Explicit list of TLS cipher suites (#2422)

82marbag · web-flow · commit f3e44742e3b4 · 2023-03-22T11:19:01.000Z
Signed-off-by: Daniele Ahmed &lt;ahmeddan@amazon.de&gt;
diff --git a/rust-runtime/aws-smithy-client/Cargo.toml b/rust-runtime/aws-smithy-client/Cargo.toml
@@ -11,7 +11,7 @@ repository = "https://github.com/awslabs/smithy-rs"
 rt-tokio = ["aws-smithy-async/rt-tokio"]
 test-util = ["aws-smithy-protocol-test", "serde/derive", "rustls", "hyper/server", "hyper/h2", "tokio/full"]
 native-tls = ["client-hyper", "hyper-tls", "rt-tokio"]
-rustls = ["client-hyper", "hyper-rustls", "rt-tokio", "lazy_static"]
+rustls = ["client-hyper", "hyper-rustls", "rt-tokio", "lazy_static", "dep:rustls"]
 client-hyper = ["hyper"]
 hyper-webpki-doctest-only = ["hyper-rustls/webpki-roots"]
 
@@ -32,6 +32,7 @@ hyper = { version = "0.14.25", features = ["client", "http2", "http1", "tcp"], o
 # https://github.com/rust-lang/cargo/issues/1596
 hyper-rustls = { version = "0.23.0", optional = true, features = ["rustls-native-certs", "http2"] }
 hyper-tls = { version = "0.5.0", optional = true }
+rustls = { version = "0.20", optional = true }
 lazy_static = { version = "1", optional = true }
 pin-project-lite = "0.2.7"
 serde = { version = "1", features = ["derive"], optional = true }
diff --git a/rust-runtime/aws-smithy-client/src/conns.rs b/rust-runtime/aws-smithy-client/src/conns.rs
@@ -19,13 +19,34 @@ pub type NativeTls = hyper_tls::HttpsConnector<hyper::client::HttpConnector>;
 /// A smithy connector that uses the `rustls` crate for TLS.
 pub type Rustls = crate::hyper_ext::Adapter<Https>;
 
+#[cfg(feature = "rustls")]
+use hyper_rustls::ConfigBuilderExt;
+
 // Creating a `with_native_roots` HTTP client takes 300ms on OS X. Cache this so that we
 // don't need to repeatedly incur that cost.
 #[cfg(feature = "rustls")]
 lazy_static::lazy_static! {
     static ref HTTPS_NATIVE_ROOTS: Https = {
         hyper_rustls::HttpsConnectorBuilder::new()
-            .with_native_roots()
+            .with_tls_config(
+                rustls::ClientConfig::builder()
+                    .with_cipher_suites(&[
+                        // TLS1.3 suites
+                        rustls::cipher_suite::TLS13_AES_256_GCM_SHA384,
+                        rustls::cipher_suite::TLS13_AES_128_GCM_SHA256,
+                        // TLS1.2 suites
+                        rustls::cipher_suite::TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+                        rustls::cipher_suite::TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+                        rustls::cipher_suite::TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+                        rustls::cipher_suite::TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+                        rustls::cipher_suite::TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+                    ])
+                    .with_safe_default_kx_groups()
+                    .with_safe_default_protocol_versions()
+                    .expect("Error with the TLS configuration. Please file a bug report under https://github.com/awslabs/smithy-rs/issues.")
+                    .with_native_roots()
+                    .with_no_client_auth()
+            )
             .https_or_http()
             .enable_http1()
             .enable_http2()
