Please allow ssl context options for object storage to be set in config.php so self-signed certificates can work

[bretton]

Is your feature request related to a problem? Please describe.
I can't access S3 object store using self-signed certificates, such as a local-only minio cluster.

Describe the solution you'd like
I want to set ssl context options in config.php in the format

  'objectstore' => array (
    'class' => '\\OC\\Files\\ObjectStore\\S3',
    'arguments' => array(
      'bucket' => 'mynextcloud',
      'autocreate' => true,
      'key'    => 'REDACTED',
      'secret' => 'REDACTED',
      'hostname' => '<your host>',
      'port' => '<your port>',
      'region' => 'optional',
      'use_path_style' => true,
      'use_ssl' => true,
      'ssl' => array(
        'verify_peer' => false,
        'verify_peer_name' => false,
        'allow_self_signed' -> true,
    ),
  ),

https://www.php.net/manual/en/context.ssl.php

just like it's done in https://github.com/nextcloud/server/blob/master/lib/private/Mail/Mailer.php for email, to ignore self-signed tls certs.

Describe alternatives you've considered
I am currently patching https://github.com/nextcloud/server/blob/master/lib/private/Files/ObjectStore/S3ObjectTrait.php from

$opts = [
    'http' => [
        'protocol_version' => $request->getProtocolVersion(),
        'header' => $headers,
    ],
];

to

$opts = [
    'http' => [
       'protocol_version' => $request->getProtocolVersion(),
       'header' => $headers,
    ],
   'ssl' => [
       'verify_peer' => false,
       'verify_peer_name' => false,
   ],
];

Additional context
I also have to append the self-signed CA certificate to ca-root-nss.crt , or /usr/local/share/certs/ca-root-nss.crt in my case, on freebsd 13.0.

[kesselb]

Index: lib/private/Files/ObjectStore/S3ConnectionTrait.php
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/lib/private/Files/ObjectStore/S3ConnectionTrait.php b/lib/private/Files/ObjectStore/S3ConnectionTrait.php
--- a/lib/private/Files/ObjectStore/S3ConnectionTrait.php	(revision 22a74c2de1f6d5224739c1f5e3d3fabd9094fefa)
+++ b/lib/private/Files/ObjectStore/S3ConnectionTrait.php	(date 1655740067414)
@@ -129,6 +129,7 @@
 			'signature_provider' => \Aws\or_chain([self::class, 'legacySignatureProvider'], ClientResolver::_default_signature_provider()),
 			'csm' => false,
 			'use_arn_region' => false,
+			'http' => ['verify' => false]
 		];
 		if ($this->getProxy()) {
 			$options['http'] = ['proxy' => $this->getProxy()];

Hi, does it work when you patch S3ConnectionTrait like above without the changes to S3ObjectStore?

[phieber]

Index: lib/private/Files/ObjectStore/S3ConnectionTrait.php
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/lib/private/Files/ObjectStore/S3ConnectionTrait.php b/lib/private/Files/ObjectStore/S3ConnectionTrait.php
--- a/lib/private/Files/ObjectStore/S3ConnectionTrait.php	(revision 22a74c2de1f6d5224739c1f5e3d3fabd9094fefa)
+++ b/lib/private/Files/ObjectStore/S3ConnectionTrait.php	(date 1655740067414)
@@ -129,6 +129,7 @@
 			'signature_provider' => \Aws\or_chain([self::class, 'legacySignatureProvider'], ClientResolver::_default_signature_provider()),
 			'csm' => false,
 			'use_arn_region' => false,
+			'http' => ['verify' => false]
 		];
 		if ($this->getProxy()) {
 			$options['http'] = ['proxy' => $this->getProxy()];

Hi, does it work when you patch S3ConnectionTrait like above without the changes to S3ObjectStore?

Hi, works for me - thank you!

[bretton]

Hi, does it work when you patch S3ConnectionTrait like above without the changes to S3ObjectStore?

Hi @kesselb , sorry for delay. No it doesn't work. I get broken layout, no images or content.

The only thing that works for me is patching S3ObjectStore for ssl opts

[joshtrichards]

@bretton: Can you provide the logs when the broken layout/etc happens? That sounds like a typo or something in the patch.

[bretton]

Can you provide the logs when the broken layout/etc happens?

@joshtrichards sorry I don't have a system to check atm

[bretton]

let me close so long, can re-open if I get something up

[helmo]

I also ran into this, it turns out that by now the code calls a function getCertificateBundlePath() for the value of verify. Which falls back to the /resources/config/ca-bundle.crt file.

So for someone else landing here, you might try to include your cacert into that file.