Enforce the same minimum TLS version (1.2) for both TLS backends (#2312)

* Enforce the same minimum TLS version (1.2) for both TLS backends * Add CHANGELOG entry * Add documentation for both `https` and `native_tls`. * Remove unnecessary mut
smithy-lang · Feb 6, 2023 · a389ea2 · a389ea2
1 parent 51047b1
commit a389ea2
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 1 deletion.
diff --git a/CHANGELOG.next.toml b/CHANGELOG.next.toml
@@ -11,6 +11,12 @@
 # meta = { "breaking" = false, "tada" = false, "bug" = false, "target" = "client | server | all"}
 # author = "rcoh"
 
+[[smithy-rs]]
+message = "Raise the minimum TLS version from 1.0 to 1.2 when using the `native-tls` feature in `aws-smithy-client`."
+references = ["smithy-rs#2312"]
+meta = { "breaking" = false, "tada" = false, "bug" = false, "target" = "client"}
+author = "LukeMathWalker"
+
 [[aws-sdk-rust]]
 message = """
 Provide a way to retrieve fallback credentials if a call to `provide_credentials` is interrupted. An interrupt can occur when a timeout future is raced against a future for `provide_credentials`, and the former wins the race. A new method, `fallback_on_interrupt` on the `ProvideCredentials` trait, can be used in that case. The following code snippet from `LazyCredentialsCache::provide_cached_credentials` has been updated like so:

diff --git a/rust-runtime/aws-smithy-client/src/lib.rs b/rust-runtime/aws-smithy-client/src/lib.rs
@@ -72,13 +72,27 @@ pub mod conns {
     }
 
     #[cfg(feature = "rustls")]
+    /// Return a default HTTPS connector backed by the `rustls` crate.
+    ///
+    /// It requires a minimum TLS version of 1.2.
+    /// It allows you to connect to both `http` and `https` URLs.
     pub fn https() -> Https {
         HTTPS_NATIVE_ROOTS.clone()
     }
 
     #[cfg(feature = "native-tls")]
+    /// Return a default HTTPS connector backed by the `hyper_tls` crate.
+    ///
+    /// It requires a minimum TLS version of 1.2.
+    /// It allows you to connect to both `http` and `https` URLs.
     pub fn native_tls() -> NativeTls {
-        hyper_tls::HttpsConnector::new()
+        let mut tls = hyper_tls::native_tls::TlsConnector::builder();
+        let tls = tls
+            .min_protocol_version(Some(hyper_tls::native_tls::Protocol::Tlsv12))
+            .build()
+            .unwrap_or_else(|e| panic!("Error while creating TLS connector: {}", e));
+        let http = hyper::client::HttpConnector::new();
+        hyper_tls::HttpsConnector::from((http, tls.into()))
     }
 
     #[cfg(feature = "native-tls")]