Default to TLS 1.2 for HTTPS requests (#892)

Updates the SDK's default HTTP client to use TLS 1.2 as the minimum TLS version for all HTTPS requests by default.
aws · Nov 12, 2020 · 1a5f0a3 · 1a5f0a3
1 parent 65b91cc
commit 1a5f0a3
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 0 deletions.
diff --git a/.changes/next-release/aws-feature-1605201722393831000.json b/.changes/next-release/aws-feature-1605201722393831000.json
@@ -0,0 +1,9 @@
+{
+ "ID": "aws-feature-1605201722393831000",
+ "SchemaVersion": 1,
+ "Module": "aws",
+ "Type": "feature",
+ "Description": "Default to TLS 1.2 for HTTPS requests #892 * Updates the SDK's default HTTP client to use TLS 1.2 as the minimum TLS version for all HTTPS requests by default.",
+ "MinVersion": "",
+ "AffectedModules": null
+}
diff --git a/aws/http_client.go b/aws/http_client.go
@@ -1,6 +1,7 @@
 package aws
 
 import (
+	"crypto/tls"
 	"net"
 	"net/http"
 	"reflect"
@@ -10,12 +11,17 @@ import (
 
 // Defaults for the HTTPTransportBuilder.
 var (
+	// Default connection pool options
 	DefaultHTTPTransportMaxIdleConns        = 100
 	DefaultHTTPTransportMaxIdleConnsPerHost = 10
 
+	// Default connection timeouts
 	DefaultHTTPTransportIdleConnTimeout       = 90 * time.Second
 	DefaultHTTPTransportTLSHandleshakeTimeout = 10 * time.Second
 	DefaultHTTPTransportExpectContinueTimeout = 1 * time.Second
+
+	// Default to TLS 1.2 for all HTTPS requests.
+	DefaultHTTPTransportTLSMinVersion uint16 = tls.VersionTLS12
 )
 
 // Timeouts for net.Dialer's network connection.
@@ -178,6 +184,9 @@ func defaultHTTPTransport() *http.Transport {
 		IdleConnTimeout:       DefaultHTTPTransportIdleConnTimeout,
 		ExpectContinueTimeout: DefaultHTTPTransportExpectContinueTimeout,
 		ForceAttemptHTTP2:     true,
+		TLSClientConfig: &tls.Config{
+			MinVersion: DefaultHTTPTransportTLSMinVersion,
+		},
 	}
 
 	return tr