Bug#749225: [uscan] does not work with bitbucket
Jakub Wilk
jwilk at debian.org
Sun May 25 16:55:46 UTC 2014
* Jakub Wilk <jwilk at debian.org>, 2014-05-25, 17:09:
>$ GET https://bbuseruploads.s3.amazonaws.com/
>Can't connect to bbuseruploads.s3.amazonaws.com:443 (certificate verify failed)
>
>LWP::Protocol::https::Socket: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at /usr/share/perl5/LWP/Protocol/http.pm line 41.

.oO( Wouldn't it be awesome if the error message actually told you
what's wrong? )

>No idea why the verification fails, though. Other TLS clients I tested
>seem to be happy with it.

I've figured this out. The certificate has the following properties:

  CN: *.s3.amazonaws.com
  subjectAltName: *.s3.amazonaws.com, s3.amazonaws.com

But IO::Socket::SSL (which is what LWP uses as backend by default)
doesn't by default permit wildcard certificates for public
suffixes. The "s3.amazonaws.com" domain is on the public suffix list,
although in the PRIVATE part. IO::Socket::SSL should probably ignore the
PRIVATE part for this purpose, just like Chrome does:

https://wiki.mozilla.org/Public_Suffix_List/Uses#Certificates

--
Jakub Wilk
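
Added example, not part of the original message and not IO::Socket::SSL's code: a simplified Python model of the check described above, showing how the same certificate names pass or fail depending on whether the PRIVATE section of the public suffix list is consulted. The PSL excerpt is constructed, the function names are hypothetical, and real PSL wildcard and exception rules are not handled.

```python
# Constructed PSL excerpt (assumption: only these rules; the real list is far longer).
PSL_EXCERPT = """\
// ===BEGIN ICANN DOMAINS===
com
uk
co.uk
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
s3.amazonaws.com
// ===END PRIVATE DOMAINS===
"""

def load_suffixes(text, include_private):
    """Return the set of suffix rules, optionally skipping the PRIVATE section."""
    suffixes, in_private = set(), False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("// ===BEGIN PRIVATE DOMAINS==="):
            in_private = True
        elif line.startswith("// ===END PRIVATE DOMAINS==="):
            in_private = False
        elif line and not line.startswith("//"):
            if include_private or not in_private:
                suffixes.add(line.lower())
    return suffixes

def wildcard_matches(pattern, hostname, suffixes):
    """Match one certificate name; '*' may only stand for the left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    base = pattern[2:]
    if base in suffixes:  # "*.<public suffix>" is refused outright
        return False
    head, _, tail = hostname.partition(".")
    return bool(head) and tail == base

def verify(hostname, san_names, include_private):
    """True if any certificate name is acceptable for hostname."""
    suffixes = load_suffixes(PSL_EXCERPT, include_private)
    return any(wildcard_matches(n, hostname, suffixes) for n in san_names)

SAN = ["*.s3.amazonaws.com", "s3.amazonaws.com"]  # names from the report
HOST = "bbuseruploads.s3.amazonaws.com"

if __name__ == "__main__":
    print("PRIVATE section consulted:", verify(HOST, SAN, include_private=True))
    print("PRIVATE section ignored:  ", verify(HOST, SAN, include_private=False))
    print("*.co.uk for example.co.uk:", verify("example.co.uk", ["*.co.uk"], False))
```
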