Add cmake parameter to enforce tls version #2604

Merged
merged 1 commit into from
Aug 1, 2023
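--- a/.cspell.json
+++ b/.cspell.json
@@ -22,7 +22,7 @@
 "PythonInterp", "DWAVE", "Winmm", "DPULSE", "pulseaudio", "MSVC", "NOTFOUND", "libpulse", "COREAUDIO",
 "devel", "AUDIOTOOLBOX", "DCORE", "CONCAT", "DNON", "FULLPATCH", "setopt", "CURLOPT", "SSLCERT",
 "CROSSCOMPILING", "nullptr", "DWORD", "lpsz", "commoncrypto", "COMMONCRYPTO", "endforeach", "pkgconfig",
-"MGMT", "DENABLED",
+"MGMT", "DENABLED", "DENFORCE",
 // Compiler and linker
 "Wpedantic", "Wextra", "Werror", "xldscope", "Wtype", "Wunused", "RTTI", "ffunction", "fdata", "fsanitize",
 "pathconf", "unistd", "umask", "GNUCXX", "libasan", "SUNPRO", "gnustl", "libgnustl", "Wmissing",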
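--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -64,6 +64,8 @@ if (LEGACY_BUILD)
 option(BUILD_BENCHMARKS "Enables building the benchmark executable" OFF)
 option(BUILD_OPTEL "Enables building the open telemetry implementation of tracing" OFF)
 option(AWS_SDK_WARNINGS_ARE_ERRORS "Compiler warning is treated as an error. Try turning this off when observing errors on a new or uncommon compiler" ON)
+option(USE_TLS_V1_2 "Set http client to enforce TLS 1.2" ON)
+option(USE_TLS_V1_3 "Set http client to enforce TLS 1.3" OFF)
 
 set(AWS_USER_AGENT_CUSTOMIZATION "" CACHE STRING "User agent extension")
 set(AWS_TEST_REGION "US_EAST_1" CACHE STRING "Region to target integration tests against")
@@ -78,6 +80,12 @@ if (LEGACY_BUILD)
 if (DISABLE_INTERNAL_IMDSV1_CALLS)
 add_definitions(-DDISABLE_IMDSV1)
 endif ()
+if (USE_TLS_V2)
+add_definitions(-DENFORCE_TLS_V1_2)
+endif ()
+if (USE_TLS_V3)
+add_definitions(-DENFORCE_TLS_V1_3)
+endif ()
 
 #From https://stackoverflow.com/questions/18968979/how-to-get-colorized-output-with-cmake
 if (NOT WIN32)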
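Review bot: The new `if (USE_TLS_V2)` and `if (USE_TLS_V3)` guards in the second hunk test variables that are never declared; the options added in the first hunk are `USE_TLS_V1_2` and `USE_TLS_V1_3`, so neither `-DENFORCE_TLS_V1_2` nor `-DENFORCE_TLS_V1_3` is ever emitted and the enforcement code in CurlHttpClient.cpp and WinHttpSyncHttpClient.cpp remains dead. The guards should read `if (USE_TLS_V1_2)` and `if (USE_TLS_V1_3)`. Once that is fixed, `USE_TLS_V1_2` defaulting to ON raises the curl client's minimum from the current `CURL_SSLVERSION_TLSv1` fallback to TLS 1.2 for every default build, which is the right direction but deserves a mention in the option description or release notes. Both options can also be ON at once and the C++ side lets 1.3 win silently, so a `message(WARNING ...)` or `FATAL_ERROR` when both are set would make the intent explicit. Both hunks sit inside the `if (LEGACY_BUILD)` block that begins outside the diff.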
6 changes: 6 additions & 0 deletions src/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp

these changes have no effect with current versions of curl 8 since LIBCURL_VERSION_MINOR would be <34.
For curl version range checks LIBCURL_VERSION_NUM might be a better choice
https://curl.se/docs/versions.html

also, CURL_SSLVERSION_TLSv1_3 is available as of curl 7.52 according to curl documentation
https://curl.se/libcurl/c/CURLOPT_SSLVERSION.html

Opened #2662

Expand Up @@ -674,7 +674,13 @@ std::shared_ptr<HttpResponse> CurlHttpClient::MakeRequest(const std::shared_ptr<

#if LIBCURL_VERSION_MAJOR >= 7
#if LIBCURL_VERSION_MINOR >= 34
#if defined(ENFORCE_TLS_V1_3)
curl_easy_setopt(connectionHandle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_3);
#elif defined(ENFORCE_TLS_V1_2)
curl_easy_setopt(connectionHandle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
#else
curl_easy_setopt(connectionHandle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
#endif
#endif //LIBCURL_VERSION_MINOR
#endif //LIBCURL_VERSION_MAJOR
}
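Review bot: The return value of each new `curl_easy_setopt(..., CURLOPT_SSLVERSION, ...)` call is discarded, so if the linked TLS backend rejects the requested minimum the request proceeds with curl's default protocol set and nothing is logged. For a setting whose whole purpose is to refuse weaker protocols, capture the `CURLcode` and route it through the file's existing error-logging path, e.g. `if (curl_easy_setopt(connectionHandle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_3) != CURLE_OK) { /* log and treat the request as failed */ }`, and do the same for the TLSv1_2 branch; failing the request is the safer outcome when ENFORCE_TLS_* was requested at build time. MakeRequest begins and ends outside this hunk.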
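--- a/src/aws-cpp-sdk-core/source/http/windows/WinHttpSyncHttpClient.cpp
+++ b/src/aws-cpp-sdk-core/source/http/windows/WinHttpSyncHttpClient.cpp
@@ -105,11 +105,22 @@ WinHttpSyncHttpClient::WinHttpSyncHttpClient(const ClientConfiguration& config)
 if (m_verifySSL)
 {
 //disable insecure tls protocols, otherwise you might as well turn ssl verification off.
-#if defined(WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3)
-DWORD flags = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 |
-WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3;
+#if defined(ENFORCE_TLS_V1_3) && defined(WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3)
+DWORD flags = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3;
+#elif defined(ENFORCE_TLS_V1_2) && defined(WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3)
+DWORD flags = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 |
+WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3;
+#elif defined(ENFORCE_TLS_V1_2) && !defined(WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3)
+DWORD flags = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;
+#elif defined(WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3)
+DWORD flags = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 |
+WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 |
+WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 |
+WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3;
 #else
-DWORD flags = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;
+DWORD flags = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 |
+WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 |
+WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;
 #endif
 
 if (!WinHttpSetOption(GetOpenHandle(), WINHTTP_OPTION_SECURE_PROTOCOLS, &flags, sizeof(flags)))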
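Review bot: With `ENFORCE_TLS_V1_3` defined but `WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3` absent from the Windows SDK, none of the new `#if`/`#elif` conditions match and the chain falls through to the `#else` branch, so a build that asked for TLS 1.3 only silently accepts TLS 1.0, 1.1 and 1.2 — the opposite of what was requested. Add a branch that fails the build instead: `#elif defined(ENFORCE_TLS_V1_3)` followed by `#error "ENFORCE_TLS_V1_3 requires a Windows SDK that defines WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3"`, placed before the unconditional `#elif defined(WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3)`. The `!defined(WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3)` test on the third condition is redundant given the branch order and can be reduced to `#elif defined(ENFORCE_TLS_V1_2)`. Note also that the whole selection lives under `if (m_verifySSL)`, so a client configured with verification off receives no protocol restriction regardless of the build flags; the constructor starts and ends outside this hunk.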