AWS S3 Disabling SSLv3 Support AWS S3 Disabling SSLv3 Support ruby-on-rails ruby-on-rails

AWS S3 Disabling SSLv3 Support


ruby-on-rails ssl heroku amazon-s3 fog

fog uses excon for its http(s) transport. excon is a low-level pure-ruby http client, which relies on the ruby openssl bindings to work. Though it is possible to explicitly set an ssl version to use, excon doesn't, which to the best of my knowledge should mean that it negotiates with the server to choose what to use (so if the server asks for not SSLv3, it should cooperate).

I believe that should mean no action would be required here, but the specifics of all that vary a bit across Ruby and OpenSSL versions (not to mention that it is just a bit hard to introspect/understand the specifics of those bindings), so it is hard to say for certain. excon does support an ssl_version argument, which can be used to force a specific version if it does end up being a problem (this is just not a good general choice because it disallows negotiation and the specifics vary between ruby versions).

Hope that helps.

ruby-on-rails ssl heroku amazon-s3 fog

Deadline has been moved:

Based on the feedback received we are extending the deadline for discontinuing support of SSLv3 for securing connections to S3 buckets to 12:00 AM PDT May 20, 2015.

ruby-on-rails ssl heroku amazon-s3 fog

Update May 7 2015, 11:26 AM IST

In carrierwave initializer, put things as following,

CarrierWave.configure do |config|  config.fog_credentials = {      :provider               => 'AWS',       # required      :aws_access_key_id      => Settings.carrier_wave.amazon_s3.access_key,       # required      :aws_secret_access_key  => Settings.carrier_wave.amazon_s3.secret_key,       # required      :region                 => 'external-1'  # optional, defaults to 'us-east-1'  }  config.fog_directory  = Settings.carrier_wave.amazon_s3.bucket                    # required  #config.fog_host       = 'http://aws.amazon.com/s3/'            # optional, defaults to nil  config.fog_public     = false                                   # optional, defaults to true  config.fog_authenticated_url_expiration = 600  config.fog_attributes = {ssl_version: :TLSv1_2} #{'Cache-Control'=>'max-age=315576000'}  # optional, defaults to {}end

This worked for me, and have a look at the wireshark trace log.

1577    22.611358000    192.168.0.113   8.8.8.8 DNS 87  Standard query 0xffd8  A s3-external-1.amazonaws.com1578    22.611398000    192.168.0.113   8.8.8.8 DNS 87  Standard query 0xbf2f  AAAA s3-external-1.amazonaws.com1580    22.731084000    8.8.8.8 192.168.0.113   DNS 103 Standard query response 0xffd8  A 54.231.1.2341586    22.849595000    54.231.10.34    192.168.0.113   TLSv1.2 107 Encrypted Alert1594    23.012866000    192.168.0.113   54.231.1.234    TLSv1.2 347 Client Hello1607    23.310950000    192.168.0.113   54.231.1.234    TLSv1.2 204 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message1608    23.578966000    54.231.1.234    192.168.0.113   TLSv1.2 129 Change Cipher Spec, Encrypted Handshake Message1609    23.579480000    192.168.0.113   54.231.1.234    TLSv1.2 427 Application Data1610    23.868725000    54.231.1.234    192.168.0.113   TLSv1.2 299 Application Data

Update May 6 2015, 6-53 PM IST

Ok, After updating the Excon gem, we are able to see the TLSv1.2 protocol between our server and S3 servers.

bundle update excon

Wireshark trace log statements,

29  1.989230000 192.168.0.115   54.231.32.0 SSL 336 Client Hello34  2.215461000 54.231.32.0 192.168.0.115   TLSv1.2 1494    Server Hello40  2.219301000 54.231.32.0 192.168.0.115   TLSv1.2 471 Certificate42  2.222127000 192.168.0.115   54.231.32.0 TLSv1.2 204 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message

UPDATE May 6, 2015, 4-29 PM IST

After updating the hosts file, following is the wireshark trace log.

14  2.012094000 192.168.0.115   54.231.32.0 SSLv3   192 Client Hello 17  2.242423000 54.231.32.0 192.168.0.115   SSLv3   61  Alert (Level:  Fatal, Description: Handshake Failure)

Wireshark request capture

Please see the above wireshark request capture, when I upload a file from my local development rails on S3. As it shows, on initial handshake Amazon server uses SSLv3 and so my rails server sends all future requests with SSLv3.

Now, the question is, How can I change the bucket settings so that it would accept/initiate the process using TLS only? I have checked in amazon settings, there is nothing like that.

I have already changed my nginx to use TLS, but I think that is not needed because Rails will talk to S3 in the background using Excon as mentioned in above comment.

So, Please suggest what could be the best possible way to test this before 20th May, to make sure that it will not break on that day.

Any help would be great.

Just for information - My bucket name is like xyz.abc.com, so no - in the name.

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last