Fix bug caused by some SSL implementations with bucket names that have dots in them. #42

Closed
apinstein wants to merge 1 commit

3 participants

Alan Pinstein Jeremy Lindblom Jorrit Schippers
Alan Pinstein

cURL, when compiled with modern versions of libssh2/OpenSSL, uses
stricter wildcard SSL CN matching. This causes bucket names with dots in
them to generate SSL failures like so:

cURL error: SSL: certificate subject name '*.s3.amazonaws.com' does
not match target host name 'sub.domain.s3.amazonaws.com' (cURL
error code 51)

This patch causes the S3 authenticate() method to auto-detect this
situation and route around it securely by using path-style URLs for
making API calls.

Path-style URLs look like s3.amazonaws.com/[bucket-name]/key and thus
have no problem passing the strict SSL name matching algorithm.

Alan Pinstein (apinstein) committed: Fix bug caused by some SSL implementations with bucket names that have dots in them.

f2c4e66
Jeremy Lindblom
Owner

Looks good! I have this integrated in my local branch, but I added an additional condition so that it only converts to path-style when using SSL. We don't accept pull requests directly due to logistical reasons, but I'll add you to our CONTRIBUTORS doc and close this pull request. These changes will be included in our next update.

Jeremy Lindblom jeremeamia closed this
Jorrit Schippers

This fix does not work on Ireland-based regions: the Amazon service replies with a 301 code when doing path-style requests. For the default US region this works. The only fix for me seems to be to disable SSL when the bucket contains more than one dot and is in certain regions.
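Added example, not code from the aws-sdk-php project or from either commenter: a standalone Python model of the two mechanisms this thread turns on, strict single-label wildcard matching (why a certificate for `*.s3.amazonaws.com` covers `mybucket.s3.amazonaws.com` but rejects `sub.domain.s3.amazonaws.com`) and the path-style fallback gated on SSL as the maintainer describes. The certificate name list `CERT_NAMES`, the helper names (`wildcard_matches`, `name_check_passes`, `s3_url`, `plan`) and the sample bucket/key values are assumptions constructed for the example. It does not model the 301 redirect reported above for non-US regions, which depends on which regional endpoint serves the bucket and cannot be reproduced offline.

```python
from urllib.parse import quote, urlsplit

S3_HOST = "s3.amazonaws.com"
# Assumed certificate names: the wildcard quoted in the cURL error, plus the
# bare endpoint name that the thread's claim "path-style passes the check"
# implies is also on the certificate. Constructed for this example, not a
# captured certificate.
CERT_NAMES = ("s3.amazonaws.com", "*.s3.amazonaws.com")


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Strict wildcard matching as modern OpenSSL/cURL apply it: a leading
    '*' stands for exactly one DNS label, so '*.s3.amazonaws.com' covers
    'mybucket.s3.amazonaws.com' but not 'sub.domain.s3.amazonaws.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    # Only a whole leftmost label may be a wildcard; '*' elsewhere is rejected.
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Same label count, non-empty wildcard label, identical suffix labels.
    return (len(p_labels) == len(h_labels)
            and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:])


def name_check_passes(hostname: str, cert_names=CERT_NAMES) -> bool:
    """True if any name on the (assumed) certificate matches the target host."""
    return any(wildcard_matches(name, hostname) for name in cert_names)


def s3_url(bucket: str, key: str, use_ssl: bool = True,
           force_path_style: bool = False) -> str:
    """Build the request URL the way the patch plus the maintainer's SSL-only
    condition does: virtual-hosted by default, path-style when forced or when
    TLS is on and the bucket name contains a dot."""
    scheme = "https://" if use_ssl else "http://"
    if force_path_style or (use_ssl and "." in bucket):
        return f"{scheme}{S3_HOST}/{quote(bucket)}/{quote(key)}"
    return f"{scheme}{bucket}.{S3_HOST}/{quote(key)}"


def plan(bucket: str, key: str, use_ssl: bool = True,
         force_path_style: bool = False) -> dict:
    """The URL the client would request and whether the strict certificate
    name check would accept its host. Plain HTTP performs no certificate
    check at all, so name_check is None in that case."""
    url = s3_url(bucket, key, use_ssl, force_path_style)
    host = urlsplit(url).hostname
    return {
        "url": url,
        "name_check": name_check_passes(host) if use_ssl else None,
    }


if __name__ == "__main__":
    # The exact host from the thread's cURL error, as a virtual-hosted URL:
    failing_host = "sub.domain." + S3_HOST
    print(failing_host, "matches cert:", name_check_passes(failing_host))
    # Sample bucket/key values constructed for the example.
    for args in (("mybucket", "a/b.txt"),
                 ("sub.domain", "key.txt"),
                 ("sub.domain", "key.txt", False)):
        print(plan(*args))
```

Run it and the dotted bucket goes to `https://s3.amazonaws.com/sub.domain/key.txt`, whose host `s3.amazonaws.com` is accepted, while the same bucket over HTTP keeps the virtual-hosted form, which is what the maintainer's extra `use_ssl` condition buys over the raw patch. The check in `wildcard_matches` is the one that fails the thread's original request: `sub.domain.s3.amazonaws.com` has five labels and the wildcard pattern four, so no amount of wildcard expansion makes them agree.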

Commits on Sep 21, 2012
  1. Alan Pinstein (apinstein) authored: Fix bug caused by some SSL implementations with bucket names that have dots in them.
    
Showing with 7 additions and 1 deletion.
  1. +7 −1 services/s3.class.php
8 services/s3.class.php
@@ -555,9 +555,15 @@ public function authenticate($operation, $payload)
$this->temporary_prefix = true;
}
+ $bucket_name_may_cause_ssl_wildcard_failures = false;
+ if (strpos($bucket, '.') !== false)
+ {
+ $bucket_name_may_cause_ssl_wildcard_failures = true;
+ }
+
// Determine hostname
$scheme = $this->use_ssl ? 'https://' : 'http://';
- if ($this->resource_prefix || $this->path_style) // Use bucket-in-path method.
+ if ($bucket_name_may_cause_ssl_wildcard_failures || $this->resource_prefix || $this->path_style) // Use bucket-in-path method.
{
$hostname = $this->hostname . $this->resource_prefix . (($bucket === '' || $this->resource_prefix === '/' . $bucket) ? '' : ('/' . $bucket));
}
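Review bot: the widened condition `if ($bucket_name_may_cause_ssl_wildcard_failures || $this->resource_prefix || $this->path_style)` forces path-style for every dotted bucket name even when `$this->use_ssl` is false, where no certificate name check takes place and the virtual-hosted form would have worked; gate the new flag on the scheme, e.g. `if (($this->use_ssl && strpos($bucket, '.') !== false) || $this->resource_prefix || $this->path_style)`, which also removes the need for the separate `$bucket_name_may_cause_ssl_wildcard_failures` variable and its four-line `if` block. Note too that the path-style fallback is built on `$this->hostname` and is only correct when that hostname serves the bucket's region; the thread reports a 301 from non-US regions for exactly this URL form, so the fallback should be documented as limited rather than presented as a universal fix.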