0
votes

Follow-up to AWS API Gateway should prevent use of TLS v1: I created a CloudFront distribution with the config below.

  - Origin Domain Name: my Gateway API endpoint https://abcdfefg.execute-api.us-east-1.amazonaws.com
  - Viewer Protocol Policy: HTTPS Only
  - Origin SSL Protocols: TLSv1.2, TLSv1.1 (TLSv1 unchecked)
  - other defaults

After the distribution was deployed, when I accessed my Gateway API via the custom domain, I was still able to make calls over TLSv1.

How do I map my custom domain to this new CloudFront distribution to enforce the TLS settings?

Update 1: In my Java test program that calls the Gateway API via the custom domain, I enabled the runtime arguments below:

-Dhttps.protocols=TLSv1 -Djavax.net.debug=all

Output from javax.net.debug confirms the TLSv1 exchange:

*** ClientHello, TLSv1
.... many lines output
*** ServerHello, TLSv1
..
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Confirmed the TLSv1 usage with curl too. The curl output includes:

* SSL connection using TLSv1.0 / ECDHE-RSA-AES128-SHA
How are you verifying that you are actually negotiating TLSv1? (Michael - sqlbot)
@Michael-sqlbot see my update, which has debug info to confirm TLSv1 usage. (suman j)
What is the endpoint that is in question? (Kannaiyan)
Not sure why the downvote! (suman j)

1 Answer

0
votes

In order for the Gateway API to work with an additional CloudFront distribution, we need to:

  1. From the AWS Console, under API Gateway, go to Custom Domain Name and delete the mapped entry.
  2. Add a CNAME entry in the CloudFront settings. From the AWS Console, follow the instructions under Adding an Alternate Domain Name.

After the above changes are completed, accessing the custom domain name over HTTPS will enforce the TLS security settings as defined in the CloudFront distribution.
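The answer's two console steps as an added CloudFormation example (not code from the original post or from AWS); it also sets the viewer-side minimum protocol, which CloudFront controls through the certificate's security policy, since Origin SSL Protocols only governs the CloudFront-to-API-Gateway hop. Assumed values: the custom domain api.example.com, an ACM certificate for it in us-east-1, and a Route 53 hosted zone; all three are placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  ApiDomain:
    Type: String
    Default: abcdfefg.execute-api.us-east-1.amazonaws.com  # the question's endpoint, without "https://"
  CustomDomain:
    Type: String
    Default: api.example.com   # assumed custom domain (placeholder)
  CertArn:
    Type: String             # ACM certificate for CustomDomain; must live in us-east-1 for CloudFront
  HostedZoneId:
    Type: String             # Route 53 zone that serves CustomDomain (placeholder)
Resources:
  ApiDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Aliases:
          - !Ref CustomDomain        # step 2 of the answer: the alternate domain name (CNAME)
        Origins:
          - Id: api-gateway
            DomainName: !Ref ApiDomain
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
              OriginSSLProtocols:      # the question's setting: CloudFront -> API Gateway hop only
                - TLSv1.2
                - TLSv1.1
        DefaultCacheBehavior:
          TargetOriginId: api-gateway
          ViewerProtocolPolicy: https-only
          AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]
          DefaultTTL: 0
          MaxTTL: 0
          ForwardedValues:           # pass query string and auth header to the API, not Host
            QueryString: true
            Headers: [Authorization]
        ViewerCertificate:
          AcmCertificateArn: !Ref CertArn
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021   # viewer side: a TLSv1.0/1.1 ClientHello is rejected
  ApiDnsRecord:                    # point the custom domain at the distribution (assumed Route 53 zone)
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref CustomDomain
      Type: A
      AliasTarget:
        DNSName: !GetAtt ApiDistribution.DomainName
        HostedZoneId: Z2FDTNDATAQYW2   # fixed hosted-zone id shared by all CloudFront distributions
```

After deployment, `curl --tlsv1.0 --tls-max 1.0 https://api.example.com/` should fail the handshake while `--tlsv1.2` succeeds, the same check the question ran but with the opposite expected result.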