whitebear

Reputation: 12433

Set the minimum TLS version as 1.2 for API Gateway

I have an API Gateway for a Lambda, such as

https://x6c5e11xkc.execute-api.ap-northeast-1.amazonaws.com/prod/c

Now I want to allow only TLS 1.2 or higher.

I found the document below, but I am not sure what the custom domain is... Is my URL a custom domain???

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html

Where should I set it??

My curl response is here:

$curl -s -v --tlsv1.1  https://x6c5e11xkc.execute-api.ap-northeast-1.amazonaws.com/prod/c

*   Trying 65.9.17.XX:443...
* Connected to x6c5e11xkc.execute-api.ap-northeast-1.amazonaws.com (65.9.17.49) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.execute-api.ap-northeast-1.amazonaws.com
*  start date: Sep 27 00:00:00 2021 GMT
*  expire date: Oct 26 23:59:59 2022 GMT
*  subjectAltName: host "x6c5e11xkc.execute-api.ap-northeast-1.amazonaws.com" matched cert's "*.execute-api.ap-northeast-1.amazonaws.com"
*  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x11f80b600)
> GET /prod/c HTTP/2
> Host: x6c5e11xkc.execute-api.ap-northeast-1.amazonaws.com
> user-agent: curl/7.79.1
> accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!

< HTTP/2 400 
< content-type: application/json
< content-length: 0
< date: Thu, 26 May 2022 02:41:55 GMT
< x-amzn-requestid: 73059bd5-7dae-4366-9a43-22fa50a331f2
< x-amz-apigw-id: StlUpHXeNjMFlww=
< x-amzn-trace-id: Root=1-628ee8ea-4bac852e062cd9bc28c64bf8;Sampled=0
< x-cache: Error from cloudfront
< via: 1.1 1eb001a93e05e8dbbe3865b069b8c264.cloudfront.net (CloudFront)
< x-amz-cf-pop: BKK50-C1
< x-amz-cf-id: T3RAkLW5HAdfnuxcVXlRHniwdNiI2JMyMzPxkAqcof1AkMTmJ7r0TQ==
< 

Upvotes: 1

Views: 2928
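One detail worth reading out of the curl output above: `--tlsv1.1` only sets the minimum version curl will accept, so the handshake still negotiated TLSv1.3 and the probe says nothing about whether TLS 1.1 is still accepted. The script below is an added example, not code from the question or the answers. It pins a single TLS version with `--tls-max` so each version can be tested on its own, and parses the negotiated protocol out of `curl -v` output. The `PROBE_HOST` variable, the function names and the sample text (copied from the question's handshake lines) are mine.

```sh
#!/bin/sh
# Added example, not part of the question or answers: probe which TLS versions an
# HTTPS endpoint actually accepts. `curl --tlsv1.1` alone sets only the minimum
# version, which is why the probe in the question negotiated TLSv1.3; pairing it
# with `--tls-max 1.1` pins a single version so the result is meaningful.

# Pull the negotiated protocol out of `curl -v` output, i.e. the
# "* SSL connection using <protocol> / <cipher>" line. Prints nothing when the
# handshake never completed, which is itself the answer for a refused version.
negotiated_tls_version() {
  printf '%s\n' "$1" | sed -n 's/^\* SSL connection using \([^ ]*\) \/.*/\1/p' | head -n 1
}

# Attempt exactly one TLS version (1.0, 1.1, 1.2 or 1.3) against a host.
# Returns 0 when the handshake succeeds, non-zero otherwise. The HTTP status
# does not matter here (the question's endpoint answers 400), only the handshake.
# A local curl/OpenSSL build that has TLS 1.0/1.1 disabled fails the same way a
# refusing server does, so read curl's error message before drawing a conclusion.
tls_version_accepted() {
  host=$1
  ver=$2
  curl -sS -o /dev/null --tlsv"$ver" --tls-max "$ver" "https://$host/"
}

# Constructed sample: the handshake lines from the `curl -v --tlsv1.1` output
# quoted in the question. Despite the flag, TLSv1.3 was negotiated.
SAMPLE_CURL_VERBOSE='* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* SSL connection using TLSv1.3 / AEAD-AES128-GCM-SHA256
* ALPN, server accepted to use h2'

# Usage (network access required):
#   PROBE_HOST=x6c5e11xkc.execute-api.ap-northeast-1.amazonaws.com sh tls_probe.sh
# The equivalent one-off check with curl alone is:
#   curl -sv --tlsv1.1 --tls-max 1.1 https://$PROBE_HOST/prod/c
if [ -n "${PROBE_HOST:-}" ]; then
  echo "sample output negotiated: $(negotiated_tls_version "$SAMPLE_CURL_VERBOSE")"
  for v in 1.0 1.1 1.2 1.3; do
    if tls_version_accepted "$PROBE_HOST" "$v"; then
      echo "TLS $v: accepted by $PROBE_HOST"
    else
      echo "TLS $v: not negotiated (refused by server, or unsupported by local curl)"
    fi
  done
fi
```

Run it once before and once after changing the minimum TLS version on the custom domain; the "not negotiated" lines for 1.0 and 1.1 are what proves the setting took effect, whereas a bare `--tlsv1.1` probe will keep succeeding either way.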

Answers (2)

Hugo Lesta

Reputation: 779

A custom domain is a domain you own, like mydomain.com, and you can set it on the API Gateway console. On top of that, you can use ACM (AWS Certificate Manager) to assign a certificate to that custom domain, applying the TLS policy you want (1.0, or 1.2 is preferred). So navigate to ACM and create a certificate for your domain, and then assign it to the custom domain.

Create ACM certificate


Create Custom domain and assign an ACM Certificate


Finally, select the API Mappings tab and configure the API mappings: select the API and stage.

API Mappings

Make sure that you configure your DNS to point to the API Gateway domain name; you can use Route 53, for example, and add a new A (ALIAS) record.

Regarding TLS, it is backwards compatible, which means that after upgrading the default to 1.2, systems using 1.1 and 1.0 will continue to function, so if any of your processing requires 1.0 and 1.1, it will remain available. Nevertheless, it's recommended that developers upgrade their code to run on TLS 1.2 only.

I hope this information may be helpful.

Upvotes: 1
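The same procedure as AWS CLI commands, added here as an example rather than the answer's own steps, with the security policy set explicitly to TLS_1_2 at the point where the custom domain is created (the minimum TLS version setting from the document the question links). With that policy in place the custom domain no longer completes TLS 1.0 or 1.1 handshakes, so any client that still depends on them has to be fixed before the switch. The domain name, certificate ARN, hosted zone id and the `get-domain-name` sample response are placeholders or constructed values; the API id and stage come from the question's URL, and the function names are mine.

```sh
#!/bin/sh
# Added example (not the answer's own code): custom domain for a REST API with
# minimum TLS 1.2, done with the AWS CLI. Values below are placeholders except
# the API id and stage, which come from the question's URL.
set -eu

DOMAIN=${DOMAIN:-api.example.com}                                                       # placeholder
CERT_ARN=${CERT_ARN:-arn:aws:acm:ap-northeast-1:111122223333:certificate/REPLACE-ME}    # placeholder
HOSTED_ZONE_ID=${HOSTED_ZONE_ID:-ZREPLACEME}                                            # placeholder Route 53 zone
API_ID=${API_ID:-x6c5e11xkc}
STAGE=${STAGE:-prod}

# Step 1 (ACM): request a DNS-validated certificate. For a REGIONAL custom domain
# it must be requested in the same region as the API. It stays PENDING_VALIDATION
# until the CNAME that ACM hands back is added to DNS, so wait before step 2.
request_certificate() {
  aws acm request-certificate --domain-name "$DOMAIN" --validation-method DNS \
    --query CertificateArn --output text
}

# Step 2: create the custom domain with security policy TLS_1_2. This is the
# setting that makes the domain refuse TLS 1.0 and 1.1 handshakes.
create_domain() {
  aws apigateway create-domain-name \
    --domain-name "$DOMAIN" \
    --regional-certificate-arn "$CERT_ARN" \
    --endpoint-configuration types=REGIONAL \
    --security-policy TLS_1_2
}

# Step 2 for a domain that already exists: patch the policy in place.
raise_to_tls12() {
  aws apigateway update-domain-name --domain-name "$DOMAIN" \
    --patch-operations op=replace,path=/securityPolicy,value=TLS_1_2
}

# Step 3: map the API stage onto the domain root (no base path).
map_stage() {
  aws apigateway create-base-path-mapping --domain-name "$DOMAIN" \
    --rest-api-id "$API_ID" --stage "$STAGE"
}

# Step 4: alias A record in Route 53 pointing at the regional domain name.
create_dns_alias() {
  target=$(aws apigateway get-domain-name --domain-name "$DOMAIN" \
             --query regionalDomainName --output text)
  zone=$(aws apigateway get-domain-name --domain-name "$DOMAIN" \
             --query regionalHostedZoneId --output text)
  aws route53 change-resource-record-sets --hosted-zone-id "$HOSTED_ZONE_ID" \
    --change-batch "{\"Changes\":[{\"Action\":\"UPSERT\",\"ResourceRecordSet\":{\"Name\":\"$DOMAIN\",\"Type\":\"A\",\"AliasTarget\":{\"HostedZoneId\":\"$zone\",\"DNSName\":\"$target\",\"EvaluateTargetHealth\":false}}}]}"
}

# Step 5 (optional): the default execute-api URL keeps AWS's own TLS settings
# regardless of the custom domain's policy, so disable it if callers must go
# through the custom domain.
disable_default_endpoint() {
  aws apigateway update-rest-api --rest-api-id "$API_ID" \
    --patch-operations op=replace,path=/disableExecuteApiEndpoint,value=true
}

# Audit helper: read securityPolicy out of a `get-domain-name` JSON response
# without depending on jq. Prints the policy name, or nothing if absent.
security_policy_of() {
  printf '%s\n' "$1" | sed -n 's/.*"securityPolicy": *"\([A-Za-z0-9_]*\)".*/\1/p' | head -n 1
}

# Guardrail for CI: succeed only if the live domain reports TLS_1_2.
check_domain_tls12() {
  [ "$(security_policy_of "$(aws apigateway get-domain-name --domain-name "$DOMAIN")")" = "TLS_1_2" ]
}

# Constructed sample response for a domain still on the TLS_1_0 policy.
SAMPLE_GET_DOMAIN='{
    "domainName": "api.example.com",
    "regionalDomainName": "d-abc123def4.execute-api.ap-northeast-1.amazonaws.com",
    "regionalHostedZoneId": "ZREPLACEME",
    "securityPolicy": "TLS_1_0",
    "endpointConfiguration": { "types": [ "REGIONAL" ] }
}'

# Usage: sh apigw_tls12.sh apply   (needs AWS credentials and a validated certificate)
if [ "${1:-}" = "apply" ]; then
  create_domain
  map_stage
  create_dns_alias
  check_domain_tls12 && echo "$DOMAIN enforces TLS_1_2"
fi
```

`check_domain_tls12` is the piece worth keeping around: run it against every custom domain in the account as a periodic audit, since a domain created from the console without touching the minimum TLS version, or created by a teammate with a different template, will report a policy other than TLS_1_2 in exactly the way the constructed sample does.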

Marcin

Reputation: 238199

not sure what the custom-domain

This is your own domain that you bought for your API, e.g. api.myapp.com. Only if you have your own domain associated with the API Gateway can you control its TLS settings.

The domain https://kfskdfs.execute-api.ap-northeast-1.amazonaws.com/prod/webhook is owned by AWS, so you have no control over its SSL certificates or any associated settings.

Upvotes: 0
