I'm debugging an issue I found when using the Apache 5 client with one of S3's integration tests:

    java.lang.AssertionError:
    Expecting a throwable with cause being an instance of:
      <software.amazon.awssdk.services.s3.model.S3Exception>
    but was an instance of:
      <software.amazon.awssdk.core.exception.SdkClientException: Certificate for
      <exceptionunmarshallingintegrationtest-ryansch-2655.s3.eu-central-1.amazonaws.com>
      doesn't match any of the subject alternative names:
      [*.s3.eu-central-1.amazonaws.com, *.s3-eu-central-1.amazonaws.com,
      s3-eu-central-1.amazonaws.com, s3.eu-central-1.amazonaws.com,
      s3.dualstack.eu-central-1.amazonaws.com,
      *.s3.dualstack.eu-central-1.amazonaws.com, *.s3.amazonaws.com,
      *.s3-control.eu-central-1.amazonaws.com,
      s3-control.eu-central-1.amazonaws.com,
      *.s3-control.dualstack.eu-central-1.amazonaws.com,
      s3-control.dualstack.eu-central-1.amazonaws.com,
      *.s3-accesspoint.eu-central-1.amazonaws.com,
      *.s3-accesspoint.dualstack.eu-central-1.amazonaws.com]>

The reason for this exception is that `s3.eu-central-1.amazonaws.com` is one of the entries in Mozilla's Public Suffix List [1]. This entry is located in the "PRIVATE DOMAINS" section of the list, not the "ICANN DOMAINS" section, which I believe is the only section intended to restrict wildcard certs (see [2] under "Standards").

If this interpretation is correct, we should patch `PublicSuffixMatcher` to only respect ICANN domains (i.e. everything between `===BEGIN ICANN DOMAINS===` and `===END ICANN DOMAINS===`).

I'd like to commit this change before the next client beta release. Thoughts?

[1] https://publicsuffix.org/list/public_suffix_list.dat
[2] https://publicsuffix.org/learn/
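The section split described in the message above, as an added example (not part of the original message and not HttpClient's code). The list excerpt and bucket name are constructed, only exact rules are handled, and the wildcard check is a simplified assumption: a `*.base` name is refused when `base` is itself a public suffix.

```python
# Constructed, abridged excerpt in the public_suffix_list.dat layout (not the real file).
PSL_EXCERPT = """\
// ===BEGIN ICANN DOMAINS===
com
co.uk
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
// Amazon
s3.eu-central-1.amazonaws.com
// ===END PRIVATE DOMAINS===
"""

def parse_psl(text):
    """Return {'ICANN': set, 'PRIVATE': set} of exact rules, split on the section markers."""
    sections = {"ICANN": set(), "PRIVATE": set()}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("// ===BEGIN ") and line.endswith(" DOMAINS==="):
            current = line[len("// ===BEGIN "):-len(" DOMAINS===")]
        elif line.startswith("// ===END "):
            current = None
        elif line and not line.startswith("//") and current in sections:
            sections[current].add(line.split()[0].lower())
    return sections

def wildcard_san_matches(host, san, public_suffixes):
    """Simplified strict check (assumption): '*.base' covers exactly one extra
    label and is refused when 'base' is itself a public suffix."""
    host, san = host.lower().rstrip("."), san.lower()
    if not san.startswith("*."):
        return host == san
    base = san[2:]
    if base in public_suffixes:
        return False
    prefix, sep, rest = host.partition(".")
    return bool(prefix) and sep == "." and rest == base

def verify(host, sans, public_suffixes):
    """True if any subject alternative name covers the host."""
    return any(wildcard_san_matches(host, s, public_suffixes) for s in sans)

HOST = "examplebucket.s3.eu-central-1.amazonaws.com"  # constructed bucket name
SANS = ["*.s3.eu-central-1.amazonaws.com", "s3.eu-central-1.amazonaws.com"]
rules = parse_psl(PSL_EXCERPT)
print("ICANN + PRIVATE:", verify(HOST, SANS, rules["ICANN"] | rules["PRIVATE"]))
print("ICANN only:     ", verify(HOST, SANS, rules["ICANN"]))
```

With both sections loaded the wildcard entry is rejected, which reproduces the mismatch in the trace; with only the ICANN rules the same certificate is accepted, while `*.com` and `*.co.uk` stay refused.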
