
AWS SDK mutates http.DefaultTransport #4496

Open
jastBytes opened this issue Aug 1, 2022 · 3 comments
Labels
bug This issue is a bug. p2 This is a standard priority issue

Comments

@jastBytes

Describe the bug

When the AWS_CA_BUNDLE env var is specified and a new session is created with defaults, it mutates http.DefaultTransport. This leads to a globally changed CA for all other parts of the same program that use http.DefaultTransport or http.DefaultClient to connect to another party, which will most likely end up with an error like:
x509: certificate signed by unknown authority.

Expected Behavior

Specifying AWS_CA_BUNDLE does not mutate the CAs of the http.DefaultTransport.

Current Behavior

Specifying AWS_CA_BUNDLE does mutate the CAs of the http.DefaultTransport.

Reproduction Steps

Specify AWS_CA_BUNDLE, create a new session, connect to another party with the default HTTPClient.

Possible Solution

Create a new HTTPClient/Transport not using the global one.

Additional Information/Context

No response

SDK version used

v1.44.60

Environment details (Version of Go (go version)? OS name and version, etc.)

go: 1.18.4

@jastBytes jastBytes added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 1, 2022
@vudh1
Contributor

vudh1 commented Aug 1, 2022

Hi @jastBytes can you provide a sample of reproducible code that we can use to investigate this?

@vudh1 vudh1 added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-triage This issue or PR still needs to be triaged. labels Aug 1, 2022
@jastBytes
Author

Hi! I will provide an example as soon as I get to it. :)

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Aug 3, 2022
@dsharp-pivotal

Hello. We have a reproduction example for you that exhibits the problem in a slightly different way by connecting to the same server rather than a subsequent connection to another party.

The attached Go module:

  • Generates a self-signed certificate
  • Starts minio in a docker container, and waits for it to become available
  • Creates three connections:
    1. Session without the caBundle set, and an attempt to connect. We expect this to fail due to not trusting the self-signed cert.
    2. Session with caBundle set. We expect this session to work, and it does.
    3. Another session without the caBundle set. We expect this session to fail, just like the first one did. However, it succeeds.

In the third connection, the http.DefaultClient has the TLSClientConfig from the second session which allows it to connect even when the session is created without the CustomCABundle field set.

reproduction.tar.gz

cc: @SMiller70

@RanVaknin RanVaknin added the p2 This is a standard priority issue label Mar 29, 2023
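The following self-contained Go program is added here as an illustration; it is not code from the SDK or from the reporter's attached module. It puts the two patterns side by side: writing a root pool into the shared http.DefaultTransport (the behaviour the issue and the three-session reproduction describe) and cloning the transport for a private client (the fix the reporter proposes), plus a check that reports whether the global transport has been touched. Only the standard library is used; the self-signed CA is constructed in code to stand in for an AWS_CA_BUNDLE file (a real file is read if that variable is set), and all function names are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"os"
	"time"
)

// selfSignedCAPEM generates a throwaway self-signed CA certificate: constructed
// test data standing in for the bundle a real AWS_CA_BUNDLE file would hold.
func selfSignedCAPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed-test-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// poolFromPEM parses a CA bundle; an empty or unparsable bundle is an error
// rather than a silently empty pool.
func poolFromPEM(bundlePEM []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundlePEM) {
		return nil, errors.New("CA bundle contains no parsable certificates")
	}
	return pool, nil
}

// applyBundleToSharedTransport is the behaviour this issue reports: the root pool
// is written into the process-wide http.DefaultTransport, so every later user of
// http.DefaultClient trusts only this bundle and loses the system roots.
func applyBundleToSharedTransport(pool *x509.CertPool) {
	tr := http.DefaultTransport.(*http.Transport)
	if tr.TLSClientConfig == nil {
		tr.TLSClientConfig = &tls.Config{}
	}
	tr.TLSClientConfig.RootCAs = pool
}

// newClientWithCABundle is the fix the reporter proposes: clone the default
// transport and attach the bundle to the copy, leaving the global untouched.
func newClientWithCABundle(bundlePEM []byte) (*http.Client, error) {
	pool, err := poolFromPEM(bundlePEM)
	if err != nil {
		return nil, err
	}
	base, ok := http.DefaultTransport.(*http.Transport)
	if !ok {
		return nil, errors.New("http.DefaultTransport is not an *http.Transport")
	}
	tr := base.Clone() // deep copy, including any existing TLSClientConfig
	if tr.TLSClientConfig == nil {
		tr.TLSClientConfig = &tls.Config{}
	}
	tr.TLSClientConfig.RootCAs = pool
	return &http.Client{Transport: tr}, nil
}

// clientHasCustomRoots reports whether c carries its own root pool and does not
// share the global transport object.
func clientHasCustomRoots(c *http.Client) bool {
	tr, ok := c.Transport.(*http.Transport)
	return ok && c.Transport != http.DefaultTransport &&
		tr.TLSClientConfig != nil && tr.TLSClientConfig.RootCAs != nil
}

// defaultTransportMutated reports whether a custom root pool has been installed
// on http.DefaultTransport: the condition that makes the third session in the
// reproduction succeed when it should fail.
func defaultTransportMutated() bool {
	tr, ok := http.DefaultTransport.(*http.Transport)
	return ok && tr.TLSClientConfig != nil && tr.TLSClientConfig.RootCAs != nil
}

func main() {
	bundle, err := selfSignedCAPEM()
	if p := os.Getenv("AWS_CA_BUNDLE"); p != "" { // prefer a real bundle if one is set
		bundle, err = os.ReadFile(p)
	}
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Println("before any client, default transport mutated:", defaultTransportMutated())
	if _, err := newClientWithCABundle(bundle); err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Println("after isolated client, default transport mutated:", defaultTransportMutated())
	pool, _ := poolFromPEM(bundle)
	applyBundleToSharedTransport(pool)
	fmt.Println("after shared-transport write, default transport mutated:", defaultTransportMutated())
}
```

Running it prints false, false, true: the cloned client leaves the global alone, while the shared-transport write is exactly the state the reporter's third session observed. The same defaultTransportMutated check can be dropped into a test suite to catch any dependency that touches the global transport.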