Open
Description
Security issue notifications
If you discover a potential security issue in s2n we ask that you notify
AWS Security via our vulnerability reporting page. Please do not create a public github issue.
Problem:
Currently the "default" security policy is using TLS 1.2. We should update this security policy to prefer 1.3 to help drive TLS 1.3 adoption and follow best practices.
Solution:
A description of the possible solution in terms of S2N architecture. Highlight and explain any potentially controversial design decisions taken.
- Does this change what S2N sends over the wire? Yes, this will change the behavior customer's using the "default" security policy will see.
- Does this change any public APIs? No
- Which versions of TLS will this impact? N/A
Requirements / Acceptance Criteria:
Modifying the "default" security policy will accomplish this.
- RFC links: Links to relevant RFC(s)
- Related Issues: Link any relevant issues
- Will the Usage Guide or other documentation need to be updated? Yes, the Usage Guide should be updated to document this change.
- Testing: How will this change be tested? Call out new integration tests, functional tests, or particularly interesting/important unit tests.
- Will this change trigger SAW changes? Changes to the state machine, the s2n_handshake_io code that controls state transitions, the DRBG, or the corking/uncorking logic could trigger SAW failures.
- Should this change be fuzz tested? Will it handle untrusted input? Create a separate issue to track the fuzzing work.
Out of scope:
Is there anything the solution will intentionally NOT address?