[OpenSIPS-Users] Connect to AWS RDS database with SSL enabled

Vlad Patrascu vladp at opensips.org
Mon Sep 19 13:06:06 UTC 2022


Hi Jacky,

I can't think of any workaround, unfortunately.

Regards,

-- 
Vlad Patrascu
OpenSIPS Core Developer
http://www.opensips-solutions.com

On 17.09.2022 18:46, jacky z wrote:
> Hi Vlad,
>
> Is there any workaround to disable the client cert? Thanks!
>
> On Wed, Sep 14, 2022 at 9:16 PM Vlad Patrascu <vladp at opensips.org> wrote:
>
>     Hi Jacky,
>
>     OpenSIPS will always require you to configure a client certificate
>     for TLS client domains and will also present that certificate when
>     connecting. But normally, a TLS server can simply choose not to
>     verify the client certificate. I don't have any experience with
>     AWS RDS though but it seems odd to not accept a connection only
>     because the client did present a certificate.
>
>     Regards,
>
>     -- 
>     Vlad Patrascu
>     OpenSIPS Core Developer
>     http://www.opensips-solutions.com
>
>     On 14.09.2022 05:42, jacky z wrote:
>>     Hi Bogdan-Andrei,
>>
>>     I checked the MariaDB documentation and found MariaDB has two
>>     options to set up an SSL connection: two-way TLS and one-way TLS. It
>>     seems AWS RDS only supports one-way TLS, that is, TLS is used
>>     without a client cert. Does OpenSIPS support such one-way TLS to
>>     connect to a database? Thanks!
>>
>>     On Wed, Sep 14, 2022 at 12:06 AM jacky z <zjack0992 at gmail.com> wrote:
>>
>>         Hi Bogdan-Andrei,
>>
>>         I have set the "certificate" and "private_key" in my script,
>>         as I explained in method 1. However, AWS RDS doesn't support
>>         a client cert. Please refer to
>>         https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
>>
>>         Is there any workaround to use the public cert list provided
>>         by AWS? Has anyone successfully used RDS with SSL
>>         connections? Thanks!
>>
>>         On Tue, Sep 13, 2022 at 9:54 PM Bogdan-Andrei Iancu
>>         <bogdan at opensips.org> wrote:
>>
>>             Set the certificate and key you have in the tls_mgm
>>             module, for the "certificate" and "private_key" parameters.
>>
>>             Regards,
>>
>>             Bogdan-Andrei Iancu
>>
>>             OpenSIPS Founder and Developer
>>                https://www.opensips-solutions.com
>>             OpenSIPS Summit 27-30 Sept 2022, Athens
>>                https://www.opensips.org/events/Summit-2022Athens/
>>
>>             On 9/13/22 2:57 PM, jacky z wrote:
>>>             Hi Bogdan-Andrei,
>>>
>>>             I tried two methods.
>>>
>>>             Method 1:
>>>
>>>             #enabled TLS connection:
>>>             modparam("db_mysql", "use_tls", 1)
>>>
>>>             #setup a client domain:
>>>             modparam("tls_mgm", "client_domain", "dom1")
>>>             modparam("tls_mgm", "match_ip_address", "[dom1]*")
>>>             modparam("tls_mgm", "match_sip_domain", "[dom1]*")
>>>             modparam("tls_mgm","certificate",
>>>             "[dom1]/etc/ssl/certs/rootCACert.pem")
>>>             modparam("tls_mgm","private_key",
>>>             "[dom1]/etc/ssl/private/rootCAKey.pem")
>>>             modparam("tls_mgm","ca_list",
>>>             "[dom1]/etc/ssl/certs/rootCACert.pem")
>>>             modparam("tls_mgm","tls_method", "[dom1]SSLv23")
>>>             modparam("tls_mgm","verify_cert", "[dom1]0")
>>>             modparam("tls_mgm","require_cert", "[dom1]0")
>>>             # set db_url
>>>             modparam("usrloc", "db_url",
>>>             "mysql://root:1234@<awsrdsaddress>/opensips?tls_domain=dom1")
>>>             ...
>>>
>>>             I couldn't figure out how to use the global-bundle.pem AWS
>>>             provides with this method. No luck getting a connection
>>>             to RDS. If I don't use SSL, OpenSIPS can connect to
>>>             RDS without encryption.
>>>
>>>             Method 2:
>>>
>>>             I tried
>>>
>>>             modparam("usrloc", "db_url",
>>>             "mysql://root:1234@<awsrdsaddress>/opensips?ssl=true&ssl_ca_certs=/etc/ssl/certs/global-bundle.pem")
>>>
>>>             to include the AWS cert. Still no luck.
>>>
>>>             Thanks!
>>>
>>>             On Tue, Sep 13, 2022 at 4:52 PM Bogdan-Andrei Iancu
>>>             <bogdan at opensips.org> wrote:
>>>
>>>                 Hi,
>>>
>>>                 Sorry for my silly question, but how do you connect
>>>                 from the OpenSIPS side?
>>>
>>>                 Regards,
>>>
>>>                 Bogdan-Andrei Iancu
>>>
>>>                 OpenSIPS Founder and Developer
>>>                    https://www.opensips-solutions.com
>>>                 OpenSIPS Summit 27-30 Sept 2022, Athens
>>>                    https://www.opensips.org/events/Summit-2022Athens/
>>>
>>>                 On 9/13/22 10:41 AM, jacky z wrote:
>>>>                 Hi Team,
>>>>
>>>>                 We hope to connect to an AWS RDS database with SSL
>>>>                 encryption. We have set up a client domain according
>>>>                 to the OpenSIPS documents. However, AWS RDS does not
>>>>                 support a client cert, as someone has confirmed with
>>>>                 AWS:
>>>>                 https://stackoverflow.com/questions/53760104/how-to-configure-x509-client-certificate-based-authentication-to-connect-to-aws
>>>>
>>>>                 Is there any way to use the cert provided by AWS to
>>>>                 connect? AWS provides a global-bundle.pem
>>>>                 (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html)
>>>>                 for such a connection, but we don't know how to
>>>>                 include it in the config file.
>>>>
>>>>                 Thanks
>>>>
>>>>                 Jacky z
>>>>
>>>>                 _______________________________________________
>>>>                 Users mailing list
>>>>                 Users at lists.opensips.org
>>>>                 http://lists.opensips.org/cgi-bin/mailman/listinfo/users