Add cmake parameter to enforce tls version

aws · Aug 1, 2023 · dd4818a · dd4818a
1 parent d62e545
commit dd4818a
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 5 deletions.
diff --git a/.cspell.json b/.cspell.json
@@ -22,7 +22,7 @@
         "PythonInterp", "DWAVE", "Winmm", "DPULSE", "pulseaudio", "MSVC", "NOTFOUND", "libpulse", "COREAUDIO",
         "devel", "AUDIOTOOLBOX", "DCORE", "CONCAT", "DNON", "FULLPATCH", "setopt", "CURLOPT", "SSLCERT",
         "CROSSCOMPILING", "nullptr", "DWORD", "lpsz", "commoncrypto", "COMMONCRYPTO", "endforeach", "pkgconfig",
-        "MGMT", "DENABLED",
+        "MGMT", "DENABLED", "DENFORCE",
         // Compiler and linker
         "Wpedantic", "Wextra", "Werror", "xldscope", "Wtype", "Wunused", "RTTI", "ffunction", "fdata", "fsanitize",
         "pathconf", "unistd", "umask", "GNUCXX", "libasan", "SUNPRO", "gnustl", "libgnustl", "Wmissing",

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -64,6 +64,8 @@ if (LEGACY_BUILD)
     option(BUILD_BENCHMARKS "Enables building the benchmark executable" OFF)
     option(BUILD_OPTEL "Enables building the open telemetry implementation of tracing" OFF)
     option(AWS_SDK_WARNINGS_ARE_ERRORS "Compiler warning is treated as an error. Try turning this off when observing errors on a new or uncommon compiler" ON)
+    option(USE_TLS_V1_2 "Set http client to enforce TLS 1.2" ON)
+    option(USE_TLS_V1_3 "Set http client to enforce TLS 1.3" OFF)
 
     set(AWS_USER_AGENT_CUSTOMIZATION "" CACHE STRING "User agent extension")
     set(AWS_TEST_REGION "US_EAST_1" CACHE STRING "Region to target integration tests against")
@@ -78,6 +80,12 @@ if (LEGACY_BUILD)
     if (DISABLE_INTERNAL_IMDSV1_CALLS)
         add_definitions(-DDISABLE_IMDSV1)
     endif ()
+    if (USE_TLS_V2)
+        add_definitions(-DENFORCE_TLS_V1_2)
+    endif ()
+    if (USE_TLS_V3)
+        add_definitions(-DENFORCE_TLS_V1_3)
+    endif ()
 
     #From https://stackoverflow.com/questions/18968979/how-to-get-colorized-output-with-cmake
     if (NOT WIN32)

diff --git a/src/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp b/src/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp
@@ -674,7 +674,13 @@ std::shared_ptr<HttpResponse> CurlHttpClient::MakeRequest(const std::shared_ptr<
 
 #if LIBCURL_VERSION_MAJOR >= 7
 #if LIBCURL_VERSION_MINOR >= 34
+#if defined(ENFORCE_TLS_V1_3)
+            curl_easy_setopt(connectionHandle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_3);
+#elif defined(ENFORCE_TLS_V1_2)
+            curl_easy_setopt(connectionHandle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
+#else
             curl_easy_setopt(connectionHandle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
+#endif
 #endif //LIBCURL_VERSION_MINOR
 #endif //LIBCURL_VERSION_MAJOR
         }

diff --git a/src/aws-cpp-sdk-core/source/http/windows/WinHttpSyncHttpClient.cpp b/src/aws-cpp-sdk-core/source/http/windows/WinHttpSyncHttpClient.cpp
@@ -105,11 +105,22 @@ WinHttpSyncHttpClient::WinHttpSyncHttpClient(const ClientConfiguration& config)
     if (m_verifySSL)
     {
         //disable insecure tls protocols, otherwise you might as well turn ssl verification off.
-#if defined(WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3)
-        DWORD flags = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 |
-                WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3;
+#if defined(ENFORCE_TLS_V1_3) && defined(WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3)
+        DWORD flags = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3;
+#elif defined(ENFORCE_TLS_V1_2) && defined(WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3)
+        DWORD flags = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 |
+                      WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3;
+#elif defined(ENFORCE_TLS_V1_2) && !defined(WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3)
+        DWORD flags = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;
+#elif defined(WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3)
+        DWORD flags = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 |
+                      WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 |
+                      WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 |
+                      WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3;
 #else
-        DWORD flags = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;
+        DWORD flags = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 |
+                      WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 |
+                      WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;
 #endif
 
         if (!WinHttpSetOption(GetOpenHandle(), WINHTTP_OPTION_SECURE_PROTOCOLS, &flags, sizeof(flags)))