Enforcing a minimum TLS version in the Amazon SDK for Ruby - Amazon SDK for Ruby
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Enforcing a minimum TLS version in the Amazon SDK for Ruby

Communication between the Amazon SDK for Ruby and Amazon is secured using Secure Sockets Layer (SSL) or Transport Layer Security (TLS). All versions of SSL, and versions of TLS earlier than 1.2, have vulnerabilities that can compromise the security of your communication with Amazon. For this reason, you should make sure that you’re using the Amazon SDK for Ruby with a version of Ruby that supports TLS version 1.2 or later.

Ruby uses the OpenSSL library to secure HTTP connections. Supported versions of Ruby (1.9.3 and later) installed through system package managers (yum, apt, and others), an official installer, or Ruby managers (rbenv, RVM, and others) typically incorporate OpenSSL 1.0.1 or later, which supports TLS 1.2.

When used with a supported version of Ruby with OpenSSL 1.0.1 or later, the Amazon SDK for Ruby prefers TLS 1.2, and uses the latest version of SSL or TLS supported by both the client and server. This is always at least TLS 1.2 for Amazon Web Services. (The SDK uses the Ruby Net::HTTP class with use_ssl=true.)

Checking the OpenSSL version

To make sure your installation of Ruby is using OpenSSL 1.0.1 or later, enter the following command.

ruby -r openssl -e 'puts OpenSSL::OPENSSL_VERSION'

An alternative way to get the OpenSSL version is to query the openssl executable directly. First, locate the appropriate executable using the following command.

ruby -r rbconfig -e 'puts RbConfig::CONFIG["configure_args"]'

The output should have --with-openssl-dir=/path/to/openssl indicating the location of the OpenSSL installation. Make a note of this path. To check the version of OpenSSL, enter the following commands.

cd /path/to/openssl bin/openssl version

This latter method might not work with all installations of Ruby.

Upgrading TLS support

If the version of OpenSSL used by your Ruby installation is earlier than 1.0.1, upgrade your Ruby or OpenSSL installation using your system package manager, Ruby installer, or Ruby manager, as described in Ruby’s installation guide. If you’re installing Ruby from source, install the latest OpenSSL first, and then pass --with-openssl-dir=/path/to/upgraded/openssl when running ./configure.