* Jakub Wilk <jw...@debian.org>, 2014-05-25, 17:09:
> $ GET https://bbuseruploads.s3.amazonaws.com/
> Can't connect to bbuseruploads.s3.amazonaws.com:443 (certificate verify failed)
> LWP::Protocol::https::Socket: SSL connect attempt failed with unknown error
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed at /usr/share/perl5/LWP/Protocol/http.pm line 41.
> .oO( Wouldn't it be awesome if the error message actually told you
> what's wrong? )
> No idea why the verification fails, though. Other TLS clients I tested
> seem to be happy with it.
I've figured this out. The certificate has the following properties:
CN: *.s3.amazonaws.com
subjectAltName: *.s3.amazonaws.com, s3.amazonaws.com
But IO::Socket::SSL (which is what LWP uses as backend by default)
doesn't by default permit wildcard certificates for domains that are public
suffixes. The "s3.amazonaws.com" domain is on the public suffix list,
although in the PRIVATE part. IO::Socket::SSL should probably ignore the
PRIVATE part for this purpose, just like Chrome does:
https://wiki.mozilla.org/Public_Suffix_List/Uses#Certificates
--
Jakub Wilk
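
A simplified model of the check described in this message, added here as an example; it is not IO::Socket::SSL's code and not part of the original mail. The list excerpt, the function names and the `honor_private` flag are constructed for illustration, and the Public Suffix List's wildcard and exception rules are not handled.

```python
# Constructed excerpt in Public Suffix List format (not the real list).
PSL_SAMPLE = """\
// ===BEGIN ICANN DOMAINS===
com
co.uk
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
s3.amazonaws.com
// ===END PRIVATE DOMAINS===
"""

def parse_psl(text):
    """Return {suffix: 'ICANN' | 'PRIVATE'} from PSL-formatted text."""
    rules, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("// ===BEGIN"):
            section = "PRIVATE" if "PRIVATE" in line else "ICANN"
        elif line and not line.startswith("//"):
            rules[line.lower()] = section
    return rules

def wildcard_allowed(pattern, rules, honor_private):
    """A wildcard '*.base' is refused when base counts as a public suffix."""
    if not pattern.startswith("*."):
        return True
    section = rules.get(pattern[2:].lower())
    if section is None:
        return True  # base is not on the list at all
    # ICANN suffixes are always refused; PRIVATE ones only if honored.
    return section == "PRIVATE" and not honor_private

def cert_matches(host, names, rules, honor_private):
    """Match host against the certificate's names (CN / subjectAltName)."""
    host = host.lower()
    for name in (n.lower() for n in names):
        if name == host:
            return True
        if name.startswith("*.") and wildcard_allowed(name, rules, honor_private):
            # The wildcard covers exactly one leftmost label.
            label, _, rest = host.partition(".")
            if label and rest == name[2:]:
                return True
    return False

RULES = parse_psl(PSL_SAMPLE)
NAMES = ["*.s3.amazonaws.com", "s3.amazonaws.com"]  # names from the mail
HOST = "bbuseruploads.s3.amazonaws.com"
```

With `honor_private=True` the host is rejected, as in the reported failure; with `honor_private=False` the wildcard is accepted while `*.com` is still refused.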