Pinboard (jm)
https://pinboard.in/u:jm/public/
recent bookmarks from jm

s3.amazonaws.com "certificate verification failed" errors due to crappy Verisign certs and overzealous curl policies
2015-04-29T15:16:23+00:00
https://forums.aws.amazon.com/thread.jspa?threadID=164095
Seth Vargo is correct. It's not the bit length of the key which is at issue, it's the signature algorithm. The entire chain for the s3.amazonaws.com certificate is signed with SHA1withRSA:
https://www.ssllabs.com/ssltest/analyze.html?d=s3.amazonaws.com&s=54.231.244.0&hideResults=on
At issue is that the root Verisign certificate has been marked as weak because of SHA1 and taken out of the widely used curl CA bundle. This will continue to cause more and more issues going forward as that bundle makes its way into shipping o/s distributions and AWS certificate verification breaks.
'This is still happening and curl is now failing on my machine causing all sorts of fun issues (including breaking CocoaPods that are using S3 for storage).' -- @jmhodges
This may be a contributory factor to the issue @nelson saw: https://nelsonslog.wordpress.com/2015/04/28/cyberduck-is-responsible-for-my-bad-ssl-certificate/
Curl's ca-certs bundle is also used by Node: https://github.com/joyent/node/issues/8894 and doubtless many other apps and packages.
Here's a mailing list thread discussing the issue: http://curl.haxx.se/mail/archive-2014-10/0066.html -- looks like the curl team aren't too bothered about it.
Tags: curl s3 amazon aws ssl tls certs sha1 rsa key-length security cacerts
https://pinboard.in/u:jm/b:332a42ed47b2/