TLS Version in AWS SDK for Go V2

The AWS SDK for Go V2 configures the default HTTP client used by the SDK service clients to require a minimum version of TLS 1.2 or greater. When using the http.BuildableClient to customize the SDK HTTP client, the minimum TLS value is configured as TLS 1.2.

If your application constructs an HTTP client using a method other than the provided BuildableClient, you must configure your client to set the minimum TLS version to 1.2.

Enforcing a Minimum TLS Version

You can construct a custom http.Client or use the SDK-provided http.BuildableClient builder. The following example demonstrates how to specify a minimum TLS version of 1.3 using the http.BuildableClient.

Some AWS Services do not yet support TLS 1.3; configuring this as your minimum version may affect SDK interoperability. We recommend testing this change with each service prior to production deployment.

package main

import (
	"context"
	"crypto/tls"
	"net/http"

	awshttp "github.com/aws/aws-sdk-go-v2/aws/transport/http"
	"github.com/aws/aws-sdk-go-v2/config"
)

func main() {
	// Create the custom HTTP client, configured for TLS 1.3 specified as the
	// minimum TLS version.
	httpClient := awshttp.NewBuildableClient().WithTransportOptions(func(tr *http.Transport) {
		if tr.TLSClientConfig == nil {
			tr.TLSClientConfig = &tls.Config{}
		}
		tr.TLSClientConfig.MinVersion = tls.VersionTLS13
	})

	// Load the SDK's configuration, and specify the custom HTTP client to be used
	// by all SDK API clients created from this configuration.
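	cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithHTTPClient(httpClient))
	if err != nil {
		panic("unable to load SDK config: " + err.Error())
	}

	// Use the loaded config and custom HTTP client to create SDK API client(s).
	// ...
	_ = cfg // placeholder so the example compiles until cfg is passed to a service client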
}
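
The other route mentioned above, a plain http.Client built without the BuildableClient, together with a way to test a TLS floor before deployment. This is an added example, not code from the AWS documentation or the SDK: the names newClient and negotiate are hypothetical, and a local httptest server with a capped TLS version stands in for a service endpoint.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newClient builds a plain *http.Client (no BuildableClient) with an explicit
// TLS floor. roots is only needed here to trust the local test certificate.
func newClient(minVersion uint16, roots *x509.CertPool) *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{MinVersion: minVersion, RootCAs: roots},
	}}
}

// negotiate starts a constructed local HTTPS endpoint capped at serverMax and
// returns the version a client with floor clientMin negotiates, or the error.
func negotiate(clientMin, serverMax uint16) (uint16, error) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS10, MaxVersion: serverMax}
	srv.StartTLS()
	defer srv.Close()

	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	client := newClient(clientMin, roots)
	defer client.CloseIdleConnections()
	resp, err := client.Get(srv.URL)
	if err != nil {
		return 0, err // handshake refused: no common TLS version
	}
	defer resp.Body.Close()
	return resp.TLS.Version, nil
}

func main() {
	cases := []struct{ clientMin, serverMax uint16 }{
		{tls.VersionTLS12, tls.VersionTLS13}, // modern endpoint
		{tls.VersionTLS12, tls.VersionTLS11}, // legacy endpoint: must be refused
		{tls.VersionTLS13, tls.VersionTLS12}, // endpoint without TLS 1.3 support
	}
	for _, c := range cases {
		v, err := negotiate(c.clientMin, c.serverMax)
		fmt.Printf("floor=%#x serverMax=%#x negotiated=%#x err=%v\n", c.clientMin, c.serverMax, v, err)
	}
}
```

A client built this way can be passed to config.WithHTTPClient exactly as in the example above. The third case shows the interoperability failure to expect when a 1.3 floor meets an endpoint that stops at TLS 1.2.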