
Add s2n-tls client TLS provider #3965

Draft: wants to merge 1 commit into base: hyper1

Conversation

@goatgoose goatgoose commented Jan 10, 2025

(WIP)

Motivation and Context

Adds s2n-tls as an optional TLS provider to the hyper1 branch.

Related issue: #2446

Description

Currently, smithy-rs clients use rustls as the TLS provider. This PR adds s2n-tls as an optional provider, allowing users to configure smithy-rs to secure their HTTP requests with s2n-tls.

Testing

I added a new client smoke test for s2n-tls. I also added a test that makes sure s2n-tls is actually set as the provider when configured. I was looking for more tests that invoke rustls that I could add an equivalent s2n-tls test for, but was having trouble discovering them. If there are tests that make sense to have please let me know and I will add them!

I did find the hyper_10_end_to_end test, and I modified this locally to use the new s2n-tls provider to list my s3 buckets, and this succeeded. However, this test isn't being run in CI so I didn't modify it in this PR. Is there a similar end-to-end SDK test that is being run in CI that I could add s2n-tls to?

Checklist

  • For changes to the smithy-rs codegen or runtime crates, I have created a changelog entry Markdown file in the .changelog directory, specifying "client," "server," or both in the applies_to key.
  • For changes to the AWS SDK, generated SDK code, or SDK runtime crates, I have created a changelog entry Markdown file in the .changelog directory, specifying "aws-sdk-rust" in the applies_to key.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@goatgoose goatgoose marked this pull request as ready for review January 10, 2025 16:42
@goatgoose goatgoose requested a review from a team as a code owner January 10, 2025 16:42
@goatgoose goatgoose marked this pull request as draft January 10, 2025 16:47
Inline review comment by goatgoose (author) on the following lines of the PR:

    http_connector.enforce_http(false);
    let config = {
        let mut builder = s2n_tls::config::Config::builder();
        let policy = Policy::from_version("20230317").unwrap();

20230317 is a security policy we recommend for TLS 1.3. Similar to the rustls configuration, this policy is forward secret and requires TLS 1.2 as the minimum protocol version. It's also compatible with FIPS. If there are specific requirements for the TLS policy let me know and we can find another policy or create a new one.

Details:

20230317

name: 20230317
min version: TLS1.2
rules:
- Perfect Forward Secrecy: yes
- FIPS 140-3 (2019): yes
cipher suites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
signature schemes:
- rsa_pss_rsae_sha256
- rsa_pss_rsae_sha384
- rsa_pss_rsae_sha512
- rsa_pkcs1_sha256
- rsa_pkcs1_sha384
- rsa_pkcs1_sha512
- ecdsa_sha256
- ecdsa_sha384
- ecdsa_sha512
- rsa_pss_pss_sha256
- rsa_pss_pss_sha384
- rsa_pss_pss_sha512
curves:
- secp256r1
- secp384r1
- secp521r1
certificate signature schemes:
- rsa_pss_rsae_sha256
- rsa_pss_rsae_sha384
- rsa_pss_rsae_sha512
- rsa_pkcs1_sha256
- rsa_pkcs1_sha384
- rsa_pkcs1_sha512
- ecdsa_sha256
- ecdsa_sha384
- ecdsa_sha512
- rsa_pss_pss_sha256
- rsa_pss_pss_sha384
- rsa_pss_pss_sha512
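As an added example (not code from the smithy-rs PR, from s2n-tls, or from the commenter), the block below parses the policy description quoted above and checks the properties the comment claims for 20230317: a TLS 1.2 minimum, forward-secret key exchange in every cipher suite, TLS 1.3 suites present, and no SHA-1 or MD5 signature hashes. The text format handling is an assumption based on the listing above, not an s2n-tls API; the embedded policy text is a constructed excerpt of that listing (the "certificate signature schemes" and "curves" sections are omitted), and the weak policy in the test is constructed.

```rust
// Added example: parser + requirements check for the s2n-tls policy description
// format shown in the review comment. Format handling is an assumption drawn
// from the quoted text, not the s2n-tls API. Standard library only.
use std::collections::BTreeMap;

/// Constructed excerpt of the 20230317 description from the comment.
pub const POLICY_20230317: &str = "\
name: 20230317
min version: TLS1.2
rules:
- Perfect Forward Secrecy: yes
- FIPS 140-3 (2019): yes
cipher suites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
signature schemes:
- rsa_pss_rsae_sha256
- rsa_pss_rsae_sha384
- rsa_pss_rsae_sha512
- rsa_pkcs1_sha256
- rsa_pkcs1_sha384
- rsa_pkcs1_sha512
- ecdsa_sha256
- ecdsa_sha384
- ecdsa_sha512
- rsa_pss_pss_sha256
- rsa_pss_pss_sha384
- rsa_pss_pss_sha512
";

#[derive(Debug, Default)]
pub struct Policy {
    pub name: String,
    pub min_version: String,
    /// Section name ("cipher suites", "rules", ...) mapped to its "- " items.
    pub sections: BTreeMap<String, Vec<String>>,
}

/// Parses the "key: value" header lines and the "section:" / "- item" blocks.
pub fn parse_policy(text: &str) -> Policy {
    let mut policy = Policy::default();
    let mut current: Option<String> = None;
    for line in text.lines().map(str::trim).filter(|l| !l.is_empty()) {
        if let Some(item) = line.strip_prefix("- ") {
            if let Some(section) = &current {
                policy.sections.entry(section.clone()).or_default().push(item.to_string());
            }
        } else if let Some(rest) = line.strip_prefix("name:") {
            policy.name = rest.trim().to_string();
        } else if let Some(rest) = line.strip_prefix("min version:") {
            policy.min_version = rest.trim().to_string();
        } else if let Some(section) = line.strip_suffix(':') {
            current = Some(section.to_string());
        }
    }
    policy
}

/// "TLS1.2" -> Some((1, 2)); anything unrecognised (e.g. "SSLv3") -> None.
fn version_tuple(v: &str) -> Option<(u32, u32)> {
    let (major, minor) = v.strip_prefix("TLS")?.split_once('.')?;
    Some((major.parse().ok()?, minor.parse().ok()?))
}

/// Checks the policy against the requirements stated in the comment.
/// An empty result means every check passed.
pub fn check_policy(policy: &Policy) -> Vec<String> {
    let mut findings = Vec::new();
    match version_tuple(&policy.min_version) {
        Some(v) if v >= (1, 2) => {}
        _ => findings.push(format!("minimum version below TLS 1.2: {}", policy.min_version)),
    }
    let empty = Vec::new();
    let suites = policy.sections.get("cipher suites").unwrap_or(&empty);
    // TLS 1.3 suites (no "_WITH_" in the name) always use ephemeral key exchange;
    // TLS 1.2 suites are forward secret only with (EC)DHE key exchange.
    for suite in suites {
        let tls12 = suite.contains("_WITH_");
        if tls12 && !suite.contains("_ECDHE_") && !suite.contains("_DHE_") {
            findings.push(format!("cipher suite without forward secrecy: {}", suite));
        }
    }
    if !suites.iter().any(|s| !s.contains("_WITH_")) {
        findings.push("no TLS 1.3 cipher suites".to_string());
    }
    for key in ["signature schemes", "certificate signature schemes"] {
        for scheme in policy.sections.get(key).unwrap_or(&empty) {
            if scheme.ends_with("sha1") || scheme.ends_with("md5") {
                findings.push(format!("legacy hash in {}: {}", key, scheme));
            }
        }
    }
    findings
}
```

Running `check_policy(&parse_policy(POLICY_20230317))` returns no findings, which is the mechanical form of the claims in the comment; feeding it a description whose minimum is TLS1.0, whose only suite is an RSA key-exchange suite, and which lists a SHA-1 signature scheme yields one finding per violated requirement, so the same check can be dropped into CI to catch a policy string changing underneath a client configuration.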
