[OpenSIPS-Users] Connect to AWS RDS database with SSL enabled

Bogdan-Andrei Iancu bogdan at opensips.org
Tue Sep 13 13:54:35 UTC 2022


Set the certificate and key you have in the tls_mgm module, for the 
"certificate" and "private_key" parameters.

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
   https://www.opensips.org/events/Summit-2022Athens/

On 9/13/22 2:57 PM, jacky z wrote:
> Hi Bogdan-Andrei,
>
> I tried two methods.
>
> Method 1:
>
> #enabled TLS connection:
> modparam("db_mysql", "use_tls", 1)
>
> #setup a client domain:
> modparam("tls_mgm", "client_domain", "dom1")
> modparam("tls_mgm", "match_ip_address", "[dom1]*")
> modparam("tls_mgm", "match_sip_domain", "[dom1]*")
> modparam("tls_mgm","certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
> modparam("tls_mgm","private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
> modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
> modparam("tls_mgm","tls_method", "[dom1]SSLv23")
> modparam("tls_mgm","verify_cert", "[dom1]0")
> modparam("tls_mgm","require_cert", "[dom1]0")
> # set db_url
> modparam("usrloc", "db_url", "mysql://root:1234@<awsrdsaddress>/opensips?tls_domain=dom1")
> ...
>
> I couldn't figure out how to use the global-bundle.pem AWS provided with
> this method. No luck getting a connection with RDS. If I don't use SSL,
> OpenSIPS can connect to RDS without encryption.
>
> Method 2:
>
> I tried
>
> modparam("usrloc", "db_url", "mysql://root:1234@<awsrdsaddress>/opensips?ssl=true&ssl_ca_certs=/etc/ssl/certs/global-bundle.pem")
>
> to include the AWS cert. Still no luck.
>
> Thanks!
>
> On Tue, Sep 13, 2022 at 4:52 PM Bogdan-Andrei Iancu
> <bogdan at opensips.org> wrote:
>
>     Hi,
>
>     sorry for my silly question, but how do you connect from the
>     OpenSIPS side ??
>
>     Regards,
>
>     Bogdan-Andrei Iancu
>
>     OpenSIPS Founder and Developer
>        https://www.opensips-solutions.com
>     OpenSIPS Summit 27-30 Sept 2022, Athens
>        https://www.opensips.org/events/Summit-2022Athens/
>
>     On 9/13/22 10:41 AM, jacky z wrote:
>>     Hi Team,
>>
>>     We hope to connect to an AWS RDS database with SSL encryption. We
>>     have set up a client domain according to the OpenSIPS documents.
>>     However, AWS RDS does not support client certs, as someone has
>>     confirmed with AWS:
>>     https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
>>
>>     Is there any way to use the cert provided by AWS to connect? AWS
>>     provides a global-bundle.pem
>>     (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html)
>>     for such a connection, but we don't know how to include it in the
>>     config file.
>>
>>     Thanks
>>
>>     Jacky z
>
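
Added example (not part of the original thread and not OpenSIPS code): a small lint for the tls_mgm client-domain settings quoted in Method 1, flagging disabled peer verification, a ca_list that is not the expected bundle, and a CA certificate reused as the client certificate. The function names are hypothetical, the sample config is constructed from the quoted lines, and the expected bundle path is the one used in Method 2.

```python
import re
from collections import defaultdict

# Constructed sample: the tls_mgm lines quoted in the thread (Method 1).
SAMPLE_CFG = '''
modparam("db_mysql", "use_tls", 1)
modparam("tls_mgm", "client_domain", "dom1")
modparam("tls_mgm","certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
modparam("tls_mgm","private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
modparam("tls_mgm","verify_cert", "[dom1]0")
modparam("tls_mgm","require_cert", "[dom1]0")
'''

# modparam("tls_mgm", "<name>", "[<domain>]<value>"); the [domain] prefix is optional.
MODPARAM = re.compile(
    r'modparam\(\s*"tls_mgm"\s*,\s*"(\w+)"\s*,\s*"(?:\[([^\]]+)\])?([^"]*)"\s*\)')

def parse_tls_domains(cfg):
    """Group tls_mgm parameters by the TLS domain they are scoped to."""
    domains = defaultdict(dict)
    for line in cfg.splitlines():
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        m = MODPARAM.search(line)
        if not m:
            continue
        name, dom, value = m.groups()
        if name in ("client_domain", "server_domain"):
            domains[value]["_type"] = name  # domain declaration
        elif dom:
            domains[dom][name] = value      # domain-scoped setting
    return dict(domains)

def audit_domain(params, expected_ca):
    """Return findings for one domain; expected_ca is the bundle the server chains to."""
    findings = []
    if params.get("verify_cert") == "0":
        findings.append("verify_cert=0: the peer certificate is not validated")
    ca = params.get("ca_list")
    if ca != expected_ca:
        findings.append(f"ca_list={ca}: not the expected bundle {expected_ca}")
    if ca and ca == params.get("certificate"):
        findings.append("certificate is the same file as ca_list: a CA cert is used as the client identity")
    return findings

if __name__ == "__main__":
    for dom, params in parse_tls_domains(SAMPLE_CFG).items():
        for finding in audit_domain(params, "/etc/ssl/certs/global-bundle.pem"):
            print(f"[{dom}] {finding}")
```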
