We run custom Python built from source. Just upgraded to use TLS-1.2, due to AWS sending us email warning TLS-1.2 is minimum TLS for AWS API. Our homebuilt Python was using TLS-1.0 or 1.1, and AWS Security sent us note saying we needed to upgrade to minimum TLS 1.2. So we did, and it all seems to work ok. But we are using an older OpenSSL, which supports TLS-1.2. (and we can confirm
this.)
<pre>
$python
import ssl, json, urllib2
print (json.loads(urllib2.urlopen('https://www.howsmyssl.com/a/check').read())['tls_version'])
TLS 1.2
</pre>
If we link in a newer OpenSSL, eg, any of the more recent 1.1.1 series, we get TLS-1.3, when we test/check it. I am guessing that using a more recent OpenSSL is OK for AWS API. But I wanted to check, just to be sure. We are using: aws-cli version: 1.16.312.
If we build our Python with OpenSSL 1.1.1 series, we get TLS-1.3 when we check it against the
"www.howsmyssl.com" site.
<pre>
$python
>>> import ssl, json, urllib2
>>> print (json.loads(urllib2.urlopen('https://www.howsmyssl.com/a/check').read())['tls_version'])
TLS 1.3
>>>
Check your Python SSL version like this:
>>> import ssl
>>> ssl.OPENSSL_VERSION
(reports OpenSSL version built into Python, which aws-cli 1.16.312 will use)
</pre>
Will the newer TLS-1.3 (or other newer transport layer protocols) work ok with the server
side of "aws-cli"? I am assuming probably yes, but experience has taught me to check. Or
will OpenSSL/Python/AWS-CLI be able to fall-back to TLS-1.2 that it wants? As of
now, when aws-cli runs, I can't tell which TLS it is using. If TLS-1.3 is ok, then we can go with a
much newer version of OpenSSL.
TL;DR:
Ok, in reviewing AWS Documentation, I found this:
https://aws.amazon.com/blogs/security/tls-1-2-required-for-aws-endpoints/
and it looks like aws-cli does support TLS-1.3, so we will go with the OpenSSL 1.1.1 stuff
to compile into our custom Python.
Question now is just: How to we check which TLS-1.x our aws-cli client is using when it
connects? Thanx for any info.