Questions tagged with Transport Layer Security (TLS)

I'm trying to call IoT Data Plane from a browser (only from localhost) and I'm trying to authenticate the client using a certificate registered in IoT Core. I found some code examples where it's implemented by setting `requestHandler` in clientConfig: ``` this.client = new IoTDataPlaneClient({ region: 'us-east-1', endpoint: 'XXXXX.iot.us-east-1.amazonaws.com', requestHandler: new NodeHttpHandler({ httpAgent: agent, httpsAgent: agent }) }) ``` `NodeHttpHandler` is for backend use and for browser there's `FetchHttpHandler` (from "@aws-sdk/fetch-http-handler"), which does not allow setting up the agent. What's the best approach to implement certificate+key based authN in IoT from browser?lg...

I'm using rds-combined-ca-bundle.pem to connect to a PostgreSQL instance on ap-east-1, I originally downloaded the file from https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem. The CA level cert expired on Jun 1 12:00:00 2022 GMT, and the certificates in other links for the global bundles / ap-east-1 on https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html also have the same expiry date, where can I find a newer one?lg...

We have: - an AWS transfer family server with FTPS protocol - a custom hostname and a valid ACM certificate which is attached to the FTP server - a Lambda for the Identity provider The client is using: - EXPLICIT AUTH TLS - our custom hostname - port 21 The problem is: the client can connect, the authentication is successfully (see below for the auth test result), but during the communication with the FTP server a TLS_RESUME_FAILURE occurs. The error in the customer client is "522 Data connection must use cached TLS session", and the error in the CloudWatch LogGroup of the transfer server is just "TLS_RESUME_FAILURE" I have no clue why this is happen. Any ideas? Here is the auth test result ``` { "Response": "{\"HomeDirectoryDetails\":\"[{\\\"Entry\\\":\\\"/\\\",\\\"Target\\\":\\\"/xxx/new\\\"}]\",\"HomeDirectoryType\":\"LOGICAL\",\"Role\":\"arn:aws:iam::123456789:role/ftp-s3-access-role\",\"Policy\":\"{\"Version\": \"2012-10-17\", \"Statement\": [{\"Sid\": \"AllowListAccessToBucket\", \"Action\": [\"s3:ListBucket\"], \"Effect\": \"Allow\", \"Resource\": [\"arn:aws:s3:::xxx-prod\"]}, {\"Sid\": \"TransferDataBucketAccess\", \"Effect\": \"Allow\", \"Action\": [\"s3:PutObject\", \"s3:GetObject\", \"s3:GetObjectVersion\", \"s3:GetObjectACL\", \"s3:PutObjectACL\"], \"Resource\": [\"arn:aws:s3:::xxx-prod/xxx/new\", \"arn:aws:s3:::xxx-prod/xxx/new/*\"]}]}\",\"UserName\":\"test\",\"IdentityProviderType\":\"AWS_LAMBDA\"}", "StatusCode": 200, "Message": "" } ```lg...

Hi, I have finished setting aws ec2 ssl cert to use https://mydomain, but after setting all including application load balance I still get connection refuse if I try to connect with https. Http is working well. I used ssl and domain from outside(imported). So I have done the extra setting for importing domain such as ns forwarding. I can't find any solution. Please help me on this.lg...

Hi, * Editing my question. On LightSail I created a certificate and got two values to be configured as a CNAME for validation. I have a public hosted zone on Amazon Route53 (public domain). Now my question is do I need to create a hosted a DNS zone with the same domain name that is hosted on Route53 and create the CNAME records there on LightSail or do I create the CNAME records on Route53 or on both?* The problem I am getting is the progress is stuck on "validating...." Any suggestions please? Thank you. ----------------------------------------------------------------- The SSL certificate validation is taking ages on Validating state I am using Lightsail and I have done the below configurations. I configured wp-config.php file correctly to use https. This is the running configuration define('WP_SITEURL', 'https://' . $_SERVER['HTTP_HOST'] . '/'); define('WP_HOME', 'https://' . $_SERVER['HTTP_HOST'] . '/'); if (isset($_SERVER['HTTP_CLOUDFRONT_FORWARDED_PROTO']) && $_SERVER['HTTP_CLOUDFRONT_FORWARDED_PROTO'] === 'https') { $_SERVER['HTTPS'] = 'on'; I have a domain hosted on Route53 and I created a CNAME for both (abc.com and www.abc.com) But the SSL still not validated now its more than 12 hours. Any ideas? Thanks.lg...

Hello, We build some app where our java job sent request to external app and in response we have some body as xml or json with data what we need. This is classified as Data Transfer ?lg...

I've attempted to enable TLSv1.3 on a Lightsail instance with Apache 2.4.52 and I receive "SSLProtocol: Illegal protocol 'TLSv1.3'" I have OpenSSL version 1.0.2k installed. When I run yum update, it does not update OpenSSL. Any thoughts on how you can enable TLSv1.3 on Amazon Linux 2 with Apache?lg...

Documentation here (https://docs.aws.amazon.com/kms/latest/APIReference/Welcome.html) says 'use FIPS endpoint for your region', but I can't find any information on how to configure or enable it. I'm using this on gov cloud region. Is the FIPS endpoint just there and auto-provisioned like an alias for any service? If there is something needed in the CLI could you kindly provide the syntax?lg...

Hi, I have remote battery powered cellular devices uploading their measurements to IOT Core. They disconnected their modem each packet upload, which could be 1/min. However the data overhead required to connect and handshake, exchange certs etc is too large. At the moment 4k-6k is required on each connect, even if just sending 100bytes of data. The handshake is killing my data usage. See this blog I found for info on the overhead required by TLS 1.2 http://netsekure.org/2010/03/tls-overhead/ For devices that need to be as efficient as possible with data and power, is it possible to a) resume TLS connections? or b) what is the recommended way for these devices to connect to the MQTT IOT Core service? This is a low power sensor device that is not able to run the SDK. So we need to implement out own connection to the MQTT ports on AWS (8883). AWS also does not allow unencrypted connections... A very similar and related question that went unanswered (https://forums.aws.amazon.com/thread.jspa?messageID=891100&#891100), however considering MQTT is desinged for IOT devices and is supposed to minimise load and be efficient it is hard to accept a 4k-6k overhead on each connection.lg...

I have a script (unchanged in 4 years) that has been used to access an API that is behind an https URL. It is used each Jan-Feb. My AWS server is an EC2 dedicated server. This year, I suddenly find that script is not working (cannot verify certificate). (It is a perl script using HTTP::Request in the LWP family. And yes, the LWP::Protocol::https module is appropriately installed, along with SSLeahy.) I've checked the target site with my browser and with online cert checkers, and it is fine. So I'm pretty sure the problem is the expiration of openssl 1.0.2 last September. The target site is probably using only the 1.3 protocol version. However, my efforts to find a way to upgrade to openssl 1.1.1 have been unsuccessful. I found a note that AWS had posted the package openssl11, but when I try to get that using "sudo yum install," it doesn't find the package. So how do I get the new version installed on my EC2 server? Help please! This is an urgent issue.lg...

Hi, I am trying to disable TLS 1.1 and 1.0 on my site. On Windows Server 2008 I have installed Nartac's IIS Crypto and disabled TLS 1.1 for the test. After I click apply and reboot I can no longer access RDP which says an internal error has occurred. What can I do about this?lg...