humanmade / S3-Uploads

The WordPress Plugin to Store Uploads on Amazon S3

Update S3 object access TLS #628

Open Airhune opened 1 year ago

Airhune commented 1 year ago

I recently received a notice that I should update the current TLS 1.0 connection to TLS 1.2 in the Amazon bucket that I use for uploading images. Is there any compatibility problem with the plugin, or should I make any configuration changes?

rmccue commented 1 year ago

We haven't received any similar notices and use TLS 1.2 extensively in production, so I suspect it works fine. I would assume the AWS SDK handles any of this seamlessly provided you're using a relatively recent version of PHP, but I'd suggest conducting your own testing to evaluate it.

nbyloff commented 1 year ago

@Airhune I got a notification today stating the same thing. Did you resolve your issue? My S3 access from this library was flagged as TLS1.0. They suggest this as a configuration change:

How can I enforce connections to my bucket(s) be over TLSv1.2 and above?
As a best practice, and to prepare for our enforcement of TLS 1.2 or higher, we recommend you proactively enforce a minimum of TLS 1.2 directly on all of your shared S3 bucket(s). You may do this by applying a bucket policy with the s3:TlsVersion condition key as documented in this Knowledge Center article [7].

My bucket policy is blank, but since @rmccue says they're using TLS 1.2 in production, I need to figure out why my requests seem to be using TLS 1.0. How did you force PHP to use TLS 1.2?

EDIT: Just ran the following script and it says all my servers are using TLS 1.3, so not sure why Amazon is detecting 1.0. My current assumption is that a small number of users are browsing these websites with TLS 1.0 encryption. I have enabled logging to confirm.

<?php
// Ask howsmyssl.com which TLS version this server's curl negotiates.
$ch = curl_init('https://www.howsmyssl.com/a/check');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$data = curl_exec($ch);
curl_close($ch);
$json = json_decode($data);
echo "TLS version is: " . $json->tls_version . "\n";

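
Pulling together the two defender-side steps raised in this thread, enabling S3 server access logging to find which clients still negotiate old TLS, and the `s3:TlsVersion` bucket policy AWS recommends, here is an added example (not part of this thread or of the S3-Uploads plugin) that parses S3 access log lines for requests below TLS 1.2, counts them by user agent, and builds the deny policy. The log lines, bucket name and user agents other than those quoted in the thread are constructed.

```python
import re
from collections import Counter

# Tokenizer for S3 server access log lines: the bracketed timestamp and the
# double-quoted fields (request URI, referrer, user agent) must stay whole.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')
_TLS = re.compile(r'TLSv(\d)(?:\.(\d))?$', re.IGNORECASE)

def parse_request(line):
    """Return (user_agent, tls_version) for one log line; tls_version is a
    float such as 1.0 or 1.2, or None when the line carries no TLS field."""
    tokens = _TOKEN.findall(line)
    if len(tokens) < 17:
        return None, None
    user_agent = tokens[16].strip('"')       # field 17 is the user agent
    for tok in tokens[17:]:                  # tls_version follows host_header
        m = _TLS.match(tok)
        if m:
            return user_agent, float(f"{m.group(1)}.{m.group(2) or 0}")
    return user_agent, None

def legacy_tls_clients(lines, minimum=1.2):
    """Count requests negotiated below `minimum`, keyed by user agent, which
    is the field the AWS Health notice reports for each flagged resource."""
    hits = Counter()
    for line in lines:
        agent, version = parse_request(line)
        if version is not None and version < minimum:
            hits[agent] += 1
    return hits

def min_tls_bucket_policy(bucket):
    """The bucket policy AWS recommends: deny any request whose negotiated
    TLS version is below 1.2, via the s3:TlsVersion condition key."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyTlsBelow12", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
        "Condition": {"NumericLessThan": {"s3:TlsVersion": 1.2}}}]}

# Constructed sample lines in the S3 server access log layout (not real logs).
SAMPLE_LOG = [
    'OWNER uploads [01/Jan/2024:10:00:00 +0000] 192.0.2.10 - R1 REST.GET.OBJECT 2024/01/a.jpg "GET /2024/01/a.jpg HTTP/1.1" 200 - 5120 5120 12 10 "-" "BPImageWalker/2.0 (www.bdbrandprotect.com)" - H1 SigV4 ECDHE-RSA-AES128-SHA AuthHeader uploads.s3.eu-west-3.amazonaws.com TLSv1 - -',
    'OWNER uploads [01/Jan/2024:10:00:01 +0000] 192.0.2.20 ACCT R2 REST.PUT.OBJECT 2024/01/b.jpg "PUT /2024/01/b.jpg HTTP/1.1" 200 - - 8192 30 25 "-" "aws-sdk-php/3 GuzzleHttp/7" - H2 SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader uploads.s3.eu-west-3.amazonaws.com TLSv1.2 - -',
    'OWNER uploads [01/Jan/2024:10:00:02 +0000] 198.51.100.7 - R3 REST.GET.OBJECT 2024/01/a.jpg "GET /2024/01/a.jpg HTTP/1.1" 200 - 5120 5120 14 11 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)" - H3 - ECDHE-RSA-AES128-SHA - uploads.s3.eu-west-3.amazonaws.com TLSv1 - -',
    'OWNER uploads [01/Jan/2024:10:00:03 +0000] 203.0.113.9 - R4 REST.GET.OBJECT 2024/01/c.jpg "GET /2024/01/c.jpg HTTP/1.1" 200 - 2048 2048 9 8 "-" "Mozilla/5.0 (Macintosh) Safari/605.1" - H4 - TLS_AES_256_GCM_SHA384 - uploads.s3.eu-west-3.amazonaws.com TLSv1.3 - -',
]
```

Running `legacy_tls_clients(SAMPLE_LOG)` over real logs tells you whether the sub-1.2 traffic is the plugin's own SDK (Guzzle agent, PUT requests) or third-party fetchers of public objects, which decides whether the deny policy can be applied without breaking uploads.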
rmccue commented 1 year ago

Thanks for the ping here; we actually did get a ping today, but only for our us-east-1 region and not any others. I'm wondering if it might be related to old-style bucket URLs.

Going to have our engineers check this in any case.

rmccue commented 1 year ago

Noting that the affected resource notes a user agent of:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C;

Which is definitely not our internal systems; could be from a lingering direct reference.

@Airhune @nbyloff Are you seeing similar for your user agents? (The agent for the AWS SDK should be Guzzle/... I think)

nbyloff commented 1 year ago

@rmccue I enabled logging on my S3 bucket and the first handful I looked at show valid requests using TLSv1.2 and one TLSv1.3. So far, since the errors for me were on GET requests, I am leaning towards the errors being triggered when a client browses a page, loading images with a client using TLSv1.0.

Airhune commented 1 year ago

@rmccue In the AWS Health dashboard it appears that I have the following resource affected by TLS 1.0 connections: eu-west-3|bucket | REST.GET.OBJECT|TLSv1|62|[BPImageWalker/2.0 (www.bdbrandprotect.com)]

I have been investigating when the BPImageWalker function is called, but I do not know its origin, and since it is a bucket that we use specifically for WordPress uploads, I understand that it comes from the plugin itself.