From a389ea2d4e36e25fee831260ad80827aab0ab686 Mon Sep 17 00:00:00 2001
From: Luca Palmieri <20745048+LukeMathWalker@users.noreply.github.com>
Date: Mon, 6 Feb 2023 16:30:33 +0000
Subject: [PATCH] Enforce the same minimum TLS version (1.2) for both TLS backends (#2312)
* Enforce the same minimum TLS version (1.2) for both TLS backends
* Add CHANGELOG entry
* Add documentation for both `https` and `native_tls`.
* Remove unnecessary mut
---
CHANGELOG.next.toml | 6 ++++++
rust-runtime/aws-smithy-client/src/lib.rs | 16 +++++++++++++++-
2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.next.toml b/CHANGELOG.next.toml
index 1f24199f58..5a0ba40de5 100644
--- a/CHANGELOG.next.toml
+++ b/CHANGELOG.next.toml
@@ -11,6 +11,12 @@
 # meta = { "breaking" = false, "tada" = false, "bug" = false, "target" = "client | server | all"}
 # author = "rcoh"
 
+[[smithy-rs]]
+message = "Raise the minimum TLS version from 1.0 to 1.2 when using the `native-tls` feature in `aws-smithy-client`."
+references = ["smithy-rs#2312"]
+meta = { "breaking" = false, "tada" = false, "bug" = false, "target" = "client"}
+author = "LukeMathWalker"
+
 [[aws-sdk-rust]]
 message = """
 Provide a way to retrieve fallback credentials if a call to `provide_credentials` is interrupted. An interrupt can occur when a timeout future is raced against a future for `provide_credentials`, and the former wins the race. A new method, `fallback_on_interrupt` on the `ProvideCredentials` trait, can be used in that case. The following code snippet from `LazyCredentialsCache::provide_cached_credentials` has been updated like so:
diff --git a/rust-runtime/aws-smithy-client/src/lib.rs b/rust-runtime/aws-smithy-client/src/lib.rs
index b1e2b1128d..48126cef0e 100644
--- a/rust-runtime/aws-smithy-client/src/lib.rs
+++ b/rust-runtime/aws-smithy-client/src/lib.rs
@@ -72,13 +72,27 @@ pub mod conns {
 }
 
 #[cfg(feature = "rustls")]
+ /// Return a default HTTPS connector backed by the `rustls` crate.
+ ///
+ /// It requires a minimum TLS version of 1.2.
+ /// It allows you to connect to both `http` and `https` URLs.
 pub fn https() -> Https {
 HTTPS_NATIVE_ROOTS.clone()
 }
 
 #[cfg(feature = "native-tls")]
+ /// Return a default HTTPS connector backed by the `hyper_tls` crate.
+ ///
+ /// It requires a minimum TLS version of 1.2.
+ /// It allows you to connect to both `http` and `https` URLs.
 pub fn native_tls() -> NativeTls {
- hyper_tls::HttpsConnector::new()
+ let mut tls = hyper_tls::native_tls::TlsConnector::builder();
+ let tls = tls
+ .min_protocol_version(Some(hyper_tls::native_tls::Protocol::Tlsv12))
+ .build()
+ .unwrap_or_else(|e| panic!("Error while creating TLS connector: {}", e));
+ let http = hyper::client::HttpConnector::new();
+ hyper_tls::HttpsConnector::from((http, tls.into()))
 }
 
 #[cfg(feature = "native-tls")]
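Review bot: The new `native_tls` body builds its inner `HttpConnector` with `hyper::client::HttpConnector::new()` and never calls `enforce_http(false)`, which the replaced `hyper_tls::HttpsConnector::new()` did on the connector it wrapped; hyper's `HttpConnector` defaults to enforcing the `http` scheme, so I believe the connector returned by `from((http, tls.into()))` will reject `https://` destinations with hyper's "scheme is not http" error, contradicting the new doc line "It allows you to connect to both `http` and `https` URLs." Replace `let http = hyper::client::HttpConnector::new();` with `let mut http = hyper::client::HttpConnector::new();` followed by `http.enforce_http(false);`, and add a test that drives an `https` URI through the connector so this regression cannot silently recur. Separately, the `unwrap_or_else(|e| panic!(...))` means this public constructor panics when the platform TLS backend cannot be initialised (the replaced hyper_tls constructor behaved the same way, as far as I can tell), so the rustdoc should carry a `# Panics` section stating that, and it would be worth noting that TLS 1.0/1.1 peers are now refused rather than negotiated down. The enclosing `mod conns` continues outside the hunk.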