How to disable SSL certificate verification in sdk_s3?

[azzamsa]

Hi.

In Boto (and other SDKs). We can disable the SSL certificate verification such s3 = boto3.client('s3', verify=False) or via https_validate_certificates = False in config. The same thing applies to other related S3 tools.

Is it possible to do this in aws_sdk-s3?
Otherwise, I got:

     Running `target/debug/rust`
Error: Unhandled(DispatchFailure(ConnectorError { err: hyper::Error(Connect, Custom { kind: Other, error: Custom { kind: InvalidData, error: InvalidCertificateData("invalid peer certificate: UnknownIssuer") } }), kind: Io }))

use aws_sdk_s3::Client;
use aws_types::region::Region;
use http::Uri;

#[tokio::main]
async fn main() -> Result<(), aws_sdk_s3::Error> {
	let secret_key = "secret"
    let access_key = "access";
    let url = "https://storage.company.net";

    let cred = aws_sdk_s3::Credentials::new(access_key, secret_key, None, None, "custom");
    let url: Uri = url.parse().unwrap();
    let endpoint = aws_sdk_s3::Endpoint::immutable(url);
    // Region is not used but is required by the SDK's API
    let region = Region::new("us-west-2");
    let config = aws_sdk_s3::config::Builder::new()
        .endpoint_resolver(endpoint)
        .region(region)
        .credentials_provider(cred)
        .build();
    let client = Client::from_conf(config);

    let resp = client.list_buckets().send().await?;
    let buckets = resp.buckets().unwrap_or_default();
    let num_buckets = buckets.len();

    for bucket in buckets {
        println!("{}", bucket.name().unwrap_or_default());
    }

    println!();
    println!("Found {} buckets.", num_buckets);

    Ok(())
}

Thanks!. Any help will be appreciated ❤️

[azzamsa]

I managed to solve this with the following approach:

// [dependencies]
// tokio = { version = "1", features = ["macros", "rt-multi-thread"] }
// aws-sdk-s3 = "0.21.0"
//  aws-types = "0.51.0"
// http = "0.2.8"
// aws-smithy-client = "0.51.0"
// hyper-rustls = "0.23.0"
// rustls = { version = "0.20.6", features = ["dangerous_configuration"] }
// webpki-roots = "0.22.5"

use aws_sdk_s3::Client;
use aws_smithy_client::hyper_ext;
use aws_types::region::Region;
use http::Uri;
use std::sync::Arc;

pub struct NoCertificateVerification {}

impl rustls::client::ServerCertVerifier for NoCertificateVerification {
    fn verify_server_cert(
        &self,
        _end_entity: &rustls::Certificate,
        _intermediates: &[rustls::Certificate],
        _server_name: &rustls::ServerName,
        _scts: &mut dyn Iterator<Item = &[u8]>,
        _ocsp: &[u8],
        _now: std::time::SystemTime,
    ) -> Result<rustls::client::ServerCertVerified, rustls::Error> {
        Ok(rustls::client::ServerCertVerified::assertion())
    }
}

#[tokio::main]
async fn main() -> Result<(), aws_sdk_s3::Error> {
    let access_key = "access";
    let secret_key = "secret";
    let url = "https://storage.company.net";

    let cred = aws_sdk_s3::Credentials::new(access_key, secret_key, None, None, "custom");
    let url: Uri = url.parse().unwrap();
    let endpoint = aws_sdk_s3::Endpoint::immutable(url);
    // Region is not used, but required by the SDK's API
    let region = Region::new("us-west-2");
    let config = aws_sdk_s3::config::Builder::new()
        .endpoint_resolver(endpoint)
        .region(region)
        .credentials_provider(cred)
        .build();

    let mut root_store = rustls::RootCertStore::empty();
    root_store.add_server_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| {
        rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
            ta.subject,
            ta.spki,
            ta.name_constraints,
        )
    }));

    let mut tls_config = rustls::ClientConfig::builder()
        .with_safe_defaults()
        .with_root_certificates(root_store)
        .with_no_client_auth();
    tls_config
        .dangerous()
        .set_certificate_verifier(Arc::new(NoCertificateVerification {}));

    let connector = hyper_rustls::HttpsConnectorBuilder::new()
        .with_tls_config(tls_config)
        .https_only()
        .enable_http1()
        .build();
    let client = Client::from_conf_conn(config, hyper_ext::Adapter::builder().build(connector));

    let resp = client.list_buckets().send().await?;
    let buckets = resp.buckets().unwrap_or_default();
    let num_buckets = buckets.len();

    for bucket in buckets {
        println!("{}", bucket.name().unwrap_or_default());
    }

    println!();
    println!("Found {} buckets.", num_buckets);

    Ok(())
}

Is there any better approach?

[nyurik]

I really feel like this should be offered by the rustls lib itself, perhaps as part of the danger module