bypass or disable SSL certificate verification for S3

0

Hello Team,

We are stuck on one scenario,

We have IoT devices in the field, which are connected to the MQTT broker hosted on AWS EC2. In those devices, we have hard-coded the OTA S3 URL with HTTPS and DigiCert root certificates for verification of the request.

Example URL: https://test3.s3.amazonaws.com/firmware/1.0.8.bin

Now, when performing OTA (Over the Air) updates, the process is stuck at a certificate verification error, as AWS S3 has shifted the root certificates from DigiCert to its own service known as Amazon trust service.

Can you please guide us on how to provide OTA updates bypassing verification of the certificate or any other method?

Thanks & Regards

1 Answer
1

The AWS Rust SDK allows disabling SSL verification by using the rustls library. This involves creating a custom struct that implements the ServerCertVerifier trait, where the verify_server_cert function always returns Ok(). Then, you configure the S3 client to use this verifier. The detailed code is available in this GitHub discussion.

https://github.com/awslabs/aws-sdk-rust/discussions/650

If you're using the boto3 library, disabling SSL verification is as simple as passing verify=False when creating your S3 client:

import boto3
s3 = boto3.client('s3', verify=False)

https://stackoverflow.com/questions/60664637/sslerror-using-boto
https://github.com/iterative/dvc/issues/1394

In the AWS SDK for Java, you can disable SSL verification by setting the TRUST_ALL_CERTIFICATES configuration option to true. https://stackoverflow.com/questions/54749971/is-it-possible-to-disable-ssl-certificate-checking-in-the-amazon-kinesis-consume

final AttributeMap attributeMap = AttributeMap.builder()
    .put(SdkHttpConfigurationOption.TRUST_ALL_CERTIFICATES, true)
    .build();
final SdkHttpClient sdkHttpClient = new DefaultSdkHttpClientBuilder().buildWithDefaults(attributeMap);
return S3Client.builder()
    .httpClient(sdkHttpClient)
    .build();
answered 10 months ago
  • Hello Salman, thank you so much for taking the time to read the question and giving an answer with code samples. I really appreciate that. However, the question and the problem we are addressing here are different. The devices are in the field, so if we need to send any updates to the devices, we have to do OTA, and that is not working right now because when the OTA process is initiated, the S3 bucket rejects the request because the certificate stored in the device's memory is not supported and identified by AWS anymore. Can you please suggest a way to bypass SSL authentication from AWS?
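
The failure described in the question, reproduced offline as an added example (not code from the post, the answer or AWS): a trust store holding only the old root rejects a server certificate issued under a new root, while a bundle holding both roots accepts it with verification still enabled. The root names, the host name `ota.example.test` and the helper functions are constructed for the demo, and it assumes the `openssl` CLI with its default configuration is installed.

```shell
#!/bin/sh
# Added example: every key, certificate, subject and file name is constructed.

# Create a throwaway self-signed root CA: make_root <dir> <name> <subject CN>
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Issue a server certificate signed by root <name>: make_leaf <dir> <name> <CN>
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -days 1 \
        -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/leaf.pem" 2>/dev/null
}

# Return 0 if <leaf> chains to a root in <trust store>, non-zero otherwise.
# Usage: chain_is_trusted <trust store PEM> <leaf PEM>
chain_is_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print how a client holding <trust store> treats the server certificate.
report() {
    if chain_is_trusted "$2" "$3"; then
        echo "$1: verification OK"
    else
        echo "$1: verification FAILED"
    fi
}

demo() {
    d=$(mktemp -d) || return 1
    make_root "$d" old_root "Constructed Old Root" &&
    make_root "$d" new_root "Constructed New Root" &&
    make_leaf "$d" new_root "ota.example.test" || return 1
    # A bundle is simply the PEM roots concatenated into one file.
    cat "$d/old_root.pem" "$d/new_root.pem" > "$d/bundle.pem"
    report "old root only" "$d/old_root.pem" "$d/leaf.pem"
    report "old + new root bundle" "$d/bundle.pem" "$d/leaf.pem"
    rm -rf "$d"
}

demo
```

With boto3, the same kind of bundle file can be passed as `verify='/path/to/bundle.pem'` instead of `verify=False`.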
