-
-
Notifications
You must be signed in to change notification settings - Fork 296
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Certificate trust errors for DNS-named buckets #3813
Comments
Replying to [3813 samj]:
RFC 2818 says
|
Sounds like we want an override preference (maybe not even one exposed in the UI) for this specific issue - to make the wildcard * greedy. |
It's tempting but I would rather not tamper the default SSL cert validation rules. The workaround is to use bucket names without a dot notation. |
Hi, It turns out that most S3 implementations support bucket names without dots, even when using HTTPS. These implementations do this by using path-style instead of virtual-host style methods when the bucket name has dots in it. Path-style connections are documented at:
Please consider fixing CyberDuck so that it, too, works with buckets that contain dots. If you are able to point to the sources that implement this, I might be able to help. Thanks! |
Replying to [comment:4 hunter blanks]:
The issue is that this requires to address the buckets with a region specific endpoint URI. From (http://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html).
Further more, |
In 18562. Default to lax hostname verification. |
My UX with Cyberduck & Amazon S3 has suffered due to certificate trust errors that I finally [think I] got to the bottom of.
For each bucket that uses an FQDN as its name (e.g. media.samj.net) rather than a bare token (e.g. digitalcourier) Cyberduck wants to connect to fqdn.s3.amazonaws.com (e.g. media.samj.net.s3.amazonaws.com) which fails certificate verification even though a *.s3.amazonaws.com wildcard certificate is in place.
I have a feeling this may be the correct behaviour (e.g. .example.com should match a.example.com but not a.b.c.example.com) but it is rather annoying as it's not obvious that you have to expand for details and check 'Always trust ".s3.amazonaws.com" when connecting to "fqdn.s3.amazonaws.com"'.
Refer also to #2938 - created a new ticket more for SEO than anything else.
Attachments
Screen shot 2009-10-13 at 1.16.18 PM.png
(81.7 KiB)The text was updated successfully, but these errors were encountered: