include::../description.adoc[]

== Noncompliant Code Example

[source,python]
----
from OpenSSL import SSL

SSL.Context(SSL.SSLv3_METHOD)  # Noncompliant
----

[source,python]
----
import ssl

ssl.SSLContext(ssl.PROTOCOL_SSLv3) # Noncompliant
----

For https://docs.aws.amazon.com/cdk/api/v1/python/aws_cdk.aws_apigateway/DomainName.html[aws_cdk.aws_apigateway.DomainName]:
[source,python]
----
from aws_cdk.aws_apigateway import DomainName, SecurityPolicy
class ExampleStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs) 
        DomainName(self, "example",
            domain_name="example.com",
            certificate=certificate,
            security_policy=SecurityPolicy.TLS_1_0 # Noncompliant
        )
----

For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_opensearchservice/CfnDomain.html[aws_cdk.aws_opensearchservice.CfnDomain]:
[source,python]
----
from aws_cdk.aws_opensearchservice import CfnDomain, EngineVersion
class ExampleStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        CfnDomain(self, "example",
            version=EngineVersion.OPENSEARCH_1_3
        ) # Noncompliant: enables TLS 1.0 which is a deprecated version of the protocol 
----

== Compliant Solution

[source,python]
----
from OpenSSL import SSL

context = SSL.Context(SSL.TLS_SERVER_METHOD)
context.set_min_proto_version(SSL.TLS1_3_VERSION)
----

[source,python]
----
import ssl

context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.minimum_version = ssl.TLSVersion.TLSv1_3

----

For https://docs.aws.amazon.com/cdk/api/v1/python/aws_cdk.aws_apigateway/DomainName.html[aws_cdk.aws_apigateway.DomainName]:
[source,python]
----
from aws_cdk.aws_apigateway import DomainName, SecurityPolicy
class ExampleStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs) 
        DomainName(self, "example",
            domain_name="example.com",
            certificate=certificate,
            security_policy=SecurityPolicy.TLS_1_2
        )
----

For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_opensearchservice/CfnDomain.html[aws_cdk.aws_opensearchservice.CfnDomain]:
[source,python]
----
from aws_cdk.aws_opensearchservice import CfnDomain, EngineVersion
class ExampleStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        CfnDomain(self, "example",
            version=EngineVersion.OPENSEARCH_1_3
            domain_endpoint_options=CfnDomain.DomainEndpointOptionsProperty(
                tls_security_policy="Policy-Min-TLS-1-2-2019-07"
            )
        )
----

include::../see.adoc[]
* https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html[Amazon API Gateway] - Choosing a minimum TLS version

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::message.adoc[]

include::../highlighting.adoc[]

'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]