 No
ELBSecurityPolicy-TLS13-1-0-2021-06
ELBSecurityPolicy-TLS13-1-0-PQ-2025-09
ELBSecurityPolicy-TLS-1-2-Ext-2018-06 No No No
ELBSecurityPolicy-TLS-1-2-2017-01 No No No
ELBSecurityPolicy-TLS-1-1-2017-01 No No
ELBSecurityPolicy-2016-08 No

Cifre per policy

La tabella seguente descrive i codici supportati da ogni politica di sicurezza TLS.

Policy di sicurezza Crittografie

ELBSecurityPolicy-TLS13-1-3-2021-06

ELBSecurityPolicy-TLS13-1-3-PQ-2025-09

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

ELBSecurityPolicy-TLS13-1-2-2021-06

ELBSecurityPolicy-TLS13-1-2-PQ-2025-09

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

ELBSecurityPolicy-TLS13-1-2-Res-2021-06

ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES256-GCM-SHA384

  • AES256-SHA256
ELBSecurityPolicy-TLS13-1-1-2021-06

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

ELBSecurityPolicy-TLS13-1-0-2021-06

ELBSecurityPolicy-TLS13-1-0-PQ-2025-09

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA
ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA
ELBSecurityPolicy-TLS-1-2-2017-01

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES256-GCM-SHA384

  • AES256-SHA256
ELBSecurityPolicy-TLS-1-1-2017-01

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA
ELBSecurityPolicy-2016-08

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

Politiche per cifra

La tabella seguente descrive le politiche di sicurezza TLS che supportano ogni cifrario.

Nome del cifrario Policy di sicurezza Suite di cifratura

OpenSSL — TLS_AES_128_GCM_SHA256

IANA — TLS_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS13-1-3-2021-06

  • ELBSecurityPolicy-TLS13-1-3-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Res-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS13-1-0-PQ-2025-09

1301

OpenSSL — TLS_AES_256_GCM_SHA384

IANA — TLS_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS13-1-3-2021-06

  • ELBSecurityPolicy-TLS13-1-3-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Res-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS13-1-0-PQ-2025-09

1302

OpenSSL — TLS_CHACHA20_POLY1305_SHA256

IANA — TLS_CHACHA20_POLY1305_SHA256

  • ELBSecurityPolicy-TLS13-1-3-2021-06

  • ELBSecurityPolicy-TLS13-1-3-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Res-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS13-1-0-PQ-2025-09

1303

OpenSSL — ECDHE-ECDSA-AES128-GCM-SHA256

IANA — TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Res-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS13-1-0-PQ-2025-09

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c02b

OpenSSL — ECDHE-RSA-AES128-GCM-SHA256

IANA — TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Res-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS13-1-0-PQ-2025-09

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c02f

OpenSSL — ECDHE-ECDSA-AES128-SHA256

IANA — TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS13-1-0-PQ-2025-09

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c023

OpenSSL — ECDHE-RSA-AES128-SHA256

IANA — TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS13-1-0-PQ-2025-09

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c027

OpenSSL — ECDHE-ECDSA-AES128-SHA

IANA — TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS13-1-0-PQ-2025-09

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c009

OpenSSL — ECDHE-RSA-AES128-SHA

IANA — TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS13-1-0-PQ-2025-09

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c013

OpenSSL — ECDHE-ECDSA-AES256-GCM-SHA384

IANA — TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Res-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS13-1-0-PQ-2025-09

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c02c

OpenSSL — ECDHE-RSA-AES256-GCM-SHA384

IANA — TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Res-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS13-1-0-PQ-2025-09

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c030

OpenSSL — ECDHE-ECDSA-AES256-SHA384

IANA — TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS13-1-0-PQ-2025-09

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c024

OpenSSL — ECDHE-RSA-AES256-SHA384

IANA — TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • ELBSecurityPolicy-TLS13-1-2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS13-1-0-PQ-2025-09

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c028

OpenSSL — ECDHE-ECDSA-AES256-SHA

IANA — TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS13-1-0-PQ-2025-09

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c00a

OpenSSL — ECDHE-RSA-AES256-SHA

IANA — TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS13-1-0-PQ-2025-09

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

c014

OpenSSL — AES128-GCM-SHA256

IANA — TLS_RSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS13-1-0-PQ-2025-09

