include::../description.adoc[]
== Noncompliant Code Example
[source,python]
----
from OpenSSL import SSL
SSL.Context(SSL.SSLv3_METHOD) # Noncompliant: pins the context to the obsolete SSLv3 protocol instead of a current TLS version with an explicit minimum
----
[source,python]
----
import ssl
ssl.SSLContext(ssl.PROTOCOL_SSLv3) # Noncompliant: selects the obsolete SSLv3 protocol instead of a TLS server context with an explicit minimum version
----
For https://docs.aws.amazon.com/cdk/api/v1/python/aws_cdk.aws_apigateway/DomainName.html[aws_cdk.aws_apigateway.DomainName]:
[source,python]
----
from aws_cdk.aws_apigateway import DomainName, SecurityPolicy
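class ExampleStack(Stack):
    """Stack that creates an API Gateway custom domain with a weak TLS policy (noncompliant example).

    The listing's indentation was lost in rendering; it is restored here so the
    example is valid Python. `Stack`, `Construct` and `certificate` are assumed
    to be provided by the surrounding CDK app.
    """

    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        DomainName(self, "example",
            domain_name="example.com",
            certificate=certificate,
            security_policy=SecurityPolicy.TLS_1_0 # Noncompliant: accepts TLS 1.0 clients; the compliant form uses SecurityPolicy.TLS_1_2
        )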
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_opensearchservice/CfnDomain.html[aws_cdk.aws_opensearchservice.CfnDomain]:
[source,python]
----
from aws_cdk.aws_opensearchservice import CfnDomain, EngineVersion
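class ExampleStack(Stack):
    """Stack that creates an OpenSearch domain without an explicit TLS security policy (noncompliant example).

    The listing's indentation was lost in rendering; it is restored here so the
    example is valid Python. `Stack` and `Construct` are assumed to be provided
    by the surrounding CDK app.
    """

    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        # No domain_endpoint_options / tls_security_policy is set, so the
        # endpoint falls back to the default policy.
        # NOTE(review): CfnDomain is the L1 construct; confirm it accepts the
        # `version` keyword — the L2 `Domain` construct is the one documented
        # with `EngineVersion`.
        CfnDomain(self, "example",
            version=EngineVersion.OPENSEARCH_1_3
        ) # Noncompliant: enables TLS 1.0 which is a deprecated version of the protocol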
----
== Compliant Solution
[source,python]
----
from OpenSSL import SSL
# Version-flexible server context; on its own it does not forbid older
# protocol versions, so the floor is pinned explicitly on the next line.
context = SSL.Context(SSL.TLS_SERVER_METHOD)
# Refuse anything below TLS 1.3 during negotiation.
context.set_min_proto_version(SSL.TLS1_3_VERSION)
----
[source,python]
----
import ssl
# Version-flexible server context; on its own it does not forbid older
# protocol versions, so the floor is pinned explicitly on the next line.
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
# Refuse anything below TLS 1.3 during negotiation.
context.minimum_version = ssl.TLSVersion.TLSv1_3
----
For https://docs.aws.amazon.com/cdk/api/v1/python/aws_cdk.aws_apigateway/DomainName.html[aws_cdk.aws_apigateway.DomainName]:
[source,python]
----
from aws_cdk.aws_apigateway import DomainName, SecurityPolicy
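class ExampleStack(Stack):
    """Stack that creates an API Gateway custom domain with a TLS 1.2 minimum (compliant example).

    The listing's indentation was lost in rendering; it is restored here so the
    example is valid Python. `Stack`, `Construct` and `certificate` are assumed
    to be provided by the surrounding CDK app.
    """

    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        DomainName(self, "example",
            domain_name="example.com",
            certificate=certificate,
            # Explicit policy: clients negotiating TLS 1.0/1.1 are rejected.
            security_policy=SecurityPolicy.TLS_1_2
        )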
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_opensearchservice/CfnDomain.html[aws_cdk.aws_opensearchservice.CfnDomain]:
[source,python]
----
from aws_cdk.aws_opensearchservice import CfnDomain, EngineVersion
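class ExampleStack(Stack):
    """Stack that creates an OpenSearch domain with an explicit TLS 1.2 minimum (compliant example).

    Two fixes to the rendered listing: the missing comma after the `version`
    argument (the example was not valid Python), and the lost indentation.
    `Stack` and `Construct` are assumed to be provided by the surrounding CDK app.
    """

    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        # NOTE(review): CfnDomain is the L1 construct; confirm it accepts the
        # `version` keyword — the L2 `Domain` construct is the one documented
        # with `EngineVersion`.
        CfnDomain(self, "example",
            version=EngineVersion.OPENSEARCH_1_3,
            # Explicit endpoint policy so the domain does not fall back to a
            # default that still accepts TLS 1.0.
            domain_endpoint_options=CfnDomain.DomainEndpointOptionsProperty(
                tls_security_policy="Policy-Min-TLS-1-2-2019-07"
            )
        )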
----
include::../see.adoc[]
* https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html[Amazon API Gateway] - Choosing a minimum TLS version
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::message.adoc[]
include::../highlighting.adoc[]
'''
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]