S3 / AWS SSL problem using the Java API: "hostname in certificate didn't match"

2023-09-11 08:41:08 Author: 拿根辣条砸死你


Amazon "upgraded" the SSL security in its AWS Java SDK in the 1.3.21 version. This broke access to any S3 buckets that have periods in their name when using Amazon's AWS Java API. I'm using version 1.3.21.1, which is current up to Oct/5/2012. I've provided some solutions in my answer below, but I'm looking for additional workarounds to this issue.


If you are getting this error, you will see something like the following message in your exceptions/logs. In this example, the bucket name is foo.example.com.

INFO: Unable to execute HTTP request: hostname in certificate didn't match:
       <foo.example.com.s3.amazonaws.com> != <*.s3.amazonaws.com>
       OR <*.s3.amazonaws.com> OR <s3.amazonaws.com>
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:220)
at org.apache.http.conn.ssl.StrictHostnameVerifier.verify(StrictHostnameVerifier.java:61)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:149)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:130)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:390)


You can see documentation of this problem on the AWS S3 discussion forum:

https://forums.aws.amazon.com/thread.jspa?messageID=387508&#387508


Amazon's response to the problem is the following.


We should be able to fix this by using the older path style method of bucket addressing (instead of the newer virtual host style addressing) for buckets with this naming pattern. We'll get started on the fix and ensure that our internal integration tests have test cases for bucket names containing periods.


Any workaround or other solutions? Thanks for any feedback.

Accepted answer

Edit:


So after work on 10/5/2012, Amazon released version 1.3.22 which resolves this issue. I've verified that our code now works. To quote from their release notes:


Buckets whose name contains periods can now be correctly addressed again over HTTPS.


There are a couple of solutions that I can see, aside from waiting till Amazon releases a new API.


Obviously you could roll back to the 1.3.20 version of the AWS Java SDK. Unfortunately I needed some of the features in 1.3.21.


You can replace the org.apache.http.conn.ssl.StrictHostnameVerifier in the classpath. This is a hack, however, which will remove all SSL checking for Apache HTTP connections, I think. Here's the code that worked for me: http://pastebin.com/bvFELdJE


I ended up downloading and building my own package from the AWS source jar. I applied the following approximate patch to the HttpClientFactory source.

===================================================================
--- src/main/java/com/amazonaws/http/HttpClientFactory.java     (thirdparty/aws)      (revision 20105)
+++ src/main/java/com/amazonaws/http/HttpClientFactory.java     (thirdparty/aws)    (working copy)
@@ -93,7 +93,7 @@

                        SSLSocketFactory sf = new SSLSocketFactory(
                                SSLContext.getDefault(),
-                               SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
+                               SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
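Review bot: switching the verifier passed to `new SSLSocketFactory(...)` from `SSLSocketFactory.STRICT_HOSTNAME_VERIFIER` to `SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER` turns off hostname verification for every connection this HttpClient makes, not only for buckets whose names contain periods, so a certificate issued for any name would be accepted for `s3.amazonaws.com`. A narrower change would keep the strict verifier here and route bucket names containing periods through path-style addressing, which the answer itself calls the right fix. The hunk also carries no comment saying why the strict verifier was dropped, so a later SDK upgrade is unlikely to notice and restore it.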


The right fix is to change from domain-name bucket handling to path-based handling.


Btw, the following seems like it might work but it does not. The AWS client specifically requests the STRICT verifier and does not use the default one:

SSLSocketFactory.getSystemSocketFactory().setHostnameVerifier(
    SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
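The example below is added here and is not code from the question, the answer or the AWS SDK. It shows, in plain Java, why the exception in the question occurs and why path-style addressing avoids it: a strict (RFC 2818 style) wildcard match lets `*.s3.amazonaws.com` stand in for exactly one DNS label, so a bucket name containing periods produces a virtual-host hostname the certificate does not cover, while path-style keeps the hostname at `s3.amazonaws.com`. The certificate names are the ones printed in the exception above; the bucket names and the class name `S3HostnameCheck` are constructed for the example.

```java
import java.util.Locale;

/**
 * Added example (not from the original post or the AWS SDK): compares
 * virtual-host-style and path-style S3 hostnames against the certificate
 * names reported in the question's exception.
 */
public class S3HostnameCheck {

    /** Names the S3 certificate was reported to carry in the exception. */
    static final String[] S3_CERT_NAMES = { "*.s3.amazonaws.com", "s3.amazonaws.com" };

    /**
     * Strict wildcard match as performed by Apache HttpClient's
     * StrictHostnameVerifier: a leading "*." matches exactly one label, so
     * "*.s3.amazonaws.com" matches "mybucket.s3.amazonaws.com" but not
     * "foo.example.com.s3.amazonaws.com".
     */
    static boolean strictMatch(String certName, String host) {
        certName = certName.toLowerCase(Locale.ROOT);
        host = host.toLowerCase(Locale.ROOT);
        if (!certName.startsWith("*.")) {
            return certName.equals(host);
        }
        String suffix = certName.substring(1);          // ".s3.amazonaws.com"
        if (!host.endsWith(suffix)) {
            return false;
        }
        String label = host.substring(0, host.length() - suffix.length());
        // exactly one non-empty label may take the place of the "*"
        return !label.isEmpty() && label.indexOf('.') < 0;
    }

    static boolean hostMatchesCertificate(String host) {
        for (String name : S3_CERT_NAMES) {
            if (strictMatch(name, host)) {
                return true;
            }
        }
        return false;
    }

    /** Virtual-host style: the bucket name becomes part of the TLS hostname. */
    static String virtualHostStyleHost(String bucket) {
        return bucket + ".s3.amazonaws.com";
    }

    /** Path style: the hostname is fixed and the bucket name moves into the path. */
    static String pathStyleUrl(String bucket, String key) {
        return "https://s3.amazonaws.com/" + bucket + "/" + key;
    }

    public static void main(String[] args) {
        // constructed sample bucket names; the second one mirrors the question
        String[] buckets = { "mybucket", "foo.example.com" };
        for (String bucket : buckets) {
            String vhHost = virtualHostStyleHost(bucket);
            System.out.printf("%-16s virtual-host %-34s %s%n", bucket, vhHost,
                    hostMatchesCertificate(vhHost) ? "matches certificate" : "hostname mismatch");
            String psHost = "s3.amazonaws.com";
            System.out.printf("%-16s path-style   %-34s %s  (%s)%n", bucket, psHost,
                    hostMatchesCertificate(psHost) ? "matches certificate" : "hostname mismatch",
                    pathStyleUrl(bucket, "object.txt"));
        }
    }
}
```

Running the class prints a mismatch only for the virtual-host form of `foo.example.com`, which is the line the question's log shows; the path-style form of the same bucket keeps the hostname at `s3.amazonaws.com` and passes the strict check unchanged, which is why the answer calls path-based handling the right fix rather than replacing the verifier. Later 1.x releases of the SDK expose this choice through `S3ClientOptions` and `setPathStyleAccess(true)`; whether that option was already present in the 1.3.21 release discussed here is not stated on this page.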