Hi HyperX Pro,
I have used CloudFront with origins configured with TLS v1.3. Did you have any issues when you tried it? Feel free to share more details so we can help you out!
I'm also affected by this when configuring an origin that is an Application Load Balancer using the "ELBSecurityPolicy-TLS13-1-3-2021-06" SSL policy in the listener (which only supports TLSv1.3). In the ALB conn logs I see these messages:
2023-12-05T11:11:34.357695Z 15.158.31.228 32158 443 TLSv1.2 - - "-" - - Failed:UnmappedConnectionError
In CloudFront logs I see this message:
2023-12-05 13:06:32 MAD56-P3 1304 207.188.*.* GET **redacted**.cloudfront.net /testcf 502 - curl/8.4.0 - - Error ****redactedrequestid****** ***redacted-origin-hostname*** https 95 0.076 - TLSv1.3 TLS_AES_128_GCM_SHA256 Error HTTP/1.1 - - 62423 0.076 OriginConnectError text/html 951 - -
When switching to an SSL policy that supports TLS v1.2, CloudFront origin requests start working, but I need to restrict ALBs to TLS 1.3 only.
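An added example, not code from the thread or from AWS, that parses the two log lines quoted above (ALB connection log and CloudFront standard log, field order as in the AWS log field documentation) and correlates the two symptoms: CloudFront reporting OriginConnectError while the ALB sees TLSv1.2 handshakes failing. The sample lines are constructed from this thread with the redacted placeholders kept.

```python
from collections import Counter

# ALB connection log: 11 space-separated fields, in AWS field order.
ALB_CONN_FIELDS = [
    "timestamp", "client_ip", "client_port", "listener_port", "tls_protocol",
    "tls_cipher", "tls_handshake_latency", "leaf_client_cert_subject",
    "leaf_client_cert_validity", "leaf_client_cert_serial_number",
    "tls_verify_status",
]
# CloudFront standard log: 33 fields; 0-based positions of the ones used here.
# Caveat: ssl-protocol is the viewer-to-CloudFront leg, not CloudFront-to-origin,
# so "TLSv1.3" in that column says nothing about the origin handshake.
CF_FIELDS = {"sc-status": 8, "x-edge-result-type": 13, "x-host-header": 15,
             "ssl-protocol": 20, "x-edge-detailed-result-type": 28}
CF_FIELD_COUNT = 33

def parse_alb_conn(line):
    parts = line.split()
    if len(parts) != len(ALB_CONN_FIELDS):
        raise ValueError(f"expected {len(ALB_CONN_FIELDS)} fields, got {len(parts)}")
    return dict(zip(ALB_CONN_FIELDS, parts))

def parse_cf_standard(line):
    parts = line.split()
    if len(parts) != CF_FIELD_COUNT:
        raise ValueError(f"expected {CF_FIELD_COUNT} fields, got {len(parts)}")
    return {name: parts[i] for name, i in CF_FIELDS.items()}

def diagnose(cf_lines, alb_lines):
    """CloudFront offers at most TLS 1.2 to the origin, so a TLS 1.3-only
    listener policy rejects every origin connection: CloudFront logs
    OriginConnectError and the ALB logs failed TLSv1.2 handshakes."""
    cf_errors = [r for r in map(parse_cf_standard, cf_lines)
                 if r["x-edge-detailed-result-type"] == "OriginConnectError"]
    alb_failed = [r for r in map(parse_alb_conn, alb_lines)
                  if r["tls_verify_status"].startswith("Failed:")]
    by_proto = Counter(r["tls_protocol"] for r in alb_failed)
    return {
        "cloudfront_origin_connect_errors": len(cf_errors),
        "alb_failed_handshakes_by_protocol": dict(by_proto),
        "origin_hosts": sorted({r["x-host-header"] for r in cf_errors}),
        # Failures only on TLSv1.2 alongside origin connect errors point at the policy.
        "likely_tls13_only_origin_policy": bool(cf_errors) and set(by_proto) == {"TLSv1.2"},
    }

# Constructed sample lines (copied from the thread, redactions kept as placeholders).
SAMPLE_ALB = ['2023-12-05T11:11:34.357695Z 15.158.31.228 32158 443 TLSv1.2 - - "-" - - Failed:UnmappedConnectionError']
SAMPLE_CF = ['2023-12-05 13:06:32 MAD56-P3 1304 207.188.*.* GET **redacted**.cloudfront.net /testcf 502 - curl/8.4.0 - - Error ****redactedrequestid****** ***redacted-origin-hostname*** https 95 0.076 - TLSv1.3 TLS_AES_128_GCM_SHA256 Error HTTP/1.1 - - 62423 0.076 OriginConnectError text/html 951 - -']

if __name__ == "__main__":
    print(diagnose(SAMPLE_CF, SAMPLE_ALB))
```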
When using the Python CDK library, the OriginSslPolicy enum is limited to the following options:
- SSL_V3
- TLS_V1
- TLS_V1_1
- TLS_V1_2
And when creating an HttpOrigin instance, if the origin_ssl_protocols parameter is left unspecified, it defaults to TLS_V1_2, and I have confirmed from my server logs that this is the protocol that CloudFront is using to communicate with my server.
This limitation is also mentioned here: Amazon CloudFront > API Reference > OriginSslProtocols
Ivan Caso, are you sure that the CloudFront to origin communication is using TLS v1.3? Because that currently doesn't seem to be supported.
Adding support for TLS v1.3 for CloudFront to origin communication seems important since TLS v1.3 offers performance benefits over TLS v1.2.
We have a DoH Resolver running on Knot Resolver. It only supports TLS v1.3 for HTTP requests. When CloudFront connects via TLS v1.2, Knot shuts down the connection.
Here is the CloudFront error:
Reference to Knot TLS Requirements: https://knot-resolver.readthedocs.io/en/stable/daemon-bindings-net_tlssrv.html#dns-over-https-doh