Enforcing a minimum TLS version in the AWS SDK for Ruby
Communication between the AWS SDK for Ruby and AWS is secured using Secure Sockets Layer (SSL) or Transport Layer Security (TLS). All versions of SSL, and versions of TLS earlier than 1.2, have vulnerabilities that can compromise the security of your communication with AWS. For this reason, you should make sure that you’re using the AWS SDK for Ruby with a version of Ruby that supports TLS version 1.2 or later.
Ruby uses the OpenSSL library to secure HTTP connections. Supported versions of Ruby (1.9.3 and later) installed through system package managers (yum, apt, and others), an official installer
When used with a supported version of Ruby with OpenSSL 1.0.1 or later, the AWS SDK for Ruby prefers TLS 1.2, and uses the latest version of SSL or TLS supported by both the client and server. This is always at least TLS 1.2 for AWS services. (The SDK uses the Ruby Net::HTTP class with use_ssl=true.)
Checking the OpenSSL version
To make sure your installation of Ruby is using OpenSSL 1.0.1 or later, enter the following command.
ruby -r openssl -e 'puts OpenSSL::OPENSSL_VERSION'
An alternative way to get the OpenSSL version is to query the openssl executable directly. First, locate the appropriate executable using the following command.
ruby -r rbconfig -e 'puts RbConfig::CONFIG["configure_args"]'
The output should contain --with-openssl-dir=/path/to/openssl, indicating the location of the OpenSSL installation. Make a note of this path. To check the version of OpenSSL, enter the following commands.
cd /path/to/openssl
bin/openssl version
This latter method might not work with all installations of Ruby.
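The version check above and the TLS 1.2 behaviour described earlier, combined into one script as an added example (this is not code from the AWS SDK for Ruby or its documentation): it parses OpenSSL::OPENSSL_VERSION as the first command prints it, refuses to proceed on a library older than 1.0.1, and builds a Net::HTTP client that pins min_version to TLS 1.2 so a server offering only TLS 1.0 or 1.1 is rejected instead of negotiated down to. It assumes Ruby 2.5 or later (where Net::HTTP#min_version= exists); the host name is a placeholder.

```ruby
require 'openssl'
require 'net/http'

# OpenSSL 1.0.1 is the first release that implements TLS 1.2.
MIN_OPENSSL = [1, 0, 1].freeze

# Parse the string Ruby exposes as OpenSSL::OPENSSL_VERSION, e.g.
# "OpenSSL 1.1.1k  25 Mar 2021", "OpenSSL 3.0.2 15 Mar 2022" or
# "LibreSSL 3.3.6", into [major, minor, patch]; nil if unrecognised.
def parse_openssl_version(version_string)
  m = version_string.match(/(?:OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)/)
  return nil unless m
  m.captures.map(&:to_i)
end

# True when the linked library is at least 1.0.1 (every LibreSSL release
# is numbered 2.x or later and already speaks TLS 1.2, so it passes too).
def openssl_supports_tls12?(version_string = OpenSSL::OPENSSL_VERSION)
  v = parse_openssl_version(version_string)
  return false unless v
  (v <=> MIN_OPENSSL) >= 0
end

# Build an HTTPS client that will not negotiate anything below TLS 1.2,
# regardless of what the peer offers. The SDK itself uses Net::HTTP with
# use_ssl=true; min_version is the extra floor this example adds.
def tls12_http_client(host, port = 443)
  unless openssl_supports_tls12?
    raise "OpenSSL too old for TLS 1.2: #{OpenSSL::OPENSSL_VERSION}"
  end
  http = Net::HTTP.new(host, port)   # no connection is opened here
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.min_version = OpenSSL::SSL::TLS1_2_VERSION
  http
end

if __FILE__ == $PROGRAM_NAME
  puts "Linked library: #{OpenSSL::OPENSSL_VERSION}"
  client = tls12_http_client('sts.amazonaws.example') # placeholder host
  puts "TLS floor set: #{client.min_version == OpenSSL::SSL::TLS1_2_VERSION}"
end
```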
Upgrading TLS support
If the version of OpenSSL used by your Ruby installation is earlier than 1.0.1, upgrade your Ruby or OpenSSL installation using your system package manager, Ruby installer, or Ruby manager, as described in Ruby's installation guide. If you build Ruby from source, pass --with-openssl-dir=/path/to/upgraded/openssl when running ./configure.