Fix bug caused by some SSL implementations with bucket names that have dots in them. #42

Closed, 3 participants

@apinstein

cURL, when compiled with modern versions of libssh2/OpenSSL, uses
stricter wildcard SSL CN matching. This causes bucket names with dots in
them to generate SSL failures like so:

cURL error: SSL: certificate subject name '*.s3.amazonaws.com' does
not match target host name 'sub.domain.s3.amazonaws.com' (cURL
error code 51)

This patch causes the S3 authenticate() method to auto-detect this
situation and route around it securely by using path-style URLs for
making API calls.

Path-style URLs look like s3.amazonaws.com/[bucket-name]/key and thus
have no problem passing the strict SSL name matching algorithm.

@apinstein apinstein Fix bug caused by some SSL implementations with bucket names that have dots in them. f2c4e66
Contributor

Looks good! I have this integrated in my local branch, but I added an additional condition so that it only converts to path-style when using SSL. We don't accept pull requests directly due to logistical reasons, but I'll add you to our CONTRIBUTORS doc and close this pull request. These changes will be included in our next update.

@jeremeamia jeremeamia closed this Sep 22, 2012
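The failure in the PR description and the SSL-only fallback from the maintainer's comment, as an added example (not the SDK's code): a strict single-label wildcard matcher shows why `*.s3.amazonaws.com` does not cover a dotted bucket host, and the URL builder falls back to path-style only when that check would fail over SSL. The `endpoint` parameter is an assumption added here so a regional endpoint can be passed for path-style requests.

```python
from urllib.parse import quote

WILDCARD_NAME = "*.s3.amazonaws.com"  # the name quoted in the cURL error


def wildcard_name_matches(pattern: str, host: str) -> bool:
    """Strict wildcard matching as modern TLS stacks apply it:
    '*' is only allowed as the left-most label and matches exactly
    one DNS label, so the label counts must be equal."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if len(p_labels) != len(h_labels):
        return False  # 'sub.domain.s3...' has one label too many
    return p_labels[1:] == h_labels[1:]


def virtual_host_fails_ssl_check(bucket: str, endpoint: str) -> bool:
    """True when bucket.endpoint would be rejected by the strict matcher,
    which for the S3 wildcard happens exactly when the bucket has a dot."""
    return not wildcard_name_matches("*." + endpoint, f"{bucket}.{endpoint}")


def s3_request_url(bucket: str, key: str, use_ssl: bool,
                   endpoint: str = "s3.amazonaws.com") -> str:
    """Virtual-hosted style by default; path-style only when the request
    is over SSL and the virtual host would fail the name check (the
    patch's auto-detection plus the maintainer's SSL-only condition).
    Assumption: for buckets outside the default region, pass that
    region's endpoint, since path-style against the wrong endpoint is
    redirected (the 301 reported later in this thread)."""
    scheme = "https" if use_ssl else "http"
    path = quote(key, safe="/")
    if use_ssl and virtual_host_fails_ssl_check(bucket, endpoint):
        # host is now the bare endpoint name, which its certificate covers
        return f"{scheme}://{endpoint}/{bucket}/{path}"
    return f"{scheme}://{bucket}.{endpoint}/{path}"


if __name__ == "__main__":
    for b in ("bucket", "sub.domain"):
        print(b, "ssl:", s3_request_url(b, "k", True),
              "plain:", s3_request_url(b, "k", False))
```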

Cool! Good idea on doing it SSL only.

FWIW there's some conversation on this here:

https://forums.aws.amazon.com/thread.jspa?threadID=69108&tstart=0&start=25

The concern seems to be that not all regions support path_style? Is that really true?

Just thought you should consider that before merging it.

Alan

(In reply to Jeremy Lindblom's comment of Sep 22, 2012, at 1:39 PM, quoted above.)

jorrit commented Aug 22, 2013

This fix does not work on Ireland-based regions: the Amazon service replies with a 301 code when doing path style requests. For the default US region this works. The only fix for me seems to be to disable SSL when the bucket contains more than one dot and is in certain regions.
