
aws-cloudfront: when using VIP ssl support method, minimum protocol version is incorrectly set #28940

Open
MrPrimate opened this issue Jan 31, 2024 · 3 comments
Labels
@aws-cdk/aws-cloudfront Related to Amazon CloudFront bug This issue is a bug. effort/medium Medium work item – several days of effort p3

Comments

@MrPrimate

Describe the bug

When creating a distribution with the VIP sslSupportMethod, the resource handler returns the error message "The specified MinimumProtocolVersion cannot be used with the specified SSLSupportMethod".

Expected Behavior

The cloudfront distribution is created.

Current Behavior

The distribution fails to create with messages such as:

17:43:12 | UPDATE_FAILED        | AWS::CloudFront::Distribution    | XXXXXXXXX
Resource handler returned message: "Invalid request provided: The specified MinimumProtocolVersion cannot be used
with the specified SSLSupportMethod (Service: CloudFront, Status Code: 400, Request ID: xxxxx)" (RequestToken: xxxxx HandlerErrorCode: InvalidRequest)

Reproduction Steps

import { Distribution, OriginSslPolicy, SSLMethod, ViewerProtocolPolicy } from "aws-cdk-lib/aws-cloudfront";
import { HttpOrigin } from "aws-cdk-lib/aws-cloudfront-origins";

// Inside a Stack/Construct; props.certificate is an ACM certificate in us-east-1
new Distribution(this, "api.example.com", {
	defaultBehavior: {
		origin: new HttpOrigin("api.example.com", {
			originSslProtocols: [OriginSslPolicy.TLS_V1_2],
		}),
		viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
	},
	domainNames: ["test.example.com"],
	certificate: props.certificate,
	sslSupportMethod: SSLMethod.VIP,
	// minimumProtocolVersion left unset: CDK fills in its default here
});

Possible Solution

I believe

const minimumProtocolVersion = minimumProtocolVersionProp ?? defaultVersion;
is setting a minimumProtocolVersion, but should not if the sslSupportMethod is SSLMethod.VIP.

Additional Information/Context

No response

CDK CLI Version

2.104.0 (build 3b99abe)

Framework Version

No response

Node.js Version

v18.13.0

OS

linux

Language

TypeScript

Language Version

No response

Other information

No response

@MrPrimate MrPrimate added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 31, 2024
@github-actions github-actions bot added the @aws-cdk/aws-cloudfront Related to Amazon CloudFront label Jan 31, 2024
@MrPrimate
Author

Having done a bit more digging here, the minimumProtocolVersion needs to be set to SecurityPolicyProtocol.TLS_V1 at the top level, rather than one of the subsets. Not sure if this is an actual bug with CDK at this point.

@pahud
Contributor

pahud commented Feb 5, 2024

@MrPrimate

Can you share your workaround snippets? Thank you.

@pahud pahud added p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Feb 5, 2024
@MrPrimate
Author

MrPrimate commented Feb 5, 2024

@MrPrimate

Can you share your workaround snippets? Thank you.

Yes, I ended up using:

import { Distribution, OriginSslPolicy, SecurityPolicyProtocol, SSLMethod, ViewerProtocolPolicy } from "aws-cdk-lib/aws-cloudfront";
import { HttpOrigin } from "aws-cdk-lib/aws-cloudfront-origins";

// Inside a Stack/Construct; props.certificate is an ACM certificate in us-east-1
new Distribution(this, "api.example.com", {
	defaultBehavior: {
		origin: new HttpOrigin("api.example.com", {
			originSslProtocols: [OriginSslPolicy.TLS_V1_2],
		}),
		viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
	},
	domainNames: ["test.example.com"],
	certificate: props.certificate,
	sslSupportMethod: SSLMethod.VIP,
	// Explicit top-level TLSv1 policy: the only one CloudFront accepts with VIP
	minimumProtocolVersion: SecurityPolicyProtocol.TLS_V1,
});

It's the minimumProtocolVersion: SecurityPolicyProtocol.TLS_V1 that needs to be defaulted if sslSupportMethod: SSLMethod.VIP is set.
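As an added example (not code from aws-cdk-lib or from this thread), here is the defaulting rule the comments above arrive at, written as a small TypeScript helper that also reproduces CloudFront's rejection at synth time instead of at deploy. The two lookup objects are constructed mirrors of the aws-cdk-lib/aws-cloudfront enum string values so it runs without the library, and the TLS_V1_2_2021 library default is an assumption.

```typescript
// Added example, not aws-cdk-lib code: the "default to TLSv1 when VIP" rule from
// this issue, plus a synth-time check for the combination CloudFront rejects.
// Constructed mirrors of the aws-cdk-lib/aws-cloudfront enum string values:
const SSLMethod = { SNI: "sni-only", VIP: "vip" } as const;
type SSLMethod = (typeof SSLMethod)[keyof typeof SSLMethod];

const SecurityPolicyProtocol = {
  SSL_V3: "SSLv3",
  TLS_V1: "TLSv1",
  TLS_V1_2016: "TLSv1_2016",
  TLS_V1_1_2016: "TLSv1.1_2016",
  TLS_V1_2_2018: "TLSv1.2_2018",
  TLS_V1_2_2019: "TLSv1.2_2019",
  TLS_V1_2_2021: "TLSv1.2_2021",
} as const;
type SecurityPolicyProtocol =
  (typeof SecurityPolicyProtocol)[keyof typeof SecurityPolicyProtocol];

// Raised locally, rather than surfacing as an UPDATE_FAILED event from CloudFormation.
class ProtocolMismatchError extends Error {}

// The dated policies ("..._2016", "..._2021", ...) are the "subsets" the issue found
// CloudFront rejects for VIP; only an undated top-level policy name is accepted.
function isDatedPolicy(policy: SecurityPolicyProtocol): boolean {
  return /_20\d\d$/.test(policy);
}

// Same shape as the `minimumProtocolVersionProp ?? defaultVersion` line quoted in
// the issue, but the default now depends on the SSL support method. The assumed
// library default (TLS_V1_2_2021) is a parameter so it can be overridden.
function resolveMinimumProtocolVersion(
  sslSupportMethod: SSLMethod | undefined,
  minimumProtocolVersionProp: SecurityPolicyProtocol | undefined,
  defaultVersion: SecurityPolicyProtocol = SecurityPolicyProtocol.TLS_V1_2_2021,
): SecurityPolicyProtocol {
  if (sslSupportMethod !== SSLMethod.VIP) {
    return minimumProtocolVersionProp ?? defaultVersion;
  }
  // VIP: default to TLSv1 (the workaround from this thread) instead of the dated
  // TLS 1.2 policy, and refuse a dated policy even when the user set it explicitly.
  const resolved = minimumProtocolVersionProp ?? SecurityPolicyProtocol.TLS_V1;
  if (isDatedPolicy(resolved)) {
    throw new ProtocolMismatchError(
      `minimumProtocolVersion ${resolved} cannot be used with sslSupportMethod ${sslSupportMethod}`,
    );
  }
  return resolved;
}
```

Bear in mind that a TLSv1 viewer minimum permits TLS 1.0 negotiation; VIP (dedicated IP) exists for clients that cannot send SNI, so where such clients are not a requirement, SSLMethod.SNI with the TLS 1.2 policy is the stronger configuration.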

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Feb 6, 2024
@pahud pahud added p3 and removed p2 labels Jun 11, 2024