 

AWS S3 Disabling SSLv3 Support

We received an email from AWS that basically says 'S3 is disabling SSLv3 Support, access will be cut-off in 15 days'. They then listed some buckets we have (one in production) that are 'currently accepting request from clients that specify SSLv3'. The full email is here, and other AWS users seem to have received one too:

https://gist.github.com/anonymous/4240c8af5208782c144c

My question is how do we test for this scenario, and what do we need to do to prepare for this cut-off date?

We use Rails 4.1 and the Fog (~> 1.28.0) and right_aws (~> 3.1.0) gems for AWS access and we're on Heroku. Our app provides signed HTTPS links to S3 resources to our browser users in our UI.

Is this just a client (browser) issue or something we need to understand better and test/fix?

user1690146 asked Apr 15 '15 17:04



1 Answer

fog uses excon for its http(s) transport. excon is a low-level pure-ruby http client, which relies on the ruby openssl bindings to work. Though it is possible to explicitly set an ssl version to use, excon doesn't, which to the best of my knowledge should mean that it negotiates with the server to choose what to use (so if the server refuses SSLv3, it should cooperate).

I believe that should mean no action would be required here, but the specifics of all that vary a bit across Ruby and OpenSSL versions (not to mention that it is just a bit hard to introspect/understand the specifics of those bindings), so it is hard to say for certain. excon does support an ssl_version argument, which can be used to force a specific version if it does end up being a problem (this is just not a good general choice because it disallows negotiation and the specifics vary between ruby versions).

Hope that helps.

geemus answered Sep 20 '22 13:09
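The question asks how to test for the cutoff, and the answer rests on the client negotiating a version with the server rather than pinning one. The Ruby example below is added here to show what that negotiation looks like and how to rehearse a cutoff locally; it is not part of geemus's answer and not excon or fog code. It starts a loopback TLS server whose minimum version is raised to TLS 1.2 (standing in for S3 after the cutoff), connects once with a client that negotiates freely, and once with a client capped at TLS 1.0 standing in for an SSLv3-only client (current OpenSSL builds no longer ship SSLv3, so a capped client is the closest runnable approximation). It uses only Ruby's standard openssl and socket libraries; the self-signed certificate, the loopback port, and the helper names are all constructed for the example.

```ruby
require 'openssl'
require 'socket'

# Generate a throwaway self-signed certificate for the local test server.
def make_self_signed_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=localhost')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Start a TLS listener on 127.0.0.1 that, like an endpoint after a protocol
# cutoff, refuses any handshake below min_version. Returns [port, server, thread].
def start_tls_server(min_version)
  key, cert = make_self_signed_cert
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  ctx.min_version = min_version
  listener = TCPServer.new('127.0.0.1', 0) # port 0: let the OS pick a free port
  server = OpenSSL::SSL::SSLServer.new(listener, ctx)
  thread = Thread.new do
    loop do
      begin
        conn = server.accept # completes the handshake or raises
        conn.close
      rescue OpenSSL::SSL::SSLError, EOFError, Errno::ECONNRESET, Errno::EPIPE
        next # handshake refused or the peer gave up; keep serving
      rescue IOError, Errno::EBADF
        break # listener closed by run_cutoff_demo
      end
    end
  end
  [listener.addr[1], server, thread]
end

# Connect as a client and report the protocol version that was negotiated.
# max_version caps what the client offers, to simulate an old client.
def negotiated_protocol(port, max_version: nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # test cert only; keep verification on for real endpoints
  ctx.max_version = max_version if max_version
  tcp = TCPSocket.new('127.0.0.1', port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.sync_close = true
  ssl.connect
  ssl.ssl_version # e.g. "TLSv1.2" or "TLSv1.3"
rescue OpenSSL::SSL::SSLError, Errno::ECONNRESET
  # Either the server answered with a protocol_version alert, or the local
  # OpenSSL build no longer offers the capped version at all. Both mean "cut off".
  :handshake_refused
ensure
  ssl&.close
  tcp.close if tcp && !tcp.closed?
end

# Run a freely negotiating client and a TLS 1.0-capped client against a
# server whose floor is TLS 1.2, and return what each one got.
def run_cutoff_demo
  port, server, thread = start_tls_server(OpenSSL::SSL::TLS1_2_VERSION)
  {
    modern: negotiated_protocol(port),
    legacy: negotiated_protocol(port, max_version: OpenSSL::SSL::TLS1_VERSION)
  }
ensure
  server&.close
  thread&.join
end

puts run_cutoff_demo.inspect if $PROGRAM_NAME == __FILE__
```

On a current Ruby and OpenSSL this prints `{:modern=>"TLSv1.3", :legacy=>:handshake_refused}` (`"TLSv1.2"` on older builds): the un-pinned client is unaffected by the server raising its floor, which is the point of the answer, while the capped client is the one the AWS notice is about. Against the real endpoint the equivalent manual check is what `openssl s_client -connect <bucket>.s3.amazonaws.com:443` negotiates (the `-ssl3` flag only exists on OpenSSL builds that still include SSLv3). If an excon-based client does turn out to need pinning, the `ssl_version` option the answer mentions is passed like any other connection option, for example `Excon.defaults[:ssl_version] = :TLSv1_2`, with the caveat the answer gives: a pinned version also disables negotiation of anything newer.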