[PR #2436] [MERGED] Support SSL client cert and added ssl_client_cert option #2539

Closed
opened 2026-03-04 02:06:03 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/s3fs-fuse/s3fs-fuse/pull/2436
Author: @ggtakec
Created: 3/24/2024
Status: Merged
Merged: 4/14/2024
Merged by: @gaul

Base: master ← Head: ssl_client_cert


📝 Commits (1)

  • 030a14a Support SSL client cert and added ssl_client_cert option

📊 Changes

5 files changed (+150 additions, -0 deletions)

View changed files

📝 doc/man/s3fs.1.in (+12 -0)
📝 src/curl.cpp (+106 -0)
📝 src/curl.h (+9 -0)
📝 src/s3fs.cpp (+8 -0)
📝 src/s3fs_help.cpp (+15 -0)

📄 Description

Relevant Issue (if applicable)

#2357

Details

There is a request to use a client certificate when connecting s3fs to an S3 server.
This PR is its implementation.

Since s3fs uses libcurl, we have made it possible to specify the following libcurl options:

  • CURLOPT_SSLCERT (https://curl.se/libcurl/c/CURLOPT_SSLCERT.html)
  • CURLOPT_SSLCERTTYPE (https://curl.se/libcurl/c/CURLOPT_SSLCERTTYPE.html)
  • CURLOPT_SSLKEY (https://curl.se/libcurl/c/CURLOPT_SSLKEY.html)
  • CURLOPT_SSLKEYTYPE (https://curl.se/libcurl/c/CURLOPT_SSLKEYTYPE.html)
  • CURLOPT_KEYPASSWD (https://curl.se/libcurl/c/CURLOPT_KEYPASSWD.html)

The ssl_client_cert option has been added to allow users to specify the libcurl parameters listed above.
Specify the ssl_client_cert option in the following format:

ssl_client_cert=<SSL Cert>[:<Cert Type>[:<Private Key>[:<Key Type>[:<Password>] ] ] ]
  • <SSL Cert>
    Specify the SSL client certificate file path.
    If you are using NSS etc., you can specify a nickname of the cert.
  • <Cert Type>
    Specify the SSL client certificate type (PEM, P12 (for PKCS#12), etc.).
    This value is optional, and if omitted (unspecified or empty string), the PEM type will be used.
  • <Private Key>
    Specify the SSL private key.
    This value is optional (unspecified or empty string).
    If this value is omitted, the following <Key Type> and <Password> fields are ignored.
  • <Key Type>
    Specify the SSL private key type (PEM, P12 (for PKCS#12), etc.).
    This value is optional, and if omitted (unspecified or empty string), the PEM type will be used.
  • <Password>
    Specify a passphrase to access the SSL private key.
    This value is optional; if omitted (unspecified or empty string), no passphrase will be set.
    However, if you omit this value and the S3FS_SSL_PRIVKEY_PASSWORD environment variable is set, its value will be used as the passphrase (to avoid specifying a passphrase on the command line).

NOTE

This modification has not been tested by specifying a client certificate.
(Maybe for that we need to have a client certificate verify function in s3proxy etc.)
Therefore, I believe that this option should remain an unofficial one even if this PR is merged.
I think it would be a good idea to change it to an official option while checking its performance.
Finally, it may be better to specify the passphrase in a file instead of just using options and environment variables.

@gaul
Please let me know your opinion on adding this option.
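As an added example, not the project's own parser (which lives in src/curl.cpp per the change list), this C++ snippet parses the ssl_client_cert option string described above, applying the defaults and the S3FS_SSL_PRIVKEY_PASSWORD fallback exactly as listed. It assumes the trailing <Password> field keeps the rest of the string (so a passphrase may contain ':') and takes the environment value as a parameter instead of calling getenv(), so it can be unit-tested; the libcurl option names appear only in comments.

```cpp
#include <string>
#include <vector>

// Parsed form of ssl_client_cert=<SSL Cert>[:<Cert Type>[:<Private Key>[:<Key Type>[:<Password>]]]]
// Fields are named after the libcurl options the PR maps them to.
struct SslClientCert {
    std::string cert;      // CURLOPT_SSLCERT: file path, or an NSS nickname
    std::string cert_type; // CURLOPT_SSLCERTTYPE: "PEM" when omitted
    std::string key;       // CURLOPT_SSLKEY: empty means no separate key file
    std::string key_type;  // CURLOPT_SSLKEYTYPE: "PEM" when omitted (only if key is set)
    std::string key_pass;  // CURLOPT_KEYPASSWD: empty means no passphrase
};

// Split into at most five ':'-separated fields; the fifth keeps any remaining ':'
// so a passphrase may contain one (assumption of this example). Missing fields are "".
static std::vector<std::string> split_fields(const std::string& value)
{
    std::vector<std::string> out(5);
    std::string::size_type start = 0;
    for (int i = 0; i < 5; ++i) {
        std::string::size_type end = (i == 4) ? std::string::npos : value.find(':', start);
        out[i] = value.substr(start, end == std::string::npos ? std::string::npos : end - start);
        if (end == std::string::npos) break;
        start = end + 1;
    }
    return out;
}

// Applies the defaults from the option description. env_pass is the value of
// S3FS_SSL_PRIVKEY_PASSWORD (nullptr when unset), passed in rather than read via
// getenv() so the function stays testable. Returns false if <SSL Cert> is empty.
bool parse_ssl_client_cert(const std::string& value, const char* env_pass, SslClientCert& out)
{
    std::vector<std::string> f = split_fields(value);
    out = SslClientCert();
    if (f[0].empty()) return false;
    out.cert      = f[0];
    out.cert_type = f[1].empty() ? "PEM" : f[1];
    out.key       = f[2];
    if (out.key.empty()) return true;            // no key: <Key Type>/<Password> ignored
    out.key_type = f[3].empty() ? "PEM" : f[3];
    out.key_pass = f[4];
    if (out.key_pass.empty() && env_pass != nullptr && *env_pass != '\0') {
        out.key_pass = env_pass;                 // keeps the passphrase off the command line
    }
    return true;
}
```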


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