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

9 cm

OpenSSL — AES128-SHA256

IANA — TLS_RSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS13-1-0-PQ-2025-09

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

3c

OpenSSL — AES128-SHA

IANA — TLS_RSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS13-1-0-PQ-2025-09

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

2f

OpenSSL — AES256-GCM-SHA384

IANA — TLS_RSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS13-1-0-PQ-2025-09

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

9d

OpenSSL — AES256-SHA256

IANA — TLS_RSA_WITH_AES_256_CBC_SHA256

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS13-1-0-PQ-2025-09

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-2-2017-01

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

3d

OpenSSL — AES256-SHA

IANA — TLS_RSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-2021-06

  • ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-2021-06

  • ELBSecurityPolicy-TLS13-1-0-2021-06

  • ELBSecurityPolicy-TLS13-1-0-PQ-2025-09

  • ELBSecurityPolicy-TLS-1-2-Ext-2018-06

  • ELBSecurityPolicy-TLS-1-1-2017-01

  • ELBSecurityPolicy-2016-08

35

Politiche di sicurezza FIPS

Il Federal Information Processing Standard (FIPS) è uno standard governativo statunitense e canadese che specifica i requisiti di sicurezza per i moduli crittografici che proteggono le informazioni sensibili. Per ulteriori informazioni, consulta Federal Information Processing Standard (FIPS) 140 nella pagina AWS Cloud Security Compliance.

Tutte le policy FIPS utilizzano il modulo crittografico convalidato AWS-LC FIPS. Per saperne di più, consultate la pagina del modulo di AWS-LC crittografia sul sito del NIST Cryptographic Module Validation Program.

Importante

Le politiche ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04 e ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04 sono fornite solo per la compatibilità con le versioni precedenti. Sebbene utilizzino la crittografia FIPS utilizzando il modulo FIPS140, potrebbero non essere conformi alle ultime linee guida NIST per la configurazione TLS.

Protocolli per politica

La tabella seguente descrive i protocolli supportati da ogni politica di sicurezza FIPS.

Policy di sicurezza TLS 1.3 TLS 1.2 TLS 1.1 TLS 1.0
ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04 No No No
ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09 No No No
ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04 No No
ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09 No No
ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04 No No
ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09 No No
ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04 No No
ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09 No No
ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04 No No
ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09 No No
ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04 No No
ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09 No No
ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04 No
ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04
ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09

Cifre per policy

La tabella seguente descrive i codici supportati da ogni politica di sicurezza FIPS.

Policy di sicurezza Crittografie

ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04

ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04

ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES256-GCM-SHA384

  • AES256-SHA256

ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-AES256-SHA
ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

Politiche per cifra

La tabella seguente descrive le politiche di sicurezza FIPS che supportano ogni cifrario.

Nome del cifrario Policy di sicurezza Suite di cifratura

OpenSSL — TLS_AES_128_GCM_SHA256

IANA — TLS_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09

1301

OpenSSL — TLS_AES_256_GCM_SHA384

IANA — TLS_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS13-1-3-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09

