Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

AWS S3 Disabling SSLv3 Support

Tags:

ssl

ruby-on-rails

heroku

amazon-s3

fog

We received an email from AWS that basically says 'S3 is disabling SSLv3 Support, access will be cut-off in 15 days'. They then listed some buckets we have (one in production) that are 'currently accepting request from clients that specify SSLv3'. The full email is here, and other AWS users seem to have received one too:

https://gist.github.com/anonymous/4240c8af5208782c144c

My question is how do we test for this scenario, and what do we need to do to prepare for this cut-off date?

We use Rails 4.1 and the Fog (~> 1.28.0) and right_aws (~> 3.1.0) gems for AWS access and we're on Heroku. Our app provides signed HTTPS links to S3 resources to our browser users in our UI.

Is this just a client (browser) issue or something we need to understand better and test/fix?

like image 477
user1690146 Avatar asked Apr 15 '15 17:04

user1690146

People also ask

Does S3 support TLS?

As a managed service, Amazon S3 is protected by the AWS global network security procedures that are described in the security pillar of the AWS Well-Architected Framework. Access to Amazon S3 via the network is through AWS published APIs. Clients must support Transport Layer Security (TLS) 1.0. We recommend TLS 1.2.

How do I disable Amazon on S3?

Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/ . In the Buckets list, select the option next to the name of the bucket that you want to delete, and then choose Delete at the top of the page.

Does S3 use HTTP or HTTPS?

Amazon S3 allows both HTTP and HTTPS requests. By default, requests are made through the AWS Management Console, AWS Command Line Interface (AWS CLI), or HTTPS. To comply with the s3-bucket-ssl-requests-only rule, confirm that your bucket policies explicitly deny access to HTTP requests.

1 Answers

fog uses excon for its http(s) transport. excon is a low-level pure-ruby http client, which relies on the ruby openssl bindings to work. Though it is possible to explicitly set an ssl version to use, excon doesn't, which to the best of my knowledge should mean that it negotiates with the server to choose what to use (so if the server asks for not SSLv3, it should cooperate).

I believe that should mean no action would be required here, but the specifics of all that vary a bit across Ruby and OpenSSL versions (not to mention that it is just a bit hard to introspect/understand the specifics of those bindings), so it is hard to say for certain. excon does support an ssl_version argument, which can be used to force a specific version if it does end up being a problem (this is just not a good general choice because it disallows negotiation and the specifics vary between ruby versions).

Hope that helps.

like image 136
geemus Avatar answered Sep 20 '22 13:09

geemus
Sign in to Comment

Related questions

heroku run console returns 'Error connecting to process'
Factory not registered: user
rails assets pipeline "Cannot allocate memory - nodejs"
Rails 4: How to cancel save on a "before_save" callback?
How to name the blank value in select?
PostgreSQL gem pg was unable to install
cannot load such file -- readline (LoadError) when running heroku create --stack cedar
Postgresql gem install pg 0.18.4 passes, bundle install fails
Devise with Rails 4
How do I document Rake tasks with YARD?
rails best practices where to place unobtrusive javascript
How do I set up a Rails Angular project to test JS?
Rails, Mongoid & Unicorn config for Heroku
What's the cause of "PGError: FATAL: terminating connection due to administrator command" on heroku?
Best practices for new Rails deployments on Linux?
How to show twitter bootstrap modal via JS request in rails?
Filtering on activerecord relation without additional sql query?
has_many :through : How do you access join table attributes?
How to remove items from Activerecord query resultset?
Difference between add_dependency and add_runtime_dependency?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!