Menu
We received an email from AWS that basically says 'S3 is disabling SSLv3 Support, access will be cut-off in 15 days'. They then listed some buckets we have (one in production) that are 'currently accepting request from clients that specify SSLv3'. The full email is here, and other AWS users seem to have received one too:
https://gist.github.com/anonymous/4240c8af5208782c144c
My question is how do we test for this scenario, and what do we need to do to prepare for this cut-off date?
We use Rails 4.1 and the Fog (~> 1.28.0) and right_aws (~> 3.1.0) gems for AWS access and we're on Heroku. Our app provides signed HTTPS links to S3 resources to our browser users in our UI.
Is this just a client (browser) issue or something we need to understand better and test/fix?
477
As a managed service, Amazon S3 is protected by the AWS global network security procedures that are described in the security pillar of the AWS Well-Architected Framework. Access to Amazon S3 via the network is through AWS published APIs. Clients must support Transport Layer Security (TLS) 1.0. We recommend TLS 1.2.
Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/ . In the Buckets list, select the option next to the name of the bucket that you want to delete, and then choose Delete at the top of the page.
Amazon S3 allows both HTTP and HTTPS requests. By default, requests are made through the AWS Management Console, AWS Command Line Interface (AWS CLI), or HTTPS. To comply with the s3-bucket-ssl-requests-only rule, confirm that your bucket policies explicitly deny access to HTTP requests.
fog uses excon for its http(s) transport. excon is a low-level pure-ruby http client, which relies on the ruby openssl bindings to work. Though it is possible to explicitly set an ssl version to use, excon doesn't, which to the best of my knowledge should mean that it negotiates with the server to choose what to use (so if the server asks for not SSLv3, it should cooperate).
I believe that should mean no action would be required here, but the specifics of all that vary a bit across Ruby and OpenSSL versions (not to mention that it is just a bit hard to introspect/understand the specifics of those bindings), so it is hard to say for certain. excon does support an ssl_version argument, which can be used to force a specific version if it does end up being a problem (this is just not a good general choice because it disallows negotiation and the specifics vary between ruby versions).
Hope that helps.
136
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
