
virtual-host addressing style not working with custom tls verification #2939

MartinNowak opened this issue May 12, 2023 · 1 comment
Labels
bug This issue is a confirmed bug. endpoints needs-review This issue or pull request needs review from a core team member. p2 This is a standard priority issue s3

Comments

@MartinNowak
MartinNowak commented May 12, 2023

Describe the bug

import boto3
from botocore.config import Config

# verify=False because the wildcard certificate cannot match a dotted bucket name
client = boto3.client('s3', verify=False, config=Config(s3=dict(addressing_style='virtual')))
client.list_objects_v2(Bucket='example.com', MaxKeys=1)  # Endpoint provider result: https://s3.eu-central-1.amazonaws.com/example.com (path-style)

Subdomains are only allowed to use virtual-host addressing with http endpoints.

https://github.com/boto/botocore/blob/2091c2629f320c2dd16c9e29a0690d493375c8a7/botocore/data/s3/2006-03-01/endpoint-rule-set-1.json#L5314-L5337

https://github.com/boto/botocore/blob/2091c2629f320c2dd16c9e29a0690d493375c8a7/botocore/data/s3/2006-03-01/endpoint-rule-set-1.json#L2325-L2335

Expected Behavior

Should allow addressing subdomain buckets via virtual-host addressing style so one can properly filter egress.

Current Behavior

HTTPS endpoints are forced to use path-style addressing with subdomain buckets.

Reproduction Steps

See above.

Possible Solution

Allow virtual-host style addressing with disabled/manual TLS verification.
Possibly via an additional parameter.
Our workaround sets urllib3's assert_hostname to s3.amazonaws.com to still perform TLS verification. So maybe that would be a clearer parameter.
Could possibly be internalised to botocore as a boolean option even.

Additional Information/Context

Important
When you're using virtual-hosted–style buckets with SSL, the SSL wildcard certificate matches only buckets that do not contain dots (.). To work around this limitation, use HTTP or write your own certificate-verification logic. For more information, see Amazon S3 Path Deprecation Plan on the AWS News Blog.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/VirtualHosting.html

SDK version used

botocore==1.29.105

Environment details (OS name and version, etc.)

na

@MartinNowak MartinNowak added bug This issue is a confirmed bug. needs-triage This issue or PR still needs to be triaged. labels May 12, 2023
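The following is an added example, not code from botocore or from the reporter, showing in stdlib Python why the wildcard certificate cannot cover a dotted bucket name, how that drives the path-style fallback, why virtual-host addressing is what an egress filter keyed on SNI needs, and how pinning the verified name to the endpoint host (the `assert_hostname` idea above) makes verification pass. The certificate SAN list is constructed for the example; the real endpoint certificate is not inspected, and the regional endpoint name used for the pin is an assumption.

```python
"""Wildcard-certificate matching vs. S3 virtual-host addressing.

Added example (not botocore code). Constructed inputs are labelled below.
"""


def matches_hostname(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' may only be the whole leftmost label and
    matches exactly one label, so it never spans a '.' in the bucket name."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # wildcard only allowed as the entire leftmost label
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False  # one wildcard label must absorb exactly one host label
    return p_labels[1:] == h_labels[1:]


def cert_matches(sans, host: str) -> bool:
    """True if any SAN entry of the certificate covers `host`."""
    return any(matches_hostname(san, host) for san in sans)


def s3_url(bucket: str, region: str, scheme: str, style: str) -> str:
    """Simplified endpoint selection following the rule the S3 docs state:
    a bucket containing '.' only gets virtual-host addressing over http,
    because the wildcard certificate cannot cover the extra label(s)."""
    endpoint = f"s3.{region}.amazonaws.com"
    if style == "virtual" and (scheme == "http" or "." not in bucket):
        return f"{scheme}://{bucket}.{endpoint}/"
    return f"{scheme}://{endpoint}/{bucket}"


def bucket_from_sni(host: str, endpoint: str):
    """What an egress filter sees: with virtual-host addressing the bucket
    name is in the TLS SNI; with path-style it is only in the encrypted
    request path, so the filter cannot distinguish buckets."""
    suffix = "." + endpoint
    if host.endswith(suffix):
        return host[: -len(suffix)]
    return None


def verify_hostname(sans, sni_host: str, assert_hostname: str = None) -> bool:
    """Mimics urllib3 behaviour: when assert_hostname is set, the certificate
    is checked against that name instead of the host that was connected to.
    Pinning it to the endpoint name keeps verification on, unlike verify=False."""
    return cert_matches(sans, assert_hostname or sni_host)


# Constructed SAN list standing in for the endpoint certificate (assumption).
REGION = "eu-central-1"
ENDPOINT = f"s3.{REGION}.amazonaws.com"
S3_SANS = [ENDPOINT, "*." + ENDPOINT]


def demo():
    dotted = "example.com"
    plain = "example-bucket"
    results = {
        "plain_virtual_https": s3_url(plain, REGION, "https", "virtual"),
        "dotted_virtual_https": s3_url(dotted, REGION, "https", "virtual"),
        "dotted_virtual_http": s3_url(dotted, REGION, "http", "virtual"),
        "plain_cert_ok": verify_hostname(S3_SANS, f"{plain}.{ENDPOINT}"),
        "dotted_cert_ok": verify_hostname(S3_SANS, f"{dotted}.{ENDPOINT}"),
        "dotted_pinned_ok": verify_hostname(
            S3_SANS, f"{dotted}.{ENDPOINT}", assert_hostname=ENDPOINT),
        "sni_bucket": bucket_from_sni(f"{dotted}.{ENDPOINT}", ENDPOINT),
        "path_style_sni_bucket": bucket_from_sni(ENDPOINT, ENDPOINT),
    }
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The pinned check is stricter than `verify=False`: the chain is still validated and the name is still checked, only against the endpoint host rather than the bucket-prefixed SNI name, which is the trade-off the workaround in the report accepts.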
@tim-finnigan
Contributor

Thanks for reaching out - as mentioned in the other issue you recently opened, there are still some outstanding questions on the intended functionality here. I will mark this issue for further review by the team.

@tim-finnigan tim-finnigan added needs-review This issue or pull request needs review from a core team member. p2 This is a standard priority issue s3 endpoints and removed needs-triage This issue or PR still needs to be triaged. labels May 16, 2023

2 participants