1302

OpenSSL — ECDHE-ECDSA-AES128-GCM-SHA256

IANA — TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09

c02b

OpenSSL — ECDHE-RSA-AES128-GCM-SHA256

IANA — TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09

c02f

OpenSSL — ECDHE-ECDSA-AES128-SHA256

IANA — TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09

c023

OpenSSL — ECDHE-RSA-AES128-SHA256

IANA — TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09

c027

OpenSSL — ECDHE-ECDSA-AES128-SHA

IANA — TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09

c009

OpenSSL — ECDHE-RSA-AES128-SHA

IANA — TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09

c013

OpenSSL — ECDHE-ECDSA-AES256-GCM-SHA384

IANA — TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09

c02c

OpenSSL — ECDHE-RSA-AES256-GCM-SHA384

IANA — TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09

c030

OpenSSL — ECDHE-ECDSA-AES256-SHA384

IANA — TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09

c024

OpenSSL — ECDHE-RSA-AES256-SHA384

IANA — TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09

c028

OpenSSL — ECDHE-ECDSA-AES256-SHA

IANA — TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09

c00a

OpenSSL — ECDHE-RSA-AES256-SHA

IANA — TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09

c014

OpenSSL — AES128-GCM-SHA256

IANA — TLS_RSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09

9 cm

OpenSSL — AES128-SHA256

IANA — TLS_RSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09

3c

OpenSSL — AES128-SHA

IANA — TLS_RSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09

2f

OpenSSL — AES256-GCM-SHA384

IANA — TLS_RSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09

9d

OpenSSL — AES256-SHA256

IANA — TLS_RSA_WITH_AES_256_CBC_SHA256

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09

3d

OpenSSL — AES256-SHA

IANA — TLS_RSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09

  • ELBSecurityPolicy-TLS13-1-1-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04

  • ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09

35

Politiche di sicurezza RFC 9151 (CNSA 1.0)

Application Load Balancer supporta politiche di sicurezza che aiutano a rispettare la RFC 9151, che definisce i requisiti TLS per la suite Commercial National Security Algorithm (CNSA) 1.0 come specificato dalla National Security Agency (NSA) degli Stati Uniti. RFC 9151 specifica come utilizzare la suite CNSA con i protocolli TLS 1.2 e TLS 1.3, definendo i requisiti crittografici per comunicazioni sicure che soddisfano gli standard di sicurezza governativi. Per ulteriori informazioni su RFC 9151, consulta RFC 9151.

Le politiche RFC 9151 sono disponibili in due categorie:

  • Politiche rigorose: applica rigorosi requisiti di crittografia e schema di firma RFC 9151. Utilizzali quando tutti i tuoi clienti possono supportare RFC 9151.

  • Politiche di interoperabilità: supportano codici e schemi di firma conformi a RFC 9151 e non RFC 9151 per facilitare una transizione graduale alla conformità RFC 9151. Utilizzali quando non sei sicuro che tutti i client siano in grado di supportare RFC 9151 o se desideri evitare di interrompere i client durante la transizione. Tutte le politiche di interoperabilità contengono «INTEROP» nel nome della politica.

AWS consiglia di iniziare con la politica di interoperabilitàELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07, che supporta i client in grado di negoziare algoritmi TLS 1.3, TLS 1.2 o RFC 9151 rigorosi, riducendo al minimo le interruzioni. Puoi passare gradualmente a politiche più rigorose man mano che i tuoi clienti possono negoziare la RFC 9151 rigorosa. È possibile utilizzare i tls_keyexchange campi tls_protocoltls_cipher, e nei registri di connessione ALB per monitorare il modo in cui i client si connettono.

Importante

Quando si seleziona una politica di sicurezza RFC 9151 per il listener, il load balancer la utilizza ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07 per le connessioni di backend a destinazioni e altri servizi. Tuttavia, il load balancer non può garantire o imporre la conformità alla RFC 9151 sulle connessioni in uscita, incluse le connessioni a destinazioni o servizi esterni configurati dal cliente (come provider di identità di terze parti o endpoint di autenticazione).

È tua responsabilità garantire quanto segue:

  • Le tue destinazioni e tutti i servizi esterni che configuri possono supportare i protocolli e le cifre della politica di connessione al backend.

  • Per una rigorosa conformità alla RFC 9151 tra il sistema di bilanciamento del carico e gli obiettivi, questi ultimi devono disporre di certificati e cifrari conformi alla RFC 9151.

  • Se le destinazioni di backend supportano solo TLS 1.0 o TLS 1.1, le connessioni falliranno. È necessario aggiornare i protocolli e i codici sui target per allinearli ai codici supportati dalla politica. ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07

Protocolli per politica

La tabella seguente descrive i protocolli supportati da ogni politica di sicurezza RFC 9151.

Policy di sicurezza TLS 1.3 TLS 1.2 TLS 1.1 TLS 1.0
ELBSecurityPolicy-TLS13-1-3-RFC9151-FIPS-2023-07 No No No
ELBSecurityPolicy-TLS13-1-2-RFC9151-FIPS-2023-07 No No
ELBSecurityPolicy-TLS13-1-2-Ext0-RFC9151-FIPS-2023-07 No No
ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP1-FIPS-2023-07 No No
ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP2-FIPS-2023-07 No No
ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP3-FIPS-2023-07 No No
ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07 No No

Cifre per policy

La tabella seguente descrive i codici supportati da ogni politica di sicurezza RFC 9151.

