[OpenSIPS-Users] Connect to AWS RDS database with SSL enabled

jacky z zjack0992 at gmail.com
Sat Sep 17 15:46:13 UTC 2022


Hi Vlad,

Is there any workaround to disable the client cert? Thanks!

On Wed, Sep 14, 2022 at 9:16 PM Vlad Patrascu <vladp at opensips.org> wrote:

> Hi Jacky,
>
> OpenSIPS will always require you to configure a client certificate for TLS
> client domains and will also present that certificate when connecting. But
> normally, a TLS server can simply choose not to verify the client
> certificate. I don't have any experience with AWS RDS though but it seems
> odd to not accept a connection only because the client did present a
> certificate.
>
> Regards,
>
> --
> Vlad Patrascu
> OpenSIPS Core Developer
> http://www.opensips-solutions.com
>
> On 14.09.2022 05:42, jacky z wrote:
>
> Hi Bogdan-Andrei,
>
> I checked the MariaDB documentation and found MariaDB has two options to
> set up an SSL connection: two-way TLS and one-way TLS. It seems AWS RDS only
> supports one-way TLS, that is, TLS is used without a client cert. Does
> OpenSIPS support such one-way TLS to connect to a database? Thanks!
>
> On Wed, Sep 14, 2022 at 12:06 AM jacky z <zjack0992 at gmail.com> wrote:
>
>> Hi Bogdan-Andrei,
>>
>> I have set the "certificate" and "private_key" in my script, as I
>> explained in method 1. However, AWS RDS doesn't support a client cert.
>> Please refer to
>>
>> https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
>>
>> Is there any workaround to use the public cert list provided by AWS?
>> Has anyone successfully used RDS with SSL connections? Thanks!
>>
>> On Tue, Sep 13, 2022 at 9:54 PM Bogdan-Andrei Iancu <bogdan at opensips.org>
>> wrote:
>>
>>> Set the certificate and key you have in the tls_mgm module, for the
>>> "certificate" and "private_key" parameters.
>>>
>>> Regards,
>>>
>>> Bogdan-Andrei Iancu
>>>
>>> OpenSIPS Founder and Developer
>>>   https://www.opensips-solutions.com
>>> OpenSIPS Summit 27-30 Sept 2022, Athens
>>>   https://www.opensips.org/events/Summit-2022Athens/
>>>
>>> On 9/13/22 2:57 PM, jacky z wrote:
>>>
>>> Hi Bogdan-Andrei,
>>>
>>> I tried two methods.
>>>
>>> Method 1:
>>>
>>> #enabled TLS connection:
>>> modparam("db_mysql", "use_tls", 1)
>>>
>>> #setup a client domain:
>>> modparam("tls_mgm", "client_domain", "dom1")
>>> modparam("tls_mgm", "match_ip_address", "[dom1]*")
>>> modparam("tls_mgm", "match_sip_domain", "[dom1]*")
>>> modparam("tls_mgm","certificate", "[dom1]/etc/ssl/certs/rootCACert.pem")
>>> modparam("tls_mgm","private_key", "[dom1]/etc/ssl/private/rootCAKey.pem")
>>> modparam("tls_mgm","ca_list", "[dom1]/etc/ssl/certs/rootCACert.pem")
>>> modparam("tls_mgm","tls_method", "[dom1]SSLv23")
>>> modparam("tls_mgm","verify_cert", "[dom1]0")
>>> modparam("tls_mgm","require_cert", "[dom1]0")
>>> # set db_url
>>> modparam("usrloc", "db_url", "mysql://root:1234@<awsrdsaddress>/opensips?tls_domain=dom1")
>>> ...
>>>
>>> I couldn't figure out how to use the global-bundle.pem AWS provided with
>>> this method. No luck getting a connection to RDS. If I don't use SSL,
>>> OpenSIPS can connect to RDS without encryption.
>>>
>>> Method 2:
>>>
>>> I tried
>>>
>>> modparam("usrloc", "db_url", "mysql://root:1234@<awsrdsaddress>/opensips?ssl=true&ssl_ca_certs=/etc/ssl/certs/global-bundle.pem")
>>>
>>> to include the AWS cert. Still no luck.
>>>
>>> Thanks!
>>>
>>> On Tue, Sep 13, 2022 at 4:52 PM Bogdan-Andrei Iancu <bogdan at opensips.org>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> sorry for my silly question, but how do you connect from the OpenSIPS
>>>> side?
>>>>
>>>> Regards,
>>>>
>>>> Bogdan-Andrei Iancu
>>>>
>>>> OpenSIPS Founder and Developer
>>>>   https://www.opensips-solutions.com
>>>> OpenSIPS Summit 27-30 Sept 2022, Athens
>>>>   https://www.opensips.org/events/Summit-2022Athens/
>>>>
>>>> On 9/13/22 10:41 AM, jacky z wrote:
>>>>
>>>> Hi Team,
>>>>
>>>> We hope to connect to an AWS RDS database with SSL encryption. We have
>>>> set up a client domain according to the OpenSIPS documents. However, AWS RDS
>>>> does not support client certs, as someone has confirmed with AWS:
>>>> https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
>>>>
>>>> Is there any way to use the cert provided by AWS to connect? AWS
>>>> provides a global-bundle.pem (
>>>> https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html)
>>>> for such a connection, but we don't know how to include it in the config
>>>> file.
>>>>
>>>> Thanks
>>>>
>>>> Jacky z
>>>>
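As an added example that is not part of the thread, the script below reproduces the one-way TLS handshake locally with nothing but the openssl CLI, so the two things the Method 1 config mixes together can be separated: trusting the server's CA bundle (what global-bundle.pem is for) and presenting a client certificate (which, as Vlad says, a server that never requests one never even sees). It assumes a POSIX shell, an openssl binary and a free local port; the CA, the server cert and the port are constructed for the demo and stand in for the AWS bundle and the RDS endpoint.

```shell
# Added example, not from the thread: a constructed CA plays AWS's global-bundle.pem
# and signs a server cert that plays the RDS endpoint; the client then connects
# trusting that CA, without it, and offering a client cert the server never asked for.
WORK=${WORK:-$(mktemp -d)}
PORT=${PORT:-14433}

make_certs() {
  # CA key+cert, then a server cert with SAN=localhost issued by that CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=demo-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:localhost\n' > "$WORK/san.cnf"
  openssl x509 -req -days 2 -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/san.cnf" -out "$WORK/srv.pem" >/dev/null 2>&1
}

start_server() {
  # No -Verify/-verify: the server never requests a client certificate (the RDS situation).
  # -www keeps s_server from reading stdin, so it survives being backgrounded.
  openssl s_server -accept "$PORT" -cert "$WORK/srv.pem" -key "$WORK/srv.key" -www \
    </dev/null >/dev/null 2>&1 &
  SRV_PID=$!
  i=0
  while [ "$i" -lt 20 ]; do   # wait until the listener answers
    openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1 && break
    i=$((i + 1)); sleep 1
  done
}

# Prints openssl's X509 verify result for one handshake; extra s_client options in $@.
# 0 = chain trusted by the given CA and hostname matches; anything else = encrypted but unauthenticated.
verify_rc() {
  openssl s_client -connect "127.0.0.1:$PORT" -servername localhost \
    -verify_hostname localhost "$@" </dev/null 2>/dev/null |
    sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}
check_with_bundle()      { verify_rc -CAfile "$WORK/ca.pem"; }
check_without_bundle()   { verify_rc; }
check_unrequested_cert() { verify_rc -CAfile "$WORK/ca.pem" -cert "$WORK/ca.pem" -key "$WORK/ca.key"; }

stop_server() {
  kill "$SRV_PID" 2>/dev/null || true; wait "$SRV_PID" 2>/dev/null || true
}

make_certs && start_server
echo "trusting the CA bundle:          $(check_with_bundle)"       # 0
echo "without the CA bundle:           $(check_without_bundle)"    # non-zero: issuer not trusted
echo "with an unrequested client cert: $(check_unrequested_cert)"  # 0: the server ignores it
stop_server
```

The same client invocation is the check to run against a real endpoint before touching the OpenSIPS config: `openssl s_client -starttls mysql -connect <rds-endpoint>:3306 -CAfile global-bundle.pem -verify_hostname <rds-endpoint> </dev/null`, where `Verify return code: 0 (ok)` means the bundle authenticates the server and the handshake completed without any client certificate.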