AWS S3 Disabling SSLv3 Support


Problem description

We received an email from AWS that basically says 'S3 is disabling SSLv3 Support, access will be cut-off in 15 days'. They then listed some buckets we have (one in production) that are 'currently accepting request from clients that specify SSLv3'. The full email is here, and other AWS users seem to have received one too:

https://gist.github.com/anonymous/4240c8af5208782c144c

My question is how do we test for this scenario, and what do we need to do to prepare for this cut-off date?

We use Rails 4.1 and the Fog (~> 1.28.0) and right_aws (~> 3.1.0) gems for AWS access and we're on Heroku. Our app provides signed HTTPS links to S3 resources to our browser users in our UI.

Is this just a client (browser) issue or something we need to understand better and test/fix?

Recommended answer

fog uses excon for its http(s) transport. excon is a low-level pure-ruby http client, which relies on the ruby openssl bindings to work. Though it is possible to explicitly set an ssl version to use, excon doesn't, which to the best of my knowledge should mean that it negotiates with the server to choose what to use (so if the server asks for not SSLv3, it should cooperate).

I believe that should mean no action would be required here, but the specifics of all that vary a bit across Ruby and OpenSSL versions (not to mention that it is just a bit hard to introspect/understand the specifics of those bindings), so it is hard to say for certain. excon does support an ssl_version argument, which can be used to force a specific version if it does end up being a problem (this is just not a good general choice because it disallows negotiation and the specifics vary between ruby versions).

Hope that helps.
