[S3Crt] Unable to do getobject when explicit 'Aws::S3Crt::ClientConfiguration::ca_path' is set to default path #3007
Comments
Thanks for the detailed repro code and explanation. Looking into what might be causing this to fail. Here is what I'm seeing in the logs
It looks like
Aws::String ca_file = ca_path + "/cert.pem";
config.caFile = Aws::String(ca_file);
@jmklix It works fine when
Previously, we were setting only
and should be expected to work only setting directly in
Can you print out the contents of your "/etc/pki/tls" folder? For context, s3 crt uses s2n on linux for tls support (https://github.com/aws/s2n-tls) and s2n just uses libcrypto's X509_STORE_load_locations under the covers to load all the certs. So somehow libcrypto is not able to load certs from that path. I'm not super familiar with where RHEL expects to store certs, but my initial guess is that the certs are in a slightly different folder or the process somehow is not able to access them.
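One thing worth checking when libcrypto "cannot load certs from that path" is whether the directory is laid out the way OpenSSL's directory lookup expects: a directory handed to X509_STORE_load_locations is searched by hash-named entries (as produced by c_rehash), so a directory that only contains cert.pem looks empty to it, while cert.pem itself belongs in the CA-file slot. The following Python script is an added diagnostic, not code from this issue or from the SDK; the temp directory, the "a94d09e5.0" entry name and the placeholder file contents are constructed stand-ins.

```python
import os
import re
import ssl
import tempfile

# OpenSSL's directory lookup (what X509_STORE_load_locations installs for a
# directory argument) only finds certificates stored under hashed names such
# as "a94d09e5.0": eight hex digits of the subject-name hash, a dot, an index.
# A directory that merely contains cert.pem is therefore empty to that lookup.
HASHED_CERT_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def hashed_entries(ca_dir):
    """Return the hash-named entries in ca_dir that the directory lookup can use."""
    return sorted(n for n in os.listdir(ca_dir) if HASHED_CERT_NAME.match(n))


def classify(path):
    """Map a path to the config slot it fits: 'ca_file', 'ca_path' or None."""
    if os.path.isfile(path):
        return "ca_file"      # a bundle such as /etc/pki/tls/cert.pem
    if os.path.isdir(path) and hashed_entries(path):
        return "ca_path"      # a rehashed directory such as /etc/pki/tls/certs
    return None               # a directory with no hashed entries is unusable as ca_path


def cas_loaded_via_capath(ca_dir):
    """Show the silent failure: capath accepts any directory without error,
    and the store still holds zero CA certificates until a hashed lookup hits."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # no default certs loaded
    ctx.load_verify_locations(capath=ca_dir)         # ends in X509_STORE_load_locations
    return ctx.cert_store_stats()["x509_ca"]


def demo():
    """Constructed stand-in for /etc/pki/tls: a bundle file plus a certs/ subdirectory."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "cert.pem"), "w") as f:
        f.write("constructed placeholder, content is irrelevant to the naming check\n")
    certs = os.path.join(root, "certs")
    os.mkdir(certs)
    with open(os.path.join(certs, "a94d09e5.0"), "w") as f:   # constructed hash name
        f.write("constructed placeholder\n")
    return {
        "root": classify(root),                              # None: not usable as ca_path
        "bundle": classify(os.path.join(root, "cert.pem")),  # 'ca_file'
        "certs_dir": classify(certs),                        # 'ca_path'
        "loaded_from_root": cas_loaded_via_capath(root),     # 0, and no error raised
    }
```

Run against the real system, `classify("/etc/pki/tls")` versus `classify("/etc/pki/tls/certs")` tells you which of the two configuration fields a given path can satisfy before any TLS negotiation is attempted.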
Please see below
And cert.pem has the root CA that covers s3 certs? Is it default RHEL's pem or is it a custom one? I did a quick test on my AL2 machine and ca_path seems to work fine.
With the same CA certs, S3 is working fine.
Also note that this behaviour has been observed since we upgraded to 1.11.313 from 1.11.100.
Yes. This is the root CA and default RHEL's PEM. We have custom self-signed certs which we can not use.
Describe the bug
Unable to do getobject when explicit 'Aws::S3Crt::ClientConfiguration::ca_path' is set to default path
Expected Behavior
Get Object should work as expected when ca_path is set explicitly.
When we don't set ca_path explicitly, it works fine.
Current Behavior
Receives the error message
GetObject error:TLS (SSL) negotiation failed (aws-c-io: AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE)
Reproduction Steps
The issue is easily reproducible with below code snippet
Please note that get_default_openssl_dir() evaluates to /etc/pki/tls
Possible Solution
NA
Additional Information/Context
Build Command:
g++ -std=c++20 -o <output> test_s3_crt_ca_path.cpp -I${AWS_INSTALL_PATH}/include -L${AWS_INSTALL_PATH}/lib64 -lcurl -lssl -lpthread -lcrypto -laws-cpp-sdk-s3-crt -laws-cpp-sdk-core
AWS CPP SDK version used
AWS SDK for C++ 1.11.351
Compiler and Version used
g++ (GCC) 13.2.0
Operating System and version
Red Hat Enterprise Linux 9.4 (Plow)