Accessing s3 bucket using tokio-rustls-tls returns 403 error #291

Open
ArjunGTX opened this issue Aug 19, 2022 · 16 comments

Comments

@ArjunGTX

Describe the bug
When trying to access an S3 bucket using the tokio-rustls-tls feature, it returns 403 (Access denied) as the response to a head_object() request. The same request succeeded when tokio-native-tls was used.

To Reproduce

  • Include the tokio-rustls-tls feature
rust-s3 = { version = "0.32", default-features = false, features = [
  "tokio-rustls-tls",
  "tags"
] }
  • Create a bucket with appropriate credentials
let bucket = Bucket::new(
    "my_bucket",
    Region::Custom {
        endpoint: "my_endpoint",
        region: "my_region",
    },
    Credentials::new(
        Some("my_key"),
        Some("my_secret"),
        None,
        None,
        None,
    )
    .context("unable to create credentials")?,
)
.context("unable to create bucket")?;
  • Invoke the head_object() request
let (head, code) = bucket.head_object(&file).await?;

Expected behavior

  • The expected code was 200 but got 403
  • Same request using tokio-native-tls returned 200 code

Environment

  • Rust version: [e.g. 1.63]
  • lib version [e.g. 0.32]
@Niedzwiedzw

It happened to me too.

@Niedzwiedzw

Sadly, the environment I'm running my app in isn't required to have SSL installed, so I cannot live without it... Can I help solve it somehow?

@durch
Owner

durch commented Sep 21, 2022

@Niedzwiedzw there is a no-verify-ssl feature that might help. It seems that rustls-tls has some issues with certain certs; there is a failing test against Digital Ocean Spaces that only fails on rustls-tls.

Can you give me any more specifics on the environment you're running?

Would something like a no-tls feature be helpful?

@Niedzwiedzw

Niedzwiedzw commented Sep 21, 2022

It's running on a Windows 10 machine I'm setting up as a local CI for my project; the target S3 is DigitalOcean. As for the no-tls feature, I'm not sure if it'd help, but as far as I can see no-verify-ssl didn't help, sadly. If reqwest supports no-tls then yeah, why not give it a try; I can build from a branch and give it a quick test.

@Niedzwiedzw

Hmm, rustls-tls-native-roots - this feature for reqwest might do the trick. I'll give it a quick spin.

@durch
Owner

durch commented Sep 21, 2022

It did not work on the Digital Ocean test, I've tried it :(. That being said, if it works on your end I'd be happy to add another variant.

@Niedzwiedzw

I've added this as a feature on my branch; gonna test in a minute once it builds.

@Niedzwiedzw

Yeah, no luck sadly... I'm out of ideas then.

@Niedzwiedzw

I've managed to work around this by conditionally compiling for Windows with native-tls, and for Linux with rustls (I must support a very old Linux machine; this was the whole point :D).
If anyone finds it useful, here's the config:

[target.x86_64-pc-windows-gnu.dependencies]
rust-s3 = {version = "0.32", features = ["with-tokio"] }

[target.x86_64-unknown-linux-gnu.dependencies]
rust-s3 = {version = "0.32", default-features = false, features = ["tokio-rustls-tls", "with-tokio", "no-verify-ssl"] }

@durch
Owner

durch commented Sep 21, 2022

Can you check if it's only head_object() or if other routes are affected as well?

@Niedzwiedzw

Niedzwiedzw commented Sep 21, 2022

Actually, in my case it was failing when uploading a file, at this line:

pub async fn put_object_stream<R: AsyncRead + Unpin>(

@durch
Owner

durch commented Sep 21, 2022

I've managed to work around this by conditionally compiling for Windows with native-tls, and for Linux with rustls (I must support a very old Linux machine; this was the whole point :D). If anyone finds it useful, here's the config:

[target.x86_64-pc-windows-gnu.dependencies]
rust-s3 = {version = "0.32", features = ["with-tokio"] }

[target.x86_64-unknown-linux-gnu.dependencies]
rust-s3 = {version = "0.32", default-features = false, features = ["tokio-rustls-tls", "with-tokio", "no-verify-ssl"] }

Super happy to hear that :)

@Niedzwiedzw

So for future people who encounter this - it only happens on rustls on Windows, it seems, but let's wait for other people to confirm.

@durch
Owner

durch commented Sep 24, 2022

There are issues with tokio-rustls-tls; Digital Ocean, for example, has problems as well. It seems that they're related to how certificates are handled. All in all, I hope this is something that gets fixed upstream eventually...

@durch durch pinned this issue Sep 25, 2022
@Eric-Arellano
Contributor

Eric-Arellano commented Dec 6, 2022

One issue I had with Rustls is the bucket having periods in its name, which triggered rustls/rustls#184

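The comment above about bucket names containing periods points at a TLS hostname-matching effect that is worth seeing concretely. With virtual-hosted-style addressing the bucket name becomes the leading part of the hostname, so a dotted bucket adds extra DNS labels; a wildcard certificate such as `*.s3.example.com` covers exactly one label under RFC 6125 matching, which rustls (via webpki) enforces strictly, whereas path-style addressing keeps the bucket out of the hostname entirely. The following is an added example written for this thread, not code from rust-s3 or from any of its contributors; it uses only the standard library, and the endpoint, bucket names and certificate pattern are constructed sample values. It does not reproduce rust-s3's own URL building, and whether a given provider accepts path-style requests is up to that provider.

```rust
// Added example (not rust-s3 code): shows how a bucket name containing periods
// changes the hostname that TLS verifies under virtual-hosted-style addressing,
// and why a single-label wildcard certificate no longer covers it.

/// Addressing style used to build the request URL.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum AddressingStyle {
    /// https://<bucket>.<endpoint>/<key>
    VirtualHosted,
    /// https://<endpoint>/<bucket>/<key>
    Path,
}

/// Hostname the TLS client will verify the server certificate against.
pub fn tls_host(bucket: &str, endpoint: &str, style: AddressingStyle) -> String {
    match style {
        AddressingStyle::VirtualHosted => format!("{bucket}.{endpoint}"),
        AddressingStyle::Path => endpoint.to_string(),
    }
}

/// Request URL for `key` in the given addressing style.
pub fn object_url(bucket: &str, endpoint: &str, key: &str, style: AddressingStyle) -> String {
    match style {
        AddressingStyle::VirtualHosted => format!("https://{bucket}.{endpoint}/{key}"),
        AddressingStyle::Path => format!("https://{endpoint}/{bucket}/{key}"),
    }
}

/// Strict RFC 6125 style wildcard matching, as rustls/webpki applies it:
/// a leading `*.` matches exactly one DNS label, never two or more.
pub fn wildcard_matches(pattern: &str, host: &str) -> bool {
    let pattern = pattern.to_ascii_lowercase();
    let host = host.to_ascii_lowercase();
    match pattern.strip_prefix("*.") {
        // host must be "<one-label>.<suffix>"; split_once peels off one label only
        Some(suffix) => match host.split_once('.') {
            Some((first_label, rest)) => !first_label.is_empty() && rest == suffix,
            None => false,
        },
        None => pattern == host,
    }
}

/// Picks path-style whenever the virtual-hosted hostname would fall outside
/// the certificate's wildcard (hypothetical helper for this example).
pub fn choose_style(bucket: &str, endpoint: &str, cert_pattern: &str) -> AddressingStyle {
    let vh = tls_host(bucket, endpoint, AddressingStyle::VirtualHosted);
    if wildcard_matches(cert_pattern, &vh) {
        AddressingStyle::VirtualHosted
    } else {
        AddressingStyle::Path
    }
}

fn main() {
    // Constructed sample values, not real endpoints, buckets or certificates.
    let endpoint = "s3.example.com";
    let cert = "*.s3.example.com";
    for bucket in ["plain-bucket", "my.dotted.bucket"] {
        let vh_host = tls_host(bucket, endpoint, AddressingStyle::VirtualHosted);
        let style = choose_style(bucket, endpoint, cert);
        println!(
            "{bucket}: host {vh_host} covered by {cert}: {} -> {:?}: {}",
            wildcard_matches(cert, &vh_host),
            style,
            object_url(bucket, endpoint, "file.txt", style)
        );
    }
}
```

The `my.dotted.bucket` case is the one to watch: `my.dotted.bucket.s3.example.com` has three labels in front of the wildcard's suffix, so a strict verifier rejects the certificate and the request never reaches the point where credentials matter, which is why a TLS-layer problem can surface as an opaque or masked error rather than a clear certificate message.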
@Magicloud

Magicloud commented Apr 5, 2023

sync-rustls-tls on Alpine Linux fails the same way. no-verify-ssl does not help; put_object still got 403.

I do not think my case is because of permissions; the same service account (in K8s) is used by other pods to upload files to S3.

Also, I only got the 403 after I hacked the rust-s3 source. The error was masked and an unparsable JSON error was shown.
