SSL problems with S3/AWS using the Java API: "hostname in certificate didn't match"


Problem description

Amazon "upgraded" the SSL security in its AWS Java SDK in the 1.3.21 version. This broke access to any S3 buckets that have periods in their name when using Amazon's AWS Java API. I'm using version 1.3.21.1, which is current up to Oct/5/2012. I've provided some solutions in my answer below, but I'm looking for additional workarounds to this issue.

If you are getting this error, you will see something like the following message in your exceptions/logs. In this example, the bucket name is foo.example.com.

INFO: Unable to execute HTTP request: hostname in certificate didn't match:
       <foo.example.com.s3.amazonaws.com> != <*.s3.amazonaws.com>
       OR <*.s3.amazonaws.com> OR <s3.amazonaws.com>
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:220)
at org.apache.http.conn.ssl.StrictHostnameVerifier.verify(StrictHostnameVerifier.java:61)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:149)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:130)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:390)

You can see documentation of this problem on the AWS S3 discussion forum:

https://forums.aws.amazon.com/thread.jspa?messageID=387508&#387508

Amazon's response to the problem is the following.

We should be able to fix this by using the older path style method of bucket addressing (instead of the newer virtual host style addressing) for buckets with this naming pattern. We'll get started on the fix and ensure that our internal integration tests have test cases for bucket names containing periods.

Any workaround or other solutions? Thanks for any feedback.

Recommended answer

Original: October 2012

Turns out that Amazon "upgraded" the SSL security on S3 in late September 2012. This broke access to any S3 buckets that have periods in their name when using Amazon's AWS Java API.

This is inaccurate. S3's SSL wildcard matching has been the same as when S3 launched back in 2006. What's more likely is that the AWS Java SDK team enabled stricter validation of SSL certificates (good), but ended up breaking bucket names that have been running afoul of S3's SSL cert (bad).

The right answer is that you need to use path-style addressing instead of DNS-style addressing. That is the only secure way of working around the issue with the wildcard matching on the SSL certificate. Disabling the verification opens you up to Man-In-The-Middle attacks.
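To make the wildcard rule concrete, here is an added example (not code from the question, the answer or the AWS SDK) that applies the single-label wildcard matching rule to the certificate names quoted in the log above and compares the two addressing styles. The virtual-host form `bucket.s3.amazonaws.com` is the one in the log; the path-style form `s3.amazonaws.com/bucket/key` is assumed from the standard S3 endpoint layout.

```python
"""Why a dotted bucket fails hostname verification under virtual-host
addressing and passes under path-style addressing."""
from urllib.parse import urlparse

# Names quoted in the exception on the page (the S3 certificate's subject names).
S3_CERT_NAMES = ("*.s3.amazonaws.com", "s3.amazonaws.com")


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching as a strict verifier applies it: '*' covers
    exactly one leftmost DNS label, so '*.s3.amazonaws.com' matches
    'mybucket.s3.amazonaws.com' but not 'foo.example.com.s3.amazonaws.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".s3.amazonaws.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    # The wildcard must stand in for a single, non-empty label.
    return bool(first_label) and "." not in first_label


def hostname_verified(hostname: str, cert_names=S3_CERT_NAMES) -> bool:
    """True if any certificate name covers the hostname being connected to."""
    return any(wildcard_matches(p, hostname) for p in cert_names)


def virtual_host_url(bucket: str, key: str) -> str:
    """DNS-style addressing: the bucket becomes part of the TLS hostname."""
    return f"https://{bucket}.s3.amazonaws.com/{key}"


def path_style_url(bucket: str, key: str) -> str:
    """Path-style addressing (assumed layout): the bucket is in the URL path,
    so the TLS hostname is always the bare endpoint."""
    return f"https://s3.amazonaws.com/{bucket}/{key}"


def url_passes_verification(url: str) -> bool:
    """Check the URL's hostname against the S3 certificate names."""
    return hostname_verified(urlparse(url).hostname or "")
```

Running the two URL builders on a bucket such as foo.example.com shows that only the path-style URL keeps certificate verification enabled, which is why the answer recommends it over turning verification off.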

What I don't presently know is if the Java SDK provides this as a configurable option. If so, that's your answer. Otherwise, it sounds like the Java SDK team said "we'll add this feature, and then add integration tests to make sure it all works."

Update: October 2020

AWS has announced that path-style addressing is deprecated and will be going away in the near future. AWS' advice is to use DNS-compatible bucket names, which means no periods (among a few other things). Certain newer features of S3 require DNS-compatible bucket names (e.g., accelerated transfer).

If you require a bucket name which contains periods (which will also be disallowed for new buckets in the near future), my best advice is to put a CloudFront distribution in front of it if you want to hit it over HTTPS.

