aws-sdk-go
aws-sdk-go copied to clipboard
aws
AWS SDK mutates http.DefaultTransport
Describe the bug
When AWS_CA_BUNDLE env var is specified and a new session is created with defaults it mutates the http.DefaultTransport. This leads to a globally changed CA for all other parts of the same program using the http.DefaultTransport or http.DefaultClient to connect to another party which most likely will end up with an error like:
x509: certificate signed by unknown authority.
Expected Behavior
Specifying AWS_CA_BUNDLE does not mutate the CAs of the http.DefaultTransport.
Current Behavior
Specifying AWS_CA_BUNDLE does mutate the CAs of the http.DefaultTransport.
Reproduction Steps
Specify AWS_CA_BUNDLE, create a new session, connect to another party with the default HTTPClient.
Possible Solution
Create a new HTTPClient/Transport not using the global one.
Additional Information/Context
No response
SDK version used
v1.44.60
Environment details (Version of Go (go version)? OS name and version, etc.)
go: 1.18.4
Hi @jastBytes can you provide a sample of reproducible code that we can use to investigate this?
Hello. We have a reproduction example for you that exhibits the problem in a slightly different way by connecting to the same server rather than a subsequent connection to another party.
The attached go module:
- Generates a self-signed certificate
- Starts minio in a docker container, and waits for it to become available
- Creates three connections:
- Session without the caBundle set, and attempt to connect. We expect this to fail due to not trusting the self-signed cert.
- session with caBundle set. We expect this session to work, and it does.
- another session without the caBundle set. We expect this session to fail, just like the first one did. However, it succeeds.
In the third connection, the http.DefaultClient has the TLSClientConfig from the second session which allows it to connect even when the session is created without the CustomCABundle field set.
cc: @smiller70
