[OpenSIPS-Users] Connect to AWS RDS database with SSL enabled

jacky z zjack0992 at gmail.com
Thu Sep 15 06:59:36 UTC 2022 

Hi Vlad,

In theory, the RDS server is expected to work like what you mentioned.
However, based on test, when the client cert and key is specified, the
connection can't be set.
For example, if we specify the following when we connect to the RDS server
in the command line in our testing
--ssl-cert=/etc/ssl/certs/rootCACert.pem
--ssl-key=/etc/ssl/private/rootCAKey.pem

RDS returns this error:
ERROR 2013 (HY000): Lost connection to MySQL server at 'reading
authorization packet', system error: 11

On Wed, Sep 14, 2022 at 9:16 PM Vlad Patrascu <vladp at opensips.org> wrote:

> Hi Jacky,
>
> OpenSIPS will always require you to configure a client certificate for TLS
> client domains and will also present that certificate when connecting. But
> normally, a TLS server can simply choose not to verify the client
> certificate. I don't have any experience with AWS RDS though but it seems
> odd to not accept a connection only because the client did present a
> certificate.
>
> Regards,
>
> --
> Vlad Patrascu
> OpenSIPS Core Developerhttp://www.opensips-solutions.com
>
> On 14.09.2022 05:42, jacky z wrote:
>
> Hi Bogdan-Andrei,
>
> I checked the mariadb documentation and found mariadb has two options to
> set ssl connection: two-way TSL and one-way TSL. It seems AWS RDS only
> supports one-way TSL, that is, TSL is used without a client cert. Does
> OPENSIPS support such one-way TSL to connect a database? Thanks!
>
> On Wed, Sep 14, 2022 at 12:06 AM jacky z <zjack0992 at gmail.com> wrote:
>
>> Hi Bogdan-Andrei,
>>
>> I have set the "certificate" and "private_key" in my script, as I
>> explained in method 1. However, AWS RDS doesn't support a client cert.
>> Please refer to
>>
>> https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
>>
>> Is there any workaround to use the public cert list provided by AWS?
>> Anyone has successfully used RDS with SSL connections? Thanks!
>>
>> On Tue, Sep 13, 2022 at 9:54 PM Bogdan-Andrei Iancu <bogdan at opensips.org>
>> wrote:
>>
>>> Set the certificate and key you have in the tls_mgm module, for the
>>> "certificate" and "private_key" parameters.
>>>
>>> Regards,
>>>
>>> Bogdan-Andrei Iancu
>>>
>>> OpenSIPS Founder and Developer
>>>   https://www.opensips-solutions.com
>>> OpenSIPS Summit 27-30 Sept 2022, Athens
>>>   https://www.opensips.org/events/Summit-2022Athens/
>>>
>>> On 9/13/22 2:57 PM, jacky z wrote:
>>>
>>> Hi Bogdan-Andrei,
>>>
>>> I tried two methods.
>>>
>>> Method 1:
>>>
>>> #enabled TLS connection:
>>> modparam("db_mysql", "use_tls", 1)
>>>
>>> #setup a client domain:
>>> modparam("tls_mgm", "client_domain", "dom1")
>>> modparam("tls_mgm", "match_ip_address", "[dom1]*")
>>> modparam("tls_mgm", "match_sip_domain", "[dom1]*")
>>> modparam("tls_mgm","certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
>>> modparam("tls_mgm","private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
>>> modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
>>> modparam("tls_mgm","tls_method", "[dom1]SSLv23")
>>> modparam("tls_mgm","verify_cert", "[dom1]0")
>>> modparam("tls_mgm","require_cert", "[dom1]0")
>>> # set db_url
>>> modparam("usrloc", "db_url", "mysql://root:1234@
>>> <awsrdsaddress>/opensips?tls_domain=dom1")
>>> ...
>>>
>>> I couldn't figure out how to use global-bundle.pem AWS provided with
>>> this method. No luck to get a connection with RDS. If I don't use ssl,
>>> opensips can connect to RDS without encryption.
>>>
>>> Method 2:
>>>
>>> I tried
>>>
>>> modparam("usrloc", "db_url", "mysql://root:1234@
>>> <awsrdsaddress>/opensips?ssl=true&
>>> ssl_ca_certs=/etc/ssl/certs/global-bundle.pem")
>>>
>>> to include the AWS cert. Still no luck.
>>>
>>> Thanks!
>>>
>>> On Tue, Sep 13, 2022 at 4:52 PM Bogdan-Andrei Iancu <bogdan at opensips.org>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> sorry for my silly question, but how do you connect from the OpenSIPS
>>>> side ??
>>>>
>>>> Regards,
>>>>
>>>> Bogdan-Andrei Iancu
>>>>
>>>> OpenSIPS Founder and Developer
>>>>   https://www.opensips-solutions.com
>>>> OpenSIPS Summit 27-30 Sept 2022, Athens
>>>>   https://www.opensips.org/events/Summit-2022Athens/
>>>>
>>>> On 9/13/22 10:41 AM, jacky z wrote:
>>>>
>>>> Hi Team,
>>>>
>>>> We hope to connect to aws RDS database with ssl encryption. We have
>>>> setup a client domain according to OPENSIPS documents. However, AWS RDS
>>>> does not support client cert as someone has confirmed with AWS
>>>> https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
>>>>
>>>> Is there any way to use the cert provided by AWS to connect? AWS
>>>> provides a global-bundle.pem (
>>>> https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html)
>>>> for such a connection, but we don't know how to include it in the config
>>>> file.
>>>>
>>>> Thanks
>>>>
>>>> Jacky z
>>>>
>>>> _______________________________________________
>>>> Users mailing listUsers at lists.opensips.orghttp://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>>
>>>>
>>>>
>>>
> _______________________________________________
> Users mailing listUsers at lists.opensips.orghttp://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20220915/2dff47b8/attachment-0001.html>

More information about the Users mailing list