Using TLS 1.2 in this AWS Product or Service - AWS SDK for Ruby

Communication between AWS SDK for Ruby and AWS is secured using Secure Sockets Layer (SSL) or Transport Layer Security (TLS). All versions of SSL, and versions of TLS prior to 1.2, have vulnerabilities that can compromise the security of your communication with AWS. For this reason, you should make sure that you are using the AWS SDK for Ruby with a version of Ruby that supports TLS v1.2 or later.

Ruby uses the OpenSSL library to secure HTTP connections. Supported versions of Ruby (1.9.3 and later) installed through system package managers (yum, apt, etc.), an official installer, or Ruby managers (rbenv, RVM, etc.) typically incorporate OpenSSL 1.0.1 or later, which supports TLS 1.2.

When used with a supported version of Ruby with OpenSSL 1.0.1 or later, AWS SDK for Ruby prefers TLS 1.2, and uses the highest version of SSL or TLS supported by both the client and server, which is always at least TLS 1.2 for AWS services. (The SDK uses the Ruby Net::HTTP class with use_ssl=true.)

Checking OpenSSL version

To make sure your installation of Ruby is using OpenSSL 1.0.1 or later, enter this command:

ruby -r openssl -e 'puts OpenSSL::OPENSSL_VERSION'

An alternative way to get the OpenSSL version is to query the openssl executable directly. First, locate the appropriate executable using the following command.

ruby -r rbconfig -e 'puts RbConfig::CONFIG["configure_args"]'

The output should contain --with-openssl-dir=/path/to/openssl, which indicates the location of the OpenSSL installation. Make a note of this path. To check the version of OpenSSL, enter the following commands.

cd /path/to/openssl
bin/openssl version

This latter method may not work with all installations of Ruby.
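The version check above can also be scripted. The following is an added example, not code from the AWS documentation: it parses the OpenSSL banner, compares it with the 1.0.1 minimum, and also compares the version Ruby was compiled against with the library actually loaded. The function names are hypothetical and the sample banners are constructed.

```ruby
require 'openssl'

# Oldest OpenSSL release with TLS 1.2 support, per the text above.
MIN_OPENSSL = [1, 0, 1].freeze

# Split a banner such as "OpenSSL 1.0.1e 11 Feb 2013" into
# [vendor, [major, minor, patch]]. Returns nil for unrecognised text.
def parse_ssl_banner(banner)
  m = /\A(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)/.match(banner.to_s)
  m && [m[1], m[2..4].map(&:to_i)]
end

# true / false for a recognised banner, nil when it cannot be parsed.
def tls12_capable?(banner)
  vendor, version = parse_ssl_banner(banner)
  return nil if vendor.nil?
  # LibreSSL was forked from OpenSSL 1.0.1g, so every release has TLS 1.2.
  return true if vendor == 'LibreSSL'
  (version <=> MIN_OPENSSL) >= 0
end

# Check both the headers Ruby was compiled against and the library that is
# actually loaded; the two differ when OpenSSL was upgraded or swapped later.
def tls12_report
  compiled = OpenSSL::OPENSSL_VERSION
  runtime = defined?(OpenSSL::OPENSSL_LIBRARY_VERSION) ? OpenSSL::OPENSSL_LIBRARY_VERSION : compiled
  {
    compiled: compiled,
    runtime: runtime,
    compiled_ok: tls12_capable?(compiled),
    runtime_ok: tls12_capable?(runtime),
    mismatch: parse_ssl_banner(compiled) != parse_ssl_banner(runtime)
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample banners, not output captured from real hosts.
  ['OpenSSL 0.9.8zh 3 Dec 2015', 'OpenSSL 1.0.1e 11 Feb 2013', 'LibreSSL 3.3.6'].each do |b|
    puts format('%-30s TLS 1.2 capable: %s', b, tls12_capable?(b).inspect)
  end
  tls12_report.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

A false or nil value for runtime_ok, or mismatch set to true, is the signal to follow the upgrade steps in the next section.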

Upgrading TLS Support

If the version of OpenSSL used by your Ruby is older than 1.0.1, upgrade your Ruby or OpenSSL installation using your system package manager, Ruby installer, or Ruby manager as described in Ruby’s installation guide. If you are installing Ruby from source, install the latest OpenSSL first, and pass --with-openssl-dir=/path/to/upgraded/openssl when running ./configure.