Posted On: Sep 3, 2020

Amazon CloudFront now supports TLSv1.3 for improved performance and security. Amazon CloudFront is a global content delivery network (CDN) that enables you to securely distribute content to viewers with low latency and high availability. Amazon CloudFront supports HTTPS using Transport Layer Security (TLS) to encrypt and secure communication between your viewer clients and CloudFront. TLSv1.3 is the latest version of TLS.

Better Performance

TLSv1.3 provides better performance with a simpler handshake process that requires fewer roundtrips. TLSv1.3 requires one round-trip (1-RTT) compared to TLSv1.2 that requires two round trips (2-RTT) to negotiate a new secure connection which translates into real-world performance improvements with lower first byte latency. In our own internal tests in the US region as an example, first byte latency for new negotiated connections saw reductions of up to 33% for TLSv1.3 compared to previous versions of TLS.

Security Improvements

TLSv1.3 removes legacy features and older cipher suites that are present in previous versions of TLS. TLSv1.3 also supports only PFS (perfect forward secrecy) cipher suites that generate a one-time key used only for the current network session. 

TLSv1.3 is available today and enabled by default across all Amazon CloudFront security policies options. No additional changes are required to your CloudFront configuration to benefit from the security and performance improvements of TLSv1.3 for your viewer connections. While most modern web browsers already support TLSv1.3, clients that do not will automatically negotiate to the client’s highest supported TLS version (TLS 1.2, 1.1, or 1). You may select a minimum supported security policy when using a custom SSL certificate.

To learn more about supported protocols and ciphers between viewers and CloudFront, see the CloudFront Developer Guide. To learn more about Amazon CloudFront, visit our product page.