[Feature] CloudFront Origin TLS v1.3


Right now, CloudFront only supports TLS v1.3 for CDN viewers but not for the origin. It'd be useful if CloudFront supported TLS v1.3 for origins also.

Is there an ETA for this feature?

3 Answers

Hi HyperX Pro,

I have used CloudFront with origins configured with TLS v1.3. Did you have any issues when you tried it? Feel free to share more details so we can help you out!

answered a year ago
  • We have a DoH Resolver running on Knot Resolver. It only supports TLS v1.3 for HTTP requests. When CloudFront connects via TLS v1.2, Knot shuts down the connection.

    Here is the CloudFront error:

    502 ERROR
    The request could not be satisfied.
    The origin closed the connection. We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
    If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.
    Generated by cloudfront (CloudFront)

    Reference to Knot TLS Requirements: https://knot-resolver.readthedocs.io/en/stable/daemon-bindings-net_tlssrv.html#dns-over-https-doh


I'm also affected by this when configuring an origin that is an Application Load Balancer using the "ELBSecurityPolicy-TLS13-1-3-2021-06" SSL policy in the listener (which only supports TLS v1.3). In the ALB connection logs I see these messages:

2023-12-05T11:11:34.357695Z 32158 443 TLSv1.2 - - "-" - - Failed:UnmappedConnectionError

In CloudFront logs I see this message:

2023-12-05 13:06:32        MAD56-P3        1304    207.188.*.*  GET     **redacted**.cloudfront.net   /testcf 502     -       curl/8.4.0      -       -       Error       ****redactedrequestid******        ***redacted-origin-hostname***     https   95      0.076   -       TLSv1.3 TLS_AES_128_GCM_SHA256  Error   HTTP/1.1        -       -  62423    0.076   OriginConnectError      text/html       951     -       -

When switching to an SSL policy that supports TLS v1.2, CloudFront origin requests start working, but I need to restrict ALBs to TLS 1.3 only.

answered 7 months ago

When using the Python CDK library, the OriginSslPolicy enum is limited to the following options:

  • SSL_V3
  • TLS_V1
  • TLS_V1_1
  • TLS_V1_2

And when creating an HttpOrigin instance, if the origin_ssl_protocols parameter is left unspecified, it defaults to TLS_V1_2, and I have confirmed from my server logs that this is the protocol CloudFront is using to communicate with my server.

This limitation is also mentioned here: Amazon CloudFront > API Reference > OriginSslProtocols

Ivan Caso, are you sure that the CloudFront to origin communication is using TLS v1.3? Because that currently doesn't seem to be supported.

Adding support for TLS v1.3 for CloudFront to origin communication seems important since TLS v1.3 offers performance benefits over TLS v1.2.

answered 7 months ago
