[cloudfront] Update Supported Security Protocol Enum #9212

Closed
2 tasks
Xarno opened this issue Jul 22, 2020 · 1 comment · Fixed by #9738
Labels
@aws-cdk/aws-cloudfront Related to Amazon CloudFront effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. in-progress This issue is being actively worked on. p1

Xarno commented Jul 22, 2020

Recently the List of Supported Security Protocols got extended. Please follow https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html#secure-connections-supported-ciphers and update this enum:

```ts
export declare enum SecurityPolicyProtocol {
    SSL_V3 = "SSLv3",
    TLS_V1 = "TLSv1",
    TLS_V1_2016 = "TLSv1_2016",
    TLS_V1_1_2016 = "TLSv1.1_2016",
    TLS_V1_2_2018 = "TLSv1.2_2018"
}
```

Use Case

Cloudfront setup.

Proposed Solution

```ts
export declare enum SecurityPolicyProtocol {
    SSL_V3 = "SSLv3",
    TLS_V1 = "TLSv1",
    TLS_V1_2016 = "TLSv1_2016",
    TLS_V1_1_2016 = "TLSv1.1_2016",
    TLS_V1_2_2018 = "TLSv1.2_2018",
    TLS_V1_2_2019 = "TLSv1.2_2019"
}
```

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

@Xarno Xarno added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Jul 22, 2020
Contributor

jogold commented Jul 22, 2020

This also needs to be updated:

```ts
private readonly VALID_SSL_PROTOCOLS: { [method in SSLMethod]: string[] } = {
  [SSLMethod.SNI]: [
    SecurityPolicyProtocol.TLS_V1, SecurityPolicyProtocol.TLS_V1_1_2016,
    SecurityPolicyProtocol.TLS_V1_2016, SecurityPolicyProtocol.TLS_V1_2_2018,
  ],
  [SSLMethod.VIP]: [SecurityPolicyProtocol.SSL_V3, SecurityPolicyProtocol.TLS_V1],
};
```

Btw it blocks users from using a policy not yet included in the CDK code.

@SomayaB SomayaB changed the title Update Suported Security Protocol Enum [cloudfront] Update Suported Security Protocol Enum Jul 22, 2020
@github-actions github-actions bot added the @aws-cdk/aws-cloudfront Related to Amazon CloudFront label Jul 22, 2020
@iliapolo iliapolo added effort/small Small work item – less than a day of effort p1 and removed needs-triage This issue or PR still needs to be triaged. labels Aug 3, 2020
@SomayaB SomayaB added the in-progress This issue is being actively worked on. label Aug 17, 2020
@iliapolo iliapolo assigned njlynch and unassigned iliapolo Aug 19, 2020
@mergify mergify bot closed this as completed in #9738 Aug 19, 2020
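
The effect described in the thread, as an added example that is not aws-cdk source: a closed allow-list keyed by SSL method rejects `TLSv1.2_2019` until the list itself is extended, which caps the strongest policy a user can select. The names `BEFORE`, `AFTER`, `checkPolicy`, `strongestAllowed` and `STRENGTH` are hypothetical, const objects stand in for the CDK enums, and the `sni-only`/`vip` values and the SNI-only placement of the new policy are assumptions.

```typescript
// Added illustration, not aws-cdk source. Policy strings are the ones quoted in the issue.
const SSLMethod = { SNI: "sni-only", VIP: "vip" } as const; // assumed string values
type SSLMethod = (typeof SSLMethod)[keyof typeof SSLMethod];

const P = {
  SSL_V3: "SSLv3",
  TLS_V1: "TLSv1",
  TLS_V1_2016: "TLSv1_2016",
  TLS_V1_1_2016: "TLSv1.1_2016",
  TLS_V1_2_2018: "TLSv1.2_2018",
  TLS_V1_2_2019: "TLSv1.2_2019",
} as const;

type ProtocolTable = Record<SSLMethod, string[]>;

// Allow-list as quoted in the comment above (state before the fix).
const BEFORE: ProtocolTable = {
  [SSLMethod.SNI]: [P.TLS_V1, P.TLS_V1_1_2016, P.TLS_V1_2016, P.TLS_V1_2_2018],
  [SSLMethod.VIP]: [P.SSL_V3, P.TLS_V1],
};

// Assumption: the new policy is offered for SNI only, so only that list grows.
const AFTER: ProtocolTable = {
  [SSLMethod.SNI]: BEFORE[SSLMethod.SNI].concat(P.TLS_V1_2_2019),
  [SSLMethod.VIP]: BEFORE[SSLMethod.VIP],
};

// Returns undefined when the pair is accepted, otherwise the rejection message.
function checkPolicy(table: ProtocolTable, method: SSLMethod, protocol: string): string | undefined {
  const valid = table[method];
  if (valid.indexOf(protocol) !== -1) return undefined;
  return `${protocol} is not compatible with sslMethod ${method}; allowed: ${valid.join(", ")}`;
}

// Weakest-to-strongest order, following the order of the enum in the issue.
const STRENGTH: string[] = [
  P.SSL_V3, P.TLS_V1, P.TLS_V1_2016, P.TLS_V1_1_2016, P.TLS_V1_2_2018, P.TLS_V1_2_2019,
];

// Strongest policy the allow-list lets a user choose for a given SSL method.
function strongestAllowed(table: ProtocolTable, method: SSLMethod): string {
  return table[method].reduce((best, p) =>
    STRENGTH.indexOf(p) > STRENGTH.indexOf(best) ? p : best);
}
```

With `BEFORE`, an SNI distribution cannot be set above `TLSv1.2_2018`; with `AFTER`, `TLSv1.2_2019` passes for SNI and is still rejected for VIP.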