From dd4818ae6a6e30fa247baee9d804f1e1fd00d6f5 Mon Sep 17 00:00:00 2001
From: sbiscigl
Date: Mon, 31 Jul 2023 17:41:19 -0400
Subject: [PATCH] Add cmake parameter to enforce tls version
---
 .cspell.json | 2 +-
 CMakeLists.txt | 8 ++++++++
 .../source/http/curl/CurlHttpClient.cpp | 6 ++++++
 .../http/windows/WinHttpSyncHttpClient.cpp | 19 +++++++++++++++----
 4 files changed, 30 insertions(+), 5 deletions(-)
diff --git a/.cspell.json b/.cspell.json
index 1871edbbc3c..e7b0626fbd5 100644
--- a/.cspell.json
+++ b/.cspell.json
@@ -22,7 +22,7 @@
 "PythonInterp", "DWAVE", "Winmm", "DPULSE", "pulseaudio", "MSVC", "NOTFOUND", "libpulse", "COREAUDIO", "devel", "AUDIOTOOLBOX", "DCORE", "CONCAT", "DNON", "FULLPATCH", "setopt", "CURLOPT", "SSLCERT", "CROSSCOMPILING", "nullptr", "DWORD", "lpsz", "commoncrypto", "COMMONCRYPTO", "endforeach", "pkgconfig",
- "MGMT", "DENABLED",
+ "MGMT", "DENABLED", "DENFORCE",
 // Compiler and linker
 "Wpedantic", "Wextra", "Werror", "xldscope", "Wtype", "Wunused", "RTTI", "ffunction", "fdata", "fsanitize", "pathconf", "unistd", "umask", "GNUCXX", "libasan", "SUNPRO", "gnustl", "libgnustl", "Wmissing",
diff --git a/CMakeLists.txt b/CMakeLists.txt
index aadd71e481d..21e09c5e47d 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -64,6 +64,8 @@ if (LEGACY_BUILD)
 option(BUILD_BENCHMARKS "Enables building the benchmark executable" OFF)
 option(BUILD_OPTEL "Enables building the open telemetry implementation of tracing" OFF)
 option(AWS_SDK_WARNINGS_ARE_ERRORS "Compiler warning is treated as an error. Try turning this off when observing errors on a new or uncommon compiler" ON)
+ option(USE_TLS_V1_2 "Set http client to enforce TLS 1.2" ON)
+ option(USE_TLS_V1_3 "Set http client to enforce TLS 1.3" OFF)
 set(AWS_USER_AGENT_CUSTOMIZATION "" CACHE STRING "User agent extension")
 set(AWS_TEST_REGION "US_EAST_1" CACHE STRING "Region to target integration tests against")
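Review bot: The descriptions `Set http client to enforce TLS 1.2` and `Set http client to enforce TLS 1.3` leave unstated two things the consuming sources decide: when both options are ON the C++ checks `ENFORCE_TLS_V1_3` before `ENFORCE_TLS_V1_2`, so 1.3 wins, and the 1.2 setting is a floor rather than an exact version (the WinHTTP path enables TLS1_2 | TLS1_3 under it, and libcurl's CURL_SSLVERSION_TLSv1_2 likewise means 1.2 or newer, as far as I recall). Suggest wording the options to match, e.g. `option(USE_TLS_V1_2 "Require TLS 1.2 or newer in the http client (ignored when USE_TLS_V1_3 is ON)" ON)` and `option(USE_TLS_V1_3 "Require TLS 1.3 in the http client; takes precedence over USE_TLS_V1_2" OFF)`. Since USE_TLS_V1_2 defaults to ON, a changelog line noting the new default protocol floor would also help consumers who still talk to TLS 1.0/1.1 endpoints. The hunk sits inside the `if (LEGACY_BUILD)` block, which begins before it.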
@@ -78,6 +80,12 @@ if (LEGACY_BUILD)
 if (DISABLE_INTERNAL_IMDSV1_CALLS)
 add_definitions(-DDISABLE_IMDSV1)
 endif ()
+ if (USE_TLS_V2)
+ add_definitions(-DENFORCE_TLS_V1_2)
+ endif ()
+ if (USE_TLS_V3)
+ add_definitions(-DENFORCE_TLS_V1_3)
+ endif ()
 #From https://stackoverflow.com/questions/18968979/how-to-get-colorized-output-with-cmake
 if (NOT WIN32)
diff --git a/src/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp b/src/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp
index 8c2a8d928bc..7d386d74d11 100644
--- a/src/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp
+++ b/src/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp
@@ -674,7 +674,13 @@ std::shared_ptr CurlHttpClient::MakeRequest(const std::shared_ptr<
 #if LIBCURL_VERSION_MAJOR >= 7
 #if LIBCURL_VERSION_MINOR >= 34
+#if defined(ENFORCE_TLS_V1_3)
+ curl_easy_setopt(connectionHandle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_3);
+#elif defined(ENFORCE_TLS_V1_2)
+ curl_easy_setopt(connectionHandle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
+#else
 curl_easy_setopt(connectionHandle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
+#endif
 #endif //LIBCURL_VERSION_MINOR
 #endif //LIBCURL_VERSION_MAJOR
 }
diff --git a/src/aws-cpp-sdk-core/source/http/windows/WinHttpSyncHttpClient.cpp b/src/aws-cpp-sdk-core/source/http/windows/WinHttpSyncHttpClient.cpp
index 4dade648990..b4a9b5fbd72 100644
--- a/src/aws-cpp-sdk-core/source/http/windows/WinHttpSyncHttpClient.cpp
+++ b/src/aws-cpp-sdk-core/source/http/windows/WinHttpSyncHttpClient.cpp
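Review bot: The conditions `if (USE_TLS_V2)` and `if (USE_TLS_V3)` test variables that nothing in this patch defines; the options declared earlier in the file are `USE_TLS_V1_2` and `USE_TLS_V1_3`, so neither `-DENFORCE_TLS_V1_2` nor `-DENFORCE_TLS_V1_3` is ever added and both http clients stay on their previous floor (the `#else` arms below still allow TLS 1.0) while the build appears to have enforcement on by default. Nothing at run time reports that the option had no effect, which is what makes this worth catching at configure time. Change the two lines to `if (USE_TLS_V1_2)` and `if (USE_TLS_V1_3)`, and consider a `message(STATUS ...)` naming which ENFORCE_TLS definition was applied so the configure log records the effective setting.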
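Review bot: `CURL_SSLVERSION_TLSv1_3` only exists from libcurl 7.52.0, but the enclosing guard (the context lines `#if LIBCURL_VERSION_MAJOR >= 7` / `#if LIBCURL_VERSION_MINOR >= 34`) admits 7.34 and later, so a build with ENFORCE_TLS_V1_3 against libcurl 7.34–7.51 fails to compile on the new TLSv1_3 `curl_easy_setopt` line. The same guard compares the minor version on its own, so on libcurl 8.x (where LIBCURL_VERSION_MINOR restarts at 0) the whole block, both new branches included, is skipped and no CURLOPT_SSLVERSION is set at all; the guard predates this commit, but the new enforcement inherits the gap. Suggest testing `LIBCURL_VERSION_NUM` instead and failing the build rather than silently weakening when TLS 1.3 enforcement is requested on a libcurl that cannot express it. MakeRequest begins and ends outside the hunk.
```cpp
#if LIBCURL_VERSION_NUM >= 0x072200 // 7.34.0 added CURL_SSLVERSION_TLSv1_2; also covers libcurl 8.x
#if defined(ENFORCE_TLS_V1_3)
#if LIBCURL_VERSION_NUM < 0x073400 // 7.52.0 added CURL_SSLVERSION_TLSv1_3
#error "ENFORCE_TLS_V1_3 requires libcurl >= 7.52.0"
#endif
    curl_easy_setopt(connectionHandle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_3);
#elif defined(ENFORCE_TLS_V1_2)
    curl_easy_setopt(connectionHandle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
#else
    curl_easy_setopt(connectionHandle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
#endif
#endif // LIBCURL_VERSION_NUM
```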
@@ -105,11 +105,22 @@ WinHttpSyncHttpClient::WinHttpSyncHttpClient(const ClientConfiguration& config)
 if (m_verifySSL) { //disable insecure tls protocols, otherwise you might as well turn ssl verification off.
-#if defined(WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3)
- DWORD flags = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 |
- WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3;
+#if defined(ENFORCE_TLS_V1_3) && defined(WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3)
+ DWORD flags = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3;
+#elif defined(ENFORCE_TLS_V1_2) && defined(WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3)
+ DWORD flags = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 |
+ WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3;
+#elif defined(ENFORCE_TLS_V1_2) && !defined(WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3)
+ DWORD flags = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;
+#elif defined(WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3)
+ DWORD flags = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 |
+ WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 |
+ WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 |
+ WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3;
 #else
- DWORD flags = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;
+ DWORD flags = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 |
+ WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 |
+ WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;
 #endif
 if (!WinHttpSetOption(GetOpenHandle(), WINHTTP_OPTION_SECURE_PROTOCOLS, &flags, sizeof(flags)))
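Review bot: When ENFORCE_TLS_V1_3 is defined but the Windows SDK in use does not define `WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3`, none of the first four arms matches and control falls to the final `#else`, which enables TLS 1.0, 1.1 and 1.2 — the build asked for the strictest setting and silently got the loosest. Add an explicit arm before that `#else`: `#elif defined(ENFORCE_TLS_V1_3)` / `#error "ENFORCE_TLS_V1_3 requires a Windows SDK that defines WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3"`, so the mismatch surfaces at compile time instead of in a packet capture. The third arm's `&& !defined(WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3)` is redundant once the second arm has consumed the defined case and can be shortened to `#elif defined(ENFORCE_TLS_V1_2)`. The constructor begins before the hunk and the `if (m_verifySSL)` block continues past it.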