[S3Crt] Unable to do getobject when explicit 'Aws::S3Crt::ClientConfiguration::ca_path' is set to default path
Describe the bug
Unable to do GetObject when 'Aws::S3Crt::ClientConfiguration::ca_path' is explicitly set to the default path
Expected Behavior
Get Object should work as expected when ca_path is set explicitly.
When ca_path is not set explicitly, it works fine.
Current Behavior
The call fails with the error message: GetObject error:TLS (SSL) negotiation failed (aws-c-io: AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE)
Reproduction Steps
The issue is easily reproducible with the code snippet below.
#include <iostream>
#include <string>
#include <openssl/crypto.h>
#include <aws/core/Aws.h>
#include <aws/core/utils/memory/stl/AWSStringStream.h>
#include <aws/core/utils/logging/CRTLogSystem.h>
#include <aws/s3-crt/S3CrtClient.h>
#include <aws/s3-crt/model/GetObjectRequest.h>
// Allocation tag passed to Aws::MakeShared so CRT/SDK allocations from this
// repro are attributable in the memory-management hooks.
static constexpr char ALLOCATION_TAG[] = "s3-crt-getobject-public";
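// Extracts the directory reported in OpenSSL's "OPENSSLDIR: ..." version
// string, with one pair of surrounding double quotes removed.
//
// NOTE(review): OPENSSLDIR is OpenSSL's configuration directory (where
// openssl.cnf lives), not necessarily the hashed CA-certificate directory a
// TLS provider expects for a trust-store *path*; on many distributions the
// certificate directory is a "certs" subdirectory of it. Confirm which
// directory the CRT TLS provider expects before handing this value to caPath.
//
// Returns the directory string, or — kept from the original behaviour — the
// unmodified version string when the "OPENSSLDIR: " key is not present (that
// fallback is unlikely to be a usable path, so callers may want to check it).
std::string get_default_openssl_dir()
{
    static const std::string kOpenSslDirKey("OPENSSLDIR: ");

    // Typical value: OPENSSLDIR: "/etc/pki/tls"
    std::string ssl_dir(SSLeay_version(SSLEAY_DIR));

    const auto found = ssl_dir.find(kOpenSslDirKey);
    if (found == std::string::npos)
    {
        return ssl_dir;
    }

    // Drop everything up to and including the key. The original stripped a
    // fixed prefix of key.size() characters, which is only correct when the
    // key starts at offset 0; using `found` handles any leading text.
    ssl_dir.erase(0, found + kOpenSslDirKey.size());

    // Strip one pair of surrounding quotes. The size check guards the empty
    // and single-character cases, where the original's .at(0)/.at(size-1)
    // would throw std::out_of_range.
    if (ssl_dir.size() >= 2 && ssl_dir.front() == '"' && ssl_dir.back() == '"')
    {
        ssl_dir = ssl_dir.substr(1, ssl_dir.size() - 2);
    }
    return ssl_dir;
}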
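// Minimal repro: perform one S3 CRT GetObject with ClientConfiguration::caPath
// explicitly set to the directory reported by OpenSSL. The object body is
// written to stdout on success, the SDK error message to stderr otherwise.
// The exit code is 0 in both cases; the outcome is only reported, not returned.
int main(int /*argc*/, char* /*argv*/[])
{
    Aws::SDKOptions options;

    // The value under test; it is applied to the client configuration below.
    const Aws::String ca_path = get_default_openssl_dir();

    // This program owns libcurl / OpenSSL lifetime itself, so the SDK must not
    // initialise or tear them down.
    options.httpOptions.initAndCleanupCurl = false;
    options.cryptoOptions.initAndCleanupOpenSSL = false;

    // CRT TLS connection options with peer verification explicitly enabled.
    // Nothing from this scope is needed inside the lambda (the original's
    // `[=]` captured nothing), and the trust store is configured through
    // config.caPath rather than through these options.
    options.ioOptions.tlsConnectionOptions_create_fn = []() {
        auto tlsCtxOptions = Aws::Crt::Io::TlsContextOptions::InitDefaultClient();
        tlsCtxOptions.SetVerifyPeer(true);
        Aws::Crt::Io::TlsContext tlsContext(tlsCtxOptions, Aws::Crt::Io::TlsMode::CLIENT);
        return Aws::MakeShared<Aws::Crt::Io::TlsConnectionOptions>(ALLOCATION_TAG, tlsContext.NewConnectionOptions());
    };

    // Trace-level CRT logging is used here only to diagnose the TLS handshake.
    // It is very verbose and echoes connection/request details, so it is
    // appropriate for this repro but not for a deployed client.
    options.loggingOptions.logLevel = Aws::Utils::Logging::LogLevel::Trace;
    options.loggingOptions.crt_logger_create_fn = []() {
        return Aws::MakeShared<Aws::Utils::Logging::DefaultCRTLogSystem>(
            ALLOCATION_TAG, Aws::Utils::Logging::LogLevel::Trace);
    };

    Aws::InitAPI(options);
    {
        // Inner scope: the client and request must be destroyed before
        // ShutdownAPI runs.
        Aws::S3Crt::ClientConfiguration config;
        config.region = Aws::Region::US_EAST_1;
        // Explicit trust-store directory — the setting this repro exercises.
        // The original wrapped ca_path in an extra Aws::String(...) copy.
        config.caPath = ca_path;

        // Payload signing is left off; the request is sent over TLS.
        Aws::S3Crt::S3CrtClient s3CrtClient(config, Aws::Client::AWSAuthV4Signer::PayloadSigningPolicy::Never);

        const Aws::String bucket("my-tests");
        const Aws::String objectKey("test/my_object");
        Aws::S3Crt::Model::GetObjectRequest request;
        request.SetBucket(bucket);
        request.SetKey(objectKey);

        if (auto outcome = s3CrtClient.GetObject(request); outcome.IsSuccess())
        {
            std::cout << outcome.GetResult().GetBody().rdbuf() << std::endl;
        }
        else
        {
            std::cerr << "GetObject error:" << outcome.GetError().GetMessage() << std::endl;
        }
    }
    Aws::ShutdownAPI(options);
    return 0;
}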
Please note that get_default_openssl_dir() evaluates to /etc/pki/tls
Possible Solution
NA
Additional Information/Context
Build Command:
g++ -std=c++20 -o <output> test_s3_crt_ca_path.cpp -I${AWS_INSTALL_PATH}/include -L${AWS_INSTALL_PATH}/lib64 -lcurl -lssl -lpthread -lcrypto -laws-cpp-sdk-s3-crt -laws-cpp-sdk-core
AWS CPP SDK version used
AWS SDK for C++ 1.11.351
Compiler and Version used
g++ (GCC) 13.2.0
Operating System and version
Red Hat Enterprise Linux 9.4 (Plow)