[GH-ISSUE #640] unclear if certs validation is occurring? #364

Closed
opened 2026-03-04 01:44:47 +03:00 by kerem · 2 comments

Originally created by @quadgnim on GitHub (Sep 14, 2017).
Original GitHub issue: https://github.com/s3fs-fuse/s3fs-fuse/issues/640

I noticed in https://github.com/s3fs-fuse/s3fs-fuse/blob/master/src/s3fs.cpp, line 4938 indicates the cert validation logic is commented out. Can anyone verify if this is being done elsewhere, and if not, why is it commented out? Is there a problem with it? To protect from man-in-the-middle attacks, we'd very much like to see cert validation against the S3 endpoint occurring. Is this in the plans to enable soon?

kerem closed this issue 2026-03-04 01:44:47 +03:00

@ggtakec commented on GitHub (Sep 17, 2017):

@quadgnim
This comment is outdated.
(We will delete comments at a later date.)

By default we are checking with CURLOPT_SSL_VERIFYHOST.
https://github.com/s3fs-fuse/s3fs-fuse/blob/master/src/curl.cpp#L1589

If you do not want to check, please specify ssl_verify_hostname = 0.

Currently, even if "." (Period) is included in the bucket name, it will work if you set use_path_request_style.
https://github.com/s3fs-fuse/s3fs-fuse/wiki/FAQ#q-https-connecting-failed-if-bucket-name-includes-dod

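An added example (not from the thread and not s3fs or libcurl code) of why hostname verification rejects a bucket name containing "." in virtual-hosted style yet passes with use_path_request_style: a certificate wildcard covers exactly one DNS label. The SAN list, bucket names and function names are constructed for illustration, and the matcher is a simplified form of the RFC 6125 wildcard rule.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Lower-case copy; DNS names compare case-insensitively.
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Simplified RFC 6125 match: a leading "*." stands for exactly one
// non-empty DNS label, so it can never span a dot.
bool san_matches(const std::string& san_in, const std::string& host_in) {
    const std::string san = lower(san_in), host = lower(host_in);
    if (san.compare(0, 2, "*.") != 0) return san == host;
    const std::string suffix = san.substr(1);          // e.g. ".s3.amazonaws.com"
    if (host.size() <= suffix.size()) return false;    // wildcard label must be non-empty
    if (host.compare(host.size() - suffix.size(), suffix.size(), suffix) != 0) return false;
    const std::string label = host.substr(0, host.size() - suffix.size());
    return label.find('.') == std::string::npos;
}

// Host name the TLS layer checks: the bucket is part of it only in
// virtual-hosted style; path style puts the bucket in the URL path.
std::string tls_host(const std::string& bucket, const std::string& endpoint, bool path_style) {
    return path_style ? endpoint : bucket + "." + endpoint;
}

bool cert_covers(const std::vector<std::string>& sans, const std::string& host) {
    return std::any_of(sans.begin(), sans.end(),
                       [&](const std::string& s) { return san_matches(s, host); });
}

int main() {
    // Constructed sample data, not read from a real certificate.
    const std::vector<std::string> sans = {"s3.amazonaws.com", "*.s3.amazonaws.com"};
    const std::string endpoint = "s3.amazonaws.com";
    for (const std::string bucket : {"mybucket", "my.bucket"})
        for (bool path_style : {false, true}) {
            const std::string host = tls_host(bucket, endpoint, path_style);
            std::cout << bucket << (path_style ? " path-style " : " virtual-hosted ")
                      << host << " -> " << (cert_covers(sans, host) ? "ok" : "MISMATCH") << "\n";
        }
}
```

Only the virtual-hosted request for `my.bucket` is a mismatch, which is the case where path-style requests keep verification enabled instead of setting ssl_verify_hostname = 0.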

@gaul commented on GitHub (Mar 15, 2019):

As demonstrated by S3Proxy unit tests, SSL validation occurs and we specifically need to disable it for this self-signed certificate. Please reopen if I misunderstand this issue.
