By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

[Feature] CloudFront Origin TLS v1.3

2

Right now, CloudFront only supports TLS v1.3 for CDN viewers but not for Origin. I'd be useful if CloudFront supports Origins TLS v1.3 also.

Is there an ETA for this feature?

Topics
Networking & Content DeliveryInternet of Things (IoT)
Tags
Networking & Content DeliveryAmazon CloudFrontTransport Layer Security (TLS)
Language
English
HyperX Pro
asked 9 months ago718 views
3 Answers
0

Hi HyperX Pro,

I have used CloudFront with origins configured with TLS v1.3. Did you have any issues when you tried it? Feel free to share more details so we can help you out!

profile picture
EXPERT
Ivan Casco
answered 9 months ago
  • HyperX Pro
    9 months ago

    We have a DoH Resolver running on Knot Resolver. It only supports TLS v1.3 for HTTP requests. When CloudFront connects via TLS v1.2, Knot shuts down the connection.

    Here is the CloudFront error:

    502 ERROR
The request could not be satisfied.
The origin closed the connection. We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.
Generated by cloudfront (CloudFront)

    Reference to Knot TLS Requirements: https://knot-resolver.readthedocs.io/en/stable/daemon-bindings-net_tlssrv.html#dns-over-https-doh

0

I'm also affected by this when configuring an origin that is an Application Load Balancer using the "ELBSecurityPolicy-TLS13-1-3-2021-06" SSL policy in the listener (which only supports tlsv1.3). I the ALB conn logs I see these messages:

2023-12-05T11:11:34.357695Z 15.158.31.228 32158 443 TLSv1.2 - - "-" - - Failed:UnmappedConnectionError

In CloudFront logs I see this message:

2023-12-05 13:06:32        MAD56-P3        1304    207.188.*.*  GET     **redacted**.cloudfront.net   /testcf 502     -       curl/8.4.0      -       -       Error       ****redactedrequestid******        ***redacted-origin-hostname***     https   95      0.076   -       TLSv1.3 TLS_AES_128_GCM_SHA256  Error   HTTP/1.1        -       -  62423    0.076   OriginConnectError      text/html       951     -       -

When switching to a SSL policy that supports TLS v1.2 CloudFront origin requests start working, but I need to restrict ALBs to tls 1.3 only

Fer
answered 5 months ago
0

When using the Python CDK library, the OriginSslPolicy enum is limited to the following options:

  • SSL_V3
  • TLS_V1
  • TLS_V1_1
  • TLS_V1_2

And when creating an HttpOrigin instance, if the origin_ssl_protocols parameter is left unspecified, it defaults to TLS_V1_2, and I have confirmed from my server logs that this is the protocol that CloudFront is using to communicate with to my server.

This limitation is also mentioned here: Amazon CloudFront > API Reference > OriginSslProtocols

Ivan Caso, are you sure that the CloudFront to origin communication is using TLS v1.3? Because that currently doesn't seem to be supported.

Adding support for TLS v1.3 for CloudFront to origin communication seems important since TLS v1.3 offers performance benefits over TLS v1.2.

profile picture
Elliot Waite
answered 5 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content