Policy di sicurezza Crittografie
ELBSecurityPolicy-TLS13-1-3-RFC9151-FIPS-2023-07

  • TLS_AES_256_GCM_SHA384
ELBSecurityPolicy-TLS13-1-2-RFC9151-FIPS-2023-07

  • TLS_AES_256_GCM_SHA384

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384
ELBSecurityPolicy-TLS13-1-2-Ext0-RFC9151-FIPS-2023-07

  • TLS_AES_256_GCM_SHA384

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • AES256-GCM-SHA384
ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP1-FIPS-2023-07

  • TLS_AES_256_GCM_SHA384

  • TLS_AES_128_GCM_SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256
ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP2-FIPS-2023-07

  • TLS_AES_256_GCM_SHA384

  • TLS_AES_128_GCM_SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256
ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP3-FIPS-2023-07

  • TLS_AES_256_GCM_SHA384

  • TLS_AES_128_GCM_SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA
ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07

  • TLS_AES_256_GCM_SHA384

  • TLS_AES_128_GCM_SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • AES256-GCM-SHA384

  • AES256-SHA256

  • AES256-SHA

  • AES128-GCM-SHA256

  • AES128-SHA256

  • AES128-SHA

Politiche per cifra

La tabella seguente descrive le politiche di sicurezza RFC 9151 che supportano ogni cifrario.

Nome del cifrario Policy di sicurezza Suite di cifratura

OpenSSL — TLS_AES_256_GCM_SHA384

IANA — TLS_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS13-1-3-RFC9151-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-Ext0-RFC9151-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP1-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP2-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP3-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07

1302

OpenSSL — TLS_AES_128_GCM_SHA256

IANA — TLS_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP1-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP2-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP3-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07

1301

OpenSSL — ECDHE-ECDSA-AES256-GCM-SHA384

IANA — TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-Ext0-RFC9151-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP1-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP2-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP3-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07

c02c

OpenSSL — ECDHE-RSA-AES256-GCM-SHA384

IANA — TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-Ext0-RFC9151-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP1-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP2-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP3-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07

c030

OpenSSL — AES256-GCM-SHA384

IANA — TLS_RSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-TLS13-1-2-Ext0-RFC9151-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07

9d

OpenSSL — ECDHE-ECDSA-AES128-GCM-SHA256

IANA — TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP1-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP2-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP3-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07

c02b

OpenSSL — ECDHE-RSA-AES128-GCM-SHA256

IANA — TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP1-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP2-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP3-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07

c02f

OpenSSL — ECDHE-ECDSA-AES256-SHA384

IANA — TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP2-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP3-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07

c024

OpenSSL — ECDHE-RSA-AES256-SHA384

IANA — TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP2-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP3-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07

c028

OpenSSL — ECDHE-ECDSA-AES128-SHA256

IANA — TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP2-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP3-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07

c023

OpenSSL — ECDHE-RSA-AES128-SHA256

IANA — TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP2-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP3-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07

c027

OpenSSL — ECDHE-ECDSA-AES256-SHA

IANA — TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP3-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07

c00a

OpenSSL — ECDHE-RSA-AES256-SHA

IANA — TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP3-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07

c014

OpenSSL — ECDHE-ECDSA-AES128-SHA

IANA — TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP3-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07

c009

OpenSSL — ECDHE-RSA-AES128-SHA

IANA — TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP3-FIPS-2023-07

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07

c013

OpenSSL — AES256-SHA256

IANA — TLS_RSA_WITH_AES_256_CBC_SHA256

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07

3d

OpenSSL — AES256-SHA

IANA — TLS_RSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07

35

OpenSSL — AES128-GCM-SHA256

IANA — TLS_RSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07

9 cm

OpenSSL — AES128-SHA256

IANA — TLS_RSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07

3c

OpenSSL — AES128-SHA

IANA — TLS_RSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-TLS13-1-2-RFC9151-INTEROP4-FIPS-2023-07

2f

Policy FS supportate

Le politiche di sicurezza supportate da FS (Forward Secrecy) forniscono ulteriori garanzie contro l'intercettazione di dati crittografati, attraverso l'uso di una chiave di sessione casuale unica. Ciò impedisce la decodifica dei dati acquisiti, anche se la chiave segreta a lungo termine è compromessa.

