Skip to content

Commit a28c712

Browse files
joguSDjoguSD
committed
Update TLS enforcement documentation
This updates the Python and openssl versions used in the TLS enforcement documentation to accomodate for more platforms, such as M1 Macs. Additionally, a new section has been added with an updated build script to enforce the usage of TLS V1.3.
1 parent 6e400a3 commit a28c712

File tree

1 file changed

+36
-3
lines changed

1 file changed

+36
-3
lines changed

docs/source/guide/security.rst

+36-3
Original file line numberDiff line numberDiff line change
@@ -192,9 +192,9 @@ To ensure the SDK or CLI doesn't not negotiate for anything earlier than TLS 1.2
192192
#!/usr/bin/env bash
193193
set -e
194194

195-
OPENSSL_VERSION="1.1.1d"
195+
OPENSSL_VERSION="1.1.1m"
196196
OPENSSL_PREFIX="/opt/openssl-with-min-tls1_2"
197-
PYTHON_VERSION="3.8.1"
197+
PYTHON_VERSION="3.9.10"
198198
PYTHON_PREFIX="/opt/python-with-min-tls1_2"
199199

200200

@@ -223,6 +223,39 @@ After you run this script, you should be able to use this newly installed versio
223223

224224
This should print out::
225225

226-
Python 3.8.1
226+
Python 3.9.10
227227

228228
To confirm this new version of Python does not negotiate a version earlier than TLS 1.2, rerun the steps from `Determining Supported Protocols`_ using the newly installed Python version (that is, ``/opt/python-with-min-tls1_2/bin/python3``).
229+
230+
Enforcing TLS 1.3
231+
------------------
232+
233+
The process of ensuring the AWS SDK for Python uses no TLS version earlier than TLS 1.3 is the same as the instructions in the `Enforcing TLS 1.2`_ section with some minor modifications, primarily adding the ``no-tls1_2`` flag to the openssl build configuration.
234+
235+
The following are the modified build instructions::
236+
237+
238+
#!/usr/bin/env bash
239+
set -e
240+
241+
OPENSSL_VERSION="1.1.1m"
242+
OPENSSL_PREFIX="/opt/openssl-with-min-tls1_3"
243+
PYTHON_VERSION="3.9.10"
244+
PYTHON_PREFIX="/opt/python-with-min-tls1_3"
245+
246+
247+
curl -O "https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"
248+
tar -xzf "openssl-$OPENSSL_VERSION.tar.gz"
249+
cd openssl-$OPENSSL_VERSION
250+
./config --prefix=$OPENSSL_PREFIX no-ssl3 no-tls1 no-tls1_1 no-tls1_2 no-shared
251+
make > /dev/null
252+
sudo make install_sw > /dev/null
253+
254+
255+
cd /tmp
256+
curl -O "https://www.python.org/ftp/python/$PYTHON_VERSION/Python-$PYTHON_VERSION.tgz"
257+
tar -xzf "Python-$PYTHON_VERSION.tgz"
258+
cd Python-$PYTHON_VERSION
259+
./configure --prefix=$PYTHON_PREFIX --with-openssl=$OPENSSL_PREFIX --disable-shared > /dev/null
260+
make > /dev/null
261+
sudo make install > /dev/null

0 commit comments

Comments
 (0)