[OpenSIPS-Users] Connect to AWS RDS database with SSL enabled

Vlad Patrascu vladp at opensips.org
Wed Sep 14 13:13:24 UTC 2022


Hi Jacky,

OpenSIPS will always require you to configure a client certificate for 
TLS client domains and will also present that certificate when 
connecting. But normally, a TLS server can simply choose not to verify 
the client certificate. I don't have any experience with AWS RDS, but 
it seems odd to not accept a connection only because the client did 
present a certificate.

Regards,

-- 
Vlad Patrascu
OpenSIPS Core Developer
http://www.opensips-solutions.com

On 14.09.2022 05:42, jacky z wrote:
> Hi Bogdan-Andrei,
>
> I checked the mariadb documentation and found mariadb has two options 
> to set ssl connection: two-way TLS and one-way TLS. It seems AWS RDS 
> only supports one-way TLS, that is, TLS is used without a client cert. 
> Does OPENSIPS support such one-way TLS to connect a database? Thanks!
>
> On Wed, Sep 14, 2022 at 12:06 AM jacky z <zjack0992 at gmail.com> wrote:
>
>     Hi Bogdan-Andrei,
>
>     I have set the "certificate" and "private_key" in my script, as I
>     explained in method 1. However, AWS RDS doesn't support a client
>     cert. Please refer to
>     https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
>
>     Is there any workaround to use the public cert list provided by
>     AWS? Has anyone successfully used RDS with SSL connections? Thanks!
>
>     On Tue, Sep 13, 2022 at 9:54 PM Bogdan-Andrei Iancu
>     <bogdan at opensips.org> wrote:
>
>         Set the certificate and key you have in the tls_mgm module,
>         for the "certificate" and "private_key" parameters.
>
>         Regards,
>
>         Bogdan-Andrei Iancu
>
>         OpenSIPS Founder and Developer
>            https://www.opensips-solutions.com
>         OpenSIPS Summit 27-30 Sept 2022, Athens
>            https://www.opensips.org/events/Summit-2022Athens/
>
>         On 9/13/22 2:57 PM, jacky z wrote:
>>         Hi Bogdan-Andrei,
>>
>>         I tried two methods.
>>
>>         Method 1:
>>
>>         #enabled TLS connection:
>>         modparam("db_mysql", "use_tls", 1)
>>
>>         #setup a client domain:
>>         modparam("tls_mgm", "client_domain", "dom1")
>>         modparam("tls_mgm", "match_ip_address", "[dom1]*")
>>         modparam("tls_mgm", "match_sip_domain", "[dom1]*")
>>         modparam("tls_mgm","certificate",
>>         "[dom1]/etc/ssl/certs/rootCACert.pem")
>>         modparam("tls_mgm","private_key",
>>         "[dom1]/etc/ssl/private/rootCAKey.pem")
>>         modparam("tls_mgm","ca_list",
>>         "[dom1]/etc/ssl/certs/rootCACert.pem")
>>         modparam("tls_mgm","tls_method", "[dom1]SSLv23")
>>         modparam("tls_mgm","verify_cert", "[dom1]0")
>>         modparam("tls_mgm","require_cert", "[dom1]0")
>>         # set db_url
>>         modparam("usrloc", "db_url",
>>         "mysql://root:1234@<awsrdsaddress>/opensips?tls_domain=dom1")
>>         ...
>>
>>         I couldn't figure out how to use global-bundle.pem AWS
>>         provided with this method. No luck to get a connection with
>>         RDS. If I don't use ssl, opensips can connect to RDS without
>>         encryption.
>>
>>         Method 2:
>>
>>         I tried
>>
>>         modparam("usrloc", "db_url",
>>         "mysql://root:1234@<awsrdsaddress>/opensips?ssl=true&ssl_ca_certs=/etc/ssl/certs/global-bundle.pem")
>>
>>         to include the AWS cert. Still no luck.
>>
>>         Thanks!
>>
>>         On Tue, Sep 13, 2022 at 4:52 PM Bogdan-Andrei Iancu
>>         <bogdan at opensips.org> wrote:
>>
>>             Hi,
>>
>>             sorry for my silly question, but how do you connect from
>>             the OpenSIPS side?
>>
>>             Regards,
>>
>>             Bogdan-Andrei Iancu
>>
>>             OpenSIPS Founder and Developer
>>                https://www.opensips-solutions.com
>>             OpenSIPS Summit 27-30 Sept 2022, Athens
>>                https://www.opensips.org/events/Summit-2022Athens/
>>
>>             On 9/13/22 10:41 AM, jacky z wrote:
>>>             Hi Team,
>>>
>>>             We hope to connect to AWS RDS database with ssl
>>>             encryption. We have set up a client domain according to
>>>             OPENSIPS documents. However, AWS RDS does not support
>>>             client cert as someone has confirmed with AWS
>>>             https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
>>>
>>>             Is there any way to use the cert provided by AWS to
>>>             connect? AWS provides a global-bundle.pem
>>>             (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html)
>>>             for such a connection, but we don't know how to include
>>>             it in the config file.
>>>
>>>             Thanks
>>>
>>>             Jacky z
>>>
>>>             _______________________________________________
>>>             Users mailing list
>>>             Users at lists.opensips.org
>>>             http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>
>

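For readers landing on this thread, here is a tls_mgm client-domain fragment that separates the two roles the posted "Method 1" config mixed up: the certificate/key pair that OpenSIPS insists on for every client domain (Vlad's point above), and the CA bundle that is used to verify the RDS server certificate. This is an added example and not code from the thread, from AWS, or from the OpenSIPS project. It assumes a domain name `rds`, a locally generated self-signed pair at `/etc/opensips/tls/`, the AWS bundle downloaded to `/etc/ssl/certs/global-bundle.pem`, and a database user `opensips` (the password is a placeholder). `TLSv1_2` as a `tls_method` value is also an assumption to check against the tls_mgm documentation for your OpenSIPS version; `SSLv23`, as used in the thread, is the documented fallback.

```cfg
# Added example (not from the thread): one-way TLS from db_mysql to AWS RDS,
# verifying the server against the AWS bundle and presenting a throwaway
# client certificate only because OpenSIPS requires one per client domain.

loadmodule "tls_mgm.so"
loadmodule "db_mysql.so"
loadmodule "usrloc.so"

# enable TLS in the MySQL connector (same as the posted config)
modparam("db_mysql", "use_tls", 1)

# assumed domain name; referenced explicitly via tls_domain= in db_url below,
# so no match_ip_address / match_sip_domain rules are needed for it
modparam("tls_mgm", "client_domain", "rds")

# OpenSIPS always needs a certificate and key for a client domain.
# A self-signed pair is sufficient here: RDS does not verify client certs,
# it just sees one and ignores it. (assumed paths)
modparam("tls_mgm", "certificate", "[rds]/etc/opensips/tls/client-selfsigned.pem")
modparam("tls_mgm", "private_key", "[rds]/etc/opensips/tls/client-selfsigned.key")

# The AWS bundle is the set of trust anchors for the *server* certificate.
# It belongs in ca_list; the posted config reused a local CA cert here and
# also used it as the client certificate, which does not verify RDS at all.
modparam("tls_mgm", "ca_list", "[rds]/etc/ssl/certs/global-bundle.pem")

# verify_cert=0 (as posted) encrypts the session but never checks who the
# peer is, so an on-path attacker with any certificate would be accepted.
# Turn verification on and require the server to present a certificate.
modparam("tls_mgm", "verify_cert", "[rds]1")
modparam("tls_mgm", "require_cert", "[rds]1")

# assumed value; fall back to "SSLv23" if your tls_mgm does not accept it
modparam("tls_mgm", "tls_method", "[rds]TLSv1_2")

# bind the connection to the domain above; <awsrdsaddress> and the
# password are placeholders
modparam("usrloc", "db_url",
    "mysql://opensips:DB_PASSWORD_PLACEHOLDER@<awsrdsaddress>/opensips?tls_domain=rds")
```

The point of the fragment is the split between `certificate`/`private_key` (what OpenSIPS shows to RDS, which RDS ignores) and `ca_list` (what OpenSIPS uses to judge RDS), together with `verify_cert` set to 1 so that the AWS bundle is actually consulted. Whether RDS then accepts the handshake with a client certificate present is exactly the open question in the thread; a `verify_cert` of 0 should not be used as the way to make the connection "work", since it discards the only protection the bundle provides.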