Le politiche in questa sezione supportano FS e «FS» è incluso nei loro nomi. Tuttavia, queste non sono le uniche politiche che supportano FS. Le politiche che supportano solo TLS 1.3 supportano FS. Le politiche che supportano TLS 1.3 e TLS 1.2 che hanno solo cifrari del formato TLS_* ed ECDHE_* forniscono anche FS.

Protocolli per politica

La tabella seguente descrive i protocolli supportati da ogni policy di sicurezza supportata da FS.

Policy di sicurezza TLS 1.3 TLS 1.2 TLS 1.1 TLS 1.0
ELBSecurityPolicy-FS-1-2-Res-2020-10 No No No
ELBSecurityPolicy-FS-1-2-Res-2019-08 No No No
ELBSecurityPolicy-FS-1-2-2019-08 No No No
ELBSecurityPolicy-FS-1-1-2019-08 No No
ELBSecurityPolicy-FS-2018-06 No

Cifre per policy

La tabella seguente descrive i codici supportati da ogni politica di sicurezza supportata da FS.

Policy di sicurezza Crittografie
ELBSecurityPolicy-FS-1-2-Res-2020-10

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384
ELBSecurityPolicy-FS-1-2-Res-2019-08

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384
ELBSecurityPolicy-FS-1-2-2019-08

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-AES256-SHA
ELBSecurityPolicy-FS-1-1-2019-08

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-AES256-SHA
ELBSecurityPolicy-FS-2018-06

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA

  • ECDHE-ECDSA-AES256-SHA

Politiche per cifra

La tabella seguente descrive le politiche di sicurezza supportate da FS che supportano ogni cifrario.

Nome del cifrario Policy di sicurezza Suite di cifratura

OpenSSL — ECDHE-ECDSA-AES128-GCM-SHA256

IANA — TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-FS-1-2-Res-2020-10

  • ELBSecurityPolicy-FS-1-2-Res-2019-08

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c02b

OpenSSL — ECDHE-RSA-AES128-GCM-SHA256

IANA — TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • ELBSecurityPolicy-FS-1-2-Res-2020-10

  • ELBSecurityPolicy-FS-1-2-Res-2019-08

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c02f

OpenSSL — ECDHE-ECDSA-AES128-SHA256

IANA — TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-FS-1-2-Res-2019-08

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c023

OpenSSL — ECDHE-RSA-AES128-SHA256

IANA — TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • ELBSecurityPolicy-FS-1-2-Res-2019-08

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c027

OpenSSL — ECDHE-ECDSA-AES128-SHA

IANA — TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c009

OpenSSL — ECDHE-RSA-AES128-SHA

IANA — TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c013

OpenSSL — ECDHE-ECDSA-AES256-GCM-SHA384

IANA — TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-FS-1-2-Res-2020-10

  • ELBSecurityPolicy-FS-1-2-Res-2019-08

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c02c

OpenSSL — ECDHE-RSA-AES256-GCM-SHA384

IANA — TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • ELBSecurityPolicy-FS-1-2-Res-2020-10

  • ELBSecurityPolicy-FS-1-2-Res-2019-08

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c030

OpenSSL — ECDHE-ECDSA-AES256-SHA384

IANA — TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

  • ELBSecurityPolicy-FS-1-2-Res-2019-08

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c024

OpenSSL — ECDHE-RSA-AES256-SHA384

IANA — TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • ELBSecurityPolicy-FS-1-2-Res-2019-08

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c028

OpenSSL — ECDHE-ECDSA-AES256-SHA

IANA — TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c00a

OpenSSL — ECDHE-RSA-AES256-SHA

IANA — TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

  • ELBSecurityPolicy-FS-1-2-2019-08

  • ELBSecurityPolicy-FS-1-1-2019-08

  • ELBSecurityPolicy-FS-2018-06

c014