Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Change S2N security policy for 0-RTT in TLS 1.3 #585

Merged
merged 3 commits into from
Jul 14, 2023
Merged

Change S2N security policy for 0-RTT in TLS 1.3 #585

Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
08c7129
Change s2n security policy for 0-RTT TLSv1.3 setup
graebm Jul 11, 2023
2d534ae
stop pinning to 1yr old version of s2n 😰
graebm Jul 13, 2023
b1818ac
Check that s2n_config_set_cipher_preferences() actually succeeds.
graebm Jul 14, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 9 additions & 7 deletions source/s2n/s2n_tls_channel_handler.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1373,7 +1373,8 @@ static struct aws_tls_ctx *s_tls_ctx_new(
}

if (options->custom_key_op_handler != NULL) {
/* PKCS#11 integration hasn't been tested with TLS 1.3, so don't use cipher preferences that allow 1.3 */
/* When custom_key_op_handler is set, don't use cipher preferences that allow TLS 1.3.
* This hack is necessary until our PKCS#11 custom_key_op_handler supports RSA PSS */
switch (options->minimum_tls_version) {
case AWS_IO_SSLv3:
s2n_config_set_cipher_preferences(s2n_ctx->s2n_config, "CloudFront-SSL-v-3");
Expand All @@ -1396,25 +1397,26 @@ static struct aws_tls_ctx *s_tls_ctx_new(
s2n_config_set_cipher_preferences(s2n_ctx->s2n_config, "ELBSecurityPolicy-TLS-1-1-2017-01");
}
} else {
/* No custom_key_op_handler is set, use normal cipher preferences */
switch (options->minimum_tls_version) {
case AWS_IO_SSLv3:
s2n_config_set_cipher_preferences(s2n_ctx->s2n_config, "AWS-CRT-SDK-SSLv3.0");
s2n_config_set_cipher_preferences(s2n_ctx->s2n_config, "AWS-CRT-SDK-SSLv3.0-2023");
break;
case AWS_IO_TLSv1:
s2n_config_set_cipher_preferences(s2n_ctx->s2n_config, "AWS-CRT-SDK-TLSv1.0");
s2n_config_set_cipher_preferences(s2n_ctx->s2n_config, "AWS-CRT-SDK-TLSv1.0-2023");
break;
case AWS_IO_TLSv1_1:
s2n_config_set_cipher_preferences(s2n_ctx->s2n_config, "AWS-CRT-SDK-TLSv1.1");
s2n_config_set_cipher_preferences(s2n_ctx->s2n_config, "AWS-CRT-SDK-TLSv1.1-2023");
break;
case AWS_IO_TLSv1_2:
s2n_config_set_cipher_preferences(s2n_ctx->s2n_config, "AWS-CRT-SDK-TLSv1.2");
s2n_config_set_cipher_preferences(s2n_ctx->s2n_config, "AWS-CRT-SDK-TLSv1.2-2023");
break;
case AWS_IO_TLSv1_3:
s2n_config_set_cipher_preferences(s2n_ctx->s2n_config, "AWS-CRT-SDK-TLSv1.3");
s2n_config_set_cipher_preferences(s2n_ctx->s2n_config, "AWS-CRT-SDK-TLSv1.3-2023");
break;
case AWS_IO_TLS_VER_SYS_DEFAULTS:
default:
s2n_config_set_cipher_preferences(s2n_ctx->s2n_config, "AWS-CRT-SDK-TLSv1.0");
s2n_config_set_cipher_preferences(s2n_ctx->s2n_config, "AWS-CRT-SDK-TLSv1.0-2023");
}
}

Expand Down